The Hacker Mind Podcast: The Hunt for Ghost #1

Robert Vamosi
October 20, 2021

Ghost #1 was a digital film server that should have stayed blacklisted but due to a unique software flaw it continued to produce pirated films.

Patrick Von Sychowski from the Celluloid Junkie joins the Hacker Mind podcast to discuss his SecTor 2021 talk on Ghost #1, explaining how the transition from 35mm to digital in theaters, together with the unique third iteration of cinema in China, allowed this digital projector to evade anti-piracy safeguards for nearly three years. He credits one engineer at the Chinese propaganda department for helping solve a mystery that resulted in the largest film piracy takedown operation of all time, anywhere in the world.

Vamosi: After a pause for the worldwide pandemic, the motion picture industry is rapidly gearing up for a dramatic close in 2020. Between now and the end of the year, theaters in North America and Europe will be premiering much anticipated, and often delayed, releases of, say, the new James Bond film, the much anticipated epic Dune, and Spider-Man: No Way Home. There is of course a lot of security around these digital releases. For example, there are watermarks, digital certificates, and even keys that decode the encrypted copies of the films in specific theaters for specific periods of time. Yet, somewhere in China, one digital production server slipped through the cracks and, for a period of about three years, allowed pirates to make pristine copies of first-run digital feature films.

[sounds of Chinese New Year]

This ghost server was actually notable during the Chinese New Year in 2019, when three of the largest films in Chinese cinema that year were set to premiere. However, one of the most anticipated films was spread online for free, which quickly resulted in a loss of box office receipts. This loss, among others, caused law enforcement in China to spin up a massive joint law enforcement operation, given the codename of "2.15," after February 15, the Chinese New Year holiday that year. Over the next 90 days, this 2.15 Taskforce, headed by the Ministry of Public Security, would uncover a sophisticated and shadowy network of private cinemas located throughout China, and would result in one of the largest pirate film takedowns in history.


Vamosi: Welcome to The Hacker Mind, an original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living. I'm Robert Vamosi, and in this episode I'm telling the story of Ghost #1, a piece of motion picture projection hardware with a digital certificate that simply should not exist, that was responsible for some of the most pristine pirated films in the state. And it's also the story of the Two Horses gang and how they created a shadowy network of private cinemas in China. And finally, we'll discuss why you'll have to go back to the theater, if you want to see that latest installment of James Bond.


Vamosi: In this day and age, piracy of digital motion pictures is not supposed to happen. Hollywood studios spent a decade creating a robust hardware certification process that includes military grade encryption with a complicated set of keys, all to protect the latest blockbuster releases. Technically, getting a perfect digital copy of any first-run feature film off of the digital server should not be possible. And yet we have the story of Ghost #1, and it would not be possible without a journalist who first wrote about it in 2019.

Von Sychowski: I'm Patrick Von Sychowski, the editor of Celluloid Junkie, which is an online business publication about theatrical exhibition and streams, so no movie reviews, gossip, but we talk about the kind of things behind the scenes in the cinema sell technology, business people, that kind of thing.

Vamosi: Patrick was in a great position to understand and explain the story.

Von Sychowski: I was covering the Asian and Chinese cinema market for five years, while based in Singapore. And that's how I came to know the Chinese market very well, including reading things in original language press, not because I know how to speak Mandarin, but through learning how to use Google Translate to my advantage. So I've been daily monitoring Chinese media for cinema news stories as I do in many other languages, Japanese, French, German, you name it. And this story came along and as a journalist, you're praying that at least once in your lifetime, you'll have this great scoop where you'll be the first to report on the big story, and this was that story. I mean, it's amazing to me that it still hasn't been that widely reported in English language, because it is the biggest takedown of a piracy ring in any country at any point in history. I mean, it is truly breathtaking in scope.

Vamosi: Since 2020 China has become the world's largest box office, in terms of ticket sales. This is the first non US country to achieve the status.

Von Sychowski:  So China's cinema market has really, I wouldn't say come out of nowhere, but it has grown exponentially, I mean, there was literally double digit growth for a good decade at its peak, and these were brilliant new multiplex I mean when you saw if you saw the inside of some of them they knock the socks out of what we have here in Europe or North America. They cater to the new rich middle class, and they want IMAX, you know just how much that they want a Gucci handbag. So there's been a parallel growth, obviously in Chinese films but it's harder to ramp up the film industry, especially when you're competing against something like Hollywood that has been perfecting its art for 100 years. So they're very much dependent on foreign films as well, especially Hollywood films but they tried to restrict it so they have an import quota of 36 films that can be shown on a split revenue basis which is standard everywhere else in the world. 

