Free Longse 'ONVIF' VMS Released, Partially Stolen From Milestone, Video Insight

By Brian Karas, Published Jul 06, 2016, 10:42am EDT

A new VMS is being offered free, no time limit and up to 64 cameras.

This offering, which partially steals from Milestone and Video Insight, is coming from one of the most disruptive Chinese entrants.

In this note, we reveal the company behind this VMS, and how this may impact the market.

VMS ******** - ****** *********

********* ***,**** ****** ******* ******,  ****** *** **** functions of * ***: ****** discovery, ********* ******* (**********, motion, *********), **** ******* with ******** ****** *******, and *****-****** ********.  

[******] *** ****** **** interface is ****** ****** **** ***** Insight's. ********:


********* ** ************* **** Longse ***** ******, *** VMS ** ********** **** and *** ** ************, unlike **** **** *****.  ***** *** * reference ** ** ******* max ******* ** *** ***** screen, *** **** **** would *********** **** *******.

*** *.* ******* **** July **** ** ********* here.

********* **** *** ** OS * ******* ** the *** ****** *** client, ******** ***** *****.  ***** ****** ** ** X ******, *** **** *** offer * ******* ** their ****** *** ** X.

*** *** ************* ** the ******* ****** *** client ******* ** ** replicated ** *** ** X *******.  *** ** X ****** *** ******* to * ******* ******, and ****-*****.

Server ********* ***** ********* ********

*********'* ******* ***** ********* is ******** * ****-***** of *********'* ******** **** interface:

*** ** * ***** interface **** * **** further, ********* *********'* **** logo *** * ********* to ********* ** *** License *******.  *** ********* screenshots *** ***** **** the ********* ** * Video ******* ******:

*** "*** ********" ****** on ** * **** "XProtect **** **** **** network..."


Milestone **** *** **********

********* **** **** *** not ********* ****** / Herospeed's *** ***. ***** noting ****** ** * camera *******, ********* *********:

********* **** *** ********* have *** ************, ******** or *** ********* **** Longse. ***********, ********* ***** and ********** ***** ******** to ******* **** **** this ****** ********* ******’* VMS *********.

Longse ****** ********* **********

**** ***** ** *** VMS ******** *** **** Milestone, * ****** ************** replied "* ******* **** our ********, **** *** is **** *** **** Milestone".

****** *******

******** ******** **** *** of *** ******* ************* is * ****** **** by ******.  ******* ***** relentless ******** *** ******* has ****** **** **** more ***** ***** ***** than ******** * ********* or ********* *****, *** this **** *** ****** company ** *********** **** if *********, ** ***** parent ******* *****, *** prove ************.  

********* *** **** * difficult ***** ****** ** they ****** ******, ******* courts **** *** ************* sided **** ******* ********* pursuing ************ *****, ** ******* ****** ***** *** in ****.

**** ******* ** ** the **** ********* ** Longse's ***-**** ******* *** aggressive *******.  ********** **** ******* **** **** **** ********* ** *******, but ****** **** ******** is ** **** *****-********, particularly ** ******** ** the ******** *** *** need ** ** ********* by **** *** *********.  Surprisingly ** **** *** seen ******* ** **** VMS ** ****** **** promotions ***.


***** *** ******** ******* of *** *******, **** of * ***** ***** force *** *******, *** infringement ** *********'* ************ property, Herospeed ** ******** ** impact *** ***-*** ** the *** ******.  ** does **** *** ********* to **** *** ***-*** market **** **** ***********, as ** ** **** to ******* **** **** for ***** **** *** only ******* *** ***** functionality.

Update - ******** **** *********

********* *** **** *** matter *** **** ********, sharing *** ********* *******:

  • ********* ******** * ****** during **** **** * Chinese *******, ********* ****** Technology **., ******* (“******”) was ******** * **** VMS *******, ******** “*********” which *** * *********** similar ********** ** *** user ********* ** ********.
  • ******* ************** ******** **** Longse’s ********* *.*.**.* ******* used ******* **** ********, including *****, ******, ***** and ****, ****** ** did *** **** *** correlation **** ******** ** have *** **** *************.
  • ****** *** *** **** authorized ** ** ****** any ********** **** ********* to **** ******** *********** similar ** ********** ** XProtect.
  • ** ********* ****, ********* formally ********* **** ****** remove ******* **** *** Herospeed ******* **** **** from ******** *** ****** subsequently ******** **** **** request.
  • ************, ********* ******** *** partner ********* **** ******
  • ********* ***** **** *** customers ** ** ***** that ***** ** ** technical *********** ******* ******** and *** ****** ********* product.  ********* **** *** accept *** ************** *** the ****** ********* ******* and ****** ******* **** it ** *** *** purpose.

