Hi everyone, your help and opinions are appreciated in advance.
I am using Moodle to publish SWF files made with Articulate Engage. The users are paying to see this content. However, once they log in and enter the resource, a thief would only have to view the page source code to see that the file is located in a place like this:
http://www.mywebsite.com/protected/content/3883773/engage.swf
Once in possession of this information, the thief only has to collect the URLs for each presentation and paste them in a browser's navigation bar in order to get direct access without logging in.
I have read this topic about placing moodle_data directory outside the public_folder, but it's not clear to me how this can be achieved or how this can prevent a thief from getting the content's URL.
I know that if people can see the content on their browsers, they can get it through several methods, and that absolute protection is impossible. Articulate Engange SWF files do not contain the whole presentation, but rather use files from non-public accesible folders. I only want to make it even harder for illegitimate users.
My questions are:
1) Is there a way for Moodle to mask or hide the content's URL in any way , while displaying the content at the same time?
Or,
2) Is there a way for me to set up my server and/or Moodle so the SWF file can only be accesed from within a Moodle session?
Or,
3) Can a SWF file be modified in way that the flash player checks where the SWF is being invoked from?
Thanks!
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Chris Surridge -
Hello humberto
You may wish to try Matt Bury's excellent SWF Activity Module. It will allow you to upload swf files as activities. These files are uploaded into the course's moodledata directory. If your moodledata directory is outside of the root directory, the files within will not be available to users who try to access them directly via standard URL.
Good luck.
You may wish to try Matt Bury's excellent SWF Activity Module. It will allow you to upload swf files as activities. These files are uploaded into the course's moodledata directory. If your moodledata directory is outside of the root directory, the files within will not be available to users who try to access them directly via standard URL.
Good luck.
In reply to Chris Surridge
Re: Flash module add-on: Making it even harder for content stealers
by Matt Bury -
Thanks for the plug Chris! 
Humberto,
Your question is a common one and there are a number of solutions:
#1: Use a separate bucket server, e.g. Amazon Web Services S3, which allows precise user access controls for single or groups of files. Sites such as YouTube, Flickr, Photobucket, etc. use bucket servers in this way and there are a lot of PHP applications that already exist, plenty of documentation and some really good APIs available. This is probably the most secure method.
#2: As Chris said, put the files outside the public directory on your server. Moodle has a proxy script, moodle/file.php, which already handles user access and permissions for you. So your URLs would look something like: http://yoursite.com/2/content/3883773/engage.swf If anyone who isn't logged on to that particular course, i.e. courseid = 2, attempts to access that URL, Moodle will not permit it. You can test this by opening your SWF file in a new window in your browser and then logging on/off and refreshing the page with the SWF file on. This is pretty secure and it's by far the easiest one to implement in Moodle.
#3: Another method is to password protect the SWF files themselves. Your learning management system would use a session to authenticate any user attempting to access the SWF. However, if you're not a Flash developer or you're using authoring software that doesn't allow scripting, then it's probably out of the question. This method is probably the least secure because anyone can download the SWF, decompile it, change the code, recompile it and run it anywhere they like. Flash developers often use decompilers to have a look at other developers' code. As long as they don't make direct copies and call it their own, i.e. plagiarise it, it's considered by most as acceptable practice.
I'm not sure if the SWF Activity Module would be suitable for deploying Articulate Engage learning interactions. This is certainly true for Adobe Captivate that it requires that all the SWF files published for a learning interaction are in the same directory as the web page they're embedded in, which in this case would be moodle/mod/swf/view.php, in the public domain. It's better to upload the entire published directory to the course moodledata directory and link to the published web page as a resource. Learning interactions deployed in this way would also be quite secure.
I hope this makes things clearer for you.
BTW, I'm thinking about modifying the SWF Activity Module to look for SWF Files in a /mod/swf/swfs/ directory by default so that all courses can share SWF applications making them much easier to update. I'd also include the option to look for SWFs with the file picker in the moodledata course directories.
Humberto,
Your question is a common one and there are a number of solutions:
#1: Use a separate bucket server, e.g. Amazon Web Services S3, which allows precise user access controls for single or groups of files. Sites such as YouTube, Flickr, Photobucket, etc. use bucket servers in this way and there are a lot of PHP applications that already exist, plenty of documentation and some really good APIs available. This is probably the most secure method.