Vamosi: Think about that. Only 36 foreign films, each year in China. That means Hollywood has to compete with every other country in the world for a spot. While limits such as these are true in other countries, you can only imagine the potential losses in global sales if your Hollywood movie doesn't make the cut. For example, Black Widow was not slated to run in China, at least not on the main screen. It's such a big market that some US motion picture studios have been accused of looking the other way on human rights abuses around, say, the Uyghur Muslims in western China, just so that their American films can be secured or released in the lucrative Chinese market. Even so, there remain other legal ways to get your film distributed in China.

Von Sychowski: Apart from that you can do special deals of just paying a lump sum and then you get to show the film however much you like, but yes, so you don't get to show just anything in Chinese cinemas. It is totally controlled by the government, by the censors. Certain topics are off limits, so not just things that could be against the Chinese Communist Party in a bad way. It's funny to know that, for example, they have a big thing of, they don't like films about time travel, and they don't like films about spirituality, afterlife, or ghosts, to the point that even the new Ghostbusters comedy did not get a release in China because it did not, you know, find favor with the authorities there. So, the films, some films, you know, most of the big films from Hollywood do tend to get released, the Avengers and so on, but even something like Marvel's Shang-Chi now has not gotten a release date for various reasons, because it is the world's biggest cinema market in terms of number of screens. As of three years ago, because of the pandemic last year, it became the biggest cinema market by box office, so China's cinema market is a force to be reckoned with. Given the tight control on the Chinese box office, there are legal alternatives to getting that popular motion picture into the Chinese market.

Von Sychowski: Obviously, they have a very varied landscape in terms of the ecosystem. So, the smaller towns even have drive-ins and cinemas there. And let's face it, when there's so much growth and there's so much competition as well, there's a new multiplex coming into even small villages, and that puts the existing cinemas under pressure. And that means that there could be under husband, a lot of fraud, and ways of cinemas just trying to stay alive by not reporting ticket sales by involving in dubious practices such as allowing producers to buy out entire screenings, just so that they can show that their film is number one and it inflates the share price of their production company, it's, it's been a bit of a wild east, Even as the Chinese Communist Party is obviously keen to clamp down on nefarious activities such as that. 

Vamosi: The story of Ghost #1, begins with the release of an American spy movie starring Brad Pitt. It's called Allied.

ALLIED: there's no easy way to say what we're about to say. We suspect your wife is a German spy since saying, You're right, all this will be forgotten. If she is execute her with your own hand. And if you do not comply, you will be

Vamosi: Directed by Robert Zemeckis and written by Steven Knight, Allied, from Paramount Pictures, had a $113 million budget. That meant that the studio spent that much on both making and advertising the film. The film, however, only grossed a paltry 40 million in domestic sales and 119 million worldwide, meaning that it barely broke even with costs, and therefore was considered a flop. Studios set expectations on films based on past performance. So, when they fall short, they start looking for the reason why. And one of those reasons may have been the ready availability of high quality pirated copies of Allied. One pirated copy of extreme high quality was singled out by a Chinese government official.

Von Sychowski: So there was an engineer at the Chinese propaganda department, which sounds scary, but really it's just a media control department, and he was set to quality inspection level and he came across, because he was looking at all these pirated copies that were turning up online, and he found one that was pretty much pristine.

Vamosi: Watermarks in the pirated copy of this film revealed the theater and the projector responsible for the illegal copy.

Von Sychowski: When they found out what the server number was and they went to that cinema, that cinema had closed down a long time ago, that server had vanished, and in theory, in theory it should not be able to play out films because it had been blacklisted.

Vamosi: The blacklisted server was only getting started. In fact, three weeks later, five new pirated films appeared online using the exact same server.

Von Sychowski: Somebody had found a way to effectively bypass the security, the built-in security that was supposed to be, you know, hacker proof, in a way that enabled it to create, you know, perfect HD copies of films without being traceable, and that's when the police and the authorities nicknamed it Ghost #1.

[sound of movie reels]

Vamosi: Motion picture piracy is not new, it's just the quality of the pirated films has gotten much better. And it seems it has something to do with the transition from 35 millimeter to digital, which was supposed to reduce, if not remove, piracy altogether.

Von Sychowski:  And you're right to us this point because this is really the Genesis story so 35 millimeter film, not just for for filming things but for distributing and showing them has been an incredibly persistent standard is no other medium in audio visual history that has lasted as long as 35 millimeter did, and it's universal across the globe, and it's, you know, last for the better part of 100 years 

Vamosi: Until fairly recently, films in theaters were made of celluloid plastic with silver emulsion on one side. Mind you, this was a huge industry: you had the studios themselves, which made the final cut of the negative. And then you had these labs, such as Deluxe and Technicolor, which created thousands of copies of the film on metal reels. These then had to be shipped individually to theaters around the world, and the theaters often had to have people in the projection booth, just to make sure that the film was running, that the bulb didn't burn out, and that the celluloid didn't break as it was hit by a 24 frames per second. So transitioning from this world with all those people to something else, that was pretty scary for the film industry.

