I am missing a party in this discussion: The role of the github monoculture. Because all these repos are hosted by the same party, one lawyer writing one letter can cause global disruption.
Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.
But that's irrelevant for the rest of the world. The simple existance of the monoculture makes all of us vulnerable to attacks.
The GH monoculture isn't great, but it's less of a problem than other monoculture threats we've faced, due to git's distributed nature. Thus far GH has not changed git itself, and since every repository is canonical, it's easy to change what the "main" repository is at the snap of a finger. Self host, move to sr.ht, whatever.
I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.
This is only true if you don’t use GitHub for reviews/issue tracking/etc. You’re correct that it’s trivial to move the code, but that’s only a fraction of the critical history and tooling for a large collaborative project.
True, but I've seen many projects that use both GitHub and JIRA (i.e. not BitBucket). Those work totally fine for issue tracking, project management, etc. It's the same amount of friction for what you're proposing. The main thing you are missing out on is a UI for merging and PRs, which is nontrivial but not a moat that can keep a monopoly afloat.
Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.
To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.
> To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline.
Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.
It feels like there's a missing product to go with git: a free and distributed issue management and review system. GitHub should be a view on the data rather than the sole owner of the data
There is git-bug ( https://github.com/MichaelMure/git-bug ). Not at the same level as Bugzilla, but usable. Issues are stored in hidden branches in the git repo itself.
I get emails for all comments and PRs. It would be annoying to lose the GH interface but not repo ending. Allowing issues or pulls to exist only on GH is equivalent to having only a single copy of a something important on an old laptop. Basic backups of any kind solves this issue.
I believe iTerm uses GitLab for issues and GitHub for source control. GitHub issues didn't have a core feature they needed issues, but it was already canonical for code.
Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project "google style" where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....
Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github, none of these are distributed or really portable and for many projects this makes them decidedly not a "mirror service with discoverability"
> where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....
Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.
Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project
Where are you setting up Gitea and Drone that is protected against DMCA requests? Any US-based host will happily act on DMCA requests.
What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).
There ain't no stopping the DMCA train. I started hosting my own code at gopherworks.io if you want to see what that roughly looks like.
My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.
Thanks for that link! I've been pondering these things on my own for quite a bit. Seems like there's a quorum of like-minds now, so I guess I should probably join the discussion.
While that would work for most text transfers (or otherwise low-bandwidth usage), many other use cases would be near impossible to get to work with good performance over Tor. Think video hosting and similar.
Use vm to to connect to vpn to purchase vps hosting in a foreign country with good internet outside the jurisdiction of U.S. Maybe do some research to see if hosting provider has a history of complying with U.S. laws or cooperating with U.S. law enforcement.
A federated code hosting platform would solve this problem. Having an account on one and being able to create issues or merge requests on others, would make getting away from Github much easier.
Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.
It's really quite strange that issues aren't able to be just cloned/PR-ed like the rest of a git project. But I guess it protects git hosts to keep that [ironic] difficulty in propagation in.
To me it was the day they removed the discussion filter functionality from their search engine. It was a purely advertising driven move: from now on people searching for a keyword couldn't anymore filter for other people talking about that thing but rather they would be inundated by shops selling that thing or shills promoting it.
That plot however was probably much older, since the obvious wonderful alternative, Dejanews, wasn't available anymore for having been already bought by Google many years before.
I've found that a lot of people are adding "reddit" to their searches as a poor-man's discussion filter. It sort of works but it's also sad in how it's another reflection of how centralized and concentrated the web has become.
That's certainly what I'm doing, and I'm hoping that there will be some alternative by the time reddit becomes useless (it seems to be moving in that direction, although not too quickly for the smaller niche subreddits).
Turns out buying Sealand in order to continue to run ThePirateBay was over-engineering, as ThePirateBay is still alive and running today, albeit in a slightly different form than before.
For now? It seems like a lot of torrent info sites have been closed down (just from reading https://torrentfreak.com/, maybe more pop up than get taken down?).
Don't know. Swedish police (et al) have been trying forever to shut it down, and while they have momentarily succeeded, it always seems to come back up.
I'm no longer familiar with the architecture of TPB, but they seem to be running things in a much more decentralized fashion nowadays, where bunch of independent sites (at least independent domains) are running a frontend with the same database content. Unsure how that works behind the scenes.
But rest assure, you can always find a domain which is not blocked and that is mirroring the content of the proper TPB. In my case, thepiratebay.org is blocked by my ISP, but thepiratebay.party is just a few hours behind (confirmed via VPN)
Compare the following pages for example (if thepiratebay.org works for you)
>...buy Sealand in order to host trackers out of the reach of authorities?
Sealand is within the territorial waters of the UK. No sovereign nation has recognized Sealand's independence from the UK. Even if one did, according to international law, artificial islands and structures don't possess the status of islands.
I remember there was an international ruling where the US was in a trade violation, and I thought the country was permitted to waive IP enforcement until they were compensated.
Not sure about Trinidad and Tobago. Antigua was the one given the right to violate US copyrights to pressure the US to abandon it's illegal gambling restrictions. It was given that right by the WTO.
Considering that it's a DRM module, it's not a surprise. I believe anyone with a DRM module that does not protect it is at risk of losing their license with the content owners. That basically why DRM exists to begin with.
Blaming the content service is easy since they're user-facing, but it's shallow. Content-related restrictions are, in my experience, almost always dictated by the content owner. Region locks, availability windows, use of DRM, DMCAs for anti-DRM, etc, are all at the requirement of the content owners.
I don't think these modern Internet-based service providers care about that stuff much, they have little incentive to. It's driven by contracts.
Incidentally, this is always the reason behind region locks. Service X or content Y isn't available in your country? Don't blame the streaming service, blame the content owner.
Switzerland won't stay neutral and definitely isn't some untouchable fantasy land; it has to be stored outside the boundaries of individual countries, ergo, decentralized solutions like some other commenters mentioned. Git is great for that. I wonder if, in addition to IFPS and the like that were mentioned, if there is a tracker or index of git remotes out there - just a big list of servers hosting git, ranging from the big ones like github to someone's raspberry pi hooked up to the internet to idk, usb sticks in a geocache.
Drew seems like the type to fight illegitimate DMCA's.
Edit: I'm curious, why the downvotes? I am legitimately trying to be helpful. I recognize if you have personal differences with ddevault, but he puts his code where his mouth is.
If I'm misunderstanding said downvotes, please enlighten me.
Edit 2: Many thanks to those who have responded. It appears I misunderstood about this specific instance, where the DMCA does have some legitimacy.
Didn't downvote, but I think you overestimate anyone if you think they'll go to court for you against an org as big as the RIAA or Google (unless perhaps if it's the EFF).
My (flawed?) understanding of DMCA is that the project whom a DMCA is filed against can counter-file if they believe the DMCA is illegitimate, after which the burden of going to court is between the group that filed the DMCA and the group they targeted.