#2: As Chris said, put the files outside the public directory on your server. Moodle has a proxy script, moodle/file.php, which already handles user access and permissions for you. So your URLs would look something like: http://yoursite.com/2/content/3883773/engage.swf If anyone who isn't logged on to that particular course, i.e. courseid = 2, attempts to access that URL, Moodle will not permit it. You can test this by opening your SWF file in a new window in your browser and then logging on/off and refreshing the page with the SWF file on. This is pretty secure and it's by far the easiest one to implement in Moodle.
#3: Another method is to password protect the SWF files themselves. Your learning management system would use a session to authenticate any user attempting to access the SWF. However, if you're not a Flash developer or you're using authoring software that doesn't allow scripting, then it's probably out of the question. This method is probably the least secure because anyone can download the SWF, decompile it, change the code, recompile it and run it anywhere they like. Flash developers often use decompilers to have a look at other developers' code. As long as they don't make direct copies and call it their own, i.e. plagiarise it, it's considered by most as acceptable practice.
I'm not sure if the SWF Activity Module would be suitable for deploying Articulate Engage learning interactions. This is certainly true for Adobe Captivate that it requires that all the SWF files published for a learning interaction are in the same directory as the web page they're embedded in, which in this case would be moodle/mod/swf/view.php, in the public domain. It's better to upload the entire published directory to the course moodledata directory and link to the published web page as a resource. Learning interactions deployed in this way would also be quite secure.
I hope this makes things clearer for you.
BTW, I'm thinking about modifying the SWF Activity Module to look for SWF Files in a /mod/swf/swfs/ directory by default so that all courses can share SWF applications making them much easier to update. I'd also include the option to look for SWFs with the file picker in the moodledata course directories.
In reply to Matt Bury
Re: Flash module add-on: Making it even harder for content stealers
by Bob H. -
Thank you Chris and Matt!
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Chris Surridge -
My apologies humberto. I believe I may have misrepresented the SWF module. As Matt points out, it may not "be suitable for deploying Articulate Engage learning interactions."
It looks likely that you'll need to explore one or two of Matt's other solutions to get the desired result.
In a related note, I have used Matt's FLV Player Activity Module to embed course video I wished to provide on a conditional basis. Combined with Activity Locking, I am able to control when a student accesses the video without having to worry about students navigating into the directory where the videos reside and 'looking ahead.'
This is not an effort to thwart unauthorized copying of content, but a simple conditional situation that allows students access once they have earned it. The FLV Player allows me to upload and store embedded learning media in the course's moodledata directory, which will also be quite handy when it comes time to zip up the course and share it with others.
Although I understand your wish to protect commercial content (business is business), I have found that the best way to prevent people from stealing my content is to give it away! You get what you pay for, though. 
It looks likely that you'll need to explore one or two of Matt's other solutions to get the desired result.
In a related note, I have used Matt's FLV Player Activity Module to embed course video I wished to provide on a conditional basis. Combined with Activity Locking, I am able to control when a student accesses the video without having to worry about students navigating into the directory where the videos reside and 'looking ahead.'
This is not an effort to thwart unauthorized copying of content, but a simple conditional situation that allows students access once they have earned it. The FLV Player allows me to upload and store embedded learning media in the course's moodledata directory, which will also be quite handy when it comes time to zip up the course and share it with others.
Although I understand your wish to protect commercial content (business is business), I have found that the best way to prevent people from stealing my content is to give it away!
In reply to Chris Surridge
Re: Flash module add-on: Making it even harder for content stealers
by Mauricio Wandeck -
Hello Matt Bury,
I am a Mechanical Engineering Teacher from Brazil. I have build an e-learning course with Powerpoint + Articulate Presenter + Quiz Maker and hosted it in a Moodle LMS. I would like to know if it possible to use the SWFActivityModule to protect the swf files generated by the Articulate Presenter?
Best Regards,
M.Wandeck
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Howard Miller -
I have to say that is troubles me every time I see the word 'thief' in this context. I don't think it is particularly helpful. Moodle was never designed to lock down content - it's designed to let people have access to it.
