One method appears to be playing back on a legitimate player, then using HDCP strippers on hdmi/displayport outputs[1]. I've seen some 4k releases that clearly show the streaming site's playback controls, for instance.
There have been a bunch of papers recently about using undervolting to break secure enclaves. No idea about how applicable that is, but that might be a possible attack vector.
Is that considered decryption? Wouldn't that both decrypt and decompress? What if someone wants the original compressed stream so the video doesn't need to be re-compressed?
That can't be done without hardware hacks, which can (often) be traced to isolated hardware which the manufacturers will then lock out or force a software upgrade for, making it impossible to use in the future. That's why most 4k pirate releases are re-encoded from HDMI, not lossless rips of the original stream as they are for 720p and 1080p.
Level 1 means everything is done in a secure enclave from what i understand.
I wonder if google does something similar to bluray AACS where if a level 1 device is compromised they can revoke just that device (or manufacturer's key). If not, i wonder why they don't.
(To clarify my curiosity is in an abstract way, i am ideologically opposed to DRM)
Whichever one your device has. Its a technology that google licenses out. If you are making a device that has a secure enclave you can apply for a license for level 1 widevine.
If indeed level 1 has been breached, presumably it happened via one of those weaker secure enclaves.
mainly because it's hard to trace back which device key got leaked, especially if all you have to go on are whatever the ripped videos. if you had the tools it'd be much easier, but that's probably kept under tight wraps by the piracy groups.
I suppose if you have the entire decoding process in a secure enclave you could also make it watermark the resulting file with which key was used to decrypt.
I guess the watermarking scheme would include some randomness so you cant just trivially diff, but making a robust scheme is probably hard.
That said it doesn't need to be that robust, since the pirate only has to slip up once to get caught and its hard to know for sure if you got the entire watermark out.
> The intent is to prevent all copying, both counterfeit copies and legal copies of one's own content (for example, format shifting).
>
> Verance claims on their website that, while the watermark is able to survive recording through microphones (such as recording a film in a movie theater with a camcorder), as well as compression and encoding, it is imperceptible to human hearing, as well as that the presence of the watermark does not affect audio quality.
A Herculean effort to create artificial scarcity. Thank you, capitalism.
Although it's claimed that this survives arbitrary transcoding, I'm really not convinced that's mathematically possible. I think it's much more likely that they've just chosen to embed information at a very low bit rate.
Having never heard of this before, I did the natural hackernews reader thing -- search for a bypass -- and came across this interesting forum discussion [1] from ~2014, in which a large number of people state that a reverb effect gets rid of it. The original author writes:
> get an program named Audacity open the converted audio file in freemake
> and open the file in Audacity choose File>Open then Edit>Select>All
> then go to Effect>GVerb
> make sure to have the following configuration:
> roomsize (m):1.0
> reverb time (s): 0.1
> Damping: 0.0
> Input Bandwidth: 0.20
> Dry Signal (db): -7.0
> Early reflection level (db): 0.0
> Tail Level: -17.5
Other methods of bypass include using a player that doesn't check for the watermark, patching out the checking code in a firmware image, and simply swapping the HD-DVD / Blueray audio with one from a DVD.
Some further useful information -- and a statement that they've put the details in their patent!
> The Cinavia detection is sensitive to pitches and time sequence of features. The specific feature that detector looks for, is already clearly stated in Verance patent US5940135:
> [2] www.google.com/patents/US5940135
> If you study the patent document you will know the feature is delayed correlation. They also use hopping to change the delay of the correlation within the pattern of the same watermark. The actual delay, and the hopping pattern between delays, is their secret and security. That information I cannot disclose. Nor is it needed to defeat Cinavia.
> The fact of the matter is Cinavia added an artificial signal to rapidly change the delayed correlation in short time internals. Analysis the audio and you can see it causes an un-natural ripples in the frequency space. If you can see those un-natural ripples, you can smooth it out and remove it. Just remember, in real world, different frequency components of a sound does not change that rapidly. They generally decay over a fraction of a second, and human ear can not catch it if a frequency shows up and then rapidly goes away. So the way to defeat Cinavia is do not let any frequency component go in and out so rapidly. If it shows up, let it stay for a little while longer. Stretch it out a bit, before letting it decay out.
> That will defeat Cinavia for sure. Make everything vary more slowly and smooth out any ripples. It also beautifies the sound quality.
> When people sing, the pace of their singing is much slower than normal speech, right? A sentence that takes 3 second to speak, a singer will spend half a minute to sing the same sentence out. The slow varying is what makes music beautiful, and it is also what can kill Civania!
Widevine L1 does in fact watermark the decrypted bitstream. I don't think it's still true today, but there was a period last year where releasing decrypted L1 content without re-encoding meant sacrificing an NVIDIA Shield. The Shield was the only L1 capable player which had a known weakness and Widevine would revoke the device key based on the watermark in the bitstream.
Nowadays the piracy groups seem to have found a way around this. Presumably they found a way to strip the watermark, but we can only speculate as the groups guard their methods closely for obvious reasons.
> Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.
I'm guessing that the people who have this cracked keep it a secret so only their inner group has the method which lets them leak all of the new content and Google has no idea which key or process has been cracked.
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
This is just not true. It's up to individual content providers to decide what resolutions to supply via L3, and for Netflix and Amazon Prime, that resolution is 1080p.
Do you have a source for that? This page[1] says Firefox and Chrome on Windows, Linux, and Mac only go up to 720p. Chrome on ChromeOs goes up to 1080p, is that still L3?
It seems that many streaming platforms disable 1080p by default, and I assume that this is only for performance reasons (some hardware struggles to run an obfuscated software video decoder...) - it's not a DRM limitation, and in netflix's case it can be re-enabled via trivial changes to the frontend JS.
This is true, but if you care about quality you'd go directly to the third party source.
All of the content I actually use Netflix for is available in 1080p on L3 (Which matters to me, since L3 is the highest supported level on desktop x86 Linux).
Hopefully, it will hang at least till monday, so some of you will be able to clone.
It is based on commit ed8a97745c69b8cc0fc7f59cec9474b216b49e16 which is latest archived by Web Archive (and signed by Github!). By the way, it is still possible to fetch original repo, provided you know the commit id above :)
This is maybe one of the few use cases where a cryptocurrency can help; in a similar vein to the effectiveness of BitTorrent.
Specifically, Filecoin (built by the IPFS folks) could be used as a datastore for git. You can send DMCAs to pseudonymous Filecoin operators all you want; but the content will still be up if one operator keeps hosting it.
Hopefully it will also encourage all commits and repositories to be PGP signed (and not through a centralized FVEY platform), strengthening security, authenticity, and trust.
Space-based crypto-funded storage for guaranteeing that one operator.
The best part about non-GEO satellites is that, although you can't see them 24/7 from one location, that also makes it incredibly difficult to jam their uplinks continuously.
Drew seems like the type to fight illegitimate DMCA's.
Edit: I'm curious, why the downvotes? I am legitimately trying to be helpful. I recognize if you have personal differences with ddevault, but he puts his code where his mouth is.
If I'm misunderstanding said downvotes, please enlighten me.
Edit 2: Many thanks to those who have responded. It appears I misunderstood about this specific instance, where the DMCA does have some legitimacy.
Didn't downvote, but I think you overestimate anyone if you think they'll go to court for you against an org as big as the RIAA or Google (unless perhaps if it's the EFF).
My (flawed?) understanding of DMCA is that the project whom a DMCA is filed against can counter-file if they believe the DMCA is illegitimate, after which the burden of going to court is between the group that filed the DMCA and the group they targeted.
The problem with both RIAA and Google takedown demands is never about the DMCA takedown in relation to copyright infringement, its the circumvention (it seems that EFF understand this very well, but most online commentors didn't get this, which was exarcabated by GitHub using the DMCA takedown repo). Now, no one knows if GitHub were also directly targeted by legal threats as an acessory to "enable" the distribution of circumvention tools, which RIAA and Google is arguing.
Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.
This is absolutely a legitimate DMCA notice. The repos in question are created with the sole intention of bypassing a DRM scheme, which allows for takedown under DMCA 1201.
> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.
> Additionally, the Git repo contains several files that violate Google’s copyrights:
> <a bunch of files>
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
> > It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.
That bit is probably irrelevant to the DMCA takedown procedure, which only applies to "material that is claimed to be infringing or to be the subject of infringing activity". I don't think there's much clear precedent to what "be the subject of infringing activity" means, but decryption tools that don't use stolen code definitely don't qualify as "material that is claimed to be infringing".
And if Google does want to claim that the circumvention tool is infringing a Google copyright rather than merely running afoul of an unrelated provision of the DMCA, then Google has to specifically identify their own work of decryption code that the circumvention tool is ripping off. All this notice specifically identifies in the way of actual infringement are two documentation PDFs and an API header file (and we all know where Google stands on API copyright).
Or a polite request to github, apparently, which seems to work too.