The problem with both RIAA and Google takedown demands is never about the DMCA takedown in relation to copyright infringement, its the circumvention (it seems that EFF understand this very well, but most online commentors didn't get this, which was exarcabated by GitHub using the DMCA takedown repo). Now, no one knows if GitHub were also directly targeted by legal threats as an acessory to "enable" the distribution of circumvention tools, which RIAA and Google is arguing.
Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.
This is absolutely a legitimate DMCA notice. The repos in question are created with the sole intention of bypassing a DRM scheme, which allows for takedown under DMCA 1201.
> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.
> Additionally, the Git repo contains several files that violate Google’s copyrights:
> <a bunch of files>
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
> > It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.
That bit is probably irrelevant to the DMCA takedown procedure, which only applies to "material that is claimed to be infringing or to be the subject of infringing activity". I don't think there's much clear precedent to what "be the subject of infringing activity" means, but decryption tools that don't use stolen code definitely don't qualify as "material that is claimed to be infringing".
And if Google does want to claim that the circumvention tool is infringing a Google copyright rather than merely running afoul of an unrelated provision of the DMCA, then Google has to specifically identify their own work of decryption code that the circumvention tool is ripping off. All this notice specifically identifies in the way of actual infringement are two documentation PDFs and an API header file (and we all know where Google stands on API copyright).
Or a polite request to github, apparently, which seems to work too.
I don't feel as bad about it here as about youtube-dl. I disagree, mind you -- I'd like github to act as a neutral service provider -- but this one is a place where I can see why githu might hold a different opinion. It's an ideological split like abortion, gun control, or similar, where reasonable people can violently disagree.
The whole "Sensitive Data takedown request" is also a github thing, but this one is a written policy:
Almost every western country has ratified the 1996 WIPO Copyright Treaty, which requires laws broadly similar to the DMCA. The DMCA is just the US's implementation of the WIPO treaty.
Of course. That being said, wasn't there a big discussion when this happened to youtube-dl about how that was almost certainly not a legitimate DMCA? That being the case, disregarding it would not be illegal, at least to my (quite limited) understanding.
It appears I misunderstood in this specific case as there is a much stronger case for this DMCA to be considered legitimate.
The EFF has been supported heavily by Google in the past. Some of the lawyers at Google worked at the EFF and vice versa. Moreover, they often have private fundraising parties for Google staffers. I doubt they're going to bite the hand that feeds them.
Possibly because if anything is, this is a legitimate claim. Ignoring the "it's a tool to circumvent DRM" nonsense (which is a "legitimate" claim under the DMCA).
The repository itself is pirated code - it is code held under copyright by google, and google doesn't want it to be public, therefore anyone distributing it is violating copyright. The DMCA claim is substantially less than what they could do. Actual copyright violations have very large fines.
This is maybe one of the few use cases where a cryptocurrency can help; in a similar vein to the effectiveness of BitTorrent.
Specifically, Filecoin (built by the IPFS folks) could be used as a datastore for git. You can send DMCAs to pseudonymous Filecoin operators all you want; but the content will still be up if one operator keeps hosting it.
Hopefully it will also encourage all commits and repositories to be PGP signed (and not through a centralized FVEY platform), strengthening security, authenticity, and trust.
Space-based crypto-funded storage for guaranteeing that one operator.
The best part about non-GEO satellites is that, although you can't see them 24/7 from one location, that also makes it incredibly difficult to jam their uplinks continuously.
It was going to happen. When Google was making money off of piracy by just running a search engine, it was happy to encourage it and celebrate the philosophy. Now that they're cashing big checks from advertisers and content companies, well, they're just following the money.
This is just not true. It's up to individual content providers to decide what resolutions to supply via L3, and for Netflix and Amazon Prime, that resolution is 1080p.
Do you have a source for that? This page[1] says Firefox and Chrome on Windows, Linux, and Mac only go up to 720p. Chrome on ChromeOs goes up to 1080p, is that still L3?
It seems that many streaming platforms disable 1080p by default, and I assume that this is only for performance reasons (some hardware struggles to run an obfuscated software video decoder...) - it's not a DRM limitation, and in netflix's case it can be re-enabled via trivial changes to the frontend JS.
This is true, but if you care about quality you'd go directly to the third party source.
All of the content I actually use Netflix for is available in 1080p on L3 (Which matters to me, since L3 is the highest supported level on desktop x86 Linux).
Level 1 means everything is done in a secure enclave from what i understand.
I wonder if google does something similar to bluray AACS where if a level 1 device is compromised they can revoke just that device (or manufacturer's key). If not, i wonder why they don't.
(To clarify my curiosity is in an abstract way, i am ideologically opposed to DRM)
mainly because it's hard to trace back which device key got leaked, especially if all you have to go on are whatever the ripped videos. if you had the tools it'd be much easier, but that's probably kept under tight wraps by the piracy groups.
I suppose if you have the entire decoding process in a secure enclave you could also make it watermark the resulting file with which key was used to decrypt.
Widevine L1 does in fact watermark the decrypted bitstream. I don't think it's still true today, but there was a period last year where releasing decrypted L1 content without re-encoding meant sacrificing an NVIDIA Shield. The Shield was the only L1 capable player which had a known weakness and Widevine would revoke the device key based on the watermark in the bitstream.
Nowadays the piracy groups seem to have found a way around this. Presumably they found a way to strip the watermark, but we can only speculate as the groups guard their methods closely for obvious reasons.
I guess the watermarking scheme would include some randomness so you cant just trivially diff, but making a robust scheme is probably hard.
That said it doesn't need to be that robust, since the pirate only has to slip up once to get caught and its hard to know for sure if you got the entire watermark out.
> The intent is to prevent all copying, both counterfeit copies and legal copies of one's own content (for example, format shifting).
>
> Verance claims on their website that, while the watermark is able to survive recording through microphones (such as recording a film in a movie theater with a camcorder), as well as compression and encoding, it is imperceptible to human hearing, as well as that the presence of the watermark does not affect audio quality.
A Herculean effort to create artificial scarcity. Thank you, capitalism.
Although it's claimed that this survives arbitrary transcoding, I'm really not convinced that's mathematically possible. I think it's much more likely that they've just chosen to embed information at a very low bit rate.
Having never heard of this before, I did the natural hackernews reader thing -- search for a bypass -- and came across this interesting forum discussion [1] from ~2014, in which a large number of people state that a reverb effect gets rid of it. The original author writes:
> get an program named Audacity open the converted audio file in freemake
> and open the file in Audacity choose File>Open then Edit>Select>All
> then go to Effect>GVerb
> make sure to have the following configuration:
> roomsize (m):1.0
> reverb time (s): 0.1
> Damping: 0.0
> Input Bandwidth: 0.20
> Dry Signal (db): -7.0
> Early reflection level (db): 0.0
> Tail Level: -17.5
Other methods of bypass include using a player that doesn't check for the watermark, patching out the checking code in a firmware image, and simply swapping the HD-DVD / Blueray audio with one from a DVD.