I get to say this a lot but if your content actually has some value then people will take it and use it - it's the same issue as sharing music. If it has no value (like a song no one likes) then they won't. All you are doing is inconveniencing your legitimate users.
Surely the main benefit of taking part in a paid for course (and there's nothing wrong with that) should not come merely from the possession of the materials?
I get to say this a lot but if your content actually has some value then people will take it and use it - it's the same issue as sharing music. If it has no value (like a song no one likes) then they won't. All you are doing is inconveniencing your legitimate users.
Surely the main benefit of taking part in a paid for course (and there's nothing wrong with that) should not come merely from the possession of the materials?
In reply to Howard Miller
Re: Flash module add-on: Making it even harder for content stealers
by Matt Bury -
Hi Umberto,
This might help interpret the error codes you're getting: http://en.wikipedia.org/wiki/HTTP_403
I'd check the permissions settings on the directories and files that you're trying to access on the server. Most FTP programs have this function built in as well as cPanel.
Again, if the Flash learning interaction that you want to deploy contains more than one file, it most probably won't work in the SWF Activity Module. If this is the case you'll get either a blank or an incomplete application in Flash Player window, not a server error code.
This might help interpret the error codes you're getting: http://en.wikipedia.org/wiki/HTTP_403
I'd check the permissions settings on the directories and files that you're trying to access on the server. Most FTP programs have this function built in as well as cPanel.
Again, if the Flash learning interaction that you want to deploy contains more than one file, it most probably won't work in the SWF Activity Module. If this is the case you'll get either a blank or an incomplete application in Flash Player window, not a server error code.
In reply to Matt Bury
Re: Flash module add-on: Making it even harder for content stealers
by Bob H. -
Thank you again Matt and Chris,
As Matt points out, the SWF module doesn't seem to handle SWFs that depend on files outside the SWF file itself. However, when you create a new resource and select "link a file", then the SWF will be displayed no matter it is a single file or a file that depends on external files. The inconvenience of doing this, is that you can't adjust the presentation details right into the Moodle interface; you must link to an html file containing the code for displaying the presentation. Fortunately, Engage produces this html file every time you export the presentation to web format.
Since my presentations are mostly videos, I am already trying Matt's FLV player which works just great.
I have an idea to further discourage content stealers: Why not develop a plugin for applying a watermark on top of the presentation or video? This watermark would be the user's ID or whatever information required to identify the person that watched the presentation. In this way, if the content stealer decides to use a screen recording application then he/she will know that the re-distribution of the recording will have his/her identity on it.
Thanks a lot, you saved my day.
As Matt points out, the SWF module doesn't seem to handle SWFs that depend on files outside the SWF file itself. However, when you create a new resource and select "link a file", then the SWF will be displayed no matter it is a single file or a file that depends on external files. The inconvenience of doing this, is that you can't adjust the presentation details right into the Moodle interface; you must link to an html file containing the code for displaying the presentation. Fortunately, Engage produces this html file every time you export the presentation to web format.
Since my presentations are mostly videos, I am already trying Matt's FLV player which works just great.
I have an idea to further discourage content stealers: Why not develop a plugin for applying a watermark on top of the presentation or video? This watermark would be the user's ID or whatever information required to identify the person that watched the presentation. In this way, if the content stealer decides to use a screen recording application then he/she will know that the re-distribution of the recording will have his/her identity on it.
Thanks a lot, you saved my day.
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Howard Miller -
At the risk of going on about - who cares if the video has a watermark?
If it's visible it will annoy people - all of them. If it isn't then you might as well not have bothered. By the way it's not stealing, it's copyright infringement (and probably not even that).
Give it away - you'll feel better
If it's visible it will annoy people - all of them. If it isn't then you might as well not have bothered. By the way it's not stealing, it's copyright infringement (and probably not even that).
Give it away - you'll feel better
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Matt Bury -
Umberto,
You can already add a watermark to videos using the FLV Player module. It uses the very popular JW FLV Player from http://longtailvideo.com which now includes a JW watermark. You can also upload either a transparent PNG/GIF file with a watermark on it or even an animated SWF file. Check out this: http://matbury.com/moodle/mod/flv/view.php?id=445 (login as a guest).