Comments (68)

Looks like Video Insight to me.

Good eye. There are definitely elements that look to be ripped straight from VI:

Unbelievable! If this is true which is appears to be, this is a disgrace!

I noticed on the "add new users" there is a - The open platform company!

Good catch, that is in both the OS X and Windows admin interfaces.

Does milestone offer OSX client?

No, Milestone does not have an OS X client, though Video Insight does have a Mac Client.

Neither VI or Milestone have an OS X server.

Do you think they wrote their own code but just plagiarized the design, or did they take the EXEs directly, load them into a dissembler and modify strings etc i.e. like a typical hacked pirated version?

Having a look at the similarities between this VMS and Milestone in the "C:\Program files\..." folder and in the registry and may yield some clues.

Wow. John, are your guys going to do a more in-depth comparison of the two softwares? Also, if one has the HeroSpeed client, can they connect to a Milestone server?

You're asking the wrong questions U4, at this stage your question should be:

Also, if one has the Herospeed client, do they have to reformat their computer afterwards?

But seriously, I'd like to know more about the extent to which criminal law may have been violated. Installers need to know if it is safe to install this software (especially on customers machines), and Longse needs to know if it is safe for him to walk through U.S. customs without being arrested :-)

...which appears to use code stolen from Milestone, is coming from one of the most disruptive Chinese entrants.

Stolen UI design or stolen source code or stolen binaries?

One ominous sign is "Herospeed" and "Milestone" are both 9 characters. Which, when doing a binary patch, makes it possible to replace one with the other without worrying about pesky C null string terminators...

If the binaries are stolen then a comparison between the two EXEs using windiff.exe may show some entertaining results, assuming the code hasn't been obfuscated.

I have downloaded and installed. It seems to be a stolen UI. The DB is mysql.

I probably have just turned my PC into a Zombie by installing this ;)

Yes, I think there is going to be a few of us reformatting our computers this weekend :-)

...and when you run this software, as I may do (in a VM), does it make dubious encrypted tcp connections to Chinese servers? I would not trust this software at all.

Chinese courts have not traditionally sided with foreign companies pursuing infringement cases,

This VMS would also be competing with Hikvision and hence the Chinese government, so you'd think the Chinese courts would be less forgiving in this case.

at the bottom of their page, they list Milestone, Axxon and ONVIF logos - though no explanation of what these mean (i.e. not on a 'compatible with' page, etc)

There were warning signs, though who could have known?

Here is the splash page from Longse's website:

Why would they show a trademark for "VMS"?

Maybe because Milestone lists their own 'Smart Client' with the mark after XProtect?

And why stop there?






...nice tag line

Hikvision thinks so too:

I can't find any reference on their website as to where this free VMS is? Can someone point me to it? Did they already remove it?

There is a link to version "6.1" in the article.

I also could find the windows server components in their website. There is a lack of any details or documentation What features and functions are there? Their website really only has a few items on it, the rest is just placeholders or pretty graphics and generic text...

They don't list the vms, so are they removing it/hiding it on purpose?

Does it support camera motion detection?

I might need to install it to a VM and play with it.

"I might need to install it to a VM and play with it."

Out of general curiosity, I assume.... Because if anyone deployed it, of course they'd pay a royalty to Milestone and Video Insight, right? No here is actually excited about it as being a product they'd use, personally or professionally, right?

while we could do with a solid comparison to Milestone (since they have gone into charging like wounded bull mode) this is a scary direction... can't wait to see what Milestone say.

Well it's been fun, no doubt, but IMHO, what is going on here is Longse has taken Milestone's/VI's English text, a jpg or two and some screen layouts/flow and graphical assets and incorporated those into their program.

But I see no evidence of source code or binary code pilfering.

Why would they do this? Because, it's hard writing English language copy is my guess.

The mere existence of a Herospeed VMS running on OSX with features identical to its Windows version confirms this.