Von Sychowski: When the time came to replace it, which was the late, the very late 1990s, and really, there had been testing for a long time, but George Lucas really kicked it off when he said that the first of the new Star Wars films was going to be shown in digital in four locations, and he was going to make future films in digital. No other big filmmaker had ever said, "I'm going to project my film in digital," because nobody thought it was good enough. And so, really, he brought these efforts behind the scenes by a lot of tech companies into the forefront.

Vamosi:  We can argue offline whether the Phantom Menace was a great film or not, but the fact remains, George Lucas was a big enough name in Hollywood, to hold the entire Star Wars franchise hostage and force an entire industry to change the way in which films were distributed on screen.

Von Sychowski:  And then there was about a 10 year period of testing experimentation, making sure that film was being replaced by something, not just as good in terms of the visual quality but something better, Because there's no point just swapping, like for like digital, and the Hollywood studios, spent a tremendous amount of time and effort to get it right.

Vamosi: Theaters run films from a variety of different studios. That means that if one studio is demanding a change to digital, then maybe the other studios need to get involved as well.

Von Sychowski: And what’s interesting is that if you think about it, the Hollywood studios, we think of them as a monolith over there in Los Angeles, but really they're, you know, six, seven companies that hate each other with a passion and really wouldn't want to do anything to help each other unless their lives depended on it, but it did in this case, so they've come together three times in modern history to agree on something. One was the fight against piracy, the second time was the DVD standard, and the third one was the agreement on how to transition from 35 millimeter film to digital. On pretty much every other technology question they've fallen out and had a difference of opinions, you know, HD DVD versus Blu-ray, you name it. They don't agree on things, customarily, but they did because the transition from film to digital was so important.

Vamosi: Although 35 millimeter film is brittle and clunky. That didn't stop people from creatively finding ways to make copies of these films, particularly in the 80s and 90s.

Von Sychowski: 35 millimeter is obviously unencrypted and there were instances where there were literally pirates who rented a van or had a delivery van that normally took the film prints from the film laboratory to the airport, and they would have a scanner, a flatbed scanner, on the back of the truck and they would copy the film as it was driving to the airport and get a copy that way, because they could, because there's nothing protecting a 35 millimeter print, apart from you could put in some dots sort of vaguely identifying it. With digital, what you can do is not only can you encrypt the film file to a military grade standard, I mean we're talking, you know, things that would take you decades to decrypt. But secondly, you could also trace it forensically, so even if a version is camcorded in a cinema, you can extract that invisible watermark that will tell you which cinema, which screen, what day and what time.

Vamosi:  This also happened with the Academy Awards. Each year, pristine copies of nominated films, or what they're called screeners were sent to Academy members on DVD. Well, one of the recipients released their copy to the internet. Only thing is, the watermark was specific to each individual screener, receiving a copy.

Von Sychowski:  Yeah, there's always the weakest link and it's always a human factor involved and yes, the watermark enabled that screener so obviously another way of easily getting your hands on it and they have been able to trace that and now they're doing a pretty good job of electronically. So even if it doesn't prevent the piracy, it tracks the piracy and that way, they've been able to close down, cinemas, or tighten the grip on cinema that were the source of pirated prints in digital copies so digital enabled studios, a higher degree of security and protection for the first time films than 35 millimeter did.

Vamosi: In order to transition from 35 millimeter to digital, Hollywood studios spent millions of dollars and roughly a decade codifying standards that would be universal, and how films would be screened into the future.

Von Sychowski: What I should mention again about Hollywood studios is, so when they decided to get together and actually work together on agreeing on a standard for transitioning to digital, they wrote a document together called the DCI specifications, so the Digital Cinema Initiative specification. This document ran to about 180 pages, and it covered everything from the resolution to the kind of formats, widescreen, how to encompass that, audio, metadata description, you know, the MXF wrapper for the digital cinema package, but out of those 180 pages, about 75% of those pages were devoted to security and encryption, and so that shows me just how important it was. I'm not saying that, you know, 7.1 or 5.1 channel audio wasn't important, but they covered that pretty efficiently in just, you know, a few dozen pages.

Vamosi:  So there's still some costs in shipping these hard drives to each projector.

Von Sychowski: The obvious thing is to point to savings, and yes, every year they spent millions and millions with Deluxe and Technicolor to make these bulky 35 millimeter prints, shipping the 35 millimeter prints, disposing of the 35 millimeter prints, but really they wanted to safeguard and also future-proof a new technology, and one of the ways they do that is by going digital: they can do things that they couldn't do with 35 millimeter prints.

Vamosi: Distributors send a hard drive with the encrypted film, known as the digital cinema package or DCP, to each individual cinema.