It also supports closed captioning so you could dynamically create the XML captions file with user data on it and set the JW Player to load it by default.
Of course, if a user has one of the many Firefox video download plugins installed, it'd be pretty difficult to prevent them from downloading the unmarked video stream. There's also lots of 3rd party applications that'll rip almost any stream from any site - they work very well even against some of the best DRM and anti-leeching controls. Let's face it. If you don't want it copied, then don't put it on the Internet!
Good luck!
You can already add a watermark to videos using the FLV Player module. It uses the very popular JW FLV Player from http://longtailvideo.com which now includes a JW watermark. You can also upload either a transparent PNG/GIF file with a watermark on it or even an animated SWF file. Check out this: http://matbury.com/moodle/mod/flv/view.php?id=445 (login as a guest).
It also supports closed captioning so you could dynamically create the XML captions file with user data on it and set the JW Player to load it by default.
Of course, if a user has one of the many Firefox video download plugins installed, it'd be pretty difficult to prevent them from downloading the unmarked video stream. There's also lots of 3rd party applications that'll rip almost any stream from any site - they work very well even against some of the best DRM and anti-leeching controls. Let's face it. If you don't want it copied, then don't put it on the Internet!
Good luck!
In reply to Matt Bury
Re: Flash module add-on: Making it even harder for content stealers
by Ygor Bittencourt -
greetings,
Do you have an idea on how to insert a watermark with username on top of the video player? I need this help.
Tks.
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Matt Bury -
Okay, this is a little late, but better late than never...
Re: "the SWF module doesn't seem to handle SWFs that depend on files outside the SWF file itself"
This isn't strictly true. The SWF Activity Module is specifically designed to load ALL of its learning content from moodledata course files directories including other SWF files, images, audio, video,text and XML. In fact, any media type supported by Flash Player. Although, you can deploy single SWFs with all the learning content stored internally.
The problem with SWFs created in authorware packages like Articulate and Adobe Captivate 3 and earlier is that they hard-code the URLs in and, AFAIK, it's impossible to change them so all the published SWFs have to be in the same directory as the web page they're embedded in.
Adobe Captivate 4 now publishes to single SWFs wherever possible and so can be used with the SWF Activity Module.
You can deploy authorware packages as a resource if you upload the entire published directory to a moodledata course files directory and link to the HTML page where the main SWF (loader) file is embedded. It won't, of course, report grades to the grade book like this.
I hope this clarifies things a bit!
Re: "the SWF module doesn't seem to handle SWFs that depend on files outside the SWF file itself"
This isn't strictly true. The SWF Activity Module is specifically designed to load ALL of its learning content from moodledata course files directories including other SWF files, images, audio, video,text and XML. In fact, any media type supported by Flash Player. Although, you can deploy single SWFs with all the learning content stored internally.
The problem with SWFs created in authorware packages like Articulate and Adobe Captivate 3 and earlier is that they hard-code the URLs in and, AFAIK, it's impossible to change them so all the published SWFs have to be in the same directory as the web page they're embedded in.
Adobe Captivate 4 now publishes to single SWFs wherever possible and so can be used with the SWF Activity Module.
You can deploy authorware packages as a resource if you upload the entire published directory to a moodledata course files directory and link to the HTML page where the main SWF (loader) file is embedded. It won't, of course, report grades to the grade book like this.
I hope this clarifies things a bit!
Alternately, you can place the swf file itself in an off-moodle directory and password protect that directory so that it can only be accessed by those who have purchased the pw.
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Howard Miller -
I just re-read this and it's not even true. If you host the files in the course files area then they are 'Protected' (I use the word with due caution) by files.php. The url cited is wrong.
file.php requires that you are logged in to access the content.
file.php requires that you are logged in to access the content.
In reply to Bob H.
Re: Flash module add-on: Making it even harder for content stealers
by Leslie Anifow -
No matter where or how you host your SWF files, once users load them up, it's on their machines and from there a sophisticated user (i.e. content thieves) can easily share it with others or even load it onto their own server and compete with you!
Another possible step would be to encrypt your SWF files, which would prevent others from being able to break your content apart and using the different pieces. But if you really want to protect your content, you will need to hire a security expert to do it for you.
What am I doing wrong with the SWF module?