Some further useful information -- and a statement that they've put the details in their patent!
> The Cinavia detection is sensitive to pitches and time sequence of features. The specific feature that detector looks for, is already clearly stated in Verance patent US5940135:
> [2] www.google.com/patents/US5940135
> If you study the patent document you will know the feature is delayed correlation. They also use hopping to change the delay of the correlation within the pattern of the same watermark. The actual delay, and the hopping pattern between delays, is their secret and security. That information I cannot disclose. Nor is it needed to defeat Cinavia.
> The fact of the matter is Cinavia added an artificial signal to rapidly change the delayed correlation in short time internals. Analysis the audio and you can see it causes an un-natural ripples in the frequency space. If you can see those un-natural ripples, you can smooth it out and remove it. Just remember, in real world, different frequency components of a sound does not change that rapidly. They generally decay over a fraction of a second, and human ear can not catch it if a frequency shows up and then rapidly goes away. So the way to defeat Cinavia is do not let any frequency component go in and out so rapidly. If it shows up, let it stay for a little while longer. Stretch it out a bit, before letting it decay out.
> That will defeat Cinavia for sure. Make everything vary more slowly and smooth out any ripples. It also beautifies the sound quality.
> When people sing, the pace of their singing is much slower than normal speech, right? A sentence that takes 3 second to speak, a singer will spend half a minute to sing the same sentence out. The slow varying is what makes music beautiful, and it is also what can kill Civania!
> Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.
Whichever one your device has. Its a technology that google licenses out. If you are making a device that has a secure enclave you can apply for a license for level 1 widevine.
If indeed level 1 has been breached, presumably it happened via one of those weaker secure enclaves.
I'm guessing that the people who have this cracked keep it a secret so only their inner group has the method which lets them leak all of the new content and Google has no idea which key or process has been cracked.
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
One method appears to be playing back on a legitimate player, then using HDCP strippers on hdmi/displayport outputs[1]. I've seen some 4k releases that clearly show the streaming site's playback controls, for instance.
Is that considered decryption? Wouldn't that both decrypt and decompress? What if someone wants the original compressed stream so the video doesn't need to be re-compressed?
That can't be done without hardware hacks, which can (often) be traced to isolated hardware which the manufacturers will then lock out or force a software upgrade for, making it impossible to use in the future. That's why most 4k pirate releases are re-encoded from HDMI, not lossless rips of the original stream as they are for 720p and 1080p.
There have been a bunch of papers recently about using undervolting to break secure enclaves. No idea about how applicable that is, but that might be a possible attack vector.
In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies
They are practically asking for Streisand Effect... if you distribute your key with the software, then whatever form it is in, I would not consider it "private" at all!
This is DeCSS all over again. Was that ever resolved? It seems to me the original DeCSS complaints were more or less dropped because technology moved on and they couldn't mount a defense in a real court, and had to rely on bluffing.
Case was dropped by the DVD CCA in Norway because the number was no longer secret. That isn't relevant for section 1201 of the DMCA. It cares only if the program's intent was to bypass copy protection. DeCSS, and even libdvdcss, are absolutely infringing on this, and can't be hosted in USA repositories.
How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these? I think there is solid legal DMCA ground for them to remain hosted in the US, without even needing to reach for the whole "freedom of speech" thing.
I won't even get into how I think GitHub is being overly courteous to media companies by extending takedown ability for alleged Section 1201 violations. I'm firmly convinced the only remedy the DMCA offers for that is via the courts, and that the takedown process explicitly requires the identification of infringing material, not circumvention tools.
These laws are similar in what seems like a number of countries, and the reason why they're like this is quite simple: They want to have the cake (getting money from extra charges on stuff like DVD/BD burners, writeable media, hard drives etc. -- which you get charged to offset fair use and related rights) and also eat it (effectively denying you the rights you already paid for with those surcharges).
In a normal world, I can only do one of these. Either I take the money, and render services or goods OR I don't take the money, and then don't render the services. But in RIAA/DMCA/GEMA/...-Crazytown you get to charge people AND actively avoid delivering anything.
The Librarian of Congress (if I remember right) can declare three year exemptions to the anti-circumvention provisions. They have to be reviewed and renewed every time. Jailbreaking a smartphone is one example of an exemption that was granted in the past.
It really is a ridiculously one-sided law that gives all power to private media entities.
Fair use is about copyright. The DMCAs anti-circumvention section means you can't distribute software designed to circumvent DRM, even if that software isn't itself infringing. So I don't see how fair use could apply.
At a minimum, Google's counsel testified under penalty of perjury in this takedown letter that they took Fair Use into consideration, so there must be at least some application here. (And if there isn't, that sure is a strange sentence to have in the letter - almost as if they are misusing this takedown letter template after all!)
Fair Use is about using copyrighted content, which is widely shackled behind DRM. Any court can easily see that in order to exercise your right to use that content in a Fair Use sort of way, you must break the DRM. Therefore, the existence and availability of DRM-breaking tools is a necessary condition for Fair Use to be exercised at all in conjunction with the modern media landscape.
DMCA does not include fair use as an allowable reason to circumvent DRM. That is one of the reasons why DRM sometimes shows up in weird places because it effectively limits fair use rights (see also all the right to repair stuff that people have been talking sbout lately)
>DMCA does not include fair use as an allowable reason to circumvent DRM. //
Could you cite the law you're referring to here please?
The UK CDPA as amended to follow the EU's Marrakech directive seems to say anything that prevents you from exercising your Fair Dealing rights to make content accessible for disabled people is void if it contradicts these rights. This seems necessarily to allow for circumvention of DRM (for people with disabilities and specific registered companies) but that also appears to mean production of circumvention means needs to be legal otherwise such accessibility will be impossible.
DMCA is the Digital Millennium Copyright Act, the latest amendment to USA copyright law. Text of the law is here: https://www.copyright.gov/legislation/dmca.pdf . GitHub is a division of a US company, Microsoft, so it is bound by US law.
Actually, it is more complicated than that. To exercise fair use defense (yes, it is a defense and not a right in US Copyright law), you must be able to use a process that is non-invasive (as stated in DMCA). So, if a DRM is preventing you to screenshot it, you are actually required to use a camera and exercise the analog hole. This is definitely disappointing, and I am not personally endorsing it, but the law as it stands does not lend credence. (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.)
> (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos. This was conspicuously absent from all discussions I've read.)
It's absent because RIAA's intent is not stated. They did a blanket takedown, unprompted. As far as I can tell they never requested any particular modification. IIRC the only hint that it might be related is a mention that the rolling cipher algorithm that YouTube-dl "circumvents" was ruled to be DRM under German law.