I don't feel as bad about it here as about youtube-dl. I disagree, mind you -- I'd like github to act as a neutral service provider -- but this one is a place where I can see why githu might hold a different opinion. It's an ideological split like abortion, gun control, or similar, where reasonable people can violently disagree.
The whole "Sensitive Data takedown request" is also a github thing, but this one is a written policy:
Almost every western country has ratified the 1996 WIPO Copyright Treaty, which requires laws broadly similar to the DMCA. The DMCA is just the US's implementation of the WIPO treaty.
Possibly because if anything is, this is a legitimate claim. Ignoring the "it's a tool to circumvent DRM" nonsense (which is a "legitimate" claim under the DMCA).
The repository itself is pirated code - it is code held under copyright by google, and google doesn't want it to be public, therefore anyone distributing it is violating copyright. The DMCA claim is substantially less than what they could do. Actual copyright violations have very large fines.
Of course. That being said, wasn't there a big discussion when this happened to youtube-dl about how that was almost certainly not a legitimate DMCA? That being the case, disregarding it would not be illegal, at least to my (quite limited) understanding.
It appears I misunderstood in this specific case as there is a much stronger case for this DMCA to be considered legitimate.
The EFF has been supported heavily by Google in the past. Some of the lawyers at Google worked at the EFF and vice versa. Moreover, they often have private fundraising parties for Google staffers. I doubt they're going to bite the hand that feeds them.
Turns out buying Sealand in order to continue to run ThePirateBay was over-engineering, as ThePirateBay is still alive and running today, albeit in a slightly different form than before.
For now? It seems like a lot of torrent info sites have been closed down (just from reading https://torrentfreak.com/, maybe more pop up than get taken down?).
Don't know. Swedish police (et al) have been trying forever to shut it down, and while they have momentarily succeeded, it always seems to come back up.
I'm no longer familiar with the architecture of TPB, but they seem to be running things in a much more decentralized fashion nowadays, where bunch of independent sites (at least independent domains) are running a frontend with the same database content. Unsure how that works behind the scenes.
But rest assure, you can always find a domain which is not blocked and that is mirroring the content of the proper TPB. In my case, thepiratebay.org is blocked by my ISP, but thepiratebay.party is just a few hours behind (confirmed via VPN)
Compare the following pages for example (if thepiratebay.org works for you)
>...buy Sealand in order to host trackers out of the reach of authorities?
Sealand is within the territorial waters of the UK. No sovereign nation has recognized Sealand's independence from the UK. Even if one did, according to international law, artificial islands and structures don't possess the status of islands.
Switzerland won't stay neutral and definitely isn't some untouchable fantasy land; it has to be stored outside the boundaries of individual countries, ergo, decentralized solutions like some other commenters mentioned. Git is great for that. I wonder if, in addition to IFPS and the like that were mentioned, if there is a tracker or index of git remotes out there - just a big list of servers hosting git, ranging from the big ones like github to someone's raspberry pi hooked up to the internet to idk, usb sticks in a geocache.
I remember there was an international ruling where the US was in a trade violation, and I thought the country was permitted to waive IP enforcement until they were compensated.
Not sure about Trinidad and Tobago. Antigua was the one given the right to violate US copyrights to pressure the US to abandon it's illegal gambling restrictions. It was given that right by the WTO.
To me it was the day they removed the discussion filter functionality from their search engine. It was a purely advertising driven move: from now on people searching for a keyword couldn't anymore filter for other people talking about that thing but rather they would be inundated by shops selling that thing or shills promoting it.
That plot however was probably much older, since the obvious wonderful alternative, Dejanews, wasn't available anymore for having been already bought by Google many years before.
I've found that a lot of people are adding "reddit" to their searches as a poor-man's discussion filter. It sort of works but it's also sad in how it's another reflection of how centralized and concentrated the web has become.
That's certainly what I'm doing, and I'm hoping that there will be some alternative by the time reddit becomes useless (it seems to be moving in that direction, although not too quickly for the smaller niche subreddits).
It was going to happen. When Google was making money off of piracy by just running a search engine, it was happy to encourage it and celebrate the philosophy. Now that they're cashing big checks from advertisers and content companies, well, they're just following the money.
Considering that it's a DRM module, it's not a surprise. I believe anyone with a DRM module that does not protect it is at risk of losing their license with the content owners. That basically why DRM exists to begin with.
Blaming the content service is easy since they're user-facing, but it's shallow. Content-related restrictions are, in my experience, almost always dictated by the content owner. Region locks, availability windows, use of DRM, DMCAs for anti-DRM, etc, are all at the requirement of the content owners.
I don't think these modern Internet-based service providers care about that stuff much, they have little incentive to. It's driven by contracts.
Incidentally, this is always the reason behind region locks. Service X or content Y isn't available in your country? Don't blame the streaming service, blame the content owner.
Isn't DRM... Completely fucking pointless? I can go on The Pirate Bay and find 4K rips of all movies and shows I want. If DRM can't prevent that, what's the point?
All it does is infringe on our rights to be able to do what we want on our own devices. It's crazy.
Yes movie DRM does seem completely pointless. Game DRM on the other hand does seem to hold up for the first few months which is where most of the sales happen. It would be nice if devs dropped the DRM once it is cracked though.
Because it doesn't have to be 100% effective to do its job. If your choices are to fork over $20 for a copy, pay $10/month for a streaming service, or pirate it from a shady site, most people would go with the first two options. The main goal is stopping casual piracy, aka. asking your friend to make you a copy.
That doesn't make any sense. Not only is it not any harder to get it from some website than from your friend, the way people get it from their friend is by sharing the original disc or their Netflix password, which the DRM doesn't prevent in any way.
I find it goes the other way. I pirate things when legal services become too cumbersome, unethical, or dirty. DRM often does that. I won't avoid all DRM, but there's a threshold. The RIAA crossed with youtube-dl.
When I was in college, price was an issue, and piracy was there to save the $10/month for most students, but the alternative was not having the music/software/etc., rather than a legal sale. The actual financial loss was close to zero. I think the reason for DRM isn't so much to prevent profit-losing piracy, as control.
Movie and record companies want to differentiate pricing by market. They want records of who watch what and where. They want to be able to expire things, explicitly or implicitly (if I go Android<->Apple, my iTunes/Google Play collections become less helpful). That has business value.
As for paying customers, when I was a student, they could have milked me for $5. As a professional, I don't really care what it costs, and I don't want to bother with piracy, and I'll do whatever's most ethical. The RIAA just told me what's most ethical is not listening to new music, followed by pirating music, followed by buying music.
RIAA is a cancer that is growing on artists. I don't know any who would like their art to be gatekeeped in this mafia-esque manner. These days most artist understand that legitimate fans will buy their art if it is easy and affordable. Nobody needs RIAA today and these type of organisations who profit off of artists without bringing any value should be made illegal.
That would be the case without DRM. With DRM my options are:
- Pay $20 for a copy that I can't play on all of my devices, and that I may be unable to play at some point in the future if the producer decides they don't want me to anymore.
- Pay $10/month for a streaming service that won't allow me to watch at full resolution on several of my devices, and has no guarantee that the content I want will continue to be available.
- Not consume the media at all.
- Download it from a shady pirate site, but then assuming it actually is what I think it is (which is questionable) be able to use it however I want.
I personally have settled for the 3rd option and I don't feel any loss for that reason. The really create FOMO in people, just look at how many paid Disney to watch Mulan early even with a subscription.
The market is littered by art like products driven by analytics and it is hard to find good art. Sometimes I play some new releases on Tidal when I am working and there is rarely something that would make me store it in my own playlist. Everything is the same and they protect it like these were some nuclear plans.
The piracy option is not all that shady at all (there are good sites, and even the bad sites just need you to know what a magnet link is and not clicking on other download links), and you can get DRM-less copies in any combination of size/quality/encoding you want. It always boggles my mind how people in developed countries have not (all) caught on to this. You can even easily stream the content, using, e.g., peerflix. There is even opensource software that creates a media server, though I have not tried them. And these are all just the mainstream stuff. There is lots of niche piracy, e.g., Telegram channels and groups that post books, movies, TV series, etc. Telegram bots that just give you any music you request (I personally found them better than a premium Spotify subscription). Google shared drives that have everything. Sites that offer direct download links of everything (these sometimes specialize to a certain category, e.g., games). Piracy is so mature that it was and is much better than the best money can buy.
Plex + Sonarr + Radarr + Deluge running on a seedbox is far far beyond what most people think piracy is. That setup can search for shows for you across multiple public and private trackers, download them, sort them, watch for new episodes or movies, notify you when they are downloaded.
Any peer-to-peer solution is very likely to (at least in my country) contain honeypots to find the IPs of people downloading (which is not illegal afaik) and seeding (which is illegal) copyrighted media. They then take those IPs to the respective ISP to obtain your identity and send you "pay us or we sue you" letters.