The use of the Wolf jpg and Milestone/Xprotect trademarks were probably just accidentally left in, and since Longse doesn't need them will most likely be replaced.

I don't see a design patent for Milestones UI, so I'm not sure they can successfully pursue anything barring Longse from selling, once it removes the obvious IP.


...but lets not be naive by discounting other possibilities.

About 15 years ago I worked for a north american manufacturer who had at least one of their alarm panels counterfeited by a Chinese company and sold in China. The counterfeiters copied and manufactured the circuit board directly (with no need to understand how it functioned), and they worked out they could extract the software out of the eeprom, so they cloned completely functional panels with no R&D costs to recuperate. And when I think about how hard everyone worked on the R&D of those products...

I wonder if any companies have done the same with cameras? and if we'd even know about it.

counterfeited by a Chinese company and sold in China

Related: Ubiquiti - Chinese Counterfeiter

...but lets not be naive by discounting other possibilities.

I just don't think it's likely that Longse stole actual code (source or binary) from Milestone and/or Video Insight and munged them together to make frankensteined Windows Client and Server executables; Do you think that Milestone the Server talks to Video Insight as a client right out of the box?

Then we have to imagine that they wrote another version based on that exact feature set to act as a VMS server running on OSX. Which no one has done yet, besides them.

Again it doesn't seem likely, do you think it is?

Let me make it clear, I don't condone whatever they did misuse and I don't put it past anyone to steal anything; and cloning a camera's mainboard in one shot is certainly possible. But this is not a wholesale duplication.

And if Herospeed was actually a clone or a near clone of some version of Xprotect, not XVIprotect, I would be more suspicious.

It appears may have stolen what was clear text and graphics and functionally duplicated some Xprotect and Video Insight which is defintely still wrong.

But this is not a wholesale duplication.

To be clear, this is why the title of the post is 'partially stolen'.

I am not sure who you are arguing against who is claiming 'wholesale duplication'.

That said, even the partially stolen part, as you acknowledge, is quite wrong.

The wholesale duplication was in reference to the Ubiquiti scandal.

But you're talking as if everyone is saying for sure that they are definitely using modified binaries, or stolen source code. But I don't think they are saying that, none of us know for sure.

I think you are probably right, but I will play devils advocate...

Then we have to imagine that they wrote another version based on that exact feature set to act as a VMS server running on OSX. Which no one has done yet, besides them.

Again it doesn't seem likely, do you think it is?

I have done exactly this sort of thing in the past many times, writing camera emulators for example. For a subset of features it may not be that hard to take a client and a server, reverse engineer a well designed XML protocol using a tool like Wireshark, and write a different server back end. In fact even if the protocol is published, in some cases it is easier just to use Wireshark to understand the protocol than it is to read the protocol documents directly. Again this may not be as hard as you think, neither is extending an application by making changes directly to the binary (to disable features they can't emulate for example). I once saw an amazing example of how a raw EXE was extended without source code -why did they do it? because it was too hard to write the application again from scratch.

Where does the licensing and copy protection lie in a VMS? probably in the server, so I am thinking the UI's may be totally unprotected from this kind of exploit unless they design their protocols around it.

Did they do this with Hero VMS? Probably not, and I don't know or care, but it is sufficient that it is hypothetically possible. As such VMS companies should make efforts to make sure their products can't be exploited in this way.

I totally disagreed with anyone stealing from another.

Longse is a low ball, second class outfit, SHAME ON YOU LONGSE!

However, I bet in the long run we will, see that the industry will move towards VERY LOW cost or FREE VMS software in the future. There will be a complete SHAKE DOWN on the vendors charging excessively for licensing. What is excessive? Hell I don't know but I do know how customers feel and the questions they ask about paying year after year.

Thank you for reading this Rant!

I bet in the long run we will, see that the industry will move towards VERY LOW cost or FREE VMS software in the future.

Sure, when you can copy other people's work, it is a lot easier to give it away for free...

In all seriousness, I do agree about the general trend, especially for fundamental capabilities like live and recorded video, ONVIF streaming / configuration, etc.

On the other hand, there may be some shake down but also a flight up market as the paid vendors continue to add more niche / advanced features that are irrelevant to basic users but worth a premium to enterprise users (Genetec Security Center, Milestone Corporate, the ongoing improvements to Exacq, etc. are examples of that).

