Many people who watched live streaming video of the inauguration of U.S. President Barack Obama on Jan. 20 may not realize that their PC was also used to send the video to other PCs.
Clicking “yes” in a CNN.com dialog box installed a peer-to-peer (P2P) application that uses your Internet bandwidth, rather than CNN’s, to send live video to other viewers.
The P2P application is called Octoshape Grid Delivery and is managed by Octoshape ApS, a company based in Copenhagen, Denmark.
Web surfers who visit CNN.com and select a live video stream for the first time see in their browsers a dialog box, shown in Figure 1, saying, “This site requires the Octoshape Grid Delivery enhancement for Adobe Flash Player.” The dialog box doesn’t appear when playing an ordinary video file, only when starting a live feed. (Feeds labeled LIVE typically appear in the upper-right corner of CNN.com’s home page during business hours.)
Figure 1. Users who select a CNN.com live video feed see a dialog box to install the Octoshape Grid Delivery application.
According to Octoshape’s end-user license agreement (EULA), what’s installed is a peer-to-peer app that will “deliver parts of the video and audio stream to other end users of the Software.”
Why should you care? Windows Secrets contributing editor Ryan Russell, using a network sniffer, measured Octoshape consuming 320 kilobits per second (Kbps) of upstream bandwidth on a broadband connection. Dan Ferrell, in a comment on contributing editor Susan Bradley’s blog, reports seeing 600 Kbps of upstream traffic. At first glance, Ferrell adds, the multiple connections to his PC looked on his security alert system like some kind of SQL attack.
The Internet Storm Center, an Internet security organization, reported that traffic on Jan. 20 had jumped to a level thousands of times higher than usual on UDP (User Datagram Protocol) port 8247. (See Figure 2.) The center quickly identified the source as legitimate — CNN — but security consultant Raul Siles warned in his report, “It would be easy for an attacker to hide his actions on this port if we simply ignore it.”
Figure 2. The Internet Storm Center measured an enormous increase in UDP traffic on Jan. 20.
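The measurements above (hundreds of Kbps upstream, many peer connections, a port-8247 spike against a quiet baseline) are exactly what a network defender can check for. The script below is an added example, not code from the article, from Octoshape or from the Internet Storm Center. It reads a constructed, NetFlow-style export (the format, the RFC 5737 documentation addresses, the 10-second window and the baseline figure are all assumptions made for the example) and applies two checks: per-host upstream rate and peer fan-out on UDP/8247, which is what a sniffer on a relaying PC shows, and a ratio of the window’s port-8247 flow count to a baseline, so the port is watched rather than ignored as Siles cautions.

```python
"""Flag PCs that relay a live stream peer-to-peer, Octoshape-style, from flow records.

Added example: the export format, addresses, byte counts and baseline below are
constructed for illustration and are not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass

OCTOSHAPE_PORT = 8247        # UDP port the Internet Storm Center saw spike on Jan. 20
LOCAL_PREFIX = "192.0.2."    # assumed "inside" network (RFC 5737 documentation range)

# Constructed flow export for one 10-second window (1232470800 = Jan. 20, 2009, 17:00 UTC).
# One flow per line: <epoch> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <bytes>
SAMPLE_EXPORT = """\
# 192.0.2.10 is a PC relaying the live feed to eight peers (50,000 bytes each)
1232470800 UDP 192.0.2.10:8247 198.51.100.11:8247 50000
1232470801 UDP 192.0.2.10:8247 198.51.100.12:8247 50000
1232470802 UDP 192.0.2.10:8247 198.51.100.13:8247 50000
1232470803 UDP 192.0.2.10:8247 198.51.100.14:8247 50000
1232470804 UDP 192.0.2.10:8247 198.51.100.15:8247 50000
1232470805 UDP 192.0.2.10:8247 198.51.100.16:8247 50000
1232470806 UDP 192.0.2.10:8247 198.51.100.17:8247 50000
1232470807 UDP 192.0.2.10:8247 198.51.100.18:8247 50000
# ...and receiving the feed from three peers (the fan-in that looked like an attack)
1232470800 UDP 203.0.113.5:8247 192.0.2.10:8247 200000
1232470803 UDP 203.0.113.6:8247 192.0.2.10:8247 200000
1232470806 UDP 203.0.113.7:8247 192.0.2.10:8247 200000
# 192.0.2.20 is an ordinary HTTPS session; 192.0.2.30 does DNS lookups
1232470801 TCP 192.0.2.20:50123 198.51.100.200:443 2000
1232470802 TCP 198.51.100.200:443 192.0.2.20:50123 150000
1232470805 UDP 192.0.2.30:53333 198.51.100.53:53 100
1232470809 UDP 198.51.100.53:53 192.0.2.30:53333 100
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_export(text: str) -> list[Flow]:
    """Parse the constructed export format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), proto.upper(), sip, int(sport), dip, int(dport), int(nbytes)))
    return flows


def per_host_port_stats(flows, port=OCTOSHAPE_PORT, proto="UDP", local_prefix=LOCAL_PREFIX):
    """Per inside host: upstream/downstream Kbps on proto/port and count of distinct outside peers."""
    up, down, peers = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto != proto or port not in (f.sport, f.dport):
            continue
        if f.src.startswith(local_prefix) and not f.dst.startswith(local_prefix):
            up[f.src] += f.nbytes
            peers[f.src].add(f.dst)
        elif f.dst.startswith(local_prefix) and not f.src.startswith(local_prefix):
            down[f.dst] += f.nbytes
            peers[f.dst].add(f.src)
    window_s = max(f.ts for f in flows) - min(f.ts for f in flows) + 1  # seconds covered by the export
    return {
        h: {"up_kbps": up[h] * 8 / (window_s * 1000),
            "down_kbps": down[h] * 8 / (window_s * 1000),
            "peers": len(peers[h])}
        for h in set(up) | set(down)
    }


def flag_relays(stats, min_up_kbps=200.0, min_peers=5):
    """A consumer PC pushing hundreds of Kbps to many distinct peers on one UDP port is relaying, not browsing."""
    return sorted(h for h, s in stats.items() if s["up_kbps"] >= min_up_kbps and s["peers"] >= min_peers)


def port_spike_ratio(flows, baseline_flows_per_window, port=OCTOSHAPE_PORT, proto="UDP"):
    """How many times the window's flow count on proto/port exceeds the usual count for a window that long."""
    seen = sum(1 for f in flows if f.proto == proto and port in (f.sport, f.dport))
    return seen / baseline_flows_per_window if baseline_flows_per_window else float("inf")


if __name__ == "__main__":
    flows = parse_export(SAMPLE_EXPORT)
    stats = per_host_port_stats(flows)
    for host, s in sorted(stats.items()):
        print(f"{host}: up {s['up_kbps']:.0f} Kbps, down {s['down_kbps']:.0f} Kbps, {s['peers']} peers on UDP/{OCTOSHAPE_PORT}")
    print("relay-like hosts:", flag_relays(stats))
    # Assumed baseline: one UDP/8247 flow per 2,000 seconds, i.e. 0.005 per 10-second window.
    print(f"UDP/{OCTOSHAPE_PORT} is {port_spike_ratio(flows, 0.005):.0f}x its baseline")
```

The thresholds are deliberately coarse: a relay PC in the sample pushes 320 Kbps to eleven distinct peers, which no browser or VoIP session does on a single UDP port, while the HTTPS and DNS hosts never enter the port statistics at all. In practice the baseline should come from the same sensor on a quiet day, and the alert should carry the peer list so an analyst can tell a legitimate CDN relay from something hiding behind the same port.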
In a telephone interview, Mike Wise, group technical advisor for platform R&D at Turner Broadcasting System, the parent of CNN, confirmed Octoshape’s P2P nature.
Wise emphasized that the news network had selected the most considerate software for the job: “The Octoshape technology uses a congestion control mechanism that’s less aggressive than TCP and most UDP implementations.” As one example of the way Octoshape gives priority to user tasks, he explained, “we chose an implementation that wouldn’t interfere with consumers’ VoIP [Voice over Internet Protocol] applications.”
Octoshape is a European company, and its technology was initially used on the Continent to stream live feeds of such high-profile events as the Eurovision Song Contest and the UEFA Cup. “We’re their first big United States customer, at least that I know of,” says Wise.
“We did some limited trials leading up to the election” on Nov. 4, as Wise describes it. The big test came with the Jan. 20 inaugural address. More than 26 million live feeds (including restarts of crashed streams) were served that day by CNN.com, according to a Jan. 25 article and chart in the New York Times. CNN’s nearest rivals served “only” 9.1 million (MSNBC) and 8 million (AP).
To my surprise, I’ve seen only a few blogs comment on the implications of CNN using so much upstream bandwidth — and almost no headlines in the mainstream U.S. media.
Most Internet service providers support far less bandwidth in the upstream direction (from a PC to the Internet) than they do downstream (from the Internet to a PC). But that isn’t the only concern with CNN’s use of people’s Internet connections:
- Deceptive marketing. Octoshape’s dialog box warns that playing a live video “requires” installing new software. Yet if you click “no” to Octoshape, you can play the feed using the streaming video capability built into Windows Media Player or Adobe’s Flash Player, although possibly with less fidelity. Small links to choose one of the two standard formats appear in the bottom-right corner of the playback window.
The Octoshape EULA doesn’t become available until after the user is required to select “yes” or “no” to install the app. But even if the EULA appeared before the buttons, burying in legalese the commandeering of a person’s PC isn’t my idea of “informed consent.” Only a clear explanation of the repurposing of a PC’s bandwidth — in on-screen text, readable without scrolling — is an adequate way to inform users of such a technique.
- Cost-shifting to ISPs. CNN’s use of Octoshape might make live feeds look somewhat smoother to end users, but the primary benefit is a reduction in cost to the cable news network.
The TorrentFreak blog cites an unnamed insider as saying 30% of CNN’s live feed traffic was served from individual PCs and not the network’s own servers. That saves CNN big time on bandwidth. But the cost doesn’t just disappear — it’s shifted to ISPs.
Brett Glass, the owner of Lariat.net, a small ISP in Laramie, Wyoming, testified before the FCC last year on cost-shifting. Bandwidth, he explains, can cost hundreds of dollars per Mbps per month to providers in rural areas like his. “CNN is setting up a server on the ISP’s network without permission or compensation,” he told me in an interview. “CNN’s not a charity, in fact it’s doing a lot better than some ISPs.”
- Costs to end users. Many ISPs around the world cap how much data users can transfer each month and charge by the megabyte for any traffic above that cap. Users who installed Octoshape’s app and served traffic upstream as well as down may get an unpleasant surprise in their next monthly bill. Octoshape anticipated this in the company’s EULA by saying, “You are responsible for any telecommunication or other connectivity charges incurred through the use of the Software.”
In addition, ISP terms of service usually prohibit customers from using their Internet connection to host a server. The FCC ruled last year against Comcast, a major U.S. ISP, on peer-to-peer restrictions, as explained in an Ars Technica article. But other legal issues on home-grown servers remain unsettled.
(In an interview, Comcast spokeswoman Jenny Moyer declined to address CNN’s use of Octoshape, saying, “I don’t think it’s anything we’re going to be able to comment on at this time.”)
- Ludicrous license terms. Anyone who reads Octoshape’s EULA after clicking “yes” to install the app finds that they’ve agreed to some hilarious prohibitions:
“You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you are not allowed to use or distribute such information.”
- Company policies on outbound traffic. No one has suggested that Octoshape is doing anything other than relaying live video streams to other PCs. In a blog comment, Johan Ryman, Octoshape manager of strategic partnership and sales, assures users that the app is well-behaved and stops consuming upstream bandwidth within five seconds of a live stream being closed.
Many companies, however, have policies against sending data outside their LAN. How many CIOs will be comfortable with an app that sends unknown information to random PCs?
- Use of Flash’s install mechanism. Octoshape is the only outside company that’s allowed to download software using the Adobe Flash Player’s so-called Express Install feature, according to a Flash Magazine technical analysis. Express Install is used by Adobe to push updates and other software, such as Acrobat Connect and the Adobe AIR runtime.
IT admins who’d like to turn off the installation of Octoshape within their companies could disable Flash’s update mechanism, as explained in Adobe TechNote 16701594. But doing so would disable all auto-updates from Adobe, not just Octoshape.
- Security vulnerabilities. The Octoshape app is supported by an established company and is not any kind of virus or worm. However, most programs have bugs, and Octoshape specifically communicates with its own servers and other PCs in ways that are not apparent to end users.
Any Web site you visit that is “Octoshape aware” can invoke the application. If a security vulnerability is discovered in the Octoshape software, attackers could exploit the weakness on every PC that installed it.
Media players expose PC users to serious security flaws more often than Windows itself does, as WS associate editor Scott Dunn reported on Aug. 16, 2007. For instance, several new vulnerabilities were discovered in Flash Player version 9 in 2008 alone, including one rated “highly critical,” according to advisories by the security firm Secunia.
In a follow-up article on Sept. 6, 2007, Scott reported that Flash Player 9 was found to be unpatched in 62% of the Windows PCs that participated in a test. End users can correct these holes by patching the player or upgrading to version 10, but too few do so.
- Corporate revolving doors. It’s remarkable to see how a small company in Denmark has managed to gain exclusive contracts with Adobe and CNN. I’m all for innovative software firms selling cutting-edge technology.
At the same time, I wonder how these relationships came into being. Last month, Octoshape hired as its new U.S. CEO Scott Brown, previously a vice president of Turner Broadcasting, according to the Business of Video blog. Sounds like the connection between CNN and Octoshape is getting stronger all the time.
But if all TV programs are going to be streamed live by media giants, as I’m sure will eventually happen, the question is what impact this will have on Internet bandwidth — and who will pay for it.
I’d like to see the computer industry start a well-publicized discussion in the major news media about this. If we’re going to stream TV across the Internet, shouldn’t we select an open standard (the TorrentFreak blog likes P2P-Next), rather than proprietary technology that’s restricted to a few parties with patents?
What to do if you have Octoshape on your PC
As I mentioned earlier, the Octoshape app isn’t currently a threat. But I personally would rather put up with a slightly jerky video than run an application on my PC that’s sending God-knows-what to who-knows-whom.
Fortunately, the Octoshape program isn’t hard to find or remove:
- Step 1. To find out whether the Octoshape app is running, you can use Windows’ built-in Task Manager. (Right-click a blank space on the Task Bar, and then click Task Manager.)
As Susan Bradley shows in a blog post, when you’re viewing a live stream from CNN.com, you’ll see on Task Manager’s Processes tab an entry named octoshape.exe. (In the illustration on her blog, the octoshape.exe instances are shown to be consuming 63MB of RAM, but a lot of this memory may be taken up by the Flash Player itself.)
- Step 2. To remove Octoshape’s app, you can use the Control Panel in either Windows XP or Vista. In XP, the applet is called Add or Remove Programs. In Vista, it’s Programs and Features. The “Octoshape add-in for Adobe Flash Player” is the name of the program to uninstall.
Strangely, there isn’t an uninstaller for the Mac version of the app. You have to manually delete the Octoshape folder.
These removal procedures are explained in detail at the bottom of the Octoshape Grid Delivery FAQ.
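Task Manager shows that octoshape.exe is running but not what it is doing on the network. The script below is an added example, not code from the article or from Octoshape: it correlates the output of two standard Windows commands, `tasklist /fo csv` and `netstat -ano -p udp`, to list each octoshape.exe process, its memory use and the UDP ports it has bound, which is the check to run before (and after) the uninstall. The command output embedded here is constructed to match the real formats of those tools; the PID, memory figure and port numbers are assumptions for the example, apart from port 8247 from the Internet Storm Center report.

```python
"""Correlate tasklist and netstat output to show what octoshape.exe is bound to.

Added example. SAMPLE_TASKLIST and SAMPLE_NETSTAT are constructed to mimic the
output of `tasklist /fo csv` and `netstat -ano -p udp` on Windows XP/Vista;
the PIDs, memory figures and ports (except 8247) are made up for illustration.
"""
import csv
import io

# Constructed `tasklist /fo csv` output.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1488","Console","1","31,208 K"
"firefox.exe","1960","Console","1","148,556 K"
"octoshape.exe","2184","Console","1","63,412 K"
"""

# Constructed `netstat -ano -p udp` output (UDP rows have no State column).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    1104
  UDP    0.0.0.0:8247           *:*                                    2184
  UDP    127.0.0.1:1900         *:*                                    1320
  UDP    192.0.2.10:52111       *:*                                    2184
"""


def parse_tasklist_csv(text):
    """Return {pid: (image_name, mem_kb)} from `tasklist /fo csv` output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        mem_kb = int(row["Mem Usage"].replace(" K", "").replace(",", ""))
        procs[int(row["PID"])] = (row["Image Name"].lower(), mem_kb)
    return procs


def parse_netstat_udp(text):
    """Return [(local_ip, local_port, pid)] for the UDP rows of `netstat -ano` output."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "UDP":   # header, blank lines and TCP rows are skipped
            continue
        ip, port = parts[1].rsplit(":", 1)
        sockets.append((ip, int(port), int(parts[3])))
    return sockets


def image_sockets(tasklist_text, netstat_text, image="octoshape.exe"):
    """For every process named `image`, list its PID, memory in KB and bound UDP ports."""
    procs = parse_tasklist_csv(tasklist_text)
    sockets = parse_netstat_udp(netstat_text)
    result = []
    for pid, (name, mem_kb) in sorted(procs.items()):
        if name != image.lower():
            continue
        ports = sorted(port for _ip, port, owner in sockets if owner == pid)
        result.append({"pid": pid, "mem_kb": mem_kb, "udp_ports": ports})
    return result


def is_running(tasklist_text, image="octoshape.exe"):
    """True if at least one process with that image name is listed."""
    return any(name == image.lower() for name, _ in parse_tasklist_csv(tasklist_text).values())


if __name__ == "__main__":
    for proc in image_sockets(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(f"octoshape.exe PID {proc['pid']}: {proc['mem_kb']} KB, UDP ports {proc['udp_ports']}")
    print("still running:", is_running(SAMPLE_TASKLIST))
```

On a real machine, save the two command outputs to files (`tasklist /fo csv > tasks.csv` and `netstat -ano -p udp > udp.txt`) and feed their contents to `image_sockets`. An empty list after the uninstall, with no listener left on UDP 8247, is the confirmation that the Control Panel step actually removed the running component and not just the Flash add-in entry.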
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.