About HeheStreams
HeheStreams allowed users to watch sports live and on-demand from any device, at any time. It started as a joke in February 2016 and ended with an acquihire in July 2021—but it was one of those “we want you dead” more than it was “we want your talent” ones. In October 2021, the U.S. Government charged me in connection with it—and for my piss-poor handling of disclosing bugs to a sports league.
I’ll primarily focus on the website here.
Why’d you do it?
It started as a proof of concept. My beloved BallStreams—a website for watching NBA games—pulled the rug on me and fellow fans, and we were left SOL.
I posted the proof of concept on Reddit, hoping someone else would pick up the slack. Nobody did. I got e-popular; it felt good.
It soon started taking up a lot of my time. I felt an obligation to fix the site when grown men told me my shitty basketball streaming website wasn’t working for them. After a few months I slapped a paywall on it, thinking it was ludicrous that anyone would pay for such a thing; I’d have a clean break.
Nope.
It was weird to reach product-market fit. While it was, indeed, a subscription website, the motivation for starting and maintaining it wasn’t financial. I was employed as a respectable software engineer for the entirety of the website’s existence. It was a mix of passion project and an escape—a home I built for myself.
It didn’t help that my mom was actively dying.
What was the main attraction of using your site?
Many Americans are subject to blackouts: geographical restrictions that disallow users from watching their local team(s), or nationally televised broadcasts. This effectively forces them to buy a cable package to see their local teams. A cable package averages $80/month and includes a bunch of channels people don’t watch, as our viewing habits have drastically changed this century.
Allowing users to bypass those blackouts was the primary driver. To this day I don’t believe my users were more attracted to the price. I’m certain that I could have charged $80/month myself (it was $100/year, or $25 for a fifth of a season) and had a better time financially.
I took a lot of pride in being honest and forthcoming and establishing trust with my users. This is hard to scale to millions of users. I didn’t have that problem though.
Why the name?
It was meant to be a joke.
How much did you make?
Less than my $3M restitution.
No, really, how much did you make?
Above.
How many customers did you have?
More than one, and they were from all walks of life. Did you know that professional athletes have the same issues as people who work at Discount Tire?
This includes LeBron and Tom Brady.
The US Government maintains I had at least 33,004 subscribers, so I tend to run with that number because it gives me more street cred.
How many people officially worked with you?
It was just me. I had a person make the cute graphics on the homepage and paid $60 for a stinger on the Roku app.
Speaking of Roku—BrightScript is a clinically awful programming language, and I wish it on nobody.
How did the site work?
TorrentFreak has the most accurate representation of how it worked, so I’ll defer to them for the lite technical details. However, it involved me reverse-engineering DRM authentications and private APIs to provide the streams directly from the source. I didn’t have a single server encoding anything.
Broad strokes of the stack: It was an uninspired Rails-based monolith with server-side rendering, and one feature that used React. There were 227 tables, running the typical PostgreSQL/Redis setup.
Along the way, I pulled out some of the internals and open-sourced them. One of them exists today as the most popular open-source package of its kind for managing scheduled event sequences: Caffeinate. I used it to handle lifecycle emails to my customers: welcome, getting started, you-haven’t-watched-anything-yet, etc.
I used Grape for managing the API endpoints. I can’t remember why I did this. I do enjoy using Grape, though.
Many of the programming patterns I used are discussed in my upcoming Ruby on Rails book Caboose on the Loose.
Can you talk more about how the website worked?
Broad strokes from what’s publicly known:
Let’s pretend a sitting senator wants to watch a Lakers game while they’re at Disneyland in California. From their end, they tap play and it works. From my end, there’s a pipeline.
First, behind the scenes I need to authenticate into an account with a provider. (Let’s pretend it’s Hulu since they were never mad at me and we can keep with the Disney theme.) I need to check that my account hasn’t been banned, isn’t rate limited, and hasn’t been hit too recently—I don’t want to set off alarms on the provider’s side. Periodically I’d check the status of the account; this wasn’t some sort of decay algorithm, but instead I used pattern matching against the behavior of users on my own site to shape the “behavior” of these checks.
Once that request returns a 200, I store the session. Then I fetch the actual stream for a given team (or national broadcast, or both)—sometimes this was done via a different proxy because of geolocation, sometimes not—it depends on the stream and the platform and the content, and every provider is different. Then there are different user agents and different headers required to get certain formats. Because users log in from their home IP and watch from work, this is a reasonable no-op from the abuse engineer side, kind of; critical minds can easily find a way to add a point of interest.
After retrieving that stream URL I had to manipulate the stream format—more than 20 ways sometimes—so customers could watch on iPhone, Android, Roku, FireTV, LG TV, Samsung, browser, their Smart Fridge, their Tesla; each stream is packaged differently.
Then there’s the DRM handshake (AES key-based HLS streams started becoming increasingly uncommon, to my disappointment). It wasn’t my DRM but the platform’s DRM, and sometimes a vendor DRM, and sometimes a vendor-platform DRM. There are three major DRM flavors: Widevine, PlayReady, and FairPlay (four if you count ClearKey, but that shit’s more broke than I am and I have $3M in restitution). Anyway, each DRM flavor then had a different setup for each device that it supported—the Widevine implementation on Samsung smart TVs was different from the one on the Fire Stick. Sometimes each stream type had a different setup, too.
Turtles all the way down; I usually love turtles.
I had to do all this without raising alarms.
How many apps did you support?
If it had a networking stack and a display, it was probably supported: Apple TV, Android, FireOS, Chromecast, fourth-generation game consoles and newer, Roku (BrightScript is an awful language), smart TVs, smart fridges, Teslas, and the usual web platforms.
Wow, this was a lot of work. Were you employed during this time?
Shoutout to my colleagues watching me burn myself out at UseSixty, AdQuick, and AngelList. Many of my fellow developers knew about HeheStreams, and one happened to be a subscriber prior to my employment.
Do you have any fun stories?
Plenty.
Someone once asked for the manager, claiming that I didn’t have the “capacity to work with people who had mental illnesses.” That was a wild, wild email.
It was always weird to see who was using the site. I had a lot of internal tracking for abuse, which included associating IP addresses to users. I could see which groups of users (see above mentions of athletes) were at which hotels in different cities. Absolutely batshit to see in practice, all things considered.
I was once bringing a TV back from Best Buy in an Uber because it wouldn’t fit in my car. On the way back, the driver asked if I watched sports. I chuckled and said, “Sometimes.” He asked how I watched them, and I said I had to deal with shitty streams on the internet (see: mine). He suggested my website. I had him send me his referral link and gave him a little “congrats you won a free subscription for life.”
(I guess that means I should say I had more than three users.)
How do you feel about the state of streaming these days?
Intentionally leaving this blank, while saying as much as I can by not omitting it entirely.
Do you currently do any other shady shit?
I eat a lot of ice cream, which probably isn’t healthy for me. So, no.
How many commits did you make to the repo?
Closer to 6,900 than 6,850; about 5,000 deploys.
Any other cool parts?
The abuse layer was interesting. Mine—not a provider’s.
On my way in, I knew what worked and what didn’t. I deployed what I would have made for them on my own site. If customers shared accounts or hammered the feeds, service would degrade, the trust I built with customers would be at risk, and the upstream platforms would re-engage in the game of cat and mouse. My anti-abuse layer had to be better than theirs.
I carefully measured the scale my users would have on a given provider—I don’t mean technical impact, I mean the signals they’d send to any given provider. Sharing an account with buddies is cool, but it could very well cause my service to degrade.
I was really clear about this to my users. The rule was one connection per live stream (any number of games); up to 3 for on-demand. The on-demand streams were live immediately after the conclusion of the game—the exception being the NBA until 2019, which would take anywhere from 30-90 minutes to put up their archives.
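The connection rule above, written out as a defender's anti-sharing control in Ruby (the stack the page describes). This is an added example, not HeheStreams' code; the in-memory Hash standing in for Redis, the 30-second heartbeat window, the injectable clock and the "sharing flag" counter are all assumptions of this example.

```ruby
# Per-user concurrent-stream limiter for the rule above: one connection per
# live stream (any number of games), up to three for on-demand. A Hash stands
# in for the Redis the page mentions; TTL, clock and flag counter are assumed.
class StreamLimiter
  ON_DEMAND_LIMIT = 3
  HEARTBEAT_TTL = 30 # seconds; a player that stops heartbeating frees its slot
  attr_reader :flags # user => count of rejected attempts from a different IP
  def initialize(clock: -> { Time.now })
    @clock = clock
    @sessions = Hash.new { |h, k| h[k] = {} } # user => { session_id => info }
    @flags = Hash.new(0)
  end
  # Admit a playback session or reject it. Returns :ok or :limit_reached.
  def open(user, session_id, kind:, event:, ip:)
    prune!(user)
    same_kind = @sessions[user].values.select { |s| s[:kind] == kind }
    over = if kind == :live
             same_kind.any? { |s| s[:event] == event } # one per live game
           else
             same_kind.size >= ON_DEMAND_LIMIT          # three on-demand total
           end
    if over
      # A rejection while an existing session sits on another IP is the
      # classic account-sharing signal an operator wants surfaced, not hidden.
      @flags[user] += 1 if same_kind.any? { |s| s[:ip] != ip }
      return :limit_reached
    end
    @sessions[user][session_id] = { kind: kind, event: event, ip: ip, last_seen: @clock.call }
    :ok
  end

  # Players heartbeat while playing; close releases the slot immediately.
  def heartbeat(user, session_id)
    s = @sessions[user][session_id]
    s[:last_seen] = @clock.call if s
  end
  def close(user, session_id)
    @sessions[user].delete(session_id)
  end
  def active_count(user)
    prune!(user)
    @sessions[user].size
  end
  private
  def prune!(user) # drop sessions whose last heartbeat is older than the TTL
    cutoff = @clock.call - HEARTBEAT_TTL
    @sessions[user].delete_if { |_, s| s[:last_seen] < cutoff }
  end
end
```

In production the per-user map would live in Redis with a key TTL doing the pruning, and the flag counter would feed whatever abuse dashboard the operator reviews.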
Scaling illegally (and elegantly)
I didn’t make any attempt to hide my tracks. Sometimes I was feeling paranoid and I’d jump on a VPN but that feeling would wear off and I was back to using my residential IP.
I collected credit card points from hosting bills.
What ultimately did you learn from it?
Well, HeheStreams wasn’t supposed to work. It was a joke that outgrew its punchline—a proof of concept that turned into a case study in scale, ethics, and curiosity. The site is gone, but the business and product lessons keep refactoring themselves.
Anything else?
I reached a civil settlement with rightsholders in July 2021. This resulted in me shutting down the website. It was three months later that I got tagged by the feds.