Von Sychowski: So they didn't quite get rid of the physical aspect, but instead of bulky film reels that could weigh 60, 80 pounds, they now had just, you know, a portable hard drive that could be FedExed to the site. But yes, the digital cinema packages, the files, were still anywhere between 50 gig and 200, 300 gig depending on how many subtitles, languages, versions were packed in there. Obviously, a feature of compression, so computer animation would make a much smaller file, but even the smallest files would be even 30, 40 gigs, and you couldn't do that over satellite over for, there wasn't even fiber back then, so yeah, it was hard drives, sent to cinemas.

Vamosi: Distributors separately send an encryption key that unlocks the film for a specific server-projector combo during a set period of time. This required changes to the theatrical hardware.

Von Sychowski: The security aspect of the hardware of cinemas is universal, and there are several components to it, because obviously there's the media block and player, and then there's the projector. Previously they tended to be separate pieces of equipment, and there had to be a secure link between them as well. These days, the media player tends to be built into the projector unit as well, so it's more of a secure environment, but at least initially, they were so cutting edge, and these things were such huge, expensive replacements, that the projector unit and the server unit were separate.

Vamosi: So the individual films are watermarked and the individual projection units are fingerprinted as well; then the digital key only works with a particular film on a specific projector and only for a specific length of time.

Von Sychowski: So the server unit or the media playback unit had a certificate, so each one has a unique certificate, and the idea of how films will be played out is that each one would be issued with a key delivery message, KDM. That would be unique for that film and that media player, and what that meant was, this was another benefit to the Hollywood studios, they could say, I will give you the rights to play back Fast and Furious 7 or 8 in your cinema, but you will have this key for exactly two weeks. And after that, it expires, and that copy on your media player will be useless until they issue you with new keys, so it gave them a greater degree of control as well. In this new system, the KDMs were supplied separately.

Vamosi: The problem was, back in 2000, some of these theaters still didn't have internet access.

Von Sychowski: The sheer number of KDMs, and the logistical effort. This is not something that is easily automated as well. Initially, because of how early on it was, people literally had to get the KDM emailed to them, they would put it on a USB, and then they would plug it into the media player to download the KDMs. Now some of these cinemas, you have to remember, weren't the most technically sophisticated in the 90s, in the early 2000s. I know stories of people who had to go down to the Starbucks to get onto WiFi because there was no internet in their actual cinema. There they downloaded the KDMs, put them on the USB drive and then walked back across the road to this and plugged it in, the one phone lines connected so it's, it's been a culture change so we saved for cinemas, and therefore, there's never going to be complete automation, reliability, or ability to control and have an overview over which units are active, are approved, and are located where in the world, and there was a bit of a to and fro between the cinemas could set that time period for those keys down to, you know, two hours on a specific date for sight. They might give you some extra time to test it, to QC the film beforehand, but it's a hard cutoff point in terms of timing and occasionally it came back to bite them. I remember when the second Star Wars of the new Star Wars films that George Lucas premiered, he was running in Odeon Leicester Square, which is the flagship cinema in London, I mean it is the red carpet destination here, and they were so paranoid about the film running well in the first week so they had two projectors running in digital in tandem. So at least if something went wrong with one, they'd switch over to the other one.
And then they both went down at the same time because somebody had set the KDM parameters to West Coast time rather than London Greenwich Mean Time. So these tiny things, you know, they learned from it and then they started tweaking and saying, right, if the film has started, we'll let it finish playing, even if the time on the keys runs out. But it is incredibly strict controls that these new digital tools enabled the studios to have because, obviously, there was potential for this going wrong, the film stopping halfway through the last show, and so on, so they built in a tiny bit of leeway. But really, whoever controls the key distribution controls the play out of the film, and the key distribution is built on a list of all the certificates out there for all the servers in all the cinemas.


Vamosi: Suffice it to say there was a digital transition period with the hardware as well, when older units were still out in the world. While the industry could blacklist these older units, a flaw in the software made possible what the Chinese referred to as resurrecting the corpse, or in more prosaic technical terms, cloning.

Von Sychowski: The cloning thing has been addressed, like I said, for more recent equipment. The only way to be absolutely sure it doesn't happen is really to track down and remove all of the old pieces of equipment, as well as constantly updating and keeping an eye on the trusted devices list, and for key issues. We have to remember, managing keys is a nightmare at the best of times because, you know, when you have a new film coming out, such as we have James Bond coming out in the UK here this week, it is going out to so many different cinemas, and it's also going out in so many different formats. And so keeping track of, you know, who do we have an agreement with, what's, you know, what's the status of their equipment that gets swapped out, and what nobody wants, neither cinemas nor the distributors, is to have a dark screen, because that means lost revenue for both of them, so they always allow a bit of leeway. There's always, you know, okay, we will police it afterwards. And then you'll get a smack on the finger or you'll be taken off the list if this wasn't followed.