Just buy a VPS/VPN that is okay with torrenting. (My suggestion is to try the different services and stick with one that doesn't ban you.)(I have never encountered one that cared, but some VPNs did feel like they throttled torrent traffic.)
Denuvo has been fairly successful despite what the pirates say. Several extremely popular games have gone many months with no crack. DRM isn't completely pointless, but it does require securing everything for it to work. Denuvo would be pointless if it weren't for the various secure virtualization features which are built into the CPU itself.
Denuvo actually didn't promise that it won't be cracked forever. It promise the consumer it won't be cracked in N day after the release. Primary purpose is to stop the day 1 pirate from hurting the selling count hard.
The movie industry doesn't seems like use it in the same way.
It's kind of silly that normal user was prevented from watch the video normally while pirates do whatever they want becuase the 4k hdmi hdcp can be easily removed by just a dongle.
DRM in the movie industry is mainly targeted at device vendors instead of customers. They want control over the playback experience and have a say which features the playback devices offer to users. Something that allows recording parts or skipping of the ads? Not great! That's also why there is a Widevine device revocation database for playback devices, while I'm not aware of something like that existing for Denuvo.
Sadly, if they actually cared about the consumer, then they would remove DRM after those N days. Since they don't, I just don't buy these games (Sonic Mania damnit!) , and I'm probably not alone..
> This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.
The point isn't to protect content, but to need permission from the DRM makers to make a viable browser (or TV, or music player, or ebook reader, or...) Without their blessing, it won't work with locked content, and your users will go to a competitor favored by the DRM owners.
DRM is mostly legal instrument. If you want to be able to sue people based on circumventing protections, courts need to consider your "content protection" "effective", which essentially means that it takes more than five minutes to circumvent. It also means that, since we're now talking about DRM that'll be protected by patents, copyright and obscurity/NDAs, that these DRM mechanisms centralize power to the owners of the DRM. This can then be easily leveraged to control and restrict e.g. the features playback devices may have.
Recent events have shown that even simple google cypher may be effective.
Even more effective is modifying your product to fit customers by NOT region locking your content, by not splitting it over multiple platforms. Using law to pretend that the global network does not exist is simply dumb and leads to piracy. DRM won't save backwards digital rights owners.
If this were true, DRM would be trivial and made with easy to implement things like "detect if user right clicks, and pop up a message saying 'sorry copying not allowed'".
DRM is not that - a massive technical effort has gone into implementing DRM deep in system architectures. Modifications have been done across every layer of the stack, across hundreds of companies of differing goals.
You only go to that much effort, at that great a cost, if you are hoping for DRM to actually work, rather than just be a thing you can hold up in court and say "we tried to protect it your honor, we really did".
The "level of security" (~tech effort) is the main competitive selling point when DRM-vendors lobby studios for endorsement. The studios are probably partly being sold a pipe dream of "unbreakable DRM", but the person you responded to also has a point.
Weak or nonexistent DRM reduces the provable malicious intent of a ripper. The more effort it takes to break a DRM, the less likely it seems that you don't understand that what you are doing is wrong.
Like others said, for non-interactive media it is mostly pointless, but for executable code (especially stuff that's online or will update a lot, like games) it does some work.
> All it does is infringe on our rights to be able to do what we want on our own devices.
No, but this is exactly the point of DRM and the legal protections around circumventing it. It never was about copyright protection. Copyright infringement was already illegal before the DMCA, and the introduction of DRM didn't make a dent in the amount of copyright infringement.
The point of making DRM circumvention illegal is for me to be able to sell you a bunch of bits, but ensure that I don't have any commercial competition in regards to how you use those bits. You can't legally make a device that plays DVDs without the blessing of a cartel known as DVD FLLC. You can't legally make a device that plays music from iTunes without the blessing of Apple. Etc. It's about retaining monopolistic control over media distribution and use, by forbidding certain forms of competition in the market.
Getting a law passed that forbids market competition (in many countries! not just the US) under the guise of being about copyright protection, is one of the greatest cons I've ever heard of, but that is what has happened.
It never ceases to amaze me how easy it is to boil frogs, even if the frogs in question are high-IQ, technically sophisticated HN readers.
Right now, you can still circumvent DRM, because you can still buy something that's approximately a general purpose computer (even if it will invariably already come with some remote-acessible hardware level spyware outside your control). But if current trends continue, this will not be the case by the end of the decade.
Also, preventing private individuals from receiving and distributing unauthorized copies is only one way in which DRM is useful to companies.
DRM is an extra fee imposed on the parties that follow the letter of the law. It's like building permits but the transfer of wealth is to a private entity instead of the state (which has its pros and cons).
You can record data coming to the LCD panel or record the TV screen by a camera. With just degraded quality. On the other hand, I can't even take a screenshot of DRM-protected content on Android which can be very annoying sometimes.
This has been brought up before in the other threads, but just because you self host doesn't mean you can ignore DMCA takedown requests. You can choose to ignore such DMCA requests if they decide to send one to your self-hosted website, but not honoring it means you think you're not infringing on their copyright and are willing to go to court over it. If they don't want to go this far, or you try to not include contact info, they'll probably first send a DMCA to your web host/registrar who will suspend your hosting/website unless you counter-notice, which still means you've got to be ready to fight a lawsuit (note that Cloudflare forwards DMCA requests to your web host company, so you can't hide behind CF).
Well, since youtube-dl was the news, they have cited a German decision on the takedown request, which solely references German law. I don't know German enough to find this specific law, but I do know that by default copyright associations have a presumption to copyrights over certain media (like GEMA's case in music, which is used on YouTube around 2010, and Google was found guilty of that and therefore Google pays royalties to GEMA).
As someone outside of the US, luckily it seems most US companies think that US law applies globally.
I've got quite a few DMCA notices from rights holders, but never anything actually relevant to the country of my citizenship, where I live, or where the server is based.
You still got your ISP which likely includes some verbiage in the contract about prohibited use (but even if it doesn't, if the law makes it illegal, you and your ISP can be taken to court with it).
Dutch law also has provisions against DRM circumvention technologies, so if they have proof that you're doing it, you can expect a lawsuit.
They won't find proof if you host the code on a git instance that's only accessible to you, but if you share that server with the internet, you can expect the RIAA (or more likely, their friends over at BREIN) to sue you (after getting your details from your ISP through another lawsuit).
Responding to a DMCA is free, copyright lawsuits are purposely expensive. You'd better have money for a good lawyer or good legal insurance if you plan on sharing your local Gitlab with such code.
One thing I considered is getting myself an instance of a small Gitlab clone with little attack surface and hosting the code on TOR. Ignoring the potential ethical issues, that should provide good defence against legal repercussions from groups like the RIAA and the MPAA. There's always a possibility that you'd get Kim Dotcom'd if your code gets popular enough, though.
Just out of curiosity, how does it go with Cloudflare Workers? Obviously, any proxying is done dynamically in your own code, with no DNS records saved with Cloudflare. What's actually counted as a "web host company" or "origin" to which claims are forwarded with Workers?
CF indeed becomes the actual host of the content, so I imagine (if it gets routed correctly) trust&safety will suspend the worker and/or the worker KV namespace until you contact support to counter.
In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies
They are practically asking for Streisand Effect... if you distribute your key with the software, then whatever form it is in, I would not consider it "private" at all!
This is DeCSS all over again. Was that ever resolved? It seems to me the original DeCSS complaints were more or less dropped because technology moved on and they couldn't mount a defense in a real court, and had to rely on bluffing.
Case was dropped by the DVD CCA in Norway because the number was no longer secret. That isn't relevant for section 1201 of the DMCA. It cares only if the program's intent was to bypass copy protection. DeCSS, and even libdvdcss, are absolutely infringing on this, and can't be hosted in USA repositories.
How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these? I think there is solid legal DMCA ground for them to remain hosted in the US, without even needing to reach for the whole "freedom of speech" thing.
I won't even get into how I think GitHub is being overly courteous to media companies by extending takedown ability for alleged Section 1201 violations. I'm firmly convinced the only remedy the DMCA offers for that is via the courts, and that the takedown process explicitly requires the identification of infringing material, not circumvention tools.
Fair use is about copyright. The DMCAs anti-circumvention section means you can't distribute software designed to circumvent DRM, even if that software isn't itself infringing. So I don't see how fair use could apply.
At a minimum, Google's counsel testified under penalty of perjury in this takedown letter that they took Fair Use into consideration, so there must be at least some application here. (And if there isn't, that sure is a strange sentence to have in the letter - almost as if they are misusing this takedown letter template after all!)
Fair Use is about using copyrighted content, which is widely shackled behind DRM. Any court can easily see that in order to exercise your right to use that content in a Fair Use sort of way, you must break the DRM. Therefore, the existence and availability of DRM-breaking tools is a necessary condition for Fair Use to be exercised at all in conjunction with the modern media landscape.
