neverblog.net

The temporary flaw in ESPN360.com’s security, which was fixed on Monday night, might have temporarily dissuaded some from the notion that they could watch their beloved teams compete in the World Cup online. Thankfully, a company in China has a much better notion: P2P TV channel streaming.

TVUNetworks, based in Shanghai, has a beta download of their TVUPlayer available on their website, www.tvunetworks.com. The player works in a simple, yet ingenious way. Utilizing concept similar to that employed in peer-to-peer downloading software such as Kazaa, TVUPlayer streams the TV channel to you from another user who is running the software, and in turn utilizes your extra available bandwidth to serve the video stream to others. The result: no matter how many people connect, the video plays smoothly, with little to no lag. Quality’s not the greatest, but it’s free, and you’re probably at work, so it beats the hell out of nothing at all. To give an idea of how effective this is, consider that the download of the software (from TVUNetworks‘ servers) is currently proceeding at a mere 8-9kBps on most people’s computers, probably as a result of high demand from World Cup viewers. The streams, however, run great, and often actually improve in quality as the number of viewers increases.

TVU is currently trying to secure contracts with TV channels to broadcast through the TVUPlayer, but until then, bless their hearts, they’re just offering a bunch of streams for free. In addition to the ESPN and ESPN2 available, there’s CNN and some other (often international) channels. Kind of makes ESPN 360 obsolete…

In a move that seems to have occurred rather coincidentally to my recent post about a security flaw on espn360.com, which was also reported on Armenian Eagle’s blog, ESPN just debuted a new Flash-based player. Took about 12 hours, but the new player seems to lock out us ‘bad eggs’ a little better than the last one. Here’s some interesting text from ESPN’s site:

I have the ESPN360 application already installed. Can I still use it towatch videos?
You are one of the lucky users of ESPN. Although your ESPN360 application has been disabled, you can continue to enjoy ESPN360 content and more using the newvideo player. To improve performance and usability the installed version of 360will no longer be used. Once your subscriber clicks on the prompt the downloadableapplication will automatically be removed from their desktop and replaced witha shortcut taking them to the new web-based player.

Heh. Heh. Lucky users…

There’s also news about a 30-day free period for everyone starting on June 26th. That’s after the US plays Ghana in the World Cup June 26th, but what the hell. I can’t believe they also disabled the app–there’s nothing wrong with its security checking anyways. Well, it was a fun afternoon of grainy soccer. Unless I’m wrong, and I’m just seeing this because I’m now at home on my cable modem. Hmmmmm…

UPDATE: And…..their security still sucks. Just try the same link, http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=affiliate, but make sure to block popups and refresh a couple of times if you don’t get in at first.

A colleague and I recently discovered a massive security flaw in ESPN360.com’s browser checking functions. According to the website, you must have a particular cable provider, such as Adelphia, in order to use ESPN360. However, the page only uses a simple variable, affiliate, to determine whether or not your ISP is one that contracts with ESPN. This is easily visible via the source code, which shows a link of the following if you do not have the proper ISP: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=nonaffiliate

Now, anyone with a modicum of web programming experience will immediately plug the following into a browser: http://static.espn.go.com/broadband/ebb2/360SiteRedesignStaging/index9.html?affiliate=affiliate

Note here how we’ve changed the status from ‘nonaffiliate’ to ‘affiliate.’ This shouldn’t work. It couldn’t possibly work. But it does. That’s it. The entire check is a simple variable that you can pass through the URL.

I would like to point out that I do not advocate using this to receive a free service to which you are not entitled. I myself have a cable provider included on the list, but the ISP I use is separate and provided by work, meaning that it shows up as ‘nonaffiliate.’ As a subscriber to that cable provider (and their internet service at home), I am entitled to download the software there anyway. Finally, I have reported this flaw to ESPN360.com in order to allow them to fix it.

RE-Update: As of Wednesday, we found out that simply holding the ‘ctrl’ key while loading the link above avoids any and all of the security protections. Happy free online sports viewing (esp. the World Cup, boys and girls! Out-of-date-update: As of Monday night, ESPN updated their ESPN360.com page to run with Flash. I wrote an open letter to ESPN protesting the fact that I have to convince my ISP to buy something from ESPN. Read it and sign the petition here.
espn 360

On the interminably long ride from Manchvegas International to the humble hamlet of Sanbornton, NH this evening, I couldn’t help thinking about the horrid dichotomy that is airline travel….on one hand, my flight from Philly to Manchester takes 50 minutes, or 6+ hours less than the trip takes in a car–on the other hand, it took me 5 hours to get from my house to the place I was staying in PA, a savings of a mere 2 hours. Looking back, the stinking train ride took a full hour to transport me a whole 10 miles, the drive home was another hour (45 miles), and the security line comes in dead last (a full 15 minutes for 20 feet). The 50 minutes in the air? 350 miles, and they bring you drinks. What a marvelous technology, rendered almost useless by the inadequacies of American public transit and the paranoia of its citizens. I know people will think I’m crazy, but I’m starting to think I feel safest when buckled into the hurtling metal can. At least then there’s someone at the controls that’s competent.