Vamosi: On this, Patrick is very hesitant to continue. 

Von Sychowski: And I have to be careful when we get into discussing these kind of things because this is obviously an exploit and was unique to the first generation of equipment that came out very close to the finalization of the specifications that Hollywood put together. And these are not exploits you'd be able to do with more recent generations of hardware, but unfortunately, not all first generation equipment has been retired. There are still copies out there. In theory I know of ways that, you know, things could be circumvented, so we have to be mindful of not wanting to obviously create a manual for ne'er-do-wells to try to copy this.

Vamosi: So, at some point in the transition, there was a flaw that allowed someone to change the identity of the projector, and therefore change even the protection built into the digital film itself.

Von Sychowski: Most of these things have been plugged but, yes, there were ways of exploiting flaws, and not so much the specification, but maybe how it had been implemented early on, which allowed like I said the manipulation of the identity, and remove the watermark and the timestamp.

Vamosi:  I don't know about you, but this flaw in this transition from 35 millimeter to digital, seems like a perfect opportunity for organized crime to step in. In this case, it happened in a working class town immediately west of the North Korean border.

Von Sychowski: So this is where it gets really fascinating because it is the great story of this criminal enterprise that started with two really low life, small time operators who were operating or running a drive-in cinema in Anshan city, which is, you know, a rundown steel town on the border to North Korea. It's the sort of thing posting something you'd find in, you know, in Pittsburgh, or it was twinned with Sheffield in the UK. And so his name was Mr. Ma, Ma being the surname. So he teamed up with an old classmate called Mr. Ma Moosong. There's a lot of Chinese names but the thing to remember is, they were the two Mas, and therefore they became known as the Two Horses gang, because Ma is also the Chinese character for horse. So Mr. Ma and Mr. Ma jumped up this new business plan for their failing drive-in cinema: they were going to show first-run films but they weren't going to pay for them. They bought a server from a cinema and they paid about 7000 US dollars for it. It was a first generation server to show digital films, and it had the serial number A15591. This was the server that had been blacklisted after pirated copies of Allied first appeared earlier. And like I said, this server had effectively been bricked because it had previously been used, and that's probably why it was sold, because the cinema had gone out of business, could have been identified a year previously as a source of pirated film, so that's why it was taken off the trusted devices list for creating these KDMs. So the person who bought it bought a useless server because it was basically a big letter press. No one is going to issue film, because the certificates are supposedly hardwired into it. And so this is when they got the idea of trying to find a way to hack into the server. They found a way to enable or to find an engineer who could clone a certificate from another server, and so therefore assume the identity of another legitimate server and legitimate source.
And so, they then got a new SIP certificate from a cert server with a serial number A03783. But in theory they could have kept cloning certificates, and they got this new certificate by sending somebody into a legitimate cinema in Tan County under the pretext of equipment maintenance. So, you know, this fake engineer goes into the cinema, clones the digital certificates and then downloads the account and password for the KDM storage server. What's remarkable is that they succeeded with a relatively low tech approach to it. I mean, this wasn't some super sophisticated criminal enterprise, but it shows that when you find an exploit or hack, then it doesn't necessarily have to involve rocket scientists.

Vamosi: The Mas didn't do any of this themselves, but they knew people who could do this for them.

Von Sychowski: All they had to do was to bribe a cinema employee to look the other way for a few hours while they borrowed the hard drive with films on them. And then the keys were issued automatically for all of these legitimate cinemas in China, but one amongst them was a rogue one taking advantage of the keys and certificates from a legitimate server to affect the impulses of that server, and off that rogue server came these pristine copies.

Vamosi:  So was the quality any good? 

Von Sychowski:  Yes, the quality was pristine because, let's not forget that, you know, most of the camcorder piracy takes place in cinemas, and it's very hard to record off the big screen. covertly, or, you know, at a time when there's nobody else in there, which is why you get these low copies that have either poor sound or or, you know, an unstable image. I remember once, a friend in Asia, this was many, many years ago before the advent of digital, was watching a copy that he thought was legitimate, on the CD. And halfway through the film, suddenly the image goes up and down and you hear Ah-shoo. And that's the pirate sneezing, not holding the camera steady, but here you can, You don't even need a cinema, you just need a white wall, and you can fix the camera to it and afterwards they would use video editing software to tweak and correct and sync the finished film file until it was pretty much pristine.

Vamosi: So the Mas had a way to create digital video copies of high demand, new feature films. Next they needed a way to distribute them.