DMCA does not include fair use as an allowable reason to circumvent DRM. That is one of the reasons why DRM sometimes shows up in weird places because it effectively limits fair use rights (see also all the right to repair stuff that people have been talking sbout lately)
>DMCA does not include fair use as an allowable reason to circumvent DRM. //
Could you cite the law you're referring to here please?
The UK CDPA as amended to follow the EU's Marrakech directive seems to say anything that prevents you from exercising your Fair Dealing rights to make content accessible for disabled people is void if it contradicts these rights. This seems necessarily to allow for circumvention of DRM (for people with disabilities and specific registered companies) but that also appears to mean production of circumvention means needs to be legal otherwise such accessibility will be impossible.
DMCA is the Digital Millennium Copyright Act, the latest amendment to USA copyright law. Text of the law is here: https://www.copyright.gov/legislation/dmca.pdf . GitHub is a division of a US company, Microsoft, so it is bound by US law.
Actually, it is more complicated than that. To exercise fair use defense (yes, it is a defense and not a right in US Copyright law), you must be able to use a process that is non-invasive (as stated in DMCA). So, if a DRM is preventing you to screenshot it, you are actually required to use a camera and exercise the analog hole. This is definitely disappointing, and I am not personally endorsing it, but the law as it stands does not lend credence. (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.)
> (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos. This was conspicuously absent from all discussions I've read.)
It's absent because RIAA's intent is not stated. They did a blanket takedown, unprompted. As far as I can tell they never requested any particular modification. IIRC the only hint that it might be related is a mention that the rolling cipher algorithm that YouTube-dl "circumvents" was ruled to be DRM under German law.
However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)
> However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)
This is definitely untested in court but I won't be surprised if it is indeed part of marketing. The problem with the tests is that they do download the video, even if it is a small amount and since ytdl does not reject the video for downloading at all it is technically infrigment, probably without a valid fair use defense. If ytdl has actively rejected that (for example if the test units are specifically to prevent downloading those types of videos), they may have a stonger defense against RIAA claims.
Not in their entirety, but it still downloaded a second for each of those videos. Interpret that as you wish, but I will not be surprised if RIAA will use this.
Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”
This nonsense about "it's a defence not a right" discredits you.
It's a right because where it applies there is no tort. Like an allowed right of way over private property. Yes, if a you have someone abusing your rights by filling frivolous suits then "it's a defence", of course it is they're trying to assert a right they don't have.
Such needless couching of public rights in an authoritarian way is really offensive to the purposes of copyright, which is granted by the public - the demos - to private parties. It's not a natural right, and so yes, under Fair Use there is no right being infringed that a valid claim of tort can be made for; so one does have a right to do those things.
When a "right" is spoken of in legal discussions (which this clearly is), it implies a "right by law". If you want to talk about another right, like your "moral right", you'd usually say exactly that.
But yes, even rights defined in the law can and do get redefined, newly introduced or removed.
Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”
It might not be an "affirmative" defense, but to my understanding that doesn't imply it's a right. A "right" as I understand it is something that is illegal for others to violate, and that government generally has a duty to protect. But there's nothing unlawful about creating something that's uncopyable, or about guarding what you have so closely that others are unable to copy it; in fact, I would've assumed being able to do so is itself your right. And should you create something that's uncopyable, nobody will be able to copy it, even if it would be fair use for them to do so. They might be upset about this, but their rights definitely aren't being violated by your creation or protection of that thing—and the government can't force you to make your stuff copyable. (Or maybe it can with additional legislation, but I'm pretty sure we don't have such legislation.) That means "fair use" isn't anyone's right... it's just a valid defense (whether "affirmative" or otherwise).
Offering you a platform is not the same thing as ensuring that it's even physically possible. The argument wasn't about the government hosting copyrightable content for you or delivering it to you; it was about ensuring it is even possible for you to copy content.
Preventing something from being copyable is only possible by not distributing it. If you can see it you can copy it.
The copyright holder could prevent you from copying it by never distributing it, but that doesn't mean you don't have a right to fair use, it only means you don't have the ability to exercise that right. Much the same as you can't exercise freedom of the press if you can't afford a printing press (or any modern equivalent).
It might be physically impossible for you to have an abortion, e.g. because you're infertile, but that doesn't mean you don't have a right to one under existing precedent.
These laws are similar in what seems like a number of countries, and the reason why they're like this is quite simple: They want to have the cake (getting money from extra charges on stuff like DVD/BD burners, writeable media, hard drives etc. -- which you get charged to offset fair use and related rights) and also eat it (effectively denying you the rights you already paid for with those surcharges).
In a normal world, I can only do one of these. Either I take the money, and render services or goods OR I don't take the money, and then don't render the services. But in RIAA/DMCA/GEMA/...-Crazytown you get to charge people AND actively avoid delivering anything.
The Librarian of Congress (if I remember right) can declare three year exemptions to the anti-circumvention provisions. They have to be reviewed and renewed every time. Jailbreaking a smartphone is one example of an exemption that was granted in the past.
It really is a ridiculously one-sided law that gives all power to private media entities.
> How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these?
Fair use is not a right. It's a defence. You're still infringing copyright, but this is an infringement that they cannot punish. Importantly, law makers see fair use as a restriction of the rights of the copyright holder, not as a right granted to users of that IP.
Material doesn't infringe rappers^w people do, context is important as well. For example in UK Fair Dealing time-shifting of live broadcasts is allowed, but retention or sharing (eg watching a recording of a TV show with another person!) is not.
I think both the USA and UK DDAs allow copying as part of production of accessible content.
Honestly though, I'm not sure how this fits with "circumvention" the wording (UK) appears to allow it.
You're wrong: You can break copy protection if you own the rights to a work. This means you can e.g. circumvent Window's license checking if you own a copy of it already. The DMCA does not criminalize that, nor could it, and this is probably why py-kms is still up on github after a copyright challenge.
This was a change that I am assuming was added before any complaint could be mounted about this use case for fear of striking more of the DMCA down than just that provision that was modified.
CSS only used 40 bit keys to comply with US export controls, so with modern computers you can just bruteforce it without knowing the key, so the key is very much a moot point at this point.
It was "resolved" by new laws being introduced almost globally that make development, distribution etc. and potentially even possession of "circumvention devices" illegal, making it possible to do such takedown requests in most countries that provide infrastructure.
It would be great, although the real difference here is that the DeCSS key was almost impossible to change once it was leaked, while the Youtube key is comparatively trivial to change.
What has South Park got to do with it? The "Streisand Effect" was because of Streisand suing a photographer in 2003 causing people to realise where she lived and getting photos of her house, and the phrase was coined in 2005 by Techdirt.
There must be some kind of Mandela effect going on since I feel quite sure I was using this in 1998 after Streisand voiced distaste at the South Park episode.
I thought copyrights on numbers were deemed invalid? Copyright applies to data as it appears right? You can encode a number in any base, the idea that a company has copyright on every base encoding is equivalent to me saying I have copyright on every key because I wrote a program that enumerates all keys.
> I thought copyrights on numbers were deemed invalid?
They are invalid. It's interesting since it implies copyright itself must be invalid.
All intellectual property is data, information, a collection of bits... Also known as a number. Copyrighted works are actually just numbers. Really big numbers. Creators are just trying to discover those numbers through their labor.
It also means such a program would be illegal, since it would also necessarily involve the creation of numbers that can be interpreted as truly illegal content.
Not as disappointing as Americans who enacted abusive DMCA law which makes hosting such keys illegal. Blaming a company to follow law you've passed is lopsided.
Don't blame Americans. Blame the RIAA / MPAA for bribing politicians, and blame those politicians for going along with it. Plenty of citizens complained.
This might be a good explanation why my Philips 55POS9002 oled tv can no longer stream 4K with Netflix/Prime/YouTube. A Widevine certificate was revoked for some Philips TVs. Maybe the RSA key was leaked in the Philips firmware.
Not yet. Apparently Philips (TP Vision actually) is working on resolving the issue. If they can’t fix it I will definitely go back to the store (Dutch law makes them responsible for any defects) and try to get some kind of refund.
Be sure to report the defect. Even if you already know they're working on a solution, which you can acknowledge (or ask them to confirm) in your message, you need to make it clear that you observed a defect with the bought product without undue delay for warranty to apply to you. (More info at Consuwijzer.nl, the website from the autoriteit consument & markt .)
Since I had some trouble with a certain model airplane store in den bosch, I know a thing or two about Dutch warranty law (and a bit about how it relates to European law; the Dutch one is more broad). Was a huge pain and cost me a ton of time and I didn't really have anyone who already knew the law or was willing to dive into it to double check my work (juridisch loket was also fairly unhelpful). Feel free, you or anyone, to shoot me an email if you have further or other questions on the topic.
Trying to get Widevine going on iOS / macOS has been a royal pain in the ass so far (crashes when you touch the lib while having a debugger attached, so you can't even debug your own code unless you swap in a severely castrated development version that only works on the simulator) and Google guards access to the official libs and docs like it's the precioussss.