However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)
> However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)
This is definitely untested in court but I won't be surprised if it is indeed part of marketing. The problem with the tests is that they do download the video, even if it is a small amount and since ytdl does not reject the video for downloading at all it is technically infrigment, probably without a valid fair use defense. If ytdl has actively rejected that (for example if the test units are specifically to prevent downloading those types of videos), they may have a stonger defense against RIAA claims.
Not in their entirety, but it still downloaded a second for each of those videos. Interpret that as you wish, but I will not be surprised if RIAA will use this.
Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”
This nonsense about "it's a defence not a right" discredits you.
It's a right because where it applies there is no tort. Like an allowed right of way over private property. Yes, if a you have someone abusing your rights by filling frivolous suits then "it's a defence", of course it is they're trying to assert a right they don't have.
Such needless couching of public rights in an authoritarian way is really offensive to the purposes of copyright, which is granted by the public - the demos - to private parties. It's not a natural right, and so yes, under Fair Use there is no right being infringed that a valid claim of tort can be made for; so one does have a right to do those things.
Material doesn't infringe rappers^w people do, context is important as well. For example in UK Fair Dealing time-shifting of live broadcasts is allowed, but retention or sharing (eg watching a recording of a TV show with another person!) is not.
I think both the USA and UK DDAs allow copying as part of production of accessible content.
Honestly though, I'm not sure how this fits with "circumvention" the wording (UK) appears to allow it.
> How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these?
Fair use is not a right. It's a defence. You're still infringing copyright, but this is an infringement that they cannot punish. Importantly, law makers see fair use as a restriction of the rights of the copyright holder, not as a right granted to users of that IP.
Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”
It might not be an "affirmative" defense, but to my understanding that doesn't imply it's a right. A "right" as I understand it is something that is illegal for others to violate, and that government generally has a duty to protect. But there's nothing unlawful about creating something that's uncopyable, or about guarding what you have so closely that others are unable to copy it; in fact, I would've assumed being able to do so is itself your right. And should you create something that's uncopyable, nobody will be able to copy it, even if it would be fair use for them to do so. They might be upset about this, but their rights definitely aren't being violated by your creation or protection of that thing—and the government can't force you to make your stuff copyable. (Or maybe it can with additional legislation, but I'm pretty sure we don't have such legislation.) That means "fair use" isn't anyone's right... it's just a valid defense (whether "affirmative" or otherwise).
Offering you a platform is not the same thing as ensuring that it's even physically possible. The argument wasn't about the government hosting copyrightable content for you or delivering it to you; it was about ensuring it is even possible for you to copy content.
Preventing something from being copyable is only possible by not distributing it. If you can see it you can copy it.
The copyright holder could prevent you from copying it by never distributing it, but that doesn't mean you don't have a right to fair use, it only means you don't have the ability to exercise that right. Much the same as you can't exercise freedom of the press if you can't afford a printing press (or any modern equivalent).
It might be physically impossible for you to have an abortion, e.g. because you're infertile, but that doesn't mean you don't have a right to one under existing precedent.
When a "right" is spoken of in legal discussions (which this clearly is), it implies a "right by law". If you want to talk about another right, like your "moral right", you'd usually say exactly that.
But yes, even rights defined in the law can and do get redefined, newly introduced or removed.
You're wrong: You can break copy protection if you own the rights to a work. This means you can e.g. circumvent Window's license checking if you own a copy of it already. The DMCA does not criminalize that, nor could it, and this is probably why py-kms is still up on github after a copyright challenge.
This was a change that I am assuming was added before any complaint could be mounted about this use case for fear of striking more of the DMCA down than just that provision that was modified.
It was "resolved" by new laws being introduced almost globally that make development, distribution etc. and potentially even possession of "circumvention devices" illegal, making it possible to do such takedown requests in most countries that provide infrastructure.
CSS only used 40 bit keys to comply with US export controls, so with modern computers you can just bruteforce it without knowing the key, so the key is very much a moot point at this point.
It would be great, although the real difference here is that the DeCSS key was almost impossible to change once it was leaked, while the Youtube key is comparatively trivial to change.
What has South Park got to do with it? The "Streisand Effect" was because of Streisand suing a photographer in 2003 causing people to realise where she lived and getting photos of her house, and the phrase was coined in 2005 by Techdirt.
There must be some kind of Mandela effect going on since I feel quite sure I was using this in 1998 after Streisand voiced distaste at the South Park episode.
I thought copyrights on numbers were deemed invalid? Copyright applies to data as it appears right? You can encode a number in any base, the idea that a company has copyright on every base encoding is equivalent to me saying I have copyright on every key because I wrote a program that enumerates all keys.
> I thought copyrights on numbers were deemed invalid?
They are invalid. It's interesting since it implies copyright itself must be invalid.
All intellectual property is data, information, a collection of bits... Also known as a number. Copyrighted works are actually just numbers. Really big numbers. Creators are just trying to discover those numbers through their labor.
It also means such a program would be illegal, since it would also necessarily involve the creation of numbers that can be interpreted as truly illegal content.
Hopefully, it will hang at least till monday, so some of you will be able to clone.
It is based on commit ed8a97745c69b8cc0fc7f59cec9474b216b49e16 which is latest archived by Web Archive (and signed by Github!). By the way, it is still possible to fetch original repo, provided you know the commit id above :)
Trying to get Widevine going on iOS / macOS has been a royal pain in the ass so far (crashes when you touch the lib while having a debugger attached, so you can't even debug your own code unless you swap in a severely castrated development version that only works on the simulator) and Google guards access to the official libs and docs like it's the precioussss.
To me this is just one of the many developer hostile steps I've seen. I understand they don't want you to access illegal content too easily but honestly the only thing that could drive me back to Torrenting is the declining quality of content on Netflix & co.
I honestly believe this is just a small component, which is a part of the long term strategy of the RIAA and others: a periodical check to test the waters to see where public opinion is at, to be able to guage if they can implement more dramatic and restrictive DRM mechanisms yet [1].
They are either 1) waiting for us to be too exhausted to notice/care/fight back, or 2) seeing whether they have to go further to 'protect content creators' by lobbying for more draconian laws that allow for the use of new DRM strategies. It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2], yet is now used as a way for business owners to avoid personal liability/responsibility. One could even argue that Corporate personhoood is one of the most destructive forces that exists today; causing some of the worst crimes in modern history [3].
It's important we continue to fight back and set a precedent for protecting users over corporations or governments.
This has been brought up before in the other threads, but just because you self host doesn't mean you can ignore DMCA takedown requests. You can choose to ignore such DMCA requests if they decide to send one to your self-hosted website, but not honoring it means you think you're not infringing on their copyright and are willing to go to court over it. If they don't want to go this far, or you try to not include contact info, they'll probably first send a DMCA to your web host/registrar who will suspend your hosting/website unless you counter-notice, which still means you've got to be ready to fight a lawsuit (note that Cloudflare forwards DMCA requests to your web host company, so you can't hide behind CF).
Dutch law also has provisions against DRM circumvention technologies, so if they have proof that you're doing it, you can expect a lawsuit.
They won't find proof if you host the code on a git instance that's only accessible to you, but if you share that server with the internet, you can expect the RIAA (or more likely, their friends over at BREIN) to sue you (after getting your details from your ISP through another lawsuit).
Responding to a DMCA is free, copyright lawsuits are purposely expensive. You'd better have money for a good lawyer or good legal insurance if you plan on sharing your local Gitlab with such code.
One thing I considered is getting myself an instance of a small Gitlab clone with little attack surface and hosting the code on TOR. Ignoring the potential ethical issues, that should provide good defence against legal repercussions from groups like the RIAA and the MPAA. There's always a possibility that you'd get Kim Dotcom'd if your code gets popular enough, though.
You still got your ISP which likely includes some verbiage in the contract about prohibited use (but even if it doesn't, if the law makes it illegal, you and your ISP can be taken to court with it).
As someone outside of the US, luckily it seems most US companies think that US law applies globally.
I've got quite a few DMCA notices from rights holders, but never anything actually relevant to the country of my citizenship, where I live, or where the server is based.
Well, since youtube-dl was the news, they have cited a German decision on the takedown request, which solely references German law. I don't know German enough to find this specific law, but I do know that by default copyright associations have a presumption to copyrights over certain media (like GEMA's case in music, which is used on YouTube around 2010, and Google was found guilty of that and therefore Google pays royalties to GEMA).
Just out of curiosity, how does it go with Cloudflare Workers? Obviously, any proxying is done dynamically in your own code, with no DNS records saved with Cloudflare. What's actually counted as a "web host company" or "origin" to which claims are forwarded with Workers?
CF indeed becomes the actual host of the content, so I imagine (if it gets routed correctly) trust&safety will suspend the worker and/or the worker KV namespace until you contact support to counter.
Wherein, Google asserts a copyright on the API for their license system, the protobuf file. Maybe this file is more creative than the Java APIs?
Additionally, the Git repo contains several files that violate Google’s copyrights:
Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-decryptor/blob/main/license_protocol.proto
Isn't DRM... Completely fucking pointless? I can go on The Pirate Bay and find 4K rips of all movies and shows I want. If DRM can't prevent that, what's the point?
All it does is infringe on our rights to be able to do what we want on our own devices. It's crazy.
> All it does is infringe on our rights to be able to do what we want on our own devices.
No, but this is exactly the point of DRM and the legal protections around circumventing it. It never was about copyright protection. Copyright infringement was already illegal before the DMCA, and the introduction of DRM didn't make a dent in the amount of copyright infringement.
The point of making DRM circumvention illegal is for me to be able to sell you a bunch of bits, but ensure that I don't have any commercial competition in regards to how you use those bits. You can't legally make a device that plays DVDs without the blessing of a cartel known as DVD FLLC. You can't legally make a device that plays music from iTunes without the blessing of Apple. Etc. It's about retaining monopolistic control over media distribution and use, by forbidding certain forms of competition in the market.
Getting a law passed that forbids market competition (in many countries! not just the US) under the guise of being about copyright protection, is one of the greatest cons I've ever heard of, but that is what has happened.
DRM is mostly legal instrument. If you want to be able to sue people based on circumventing protections, courts need to consider your "content protection" "effective", which essentially means that it takes more than five minutes to circumvent. It also means that, since we're now talking about DRM that'll be protected by patents, copyright and obscurity/NDAs, that these DRM mechanisms centralize power to the owners of the DRM. This can then be easily leveraged to control and restrict e.g. the features playback devices may have.
If this were true, DRM would be trivial and made with easy to implement things like "detect if user right clicks, and pop up a message saying 'sorry copying not allowed'".
DRM is not that - a massive technical effort has gone into implementing DRM deep in system architectures. Modifications have been done across every layer of the stack, across hundreds of companies of differing goals.
You only go to that much effort, at that great a cost, if you are hoping for DRM to actually work, rather than just be a thing you can hold up in court and say "we tried to protect it your honor, we really did".
The "level of security" (~tech effort) is the main competitive selling point when DRM-vendors lobby studios for endorsement. The studios are probably partly being sold a pipe dream of "unbreakable DRM", but the person you responded to also has a point.
Weak or nonexistent DRM reduces the provable malicious intent of a ripper. The more effort it takes to break a DRM, the less likely it seems that you don't understand that what you are doing is wrong.
Recent events have shown that even simple google cypher may be effective.
Even more effective is modifying your product to fit customers by NOT region locking your content, by not splitting it over multiple platforms. Using law to pretend that the global network does not exist is simply dumb and leads to piracy. DRM won't save backwards digital rights owners.
> This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.
It never ceases to amaze me how easy it is to boil frogs, even if the frogs in question are high-IQ, technically sophisticated HN readers.
Right now, you can still circumvent DRM, because you can still buy something that's approximately a general purpose computer (even if it will invariably already come with some remote-acessible hardware level spyware outside your control). But if current trends continue, this will not be the case by the end of the decade.
Also, preventing private individuals from receiving and distributing unauthorized copies is only one way in which DRM is useful to companies.
Denuvo has been fairly successful despite what the pirates say. Several extremely popular games have gone many months with no crack. DRM isn't completely pointless, but it does require securing everything for it to work. Denuvo would be pointless if it weren't for the various secure virtualization features which are built into the CPU itself.
Denuvo actually didn't promise that it won't be cracked forever. It promise the consumer it won't be cracked in N day after the release. Primary purpose is to stop the day 1 pirate from hurting the selling count hard.
The movie industry doesn't seems like use it in the same way.
It's kind of silly that normal user was prevented from watch the video normally while pirates do whatever they want becuase the 4k hdmi hdcp can be easily removed by just a dongle.
DRM in the movie industry is mainly targeted at device vendors instead of customers. They want control over the playback experience and have a say which features the playback devices offer to users. Something that allows recording parts or skipping of the ads? Not great! That's also why there is a Widevine device revocation database for playback devices, while I'm not aware of something like that existing for Denuvo.
Sadly, if they actually cared about the consumer, then they would remove DRM after those N days. Since they don't, I just don't buy these games (Sonic Mania damnit!) , and I'm probably not alone..
Because it doesn't have to be 100% effective to do its job. If your choices are to fork over $20 for a copy, pay $10/month for a streaming service, or pirate it from a shady site, most people would go with the first two options. The main goal is stopping casual piracy, aka. asking your friend to make you a copy.
I find it goes the other way. I pirate things when legal services become too cumbersome, unethical, or dirty. DRM often does that. I won't avoid all DRM, but there's a threshold. The RIAA crossed with youtube-dl.
When I was in college, price was an issue, and piracy was there to save the $10/month for most students, but the alternative was not having the music/software/etc., rather than a legal sale. The actual financial loss was close to zero. I think the reason for DRM isn't so much to prevent profit-losing piracy, as control.
Movie and record companies want to differentiate pricing by market. They want records of who watch what and where. They want to be able to expire things, explicitly or implicitly (if I go Android<->Apple, my iTunes/Google Play collections become less helpful). That has business value.
As for paying customers, when I was a student, they could have milked me for $5. As a professional, I don't really care what it costs, and I don't want to bother with piracy, and I'll do whatever's most ethical. The RIAA just told me what's most ethical is not listening to new music, followed by pirating music, followed by buying music.
RIAA is a cancer that is growing on artists. I don't know any who would like their art to be gatekeeped in this mafia-esque manner. These days most artist understand that legitimate fans will buy their art if it is easy and affordable. Nobody needs RIAA today and these type of organisations who profit off of artists without bringing any value should be made illegal.
That would be the case without DRM. With DRM my options are:
- Pay $20 for a copy that I can't play on all of my devices, and that I may be unable to play at some point in the future if the producer decides they don't want me to anymore.
- Pay $10/month for a streaming service that won't allow me to watch at full resolution on several of my devices, and has no guarantee that the content I want will continue to be available.
- Not consume the media at all.
- Download it from a shady pirate site, but then assuming it actually is what I think it is (which is questionable) be able to use it however I want.
The piracy option is not all that shady at all (there are good sites, and even the bad sites just need you to know what a magnet link is and not clicking on other download links), and you can get DRM-less copies in any combination of size/quality/encoding you want. It always boggles my mind how people in developed countries have not (all) caught on to this. You can even easily stream the content, using, e.g., peerflix. There is even opensource software that creates a media server, though I have not tried them. And these are all just the mainstream stuff. There is lots of niche piracy, e.g., Telegram channels and groups that post books, movies, TV series, etc. Telegram bots that just give you any music you request (I personally found them better than a premium Spotify subscription). Google shared drives that have everything. Sites that offer direct download links of everything (these sometimes specialize to a certain category, e.g., games). Piracy is so mature that it was and is much better than the best money can buy.
Any peer-to-peer solution is very likely to (at least in my country) contain honeypots to find the IPs of people downloading (which is not illegal afaik) and seeding (which is illegal) copyrighted media. They then take those IPs to the respective ISP to obtain your identity and send you "pay us or we sue you" letters.
Just buy a VPS/VPN that is okay with torrenting. (My suggestion is to try the different services and stick with one that doesn't ban you.)(I have never encountered one that cared, but some VPNs did feel like they throttled torrent traffic.)
Plex + Sonarr + Radarr + Deluge running on a seedbox is far far beyond what most people think piracy is. That setup can search for shows for you across multiple public and private trackers, download them, sort them, watch for new episodes or movies, notify you when they are downloaded.
I personally have settled for the 3rd option and I don't feel any loss for that reason. The really create FOMO in people, just look at how many paid Disney to watch Mulan early even with a subscription.
The market is littered by art like products driven by analytics and it is hard to find good art. Sometimes I play some new releases on Tidal when I am working and there is rarely something that would make me store it in my own playlist. Everything is the same and they protect it like these were some nuclear plans.
That doesn't make any sense. Not only is it not any harder to get it from some website than from your friend, the way people get it from their friend is by sharing the original disc or their Netflix password, which the DRM doesn't prevent in any way.
Yes movie DRM does seem completely pointless. Game DRM on the other hand does seem to hold up for the first few months which is where most of the sales happen. It would be nice if devs dropped the DRM once it is cracked though.
The point isn't to protect content, but to need permission from the DRM makers to make a viable browser (or TV, or music player, or ebook reader, or...) Without their blessing, it won't work with locked content, and your users will go to a competitor favored by the DRM owners.
You can record data coming to the LCD panel or record the TV screen by a camera. With just degraded quality. On the other hand, I can't even take a screenshot of DRM-protected content on Android which can be very annoying sometimes.
DRM is an extra fee imposed on the parties that follow the letter of the law. It's like building permits but the transfer of wealth is to a private entity instead of the state (which has its pros and cons).
Like others said, for non-interactive media it is mostly pointless, but for executable code (especially stuff that's online or will update a lot, like games) it does some work.
Not as disappointing as Americans who enacted abusive DMCA law which makes hosting such keys illegal. Blaming a company to follow law you've passed is lopsided.
Don't blame Americans. Blame the RIAA / MPAA for bribing politicians, and blame those politicians for going along with it. Plenty of citizens complained.
This might be a good explanation why my Philips 55POS9002 oled tv can no longer stream 4K with Netflix/Prime/YouTube. A Widevine certificate was revoked for some Philips TVs. Maybe the RSA key was leaked in the Philips firmware.
Not yet. Apparently Philips (TP Vision actually) is working on resolving the issue. If they can’t fix it I will definitely go back to the store (Dutch law makes them responsible for any defects) and try to get some kind of refund.
Be sure to report the defect. Even if you already know they're working on a solution, which you can acknowledge (or ask them to confirm) in your message, you need to make it clear that you observed a defect with the bought product without undue delay for warranty to apply to you. (More info at Consuwijzer.nl, the website from the autoriteit consument & markt .)
Since I had some trouble with a certain model airplane store in den bosch, I know a thing or two about Dutch warranty law (and a bit about how it relates to European law; the Dutch one is more broad). Was a huge pain and cost me a ton of time and I didn't really have anyone who already knew the law or was willing to dive into it to double check my work (juridisch loket was also fairly unhelpful). Feel free, you or anyone, to shoot me an email if you have further or other questions on the topic.
>>> Are libdvdcss and libaacs legal? libdvdcss is a library that can find and guess keys from a DVD in order to decrypt it. This method is authorized by a French law decision CE 10e et 9e soussect., 16 juillet 2008, n° 301843 on interoperability.
>>> Patents and codec licenses. Neither French law nor European conventions recognize software as patentable (see French section below). Therefore, software patents licenses do not apply on VideoLAN software.
There is very little explanation in this article, don't understand what this is about.
Seems to be hinting toward something coming up in German law, that would not be applicable in other EU countries. The EU is very fragmented, every country mostly applies its own laws.
Is this a leak? Was it previously publicly known? Will this allow me to watch netflix on my arm linux box like DeCSS allowed me to watch DVD's in early 2000's?
Google says API’s can be copyrighted now. I thought the oracle case was ongoing:
> Additionally, the Git repo contains several files that violate Google’s copyrights:
Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-
This doesn't claim that they're infringing on the copyright of their API, rather that they infringed on their copyrighted code (even if the code is just declaring the API).
It's fairly unlikely that someone would reimplement the API and then add in a Google copyright header. It's pretty clear that it was directly copied.
"voting with your dollar" does less than most boycotts which are basically worthless. I mean, you could cut yourself off from nearly every form of entertainment created in the last 150 years going forward to stick it to the man I guess...
Personally, I'll stick with paying for stuff when I want and can afford to and if a company charges too much or places too many restrictions on the works they've bought the rights to from a creator I'll consider seeking out alternative means to get what I want or work around those restrictions.
It's a nice balance that lets me reward companies that acquire great works that are priced well and not overly encumbered by DRM while still letting me participate in our culture.
> I'll consider seeking out alternative means to get what I want or work around those restrictions.
But consider the time-value you're expending in doing so, versus just not engaging.
Invert the scenario: say that you sent Big Media Corp a bagful of poker chips in payment for watching something. Do you think they'd expend their time going down to the casino to cash them in? Of course not.
So why waste your time playing around their rules? Just walk away.
> But consider the time-value you're expending in doing so, versus just not engaging.
Most;y it's because I really do want the content. When you replace money with time/effort you still have to do the math to see if it's worth it to you. I think most of the time that math checks out, but there certainly have been times when it wasn't and I didn't bother.
There are places where I usually do follow your philosophy of 'just walk away' for example: websites that don't display basic content without javascript or need you to disable ad-blockers. 9.8 times out of 10, I'll just click away because I really just don't care that much. Everyone has their own tolerances for putting up with broken things. Mine my just be higher than most in some areas but they are defiantly lower in others.
Doesn't need to be a political statement or be aimed at achieving some secondary agenda.
It is enough to just not spend time and money on things that only stand in your way or violate your rights (the right to make a personal backup copy is still a right isnt it?).
You do not have to break anyones rules to just _not_ engage with people who assume their paying customers are all criminals and violate the spirit of copyright law doing so.
Agreed. I don't watch movies or TV shows anymore except for the occasional trip to the big screen (last movie was Avengers, next movie I'll go will be Tenet).
Not to mention I don't have a credit card and can't pay for stuff even if I wanted (last tv show I watched was HBO's Westworld will probably skip next season though).
Only thing I pay for is Spotify through a family plan, relative has a credit card of course.
> creator doesn't want you to watch or listen to something, you shouldn't watch or listen to it
Their goal is to reduce infringement on their copyright. Rightsholders generally offer plenty of ways to watch or listen to the work in a non-infringing way.
No, it does not. DMCA is a US-specific implementation of WIPO treaties. Parties residing in other countries are under no obligation to honer it (beyond complying with local laws) and will not benefit from its safe-harbor provisions even if they did.
Other comments, replying to people suggesting to host in Switzerland or so, say that similar protections apply there. Now GP is downvoted with as sole response that other countries don't have DMCA. Can't have it both ways: yes, DMCA is a USA law but that doesn't mean that other WIPO signatories don't have similar laws that lawyers will be sure to find if people move stuff there.
The proper way to add stuff into the dmca repository is to fetch the entire git history from the repo, git merge --allow-unrelated-histories, and then make a pull request from that. This way, we could just
The proliferation of DRM technology may look like the result of bad consumer choices, but the reality is more nuanced. What percentage of consumers know that their content is DRM encumbered, or what DRM is even? This is a result of subtle consumer behaviour manipulation.
Let's take the case of widevine itself. It wouldn't have proliferated if Encrypted Media Encryptions (EME) standard wasn't shoehorned into web standards by Google. EME allowed companies like Netlify and Spotify to demand proprietary plugins like Widevine in an otherwise completely open standard. Independent browser implementations became impossible at that point. EFF and Mozilla protested. EFF withdrew from W3C and Mozilla was arm twisted into agreeing. Now look at this from consumer perspective. Vast majority of users simply wouldn't have noticed these moves that would ruin the web in some way for them later. Most of them wouldn't have noticed DRM being rolled out. Everything seems to be normal - for a while. With this and a few other moves, it's clear that DRM based content will be unviable on independent browsers and open operating systems. At that point, most consumers will negligently decide that these browsers and OSs can't play DRM content because of software quality issues, and will switch over to locked down systems. That wouldn't have happened if DRM was presented as is to consumers from the beginning itself.
A few people who hate DRM holding out is not a solution for this. At this point, consumers have funded DRM based streaming companies to grow into megacorps and they have killed their competition. For consumers, it will be a choice between freedom of platform choice and availability of media. This is why EME should never have been allowed in the first place.
Another example of the futility of 'Don't use what you don't like' argument is Chrome. Chrome gained market share over Firefox using similar tactics. Now we don't have a viable alternative for blink web engine. This is an ambush on consumer rights - sneaking in silently and then killing it.
After RIAA stunt corporations see that Github is weak. They are coming for your repos! I wish Microsoft would have stood up for the community, but for them it is all about profit.
At least in the past it seems like China doesn't care about copyright or the DMCA. Why not host a repository there? There are a lot of ethical issues but if your goal is to avoid the DMCA, why not?
at least thanks to git a lot of people have a full local repo copies and can restore them online fast, maybe not in github, but anywhere else
btw, if would be nice if git would allow a salt be configured per repo for their hashes, and if needed to resalt whole repo; this would make commit bashed censor like github does impossible and expensive and unreliable if they need to hash all files
so......... can any one here in clear terms explain how to use this.... that chrome only extension thing is hot right now but i read somewhere its windows only..
Haven't looked at the code, but the above is a private key that is likely embedded in a non-obvious way in the Widevine level 3 binary used to decrypt content.
Users of Widevine industry wide would use the public key derived from this previously unknown private key generally to encrypt or derive a secondary symmetric encryption key that is then used to performantly decrypt the symmetrically encrypted stream. Asym crypto is slow. Symmetric is fast.
The fact this key is leaked means it is quite likely a new version of the program will be pushed with a different key, but for any data still using this version of Widevine, this is the key piece of information to unraveling the entire cryptosystem by masquerading as an intended stream endpoint. You'd have to trawl the source for any other relevant goodies like parameters and algo names, but all of those tend to be unprotected in the clear, with only the key material being subject to overt secrecy.
Again, haven't trawled the code myself, but that would be the gist of it if I have any intuition whatsoever on applied cryptosystems for media streaming.
I can hardly understand the motivation of the corporations keeping to invest in DRM and software activation bullshit tech despite it's obvious it is going to be cracked inevitably (and quickly).
The goal of DRM is and always have been to lock users inside a platform, not to prevent piracy. It gives companies market power because users cannot easily switch to a better alternative without losing their entire digital collection.
> DRM is not about limiting copyright infringement. Such an argument attempts to make DRM appear beneficial to authors and is based entirely on a (very successfully advertised) misrepresentation of DRM's purpose. To illustrate the absurdity of the argument, consider the nature of file sharing: to obtain a copy of a file without permission, downloaders go to a friend or a file sharing network, not a DRM-encumbered distribution platform. If DRM existed only to prevent unauthorized sharing, every distribution method for that particular piece of media would have to be distributed by an uncrackable DRM-encumbered distribution platform, which is impossible on its own. So long as one copy becomes available without DRM, countless more are easily produced. Industry proponents of DRM are well aware that DRM is not a copyright enforcement mechanism. DRM is only marketed as a copyright enforcement mechanism to mislead authors into tolerating and even defending it.
> The goal of DRM is and always have been to lock users inside a platform,
In that case it fails to accomplish that goal for the same reason. It doesn't work and will be defeated. When you download a song, or movie, or ebook that has been stripped of its DRM you aren't tied to anything. Why introduce unnecessary annoyances for paying customers which often drives them to pirate copies that aren't crippled by DRM? As long as something works like they want it to, most people wont care what platform they use to get it.
> As long as something works like they want it to, most people wont care what platform they use to get it.
For almost anything, there are (at least in big cities and in the Internet) many vendors offering nearly the same with nearly the same quality level at nearly the same prices.
But I can't say I don't care whom do I get the same service thing every particular time. I'm more likely to choose whoever feels more nice and offers even slightly more freedom and flexibility. Once I've chosen a vendor I'm much more likely to stick with them (and choose them every time I need something else they can offer) as long as I don't feel severely dissatisfied.
E.g. once I've got a GMail (GMail is and has always been the very best e-mail service anyway, you can hardly be dissatisfied with it) account I would use everything Google if only they didn't piss me off politically (with stiff like this particular discussion subject) and scare me by terminating other's peoples accounts. But I actually am migrating everything I can away from Google and Gmail because Google seems becoming more and more evil (I even suspect RIAA only attacked ytdl after Google told them to).
Very good point, and I would add that line can be moved based on individual circumstances. I've seen people complain about issues with a service, but the moment I offer an alternative and a way to migrate (painlessly for me to do, and I typically offer to help them) suddenly all is good with their service and they're sticking with it. I've even pushed a little further in the past to say I will do ALL of the work for you, just sit back and relax and in a couple hours done. Most still refuse and I don't get why once all barriers have been removed.
Maybe because it was a hush hush compromise intended to make it possible rather than impossible to watch netflix on linux at slightly reduced quality. Windows and Mac PCs with closed source browser would watch at full quality due to hardware drm. No one was motivated until now it seems to blow the lid off the weaker libre drm since a likely outcome is it just get turned off and services require hardware drm only going forward. We'll be lucky if we can still play videos on Linux or Chromium one year from now.
I wonder whether the situation will improve now that Firefox has support for hardware decoding on Linux. After all, the DRM could be completely handled by the GPU without any help from the driver. Just feed it some binary stream and tell it where to put it.
Although the issue with your compromise theory is that not all browsers are supported for high definition even on MacOS or Windows, at least theoretically (don't have a Netflix account to check). In particular, Chrome isn't supported, although Chrome-based Edge is.
From the Netflix help page on watching UHD [0]:
Netflix is available in Ultra HD on Windows and Mac computers with:
Microsoft Edge for Windows
Windows 10 App
Safari for MacOS 11.0 or later
From the Netflix help page on watching on Windows [1]:
Windows computers support streaming in the following browser resolutions:
Google Chrome up to 720p
Internet Explorer up to 1080p
Microsoft Edge up to 4K*
Mozilla Firefox up to 720p
Opera up to 720p
Windows 8 app up to 1080p
Windows 10 app up to 4K*
The situation is similar on MacOS, where only Safari supports 1080p [2]
If I can't watch movies on Linux I'll just skip watching them or torrent them. I already hate dealing with running an OSX vm just to IM my parents, and without hardware acceleration I doubt video decoding would work anyway.
If I made a facemask with that printed on it (as a QR code or whatever) would google stop trying to identify my face? Or would that paint a huge red target on my face?
Some HN'ers might be too young to remember the DeCSS [0] saga and, in particular, the t-shirts.
The EFF, who successfully represented two defendants accused of publishing the DeCSS source code in the two main cases, has the details [1]:
> In Bunner, the [ DVD Copy Control Association ] summarily dismissed its claims after the California Supreme Court ruled that computer programs could be preliminarily restrained from publication only in very narrow circumstances. The California Court of Appeals ruled that those circumstances were not met in Mr. Bunner's case because the program was not a trade secret at the time it was published, but instead was widely available around the world.
> In Pavlovich, the California Supreme Court ruled that Matthew Pavlovich, a Texas resident who published DeCSS on the Internet, could not be forced to stand trial in California. The landmark decision laid out clear jurisdiction rules for claims arising from publishing information on the Internet. DVD CCA's attempt to seek U.S. Supreme Court review of the decision was also rejected.
Additionally, the one known author of DeCSS was acquitted in a criminal trial in Norway.
WideVine has support for revoking private keys if they get leaked, which duped a bunch of smart TV customers before. I'm pretty sure the key is useless already, or will be very soon. Google can just roll new keys whenever the old ones get published through their Chrome update mechanisms.
p = 49429002897777261000839566786960900348661596779839481928152034285352681641807686782292757653824830822496391192085567895071852258385592280527115222429444042313542936301974046594875899181233742229945549738766655661560628018266563543784515148821370566306893780280151659623161213410927305309695027848755504091783
q = 53602170802863928289500972217307025477290164757146419371852251620670300136901587204821451746991406880988053571342615187459978423766579984968561470104139545987787266751875098417999761783952366342302556060906681062460952347680147798276356366502237505269309185857430061068092584194979239221868593482021566547439
n = 2952619226006031733278005132921693726100042011592660779869675820212138145939883834312253789060663461194528411412874982355146048292836507534000115353036163880492136645451564382009196182566124637478277389304691251397819894417106558057773147299342857185830516918343274468842497499522414750028740163342718036209925403503207235945059541974923084211147227388348091101183403929204074586611952779802158116643840147678791643283706927948872797793849591629882391903699724329001797545580009544763555067611040895630150211640906898700482769873702547829023169433411394249565049633221004211830736052381384491512655254513796679593737
d = 142033101700003260678755863863267700134374886049156296238778043258513471417667391237505300342672722921505586813412391537592394712287451780540489111338082979901966887630936873112829448279475520471433931949082770983040743133849146064289054900225131501940560027662491217132619227565578893295128589581903273904124801461070363532834633728769178636552784294153467969250254358604276515140477045217505629092433114246051368410587618590542410950189868285511930901887132942539241081579465767831350539339965000260768249119651905050152151634478714116343168832447694793716937575319879226685046081583200335708696821445923072794535
e = 65537
Technically: one must have the private key to perform decryption. There are many schemes that attempt to protect the original key and derive a decryption key, or do various other things to prevent disclosure of the private side of a key pair.
Practically: the point is not to "secure" anything, but to make it obvious that any infringement is due to "circumventing a protection device." Circumvention is also not allowed under DMCA, because it was obvious to the authors of the law that to view content one must indeed decrypt it.
Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.
But that's irrelevant for the rest of the world. The simple existance of the monoculture makes all of us vulnerable to attacks.