Von Sychowski: So now they're in business. Now they're able to get copies, like I said, by bribing a cinema employee. He got paid between 75 and 150 US dollars per month to borrow a hard drive for up to 10 films, and they would look at the app of what were the popular upcoming releases, and they would take those films, and it was even so low tech that they didn't even get the digital file out of the server but rather they camcorded it off a projection on a wall, so it really was a lo-fi type of piracy operation, but incredibly, incredibly effective. But digital opens up a whole new realm of being able to capture very pristine high definition copies of first-run films, and then making them available either as bootleg DVDs or distributing them via the internet. The Chinese, in this case the Two Horses gang, found a third way, which I'm sure we'll get into, which makes the story even more fascinating. The thing about illegal DVD sales is that they can be anonymous: you can employ people to sell them on street corners or in markets. You then fly under the radar of the copyright holders, the studios. Even in a tightly policed state such as China, pirated films do appear on shadowy websites, or are traded on social media channels such as WeChat or QQ, which conveniently have built-in micro payment systems. But like the Hollywood studios, the Two Horses gang wanted a very tight control over their newly minted counterfeit films. So instead they did something completely novel and unique for China: they took a franchise approach of setting up a series of video parlors or micro cinemas that could show these films to paying customers. This is what's known as private cinemas in China.

Vamosi: Around this time, private cinemas, or micro cinemas, were taking off throughout China.

Von Sychowski: It's sort of like if you've been to a karaoke room, as they are in Asia, especially when there's anything between two and 10 of you. You've got a big monitor, and you can order beer and you sit there in your soundproof room and you sing away to your heart's content. That's what they did in China, so starting in about 2014 they started building these micro cinemas, which are effectively like a high-end home cinema with a comfortable recliner, and a big LCD projector for a screen and good surround sound. And you rent them by the hour and you have access to a video jukebox where you can watch anything from Game of Thrones to films that were released, you know, in the last or maybe three months or earlier. A lot of these places initially were slightly shady, they would show things that were not legitimately available, including both TV shows and films. But as the industry grew it also started to clean up its reputation. Today there are an estimated 15,000 private cinema screens in China, and that's slightly above the number of cinema screens, but of course each on the private cinema screen is only between, let's say, two to eight people. There are definitely legitimate private cinemas, there are companies that are now investing and looking at making this a well established, well run, totally legal in terms of copyright respect alternative cinemas. It will not be for first-run films. But you have to remember that because of this control, and the limited space on the big screens in China, there are lots and lots of foreign films, arthouse films, even Chinese films that do not get a regular distribution, which would be approved by the censors and the government, but just cannot find the space on the big screens. So, this opens up a whole alternative market to them other than going directly to the consumers.
So, a parallel operation, but at the same time what's thought of in China, in some ways, as the third generation of cinema-going, after single screens and the second-generation multiplexes. This is the third iteration of cinema, and there are people who are looking at taking this concept in its legitimate form out to the West. Seeing this private cinema thing take off in China, the Mas decided to create their own shadow private cinema network.

Vamosi: And of course, they made it easy for anyone who wanted in, and they come in then.

Von Sychowski:  And what they do is they offer a McDonald's model, effectively, like, right, here is how you build this micro cinema. And what we're going to charge you is... They had a price list and established business models, so very quickly, effectively, there's a monthly fee of about 400 US (I'll do everything in US dollars), 400 US dollars to be part of this affiliation. We'll deliver you, you'll get an encrypted hard drive for which you have to pay a fee of about $70, which you can get back once it's recycled, and then a usage fee as well for 15 bucks per month, and a refund when you return the disk and so on. And then you have to charge people an average of about 15 bucks per viewing, which if you split across two or four people works out cheaper than cinema. And then obviously, they can make additional money by selling drinks, concessions, snacks, food, that sort of thing that regular cinemas also make money from. Like the best criminal organizations, they mirrored the legitimate organizations: the Mas set up their own shadow franchise system. It was fairly streamlined, and then they had obviously an encrypted chat channel where they could, you know, order the films, get feedback, let them know about upcoming releases. And as we pointed out earlier they had strict codes of conduct, so even if they were sent the film early on they tended to exit the film early. If a film opened on a Friday morning in regular cinemas, they would not be allowed to start playing it in these illegal private cinemas until the afternoon of that same day. Then the Mas took things a step further. Like Hollywood, they wanted to protect the digital films, even if they had violated the copyright laws. Given that they could remove the digital watermark and the projector ID from the digital films they copied, they could then add in their own.
Even more interesting is that there was obviously no trust, and because there's no honor amongst thieves, between the franchisee partners and the two horses gang, so they would encrypt the film, and they would have their own watermarks. So, in the films that if those copies leaked online, they won't be able to trace it back to the private cinema that got access to it. One might imagine these illegal private cinemas as if they were the only choice in, say, a small town. Well, that wasn't true. The Mas operated alongside the legitimate private theaters, blending in with the local environment, operating in plain sight.