To me this is just one of the many developer hostile steps I've seen. I understand they don't want you to access illegal content too easily but honestly the only thing that could drive me back to Torrenting is the declining quality of content on Netflix & co.
at least thanks to git a lot of people have a full local repo copies and can restore them online fast, maybe not in github, but anywhere else
btw, if would be nice if git would allow a salt be configured per repo for their hashes, and if needed to resalt whole repo; this would make commit bashed censor like github does impossible and expensive and unreliable if they need to hash all files
I am missing a party in this discussion: The role of the github monoculture. Because all these repos are hosted by the same party, one lawyer writing one letter can cause global disruption.
Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.
But that's irrelevant for the rest of the world. The simple existance of the monoculture makes all of us vulnerable to attacks.
The GH monoculture isn't great, but it's less of a problem than other monoculture threats we've faced, due to git's distributed nature. Thus far GH has not changed git itself, and since every repository is canonical, it's easy to change what the "main" repository is at the snap of a finger. Self host, move to sr.ht, whatever.
I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.
This is only true if you don’t use GitHub for reviews/issue tracking/etc. You’re correct that it’s trivial to move the code, but that’s only a fraction of the critical history and tooling for a large collaborative project.
True, but I've seen many projects that use both GitHub and JIRA (i.e. not BitBucket). Those work totally fine for issue tracking, project management, etc. It's the same amount of friction for what you're proposing. The main thing you are missing out on is a UI for merging and PRs, which is nontrivial but not a moat that can keep a monopoly afloat.
Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.
To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.
> To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline.
Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.
I get emails for all comments and PRs. It would be annoying to lose the GH interface but not repo ending. Allowing issues or pulls to exist only on GH is equivalent to having only a single copy of a something important on an old laptop. Basic backups of any kind solves this issue.
I believe iTerm uses GitLab for issues and GitHub for source control. GitHub issues didn't have a core feature they needed issues, but it was already canonical for code.
It feels like there's a missing product to go with git: a free and distributed issue management and review system. GitHub should be a view on the data rather than the sole owner of the data
There is git-bug ( https://github.com/MichaelMure/git-bug ). Not at the same level as Bugzilla, but usable. Issues are stored in hidden branches in the git repo itself.
Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project "google style" where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....
Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github, none of these are distributed or really portable and for many projects this makes them decidedly not a "mirror service with discoverability"
> where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....
Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.
Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project
Where are you setting up Gitea and Drone that is protected against DMCA requests? Any US-based host will happily act on DMCA requests.
What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).
While that would work for most text transfers (or otherwise low-bandwidth usage), many other use cases would be near impossible to get to work with good performance over Tor. Think video hosting and similar.
There ain't no stopping the DMCA train. I started hosting my own code at gopherworks.io if you want to see what that roughly looks like.
My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.
Thanks for that link! I've been pondering these things on my own for quite a bit. Seems like there's a quorum of like-minds now, so I guess I should probably join the discussion.
Use vm to to connect to vpn to purchase vps hosting in a foreign country with good internet outside the jurisdiction of U.S. Maybe do some research to see if hosting provider has a history of complying with U.S. laws or cooperating with U.S. law enforcement.
A federated code hosting platform would solve this problem. Having an account on one and being able to create issues or merge requests on others, would make getting away from Github much easier.
Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.
It's really quite strange that issues aren't able to be just cloned/PR-ed like the rest of a git project. But I guess it protects git hosts to keep that [ironic] difficulty in propagation in.
No, it does not. DMCA is a US-specific implementation of WIPO treaties. Parties residing in other countries are under no obligation to honer it (beyond complying with local laws) and will not benefit from its safe-harbor provisions even if they did.
Other comments, replying to people suggesting to host in Switzerland or so, say that similar protections apply there. Now GP is downvoted with as sole response that other countries don't have DMCA. Can't have it both ways: yes, DMCA is a USA law but that doesn't mean that other WIPO signatories don't have similar laws that lawyers will be sure to find if people move stuff there.
If I made a facemask with that printed on it (as a QR code or whatever) would google stop trying to identify my face? Or would that paint a huge red target on my face?
Some HN'ers might be too young to remember the DeCSS [0] saga and, in particular, the t-shirts.
The EFF, who successfully represented two defendants accused of publishing the DeCSS source code in the two main cases, has the details [1]:
> In Bunner, the [ DVD Copy Control Association ] summarily dismissed its claims after the California Supreme Court ruled that computer programs could be preliminarily restrained from publication only in very narrow circumstances. The California Court of Appeals ruled that those circumstances were not met in Mr. Bunner's case because the program was not a trade secret at the time it was published, but instead was widely available around the world.
> In Pavlovich, the California Supreme Court ruled that Matthew Pavlovich, a Texas resident who published DeCSS on the Internet, could not be forced to stand trial in California. The landmark decision laid out clear jurisdiction rules for claims arising from publishing information on the Internet. DVD CCA's attempt to seek U.S. Supreme Court review of the decision was also rejected.
Additionally, the one known author of DeCSS was acquitted in a criminal trial in Norway.
I can hardly understand the motivation of the corporations keeping to invest in DRM and software activation bullshit tech despite it's obvious it is going to be cracked inevitably (and quickly).
The goal of DRM is and always have been to lock users inside a platform, not to prevent piracy. It gives companies market power because users cannot easily switch to a better alternative without losing their entire digital collection.
> DRM is not about limiting copyright infringement. Such an argument attempts to make DRM appear beneficial to authors and is based entirely on a (very successfully advertised) misrepresentation of DRM's purpose. To illustrate the absurdity of the argument, consider the nature of file sharing: to obtain a copy of a file without permission, downloaders go to a friend or a file sharing network, not a DRM-encumbered distribution platform. If DRM existed only to prevent unauthorized sharing, every distribution method for that particular piece of media would have to be distributed by an uncrackable DRM-encumbered distribution platform, which is impossible on its own. So long as one copy becomes available without DRM, countless more are easily produced. Industry proponents of DRM are well aware that DRM is not a copyright enforcement mechanism. DRM is only marketed as a copyright enforcement mechanism to mislead authors into tolerating and even defending it.
> The goal of DRM is and always have been to lock users inside a platform,
In that case it fails to accomplish that goal for the same reason. It doesn't work and will be defeated. When you download a song, or movie, or ebook that has been stripped of its DRM you aren't tied to anything. Why introduce unnecessary annoyances for paying customers which often drives them to pirate copies that aren't crippled by DRM? As long as something works like they want it to, most people wont care what platform they use to get it.
> As long as something works like they want it to, most people wont care what platform they use to get it.
For almost anything, there are (at least in big cities and in the Internet) many vendors offering nearly the same with nearly the same quality level at nearly the same prices.
But I can't say I don't care whom do I get the same service thing every particular time. I'm more likely to choose whoever feels more nice and offers even slightly more freedom and flexibility. Once I've chosen a vendor I'm much more likely to stick with them (and choose them every time I need something else they can offer) as long as I don't feel severely dissatisfied.
E.g. once I've got a GMail (GMail is and has always been the very best e-mail service anyway, you can hardly be dissatisfied with it) account I would use everything Google if only they didn't piss me off politically (with stiff like this particular discussion subject) and scare me by terminating other's peoples accounts. But I actually am migrating everything I can away from Google and Gmail because Google seems becoming more and more evil (I even suspect RIAA only attacked ytdl after Google told them to).
Very good point, and I would add that line can be moved based on individual circumstances. I've seen people complain about issues with a service, but the moment I offer an alternative and a way to migrate (painlessly for me to do, and I typically offer to help them) suddenly all is good with their service and they're sticking with it. I've even pushed a little further in the past to say I will do ALL of the work for you, just sit back and relax and in a couple hours done. Most still refuse and I don't get why once all barriers have been removed.
Maybe because it was a hush hush compromise intended to make it possible rather than impossible to watch netflix on linux at slightly reduced quality. Windows and Mac PCs with closed source browser would watch at full quality due to hardware drm. No one was motivated until now it seems to blow the lid off the weaker libre drm since a likely outcome is it just get turned off and services require hardware drm only going forward. We'll be lucky if we can still play videos on Linux or Chromium one year from now.
I wonder whether the situation will improve now that Firefox has support for hardware decoding on Linux. After all, the DRM could be completely handled by the GPU without any help from the driver. Just feed it some binary stream and tell it where to put it.
Although the issue with your compromise theory is that not all browsers are supported for high definition even on MacOS or Windows, at least theoretically (don't have a Netflix account to check). In particular, Chrome isn't supported, although Chrome-based Edge is.
From the Netflix help page on watching UHD [0]:
Netflix is available in Ultra HD on Windows and Mac computers with:
Microsoft Edge for Windows
Windows 10 App
Safari for MacOS 11.0 or later
From the Netflix help page on watching on Windows [1]:
Windows computers support streaming in the following browser resolutions:
Google Chrome up to 720p
Internet Explorer up to 1080p
Microsoft Edge up to 4K*
Mozilla Firefox up to 720p
Opera up to 720p
Windows 8 app up to 1080p
Windows 10 app up to 4K*
The situation is similar on MacOS, where only Safari supports 1080p [2]
If I can't watch movies on Linux I'll just skip watching them or torrent them. I already hate dealing with running an OSX vm just to IM my parents, and without hardware acceleration I doubt video decoding would work anyway.
p = 49429002897777261000839566786960900348661596779839481928152034285352681641807686782292757653824830822496391192085567895071852258385592280527115222429444042313542936301974046594875899181233742229945549738766655661560628018266563543784515148821370566306893780280151659623161213410927305309695027848755504091783
q = 53602170802863928289500972217307025477290164757146419371852251620670300136901587204821451746991406880988053571342615187459978423766579984968561470104139545987787266751875098417999761783952366342302556060906681062460952347680147798276356366502237505269309185857430061068092584194979239221868593482021566547439
n = 2952619226006031733278005132921693726100042011592660779869675820212138145939883834312253789060663461194528411412874982355146048292836507534000115353036163880492136645451564382009196182566124637478277389304691251397819894417106558057773147299342857185830516918343274468842497499522414750028740163342718036209925403503207235945059541974923084211147227388348091101183403929204074586611952779802158116643840147678791643283706927948872797793849591629882391903699724329001797545580009544763555067611040895630150211640906898700482769873702547829023169433411394249565049633221004211830736052381384491512655254513796679593737
d = 142033101700003260678755863863267700134374886049156296238778043258513471417667391237505300342672722921505586813412391537592394712287451780540489111338082979901966887630936873112829448279475520471433931949082770983040743133849146064289054900225131501940560027662491217132619227565578893295128589581903273904124801461070363532834633728769178636552784294153467969250254358604276515140477045217505629092433114246051368410587618590542410950189868285511930901887132942539241081579465767831350539339965000260768249119651905050152151634478714116343168832447694793716937575319879226685046081583200335708696821445923072794535
e = 65537
WideVine has support for revoking private keys if they get leaked, which duped a bunch of smart TV customers before. I'm pretty sure the key is useless already, or will be very soon. Google can just roll new keys whenever the old ones get published through their Chrome update mechanisms.
Technically: one must have the private key to perform decryption. There are many schemes that attempt to protect the original key and derive a decryption key, or do various other things to prevent disclosure of the private side of a key pair.
Practically: the point is not to "secure" anything, but to make it obvious that any infringement is due to "circumventing a protection device." Circumvention is also not allowed under DMCA, because it was obvious to the authors of the law that to view content one must indeed decrypt it.
After RIAA stunt corporations see that Github is weak. They are coming for your repos! I wish Microsoft would have stood up for the community, but for them it is all about profit.
Wherein, Google asserts a copyright on the API for their license system, the protobuf file. Maybe this file is more creative than the Java APIs?
Additionally, the Git repo contains several files that violate Google’s copyrights:
Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-decryptor/blob/main/license_protocol.proto
The proper way to add stuff into the dmca repository is to fetch the entire git history from the repo, git merge --allow-unrelated-histories, and then make a pull request from that. This way, we could just
I honestly believe this is just a small component, which is a part of the long term strategy of the RIAA and others: a periodical check to test the waters to see where public opinion is at, to be able to guage if they can implement more dramatic and restrictive DRM mechanisms yet [1].
They are either 1) waiting for us to be too exhausted to notice/care/fight back, or 2) seeing whether they have to go further to 'protect content creators' by lobbying for more draconian laws that allow for the use of new DRM strategies. It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2], yet is now used as a way for business owners to avoid personal liability/responsibility. One could even argue that Corporate personhoood is one of the most destructive forces that exists today; causing some of the worst crimes in modern history [3].
It's important we continue to fight back and set a precedent for protecting users over corporations or governments.
382 comments
[ 3.1 ms ] story [ 276 ms ] threadSome reputable people in the pirating industry have actually cracked Level 1, which means they can decrypt 4K! :-)
[1] search for "hdcp bypass" on ebay
Refer to the perfectly legal NeTV2 + trivial modification if you understand the HDL.
I wonder if google does something similar to bluray AACS where if a level 1 device is compromised they can revoke just that device (or manufacturer's key). If not, i wonder why they don't.
(To clarify my curiosity is in an abstract way, i am ideologically opposed to DRM)
If indeed level 1 has been breached, presumably it happened via one of those weaker secure enclaves.
mainly because it's hard to trace back which device key got leaked, especially if all you have to go on are whatever the ripped videos. if you had the tools it'd be much easier, but that's probably kept under tight wraps by the piracy groups.
I suppose if you have the entire decoding process in a secure enclave you could also make it watermark the resulting file with which key was used to decrypt.
That said it doesn't need to be that robust, since the pirate only has to slip up once to get caught and its hard to know for sure if you got the entire watermark out.
Having never heard of this before, I did the natural hackernews reader thing -- search for a bypass -- and came across this interesting forum discussion [1] from ~2014, in which a large number of people state that a reverb effect gets rid of it. The original author writes:
> get an program named Audacity open the converted audio file in freemake > and open the file in Audacity choose File>Open then Edit>Select>All > then go to Effect>GVerb > make sure to have the following configuration:
> roomsize (m):1.0 > reverb time (s): 0.1 > Damping: 0.0 > Input Bandwidth: 0.20 > Dry Signal (db): -7.0 > Early reflection level (db): 0.0 > Tail Level: -17.5
Other methods of bypass include using a player that doesn't check for the watermark, patching out the checking code in a firmware image, and simply swapping the HD-DVD / Blueray audio with one from a DVD.
[1] https://web.archive.org/web/20141208081801/http://club.myce....
---- Edit ----
Some further useful information -- and a statement that they've put the details in their patent!
> The Cinavia detection is sensitive to pitches and time sequence of features. The specific feature that detector looks for, is already clearly stated in Verance patent US5940135:
> [2] www.google.com/patents/US5940135
> If you study the patent document you will know the feature is delayed correlation. They also use hopping to change the delay of the correlation within the pattern of the same watermark. The actual delay, and the hopping pattern between delays, is their secret and security. That information I cannot disclose. Nor is it needed to defeat Cinavia.
> The fact of the matter is Cinavia added an artificial signal to rapidly change the delayed correlation in short time internals. Analysis the audio and you can see it causes an un-natural ripples in the frequency space. If you can see those un-natural ripples, you can smooth it out and remove it. Just remember, in real world, different frequency components of a sound does not change that rapidly. They generally decay over a fraction of a second, and human ear can not catch it if a frequency shows up and then rapidly goes away. So the way to defeat Cinavia is do not let any frequency component go in and out so rapidly. If it shows up, let it stay for a little while longer. Stretch it out a bit, before letting it decay out.
> That will defeat Cinavia for sure. Make everything vary more slowly and smooth out any ripples. It also beautifies the sound quality.
> When people sing, the pace of their singing is much slower than normal speech, right? A sentence that takes 3 second to speak, a singer will spend half a minute to sing the same sentence out. The slow varying is what makes music beautiful, and it is also what can kill Civania!
[2] http://www.google.com/patents/US5940135
Nowadays the piracy groups seem to have found a way around this. Presumably they found a way to strip the watermark, but we can only speculate as the groups guard their methods closely for obvious reasons.
> Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.
0: https://news.ycombinator.com/item?id=25078497
This line said level 3 originally, must have been edited; but it doesn't look like it was archived on the IA, so I can't prove it.
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
Recent instance of such a downgrade, causing a ton of (Philips) TVs to stop playing HD content apparently: https://www.reddit.com/r/netflix/comments/jq9wdb/netflix_cap...
This is the tracker from the screenshots by the way: https://t.me/s/wvcrl
The potential for a DOS-attack would be immense.
Do you have a source for that? This page[1] says Firefox and Chrome on Windows, Linux, and Mac only go up to 720p. Chrome on ChromeOs goes up to 1080p, is that still L3?
[1] https://help.netflix.com/en/node/23742
https://addons.mozilla.org/en-GB/firefox/addon/netflix-1080p...
It seems that many streaming platforms disable 1080p by default, and I assume that this is only for performance reasons (some hardware struggles to run an obfuscated software video decoder...) - it's not a DRM limitation, and in netflix's case it can be re-enabled via trivial changes to the frontend JS.
All of the content I actually use Netflix for is available in 1080p on L3 (Which matters to me, since L3 is the highest supported level on desktop x86 Linux).
The mentioned addon works pretty reliably for me, watching 1080p in FF on Linux, at least for Netflix original content.
Pity they don't seem to have `git clone` support, and only allow downloading a tarball. Anyway, that's still a lot better than nothing. :)
Hopefully, it will hang at least till monday, so some of you will be able to clone.
It is based on commit ed8a97745c69b8cc0fc7f59cec9474b216b49e16 which is latest archived by Web Archive (and signed by Github!). By the way, it is still possible to fetch original repo, provided you know the commit id above :)
I think the time has come for there to be a repository hosting service that is based somewhere in Switzerland :)
Until then, something IPFS based.