I agree and yes we will always need and have the high end vendors with first class products for a premium.

What about high end vendors with third rate products for a premium? Lenel's OnGuard is my example..... How long is there a place for them?

Unfortunately, pretty much forever since companies like Lenel do include niche features that are unlikely to be replicated by free products in the foreseeable future.

Now, if Lenel's premium features are not useful to you, you could certainly migrate away to many of the other existing lower cost offerings on the market.

How about IPVM offering a new or enhanced version of their IP Networking Course?

"IP Networking II., How to protect yourself from your own security system."

Remind me again why we continue to do business with China?

totally agree!

Because you can give them one of these and they will give you one of these .

But when you install one of those, you're giving them one of these....


...and you'd probably never realize it.

If the Chinese want to pay me $500 to look at my garage door/front door, and my walkway, I'm taking it. I hope they don't find out my upload speeds are crap.

You just might if you have NO EXPERIENCE with Networking and you install the camera INCORRECTLY.

Cameras cannot contact anything out a back door without a network just like Guns don't shoot people without operators.

If you even think otherwise than you must also believe that Pencils cause mis-spelled words!!

Yes but all the chatter of a hundred cameras clamoring to get out of an isolated network is annoying ;)

Your first sentence is exactly my opinion of the majority of security integrators, though.

See, I'm sure you can block your cam's from having net.. but this post is about a VMS, how are you going to decide which packets, with all the other packets your VMS is sending, your going to block?

or are you not going to have a VMS that you can access remotely/without complicated procedures for end users like VPN..?


a good UTM or Next Gen firewall appliance will let you block incoming / outgoing traffic based on the geolocation of IPs. Also, such an appliance, when hardened properly, can block all traffic except for specific services / ports to known IPs/domains/services.

We have the technology. The issue is selling that tech / service to the customer. Most SMBs don't know enough / care enough about securing their network to justify the expense, nor do most have some legal requirement to force their hand.

Moreover, most security integrators in that SMB space don't want to spend the time understanding a customer's network enough to configure and hardened such a device appropriately or deal with service calls to add exceptions when services / things are being blocked.

Larger organizations or security conscious ones likely already have such tech and the staff to configure it. Working with them you could make the magic happen :).

Network security is complex, requires knowledge / education and attention to detail to do it right. There is no silver bullet, but there is very little that cannot be done. It always come down to a customer's budget, desire and need. Kind of like physical security no?

Blocking based on assumed location does nothing, all they need is a box on a US or some other "trusted" location the whole "they are sending data to china" thing is hilarious, they just need to bounce it out of any zombie box anywhere

you can't block/allow based on IP's if you don't know what IP your staff will be connecting from, how many mobile phone providers provide a static IP for devices, what happens when someone who needs access to the system goes overseas?

don't get me wrong, there is the ability to do all sorts of things, but they generally involve making life a massive pain in the arse for the end user.

how many mobile phone providers provide a static IP for devices...

AT&T, Verizon, Sprint, T-mobile

none in AU do, do those static IP's follow your managers when they go overseas?

none in AU do...

Optus, Exetel

Pretty much the cost of Labor and then the cost to manufacture over there.

remember when a 720p camera started at $1.5k?

Longse is the next huawei.

Interesting...if they copied already the functionality of top vendors, what to expect from next versions ? :)

Hisilicon at the beginning also just copied TI chips, but now we have strong technological leadership.

It is easy for us to imagine huge Chinese factories with thousands of workers, then hardware engineers, now we have to imagine huge offices with thousands of programmers.

Imagine the size of China market and ask the question: who is providing software for it ?

The only reason why we still don't have strong VMS player from China is because software in China is free! Software for China market is provided by local hardware manufacturers for free! We know that it is normal for small projects, but it is the same for huge city projects! For example, Univew (3rd after HikVision and Dahua in China) has at least 3 times more programmers than Milestone! But fortunately they are busy with hundreds of versions of their VMS for hundreds of huge city projects, so they still don't have out of the box VMS. But mid size projects already demands high end features and they are ready to pay for it, so in few years someone will take VMS market in China and very likely it will be local vendor.