Von Sychowski:  Mostly these kind of things were in existence alongside existing cinemas, so you'd have real legitimate multiplexes, but if you wanted to go on a date and you wanted a bit more privacy, a bit more luxury, a bit more sophistication, then you'd rent a private cinema. Recently, some of these private cinemas have got into trouble because they had beds in them, they had showers, and guess what, especially I suppose to what point 18 I just tried to get away from parents might be using them for more than just watching films. So, there is a parallel network really that mounts that these could be anything from a very sophisticated operation, legitimate operation with an entrance and a lobby area and a box office as fancy as a regular multiplex, just on a smaller scale, to things that were built on the 13th floor of an apartment complex where somebody took advantage of an empty space to furnish a few rooms with a projector, a sound system, and a video jukebox. But we know of at least 330 private cinemas in 20 provinces across China. For each one of these private cinemas they could have multiple screens that were mini multiplexes determined by 2017 or 18. The number of private cinema screens overtook regular cinema screens in China, not all high quality, you know, some of them were a little more than the sheets in the jukebox, some of them were as sophisticated, as luxury, as you'd expect from a, you know, a home cinema of, you know, Jeff Bezos or, you know, a football or ice hockey player in the top league. And, of course, there's always a danger of taking something like this a bit too far. The security company or the technology company that they hired for all of this even tried to take out a patent for their own kind of security solutions for these private cinemas, so they're reapplying all the security protocols that the legitimate cinemas had, but for their own kind of illegal pirate franchise operation.


Vamosi:  So back to 2019. Two weeks before the Chinese New Year festival, Ma Moosong paid a theater engineer for hard drives containing three of the most anticipated films of that year.

Von Sychowski:  Beginning of 2019, which was at the time of Chinese New Year, which, in terms of film releases in China, it's Thanksgiving, Christmas, and summer box office all rolled into one, all the biggest films are saved for that. So the 2019 Chinese New Year, which is February, 15th of February. They had three big releases including sci-fi epic The Wandering Earth. And this is when things came to a crunch. And what happened then, and this is karma catching up with you: one of the franchisees discovered that there hadn't been an update on the pirate encryption software, and there was a loophole that enabled the films that were sent to him to be pirated. So he downloaded it, and then sold it on to other private cinemas. Previously, the high quality pirated new releases were confined to the closed and heavily monetized two horses gang private cinema network. Now, however, copies of the biggest films of 2019 were available freely online. It soon spread like wildfire because it was stored on a Baidu cloud sharing link. So before you know it, these films were all over the internet, being sold for micropayments by apps and websites, and the two horses getting them on ma must be watching sort of with despair of having lost control of their pirated goods, because The Wandering Earth itself had been watched over 5 million times online before they got a takedown letter sent from the producer of the film. And that meant that pretty soon they started tracking the franchisees, and from there on, in traditional law enforcement style, they worked their way up the food chain until they got to the two horses gang. The 2.15 operation wasted no time. Within a month, they started arresting people involved. They sent out a massive operation across multiple cities, not just multiple cities but territories. This was a tech operation that spanned Taiwan, Hong Kong, and the Chinese mainland.
They arrested over 250 individuals, they confiscated 14,000 pieces of equipment, and I forget, there were hundreds of law enforcement officers involved in this. So, again it gives you a feeling for the scale of the operation and just how big it was. And again, uniquely Chinese because nowhere else today is there this private cinema network, legitimate or not legitimate. So, the interesting thing happened since. Obviously there was a trial, the producers went on camera and expressed their gratitude to the police. It was truly the biggest piracy takedown operation of all time, anywhere in the world.

Vamosi:  The story would not have been possible were it not for a lone engineer in the propaganda department in China.

Von Sychowski: I want to give a shout out because there was, you know, there was a real hero in this, and it is the engineer who actually uncovered that first part copy as I said of allied jeweling, I'm going to get his name right but Julian Fenn from the Quality Control Bureau of the Chinese, you know, propaganda department, and he's still out there, he's still surveying the internet for, you know, pirated copies, and doing the hard thankless job of trying to track down, and you know, prevent films from being stolen and being illegally shared and distributed. So while it's easy to, you know, get caught up in the sort of gangster, low-end gangster glamour of the two horses gang, it is the engineers, and, you know, who are the true heroes of this because they designed the specification in the first place, which, you know, had it been adhered to would have prevented this, and it was an engineer who enabled the culmination of this three-year hunt for Ghost number one to succeed in taking down this piracy ring, saying this really was one of the cases where really the Chinese authorities were the good guys, and they did a great job in terms of exposing this and bringing down the perpetrators. But of course they by themselves cannot fix what was an inherent problem with early generation software, so in theory, we could see a Ghost two or Ghost number three or Ghost number four. This is one of those nice stories that has good heroes and villains. Obviously, there are people who maybe, you know, were a little bit cutting some corners, again we're not going to point fingers, or were a bit too eager to rush things to the market. But again, at this point, you know, it's not about blame. It's not a, it's about sorting out.
And what was interesting to me is after I published, we published the story, is I thought that there was going to be more attention to it, you know, like any journalist you're vain enough to think that your story is going to be read and appreciated by everybody, but there was pretty much a deafening silence that came out of Hollywood after this. And this from a place that loves to shout about any victories over pirates and wants to highlight the damage that copyright theft does to the industry. But again, this was a sensitive topic, and it's a bit about that old saw about, you know, washing your dirty linen in public. So I hope that, you know, we've been able to, and I think we've been able to, bring attention to what is still an important story, and a great success story in preventing copyright theft, while at the same time acknowledging that, heck, no system is completely foolproof. Even something as well designed, and it really is super well designed, as Hollywood's digital cinema initiative specification for moving from 35 to digital.


Vamosi: So the story of Ghost number one ended in 2019. But, as with any Marvel motion picture today, there's always a scene after the end credits, a coda. So, despite all the advanced digital piracy controls within DCI, digital piracy of pristine motion pictures, unfortunately, continues to this day, which is why Patrick is presenting a talk at SecTor 2021.

Von Sychowski: And this, the reason we're talking about it today, is that we've obviously had a pandemic which shut down cinemas, not just in China temporarily but here in the US, but in the meantime, you know, we've seen the appearance of pristine high-definition copies of first-run films appear on pirate sites, again, and it has nothing to do with any ghost server, it has to do with Hollywood's deciding on a new release strategy of films, one that would either bypass cinemas, or go in parallel to a theatrical release, and to put it online on premium video on demand or subscription services, so HBO Max, Disney+ Premier Access, meant that films that previously came up in a shaky bad pirated copy that was camcorded in the cinema, now, literally minutes after it is released, you have a perfect high-definition, maybe even a 4K copy of Black Widow, Jungle Cruise or, you know, Godzilla versus Kong, because the studios have decided that, you know, during the pandemic, we're going to have to think beyond cinemas and we're going to test straight-to-consumer release. There was this trend during the pandemic for new motion pictures to have a day and date release, which simply means, in film terms, that there was a simultaneous release of the film on multiple platforms, most commonly theater and home video. With the pandemic in full bloom, they were simply going to release the films online. Remember, a critical component of this anti-piracy technology was a close tie with the hardware digital projector. By removing the theatrical release, by going straight to online streaming, they kind of neglected that critical part. What we're seeing is that there's been a bit of a U-turn. Warner Brothers has announced that HBO Max is not going to release their big titles day and date with cinemas from next year.
And Disney has said that they're not going to do any more of these releases day and date after they got into trouble, obviously with Scarlett Johansson suing them for lost earnings because box office diminished for Black Widow, but also because films that were released exclusively in the cinema, like Marvel's Shang-Chi or Free Guy, did so much better at the box office and they'll still make money on digital releases to the home, while at the same time, there were no pristine copies of those films floating around online because piracy is so much more difficult when there's only legitimate theatrical release. So the studios invested all this work in DCI, and they worked on watermarking the films and creating digital certificates for the projection hardware, and then the studios said, Oh, heck, let's just release straight to video. And they're somehow surprised there was piracy. Yeah, I'm not sure if they were surprised, but it's been pointed out to them numerous times, but we have to remember there were different dynamics here. We're never going to get, as Adam Aron, CEO of AMC and darling of the Reddit day traders, you're not gonna have a billion dollar opening weekend on a premium video on demand, just not gonna happen. Your Bond is going to do much better by staying true to cinema and waiting for theaters to be available, to be open, rather than going by Amazon or anything else. So, there was more money to be made in cinemas, because people are, well, for one thing, sick of streaming after, you know, however many months of lockdown. But because cinema is more than a way of consuming films, it is a social experience, it is something we go out and do together, it's something we enjoy together, just like we're not going to stay home and keep having food delivered to us once restaurants are open, so that's why cinema lives on.

Vamosi: I want to thank Patrick for his original reporting on this and for updating his story for his presentation in 2021. Digital piracy isn't about sticking it to the man, it's really about hurting the little guy. The construction worker, the stunt driver, the people you see in the end credits, as you're waiting for that final scene in any Marvel movie. Those are the people who are the victims. Remember that the next time you think it's fun to download a first-run feature film for free. And as a side note, be sure to run some antivirus on your digital device after you do so. Remember, often you get what you pay for, and malware, it's always free.

Let's keep the conversation going or DM me @robertvamosi on Twitter, or join me on Reddit or Discord. The deets are available at

The Hacker Mind is brought to you every two weeks, commercial free from ForAllSecure.

For The Hacker Mind, I remain your one-time cinema auteur, Robert Vamosi
