Alternative File Protection

Domenic R. Merenda
Editor's Note: The process of protecting content from theft can involve several strategies and varying tactics to stay one step ahead of thieves. While the most basic method of using .htaccess protection can be enough in many cases, in others, such as when you have a non-Apache web server, other techniques need to be developed. Here's an idea to help you develop your own strategy.

The process of linking directly to an image, or hot-linking, can be a serious drain on a webmaster's hosting bill. A number of different sources can hot-link an image, for just about as many reasons. Other webmasters can link directly to an image on your page, deriving revenue from their sites while sending you the bill. Surfers can post images in forums, displaying your proprietary content for non-members to freely view. Even Google's image search spiders can place your member's section within a few keystrokes of the average surfer.

Many strategies exist to combat hot-linking, but my favorite is prevention through obscurity. In a nutshell, thieves can't steal what they can't find. This article will provide an outline of this method, as well as the quick hack our technical team has implemented to demonstrate its functionality.

The Shell Game
When a hot-linker places your image on another site, they do so by providing a URL to a specific location, in this case, your server. What happens if the file is subsequently deleted or moved? You guessed it: a broken image on the thief's page. What better way to pay back a hot-linker than to protect your images while simultaneously disrupting their efforts?

Edge Productions maintains a large network of sites, some of which include movies. Please excuse our design mess and take a look at The site offers videos of well known porn stars, including Aria Giovanni, Alex Arden, and Amber Michaels. Shortly after the site's launch, we began to notice a rapid increase in the bandwidth consumption that couldn't be accounted for. By doing further checks into our logs, we discovered sites in China that were linking directly to the movies, thereby circumventing our ads and offers, and costing us money. To prevent this from happening, we decided to rename the files. This took an effort on our part to pull webmasters off of other projects simply to rename files and then update the HTML code. The hot-linking stopped for perhaps a week, and then came back stronger than ever.

A Better Mousetrap
By taking a reactive approach, we put ourselves on the defensive, chasing after hot-linkers and sticking our fingers into the holes in the dam. One of our developers came up with the idea of getting proactive instead, suggesting we implement an automatic filename swapping system, and we quickly gave it the green light. The system works in five parts. The first portion of the program makes a backup of the existing files, in case of corruption or an unforeseen mistake in the code. The second step is to take an accounting of the current filenames, and to generate brand new ones using a random alphanumeric string. The next part of the program processes the files, changing filenames and updating the HTML. The fifth step is to log the efforts and allow for debugging, should the process fail. We added the program to the nightly crontab process on the server, and let it run. After 6 months of running with the automatic swapping system, hot-linking has been stopped in its tracks, and users haven't reported any significant problems.

If you were expecting sample code, however, you would be much better off building a similar system yourself. Our spaghetti code leaves something to be desired. Good luck!