Regarding Longse...looks like VideoInsight interface, Milestone server and Axxon logo are most popular in China :)

We had the same story 15 years ago when we sell software with capture cards for analogue cameras. In Turkey we realized that someone copied capture boards and software. Software was not binary identical or cracked, but GUI was copied exactly! So, it looks exactly like our VMS, but it was different...with a lot of bugs and much less functionally, so I never worry about it :)

Here's Longse / Cantonk / Herospeed marketing:

They are marketing their theft as a feature. Yes, 'more beautiful interface', thanks to Milestone and VideoInsight. Just terrible...

...thanks to Milestone and VideoInsight.

What shameless copycats!

Don't they realize there already is a MileSight VMS?

After further review within our organization it has come to our attention that Milestone Systems does have a signed Milestone Camera Partner (“CaPP”) agreement with Longse, and thus in correction to Milestone’s earlier response that “Milestone does not have a partnership with Longse,” Milestone does indeed have a CaPP partnership presently with Longse. With it said, Milestone does not presently have any distribution, reseller or OEM agreement with Longse. Furthermore, Milestone Legal and Management teams continue to further look into this matter regarding Longse’s VMS solutions.

If Longse is willing to copy/steal product from reputable manufacturers, how likely are they to put back doors, trojans or other malware into the released versions of the stolen product?

Not that I'm defending Longse, but what would be their motivation or benefit for doing this?

If someone paid them, that would be their motivation. Someone who made money from malware could fund this. For Longse, it would be a way to continue to keep prices down while profiting.

Of course, it is risky but so is running an illegal spam marketing campaign and copying Milestone's imagery, brands, text, UI, etc. into their products.

To be clear, I am not suggesting they are doing this but given how their historical business plan, it is something that could happen (certainly far more likely than mainstream brands whether it be Chinese ones like Hikvision or European ones like Axis, etc.)

I think it could easily happen and not just from them intentionally trying to hide malware in their software. If they used another company to write the interface for them, likely such a company would be using hacked Warez program builders and design tools to do the job, it could easily come from sources like that without them even intending to put malware in their own product. Wasn't the Hikvision app infected because they supposedly used a stolen SDK package..?

I used to be part of a US manufacturing company that had world wide offices, and one of the sources of frustration when the IT director when he visited the Chinese offices was every copy of Windows they had on the computers was a pirated version.

But I wouldn't be surprised if some American integrator tries to get it listed on some job spec rationalizing "Where is the real proof they ripped it off? It's never been proven in a court!".

This is the trend of our industry... everyone just wants cheap, cheap, cheap! Well, this is what you get when you allow China to create a disposable mentality in our own countries.

is it a trend in the industry to charge more for a product that has more problems and slower response times

Milestone now won't deal direct with you unless you have Care Premium, even if you are a long term customer you have to pay a setup charge for every site, the cost per licence gone up over 40%, and that's before you add Care Premium

the lack of competition to keep them in check is showing.

Add to it that Milestone support is poor and slow at best. A crazy case logging system where they ask you a question, you update and a day later they update asking the same question. Terrible! Takes weeks to sort issues..

I don't think there is a lack of competition for Milestone... I think there are plenty alternatives, just Milestone has the power of their name branding going for it.

Update: Milestone has said the matter has been resolved, sharing the following details:


  • Milestone received a report during 2016 that a Chinese company, Guangzhou Longse Technology Co., Limited (“Longse”) was offering a free VMS product, entitled “Herospeed” which had a confusingly similar appearance to the user interface of XProtect.
  • Further investigations revealed that Longse’s Herospeed product used content from XProtect, including icons, images, logos and text, though it did not have any correlation with XProtect or have the same functionality.
  • Longse had not been authorized by or sought any permission from Milestone to make software confusingly similar in appearance to XProtect.
  • In September 2016, Milestone formally requested that Longse remove content from its Herospeed product that came from XProtect and Longse subsequently complied with this request.
  • Subsequently, Milestone canceled its partner agreement with Longse
  • Milestone would like its customers to be aware that there is no technical association between XProtect and the Longse Herospeed product.  Milestone does not accept any responsibility for the Longse Herospeed product and cannot warrant that it is fit for purpose.

"confusingly similar in appearance to XProtect"

That was generous of Milestone to not say "intentionally similar".

Read this IPVM report for free.

This article is part of IPVM's 6,810 reports, 914 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports