my profile | my password | search | faq & rules | forum home

» Film-Tech Forum ARCHIVE   » Operations   » Digital Cinema Forum   » Updating of servers

Author Topic: Updating of servers Roy Servis Jnr Film Handler Posts: 12 From: London, n/a, United Kingdom Registered: Jul 2015 posted 03-13-2018 04:30 AM                     Hi, Have a question and wanted to know your stance as a community, I have a kdm generation company that has a global TDL and has issued kdm's for approx 68 territories. Each kdm contains a personal unique link that allow the sites to download any valid keys as well as check their details, we are currently discussing whether to allow exhibition the ability to update their servers directly and new keys will be automatically issued. Pros All certs are DCI Compliant so you could only change to another valid server cert via drop down menus. Instant changes less waiting Cons Possibility of rogue users randomly changing a cinemas server details. another username / password to remember (Possibly). I think this would be beneficial to everyone but would love to know your thoughts... Thank you, Roy  |  IP: Logged Marcel Birgelen Film God Posts: 3357 From: Maastricht, Limburg, Netherlands Registered: Feb 2012 posted 03-13-2018 06:32 AM                     I guess you only allow to transfer KDMs to servers that are already listed? Signing up a new server is still a manual process I presume? So the worst somebody could do is transfer KDMs between his/her servers, which is nothing unusual. You can obviously monitor for potential abuse and maybe come up with some limits that do make sense, like only being able to transfer a KDM once per 24 hours or 3 times per e.g. 72 hours. For logins, you should try to allow e-mail addresses, which the user can specify him/herself. I always hate it when something uses their own user/password scheme and forces me to use some vague username and non-configurable password.  |  IP: Logged Carsten Kurz Film God Posts: 4340 From: Cologne, NRW, Germany Registered: Aug 2009 posted 03-13-2018 06:57 AM                     Hi Roy, how many updates to your TDL do you currently process e.g. per day/month? The problem is to analyze the abuse or risc potential. I guess individual sites do not change their servers too often, but they still sum up at your end. There had been a discussion about TDL databases a while back on the ISDCF mailing list, do you read this list? There's an interesting question in it about how one actually authorizes oneself as the owner of the specific device that needs to be registered. So far, when we had changes, we just emailed those to companies like yours, nobody asked us to authorize ourselves. Now, usually there is little incentive to register a device/cert that you don't own so far, but, I could imagine scenarios where this comes up up as a problem. Also for second hand sales, there could or should be a 'request/confirm' transfer scheme, similar to those used to transfer domain names. Some time ago I talked to a german KDM distribution company, they told me they have an irritatingly high number of doubles or even triples in their database. Typically, servers transferred or sold second hand will receive a new registration, but they forget to unregister the old one. In theory, that's easy to handle, but in reality, you don't want to risc a server being thrown out of a specific site/circuit without confirmation. Now think 5 years ahead and imagine the situation then... Another benefit of such interactive access is that not just a server serial or cert could be registered, but other aspects of a site/screen as well, like sound configuration (5.1/7.1/ATMOS), KDM email addresses, etc. could be updated quickly. Some of your competitors offer such a web based database, however, last time I had been there, it didn't allow a full site/screen configuration. - Carsten  |  IP: Logged Leo Enticknap Film God Posts: 7474 From: Loma Linda, CA Registered: Jul 2000 posted 03-13-2018 07:48 AM                        One thing to keep in mind is that changes of server often happen with little or no notice, as the result of a breakdown. I have swapped them out many times in situations whereby the media block or IMB has failed (usually because its battery has died), and the supplier of the replacement has not given us its serial number ahead of shipping. GDC are pretty good about doing this; the other manufacturers less so. Once it arrives on site, we need new KDMs within an hour or two to avoid lost shows. Deluxe Technicolor are very good about this: they can often issue new KDMs within minutes, and it only takes them significantly longer if they're having problems contacting the owner of the movie for permission. Other distributors of encrypted DCPs range from OK to a nightmare to deal with in this situation. This is why I advise everyone I make DCPs for against encryption, pointing out that if their movie is going to a festival on the other side of the world (for example), that they must be prepared for a call or email at 2am demanding a new KDM by 3 unless they want their screening to be canceled. If you've subcontracted your KDM management to one of the big boys (e.g. Deluxe Technicolor), they have the infrastructure to handle this. Smaller operators usually do not. So in short, a system that allows a theater to re-KDM a movie online and without human interaction would potentially be very useful. It should also ideally enable a temporary server/media block category, so that you can tell the system that a given media block serial is only in use at your venue temporarily (e.g. a loaner while your unit is out for repair, or rental equipment brought in for a festival).  |  IP: Logged Michal Matys Film Handler Posts: 70 From: Prague, Czech Republic Registered: Nov 2014 posted 03-13-2018 08:29 AM                    I am with Leo on this one. It happened several times that there was a server failure during weekend and some shows had to be cancelled just because the we were unable to get the KDMs in time.  |  IP: Logged Carsten Kurz Film God Posts: 4340 From: Cologne, NRW, Germany Registered: Aug 2009 posted 03-13-2018 09:32 AM                     Automatic short-Time Re-KDM e.g. for replacement and new media blocks poses a high abuse risc, I am wondering what the studios might say about this. I completely understand the need to achieve this quickly in the mentioned situations from the exhibitor or installer perspective, but I guess the rights-owners want some control mechanism. - Carsten  |  IP: Logged Mark Gulbrandsen Resident Trollmaster Posts: 16657 From: Music City Registered: Jun 99 posted 03-13-2018 11:38 AM                     quote: g. GDC are pretty good about doing this; the other manufacturers less so. GDC Logistics always supplies me the serial number in the "shipped" notification they always email out. This makes it easy to have the new KDM(s) well before the replacement IMB or mommie board even arrives on site.... Mark  |  IP: Logged Roy Servis Jnr Film Handler Posts: 12 From: London, n/a, United Kingdom Registered: Jul 2015 posted 03-20-2018 06:59 AM                     Hi Everyone, Thank you for your responses, Carsten - We process approx 30 server swaps a day globally which has risen to 50-60 with a major release. Leo / Michal / Mark / Carsten We get requests to change a server from a theatre somewhere in the world and in reality we do not know the person who is requesting the actual change but it only goes to the email addresses we have against the site who is requesting and as long as the cert is DCI compliant then we can make the changes and new keys are automatically issued targeting the new server id. Re-issued keys are only valid for the same time frame and version as the previous but with the new cert so there is nothing wrong there. My idea is to allow users in the site to update the cert themselves via a drop down list of certified certs which would then re-issue and speed up the process. I also love the idea of audio and motion etc being updated as well. At the moment I am unable to see the pitfalls in allowing this but am sure there must be some?? I like the idea that as a community being able to share information is a good thing. Regards, Roy  |  IP: Logged Dave Macaulay Film God Posts: 2321 From: Toronto, Canada Registered: Apr 2001 posted 03-20-2018 10:05 AM                     If some unauthorized person changes the server cert for any screen, it wouldn't show up until the next feature - the installed KDM for any open CPL would continue to work. But this is still a real risk: a "hacker" with no agenda, or someone trying to damage your business, could do a lot of changes and cause mass confusion on the next release date. I'm sure you could monitor for unusual amounts of changes. Maybe just a confirmation email with an authorization link that needs to be verified, like I usually get whenever I change a site password? The person requesting a server change would need to have access to the email address where the new KDM is destined so that shouldn't be a problem. Do they need to submit the cert for a new server, or do you generally look those up yourself?  |  IP: Logged Roy Servis Jnr Film Handler Posts: 12 From: London, n/a, United Kingdom Registered: Jul 2015 posted 03-20-2018 10:28 AM                     Hi Dave, We download all the certs directly from the manufacturers sites and never allow anyone to upload a server cert. The system is "self validating". By this I mean that for every KDM the system goes to generate, it has to first prove that the certificate we are targeting has come from one of the server manufacturer signing chains. We hold all of the secure playback signing chains in the system and this means it's impossible for our system to generate KDMs for non secure devices. I like the idea that you could only change a server twice in x amount of hours... Roy  |  IP: Logged Carsten Kurz Film God Posts: 4340 From: Cologne, NRW, Germany Registered: Aug 2009 posted 03-20-2018 03:29 PM                     Hmm, 30-60 updates per day - that's quite a number. The interesting question is - how many of those requests can you direct to a self-service site effectively. Anyway, a customer portal is without a doubt useful. For changing/updating servers, screen configs, etc, for looking up KDMs that may have been lost e.g. due to virus scanners, mistakes, etc. Maybe start something, then just see where it goes to. Have you been able to look into one of your competitors portals? If not, I could provide a few screenshots. One thing that bothers me recently is that our primary kdm delivery address has become abused by spammers during the last years. That's annoying, since you don't want a spam filter to detect false positives on kdm mails. I wish I could change this email address to a new