Specifically, Filecoin (built by the IPFS folks) could be used as a datastore for git. You can send DMCAs to pseudonymous Filecoin operators all you want; but the content will still be up if one operator keeps hosting it.
Hopefully it will also encourage all commits and repositories to be PGP signed (and not through a centralized FVEY platform), strengthening security, authenticity, and trust.
The best part about non-GEO satellites is that, although you can't see them 24/7 from one location, that also makes it incredibly difficult to jam their uplinks continuously.
Drew seems like the type to fight illegitimate DMCA's.
Edit: I'm curious, why the downvotes? I am legitimately trying to be helpful. I recognize if you have personal differences with ddevault, but he puts his code where his mouth is.
If I'm misunderstanding said downvotes, please enlighten me.
Edit 2: Many thanks to those who have responded. It appears I misunderstood about this specific instance, where the DMCA does have some legitimacy.
Someone else in this thread linked this, which seems like a useful resource as well: https://sourcehut.org/blog/2020-10-29-how-mailing-lists-prev...
Edit: It was biryani_chicken who linked the resource above.
Also, I misunderstood about the legitimacy of this specific claim, my brain had yet to shift gear from the youtube-dl shenanigans.
Thanks for the response!
Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.
> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.
> Additionally, the Git repo contains several files that violate Google’s copyrights:
> <a bunch of files>
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
That bit is probably irrelevant to the DMCA takedown procedure, which only applies to "material that is claimed to be infringing or to be the subject of infringing activity". I don't think there's much clear precedent to what "be the subject of infringing activity" means, but decryption tools that don't use stolen code definitely don't qualify as "material that is claimed to be infringing".
And if Google does want to claim that the circumvention tool is infringing a Google copyright rather than merely running afoul of an unrelated provision of the DMCA, then Google has to specifically identify their own work of decryption code that the circumvention tool is ripping off. All this notice specifically identifies in the way of actual infringement are two documentation PDFs and an API header file (and we all know where Google stands on API copyright).
"Their belief" is meaningless, to get a circumvention tool removed they need a court order.
I don't feel as bad about it here as about youtube-dl. I disagree, mind you -- I'd like github to act as a neutral service provider -- but this one is a place where I can see why githu might hold a different opinion. It's an ideological split like abortion, gun control, or similar, where reasonable people can violently disagree.
The whole "Sensitive Data takedown request" is also a github thing, but this one is a written policy:
https://docs.github.com/en/free-pro-team@latest/github/site-...
It has nothing to do with the DMCA.
The repository itself is pirated code - it is code held under copyright by google, and google doesn't want it to be public, therefore anyone distributing it is violating copyright. The DMCA claim is substantially less than what they could do. Actual copyright violations have very large fines.
Of course. That being said, wasn't there a big discussion when this happened to youtube-dl about how that was almost certainly not a legitimate DMCA? That being the case, disregarding it would not be illegal, at least to my (quite limited) understanding.
It appears I misunderstood in this specific case as there is a much stronger case for this DMCA to be considered legitimate.
That said at least part of this notice seems legit.
I'm sorry if that's offensive.
(Also, I donate to the EFF)
Something they've participated in every 2 years since 2000, as documented here: https://www.eff.org/cases?group=0-9
I'm no longer familiar with the architecture of TPB, but they seem to be running things in a much more decentralized fashion nowadays, where bunch of independent sites (at least independent domains) are running a frontend with the same database content. Unsure how that works behind the scenes.
But rest assure, you can always find a domain which is not blocked and that is mirroring the content of the proper TPB. In my case, thepiratebay.org is blocked by my ISP, but thepiratebay.party is just a few hours behind (confirmed via VPN)
Compare the following pages for example (if thepiratebay.org works for you)
- https://thepiratebay.org/search.php?q=user:dauphong
- https://thepiratebay.party/user/dauphong/
https://narratively.com/the-plot-against-the-principality-of...
Sealand is within the territorial waters of the UK. No sovereign nation has recognized Sealand's independence from the UK. Even if one did, according to international law, artificial islands and structures don't possess the status of islands.
Existing server: http://git.idk.i2p/zlatinb/muwire
Can't find the clearnet address
I remember there was an international ruling where the US was in a trade violation, and I thought the country was permitted to waive IP enforcement until they were compensated.
I am having trouble finding the reference.
https://www.nytimes.com/2007/12/21/business/worldbusiness/21...
Keep in mind, there is a big difference between being allowed to violate US copyrights and waiving IP enforcement.
Blaming the content service is easy since they're user-facing, but it's shallow. Content-related restrictions are, in my experience, almost always dictated by the content owner. Region locks, availability windows, use of DRM, DMCAs for anti-DRM, etc, are all at the requirement of the content owners.
I don't think these modern Internet-based service providers care about that stuff much, they have little incentive to. It's driven by contracts.
Incidentally, this is always the reason behind region locks. Service X or content Y isn't available in your country? Don't blame the streaming service, blame the content owner.
All it does is infringe on our rights to be able to do what we want on our own devices. It's crazy.
https://www.reddit.com/r/CrackWatch/comments/ieo7u4/crack_wa...
https://www.reddit.com/r/CrackStatus/comments/43dgej/how_den...
When I was in college, price was an issue, and piracy was there to save the $10/month for most students, but the alternative was not having the music/software/etc., rather than a legal sale. The actual financial loss was close to zero. I think the reason for DRM isn't so much to prevent profit-losing piracy, as control.
Movie and record companies want to differentiate pricing by market. They want records of who watch what and where. They want to be able to expire things, explicitly or implicitly (if I go Android<->Apple, my iTunes/Google Play collections become less helpful). That has business value.
As for paying customers, when I was a student, they could have milked me for $5. As a professional, I don't really care what it costs, and I don't want to bother with piracy, and I'll do whatever's most ethical. The RIAA just told me what's most ethical is not listening to new music, followed by pirating music, followed by buying music.
I got enough music.
- Pay $20 for a copy that I can't play on all of my devices, and that I may be unable to play at some point in the future if the producer decides they don't want me to anymore.
- Pay $10/month for a streaming service that won't allow me to watch at full resolution on several of my devices, and has no guarantee that the content I want will continue to be available.
- Not consume the media at all.
- Download it from a shady pirate site, but then assuming it actually is what I think it is (which is questionable) be able to use it however I want.
No good options.
The lite version, you cannot use your own mp3s, but it has support for streaming services.
Spotify was removed months ago, but Tidal is available.
It is just so easy to create content now, the signal to noise ratio is pretty low.
It's a pretty effective deterrent if you ask me.
The movie industry doesn't seems like use it in the same way.
It's kind of silly that normal user was prevented from watch the video normally while pirates do whatever they want becuase the 4k hdmi hdcp can be easily removed by just a dongle.
> This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.
I don't think it's the best tool to teach people not to punch each other in the face, but I wouldn't go so far to call it pointless either.
Yet religions still seem be around and getting humans to do dumb things? ;)
DRM is not that - a massive technical effort has gone into implementing DRM deep in system architectures. Modifications have been done across every layer of the stack, across hundreds of companies of differing goals.
You only go to that much effort, at that great a cost, if you are hoping for DRM to actually work, rather than just be a thing you can hold up in court and say "we tried to protect it your honor, we really did".
Weak or nonexistent DRM reduces the provable malicious intent of a ripper. The more effort it takes to break a DRM, the less likely it seems that you don't understand that what you are doing is wrong.
Yes. It just slows down the less skilled from breaking the protection.
There will always be one or a team of more highly skilled hackers that eventually defeats it.
It always only a matter of time when it gets broken. But again, there's always the analogue hole. [0]
[0] https://en.wikipedia.org/wiki/Analog_hole
What? There's almost no 4K rips for shows or movies. To me it seems it's working pretty well.
I’ve requested several Amazon and Netflix shows and got the pure, not reencoded, unencrypted files.
> All it does is infringe on our rights to be able to do what we want on our own devices.
No, but this is exactly the point of DRM and the legal protections around circumventing it. It never was about copyright protection. Copyright infringement was already illegal before the DMCA, and the introduction of DRM didn't make a dent in the amount of copyright infringement.
The point of making DRM circumvention illegal is for me to be able to sell you a bunch of bits, but ensure that I don't have any commercial competition in regards to how you use those bits. You can't legally make a device that plays DVDs without the blessing of a cartel known as DVD FLLC. You can't legally make a device that plays music from iTunes without the blessing of Apple. Etc. It's about retaining monopolistic control over media distribution and use, by forbidding certain forms of competition in the market.
Getting a law passed that forbids market competition (in many countries! not just the US) under the guise of being about copyright protection, is one of the greatest cons I've ever heard of, but that is what has happened.
It never ceases to amaze me how easy it is to boil frogs, even if the frogs in question are high-IQ, technically sophisticated HN readers.