one, but that is venture on its own. Having an interactive system would be nice - even better when all companies would offer it. One important issue from exhibitor perspective is to keep track of all kdm issueing companies/contacts that need to be notified of changes. In germany, we need to address about 8 different companies for a full update roundtrip. A friend recently nearly lost a show when a kdm he received on the day before a showing turned out to have been issued for his previous dolphin board. Some cinemas report changes through their studios/distributors. I prefer to contact the kdm service companies directly. I think we ourselves are pretty well organized, but it needs a bit of discipline and IT skills to keep everything current. - Carsten  |  IP: Logged Harold Hallikainen Jedi Master Film Handler Posts: 906 From: Denver, CO, USA Registered: Aug 2009 posted 03-20-2018 03:54 PM                        I always liked TKR, described at http://isdcf.com/papers/ISDCF-Doc8-TheaterKeyRetrieval-TKR-v03.pdf . But, I guess it's been abandoned. Harold  |  IP: Logged Frank Cox Film God Posts: 2234 From: Melville Saskatchewan Canada Registered: Apr 2011 posted 03-20-2018 04:08 PM                        quote: Carsten Kurz our primary kdm delivery address has become abused by spammers during the last years. That's annoying, since you don't want a spam filter to detect false positives on kdm mails. kdms always come from the same place, so whitelist those incoming addresses for mail received at the address you receive your keys and blacklist the remainder. I do this using procmail, as follows: quote: # Digital Keys :0 * ^From.*(digital\.keys@technicolor\.com|DDCKey@bydeluxe\.com|digital\.keys@bydeluxe\.com|DDCHelp@bydeluxe\.com) .Cinema.DigitalKeys/  |  IP: Logged Carsten Kurz Film God Posts: 4340 From: Cologne, NRW, Germany Registered: Aug 2009 posted 03-20-2018 04:33 PM                     We get our kdms from many different companies, and we did have changes of sender addresses occasionally. That said, whitelisting would still help... The trouble is, we have different systems that touch our kdm mail - our mail server, our mail client, our antivirus program. The antivirus does not support whitelisting and will sometimes sort out emails when they contain ZIPs. @Harold: I think TKR is still worked on. I think on a recent EDCF meeting, someone had done a site survey and found out that many servers are cut off the internet by firewalls. Many exhibitors do not even want their DCI systems to establish outgoing connections. Actually we do this ourselves. When we disable this rule, our router log tells us that our server creates a few megabytes of outgoing traffic per day - we don't know yet what it is. Need to do some wiresharking I guess (and hopefully understand the data...) So, I guess for many exhibitors, a TKR client running on a general purpose computer would probably be more attractive. Then, this brings you closer to a TMS which collects and pushes KDMs for you. Low screen count sites do not have to deal with so many KDMs, and probably also like the idea that the individual email based kdm handling means not just work, but also some human control/feedback. While our kdm count per week is rather low, I would still love to have a system that unpacks all kdms from incoming emails and writes them into a specified folder. I guess some mail programs/OS's can do that with some scripting. - Carsten  |  IP: Logged Roy Servis Jnr Film Handler Posts: 12 From: London, n/a, United Kingdom Registered: Jul 2015 posted 03-20-2018 11:48 PM                     Our biggest hurdle i believe is that whenever a server is changed, we get notified on an email that contains sometimes in excess of 30 different kdm supplier addresses so that everyone is updated at the same time. I can't see anyone updating our site then also sending out an email to the other vendors. I remember the TKR project and i do like the idea, we are working on something similar but it would mean another box for exhibition in an already crowded projection booth, even if it is small :-) many thanks for the great feedback.  |  IP: Logged

All times are Central (GMT -6:00)

Printer-friendly view of this topic

Hop To: Select a Forum: Category: Operations -------------------- Digital Cinema Forum Film Handlers' Forum Large Format Forum Ground Level Feature Info, Trailer Attachments & REAL Credit Offsets Category: Community -------------------- Film-Yak Film Handlers' Movie Reviews The Afterlife Bob Maar's Joke-A-Thon Category: Classified -------------------- Equipment and Supplies Wanted/For Sale Help Wanted/Seeking Employment Category: System -------------------- Software Beta Testing Forum

The Film-Tech Forums are designed for various members related to the cinema industry to express their opinions, viewpoints and testimonials on various products, services and events based upon speculation, personal knowledge and factual information through use, therefore all views represented here allow no liability upon the publishers of this web site and the owners of said views assume no liability for any ill will resulting from these postings. The posts made here are for educational as well as entertainment purposes and as such anyone viewing this portion of the website must accept these views as statements of the author of that opinion and agrees to release the authors from any and all liability.