Right now, you can still circumvent DRM, because you can still buy something that's approximately a general purpose computer (even if it will invariably already come with some remote-acessible hardware level spyware outside your control). But if current trends continue, this will not be the case by the end of the decade.
Also, preventing private individuals from receiving and distributing unauthorized copies is only one way in which DRM is useful to companies.
https://news.ycombinator.com/item?id=25081583
https://news.ycombinator.com/item?id=25083782
Gitea:
https://gitea.io/
sourcehut:
https://sourcehut.org/
Gogs:
https://gogs.io/
Gitlab:
https://gitlab.com/
Is a very US specific request.
The DMCA itself is just the US's implementation of the 1996 WIPO Copyright Treaty. 96 other countries have ratified it [2]
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...
[2] https://www.wipo.int/treaties/en/ShowResults.jsp?lang=en&tre...
I've got quite a few DMCA notices from rights holders, but never anything actually relevant to the country of my citizenship, where I live, or where the server is based.
So, naturally, I can just ignore them.
They won't find proof if you host the code on a git instance that's only accessible to you, but if you share that server with the internet, you can expect the RIAA (or more likely, their friends over at BREIN) to sue you (after getting your details from your ISP through another lawsuit).
Responding to a DMCA is free, copyright lawsuits are purposely expensive. You'd better have money for a good lawyer or good legal insurance if you plan on sharing your local Gitlab with such code.
One thing I considered is getting myself an instance of a small Gitlab clone with little attack surface and hosting the code on TOR. Ignoring the potential ethical issues, that should provide good defence against legal repercussions from groups like the RIAA and the MPAA. There's always a possibility that you'd get Kim Dotcom'd if your code gets popular enough, though.
They are practically asking for Streisand Effect... if you distribute your key with the software, then whatever form it is in, I would not consider it "private" at all!
I won't even get into how I think GitHub is being overly courteous to media companies by extending takedown ability for alleged Section 1201 violations. I'm firmly convinced the only remedy the DMCA offers for that is via the courts, and that the takedown process explicitly requires the identification of infringing material, not circumvention tools.
Fair Use is about using copyrighted content, which is widely shackled behind DRM. Any court can easily see that in order to exercise your right to use that content in a Fair Use sort of way, you must break the DRM. Therefore, the existence and availability of DRM-breaking tools is a necessary condition for Fair Use to be exercised at all in conjunction with the modern media landscape.
IANAL
Could you cite the law you're referring to here please?
The UK CDPA as amended to follow the EU's Marrakech directive seems to say anything that prevents you from exercising your Fair Dealing rights to make content accessible for disabled people is void if it contradicts these rights. This seems necessarily to allow for circumvention of DRM (for people with disabilities and specific registered companies) but that also appears to mean production of circumvention means needs to be legal otherwise such accessibility will be impossible.
It's absent because RIAA's intent is not stated. They did a blanket takedown, unprompted. As far as I can tell they never requested any particular modification. IIRC the only hint that it might be related is a mention that the rolling cipher algorithm that YouTube-dl "circumvents" was ruled to be DRM under German law.
However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)
This is definitely untested in court but I won't be surprised if it is indeed part of marketing. The problem with the tests is that they do download the video, even if it is a small amount and since ytdl does not reject the video for downloading at all it is technically infrigment, probably without a valid fair use defense. If ytdl has actively rejected that (for example if the test units are specifically to prevent downloading those types of videos), they may have a stonger defense against RIAA claims.
It's a right because where it applies there is no tort. Like an allowed right of way over private property. Yes, if a you have someone abusing your rights by filling frivolous suits then "it's a defence", of course it is they're trying to assert a right they don't have.
Such needless couching of public rights in an authoritarian way is really offensive to the purposes of copyright, which is granted by the public - the demos - to private parties. It's not a natural right, and so yes, under Fair Use there is no right being infringed that a valid claim of tort can be made for; so one does have a right to do those things.
https://www.nytimes.com/2006/10/09/technology/09steal.html
Two years later, their case was dismissed :
https://www.generation-nt.com/drm-stopdrm-dadvsi-justice-loi... (fr)
They were considered as 'irresponsible' due to 'either psychological issues, force majeure or legitimate self-defense".
(Note that they even seem to have shared the DMCA infringing software on their website.)
There is no such thing AFAIK.
> It is important to be clear about what the fair use doctrine is not. Fair use is not a right. It is a defense. [...]
It's not hard to find more links explaining the same thing (e.g., see http://www.copyhype.com/2013/08/why-copyright-is-a-right-and...), but I'm happy to be proven wrong...
But yes, even rights defined in the law can and do get redefined, newly introduced or removed.
The copyright holder could prevent you from copying it by never distributing it, but that doesn't mean you don't have a right to fair use, it only means you don't have the ability to exercise that right. Much the same as you can't exercise freedom of the press if you can't afford a printing press (or any modern equivalent).
It might be physically impossible for you to have an abortion, e.g. because you're infertile, but that doesn't mean you don't have a right to one under existing precedent.
In a normal world, I can only do one of these. Either I take the money, and render services or goods OR I don't take the money, and then don't render the services. But in RIAA/DMCA/GEMA/...-Crazytown you get to charge people AND actively avoid delivering anything.
It really is a ridiculously one-sided law that gives all power to private media entities.
Fair use is not a right. It's a defence. You're still infringing copyright, but this is an infringement that they cannot punish. Importantly, law makers see fair use as a restriction of the rights of the copyright holder, not as a right granted to users of that IP.
People have always known that DMCA interferes with these defences. See for example this from 2001: https://repository.uchastings.edu/cgi/viewcontent.cgi?articl...
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work ... is not an infringement of copyright.
https://www.law.cornell.edu/uscode/text/17/107
I think both the USA and UK DDAs allow copying as part of production of accessible content.
Honestly though, I'm not sure how this fits with "circumvention" the wording (UK) appears to allow it.
This was a change that I am assuming was added before any complaint could be mounted about this use case for fear of striking more of the DMCA down than just that provision that was modified.
[0] https://imgur.com/a/ajKeDfp
https://webcache.googleusercontent.com/search?q=cache:http:/...
Predates so-called "Streisand Effect"
DeCSS was released in 1999; Mecha Streisand episode of South Park was 1998.
This is your brain on DRM.
They are invalid. It's interesting since it implies copyright itself must be invalid.
All intellectual property is data, information, a collection of bits... Also known as a number. Copyrighted works are actually just numbers. Really big numbers. Creators are just trying to discover those numbers through their labor.
https://web.archive.org/web/20201025014127/https://www.riaa....
The future looks bleak.
You're not cool, and you definitely not good.
I hope the future moves on without you.
Brain drain takes a long time because most of the people still at Google now are ok with this kind of thing.
Since I had some trouble with a certain model airplane store in den bosch, I know a thing or two about Dutch warranty law (and a bit about how it relates to European law; the Dutch one is more broad). Was a huge pain and cost me a ton of time and I didn't really have anyone who already knew the law or was willing to dive into it to double check my work (juridisch loket was also fairly unhelpful). Feel free, you or anyone, to shoot me an email if you have further or other questions on the topic.
Presumably, Brave doesn't include the Widevine DRM components from Chrome?
To me this is just one of the many developer hostile steps I've seen. I understand they don't want you to access illegal content too easily but honestly the only thing that could drive me back to Torrenting is the declining quality of content on Netflix & co.
btw, if would be nice if git would allow a salt be configured per repo for their hashes, and if needed to resalt whole repo; this would make commit bashed censor like github does impossible and expensive and unreliable if they need to hash all files
Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.
But that's irrelevant for the rest of the world. The simple existance of the monoculture makes all of us vulnerable to attacks.
I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.
Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.
To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.
Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.
Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github, none of these are distributed or really portable and for many projects this makes them decidedly not a "mirror service with discoverability"
Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.
And while not git proper, you could point to Git-LFS as this example as well.
I haven't heard of this, got an example?
What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).
I guess you could host a gitea server behind a Tor hidden service on the VPS of your choice.
My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.
There is for sure, check out PRQ and Njalla for just one selection of services that would allow you to ignore DMCA requests.
Yeah, I'm really interested in a federated ecosystem of Giteas for sure (https://github.com/go-gitea/gitea/issues/1612), seems ForgeFed might be the way to get there. https://discourse.gitea.io/t/forgefed-federation-in-gitea/11...
Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.
I suppose the next best thing is decentralized collaboration via email.
https://pastebin.com/bGNq9ahn
- Palau
- Micronesia
- Palestine
The first 2 are under "Free association" with the US, but have their own copyright laws. All three have their own TLD (.pw, .fm, and .ps)
No, it does not. DMCA is a US-specific implementation of WIPO treaties. Parties residing in other countries are under no obligation to honer it (beyond complying with local laws) and will not benefit from its safe-harbor provisions even if they did.
https://news.ycombinator.com/item?id=25081583
https://news.ycombinator.com/item?id=25083782
-----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC10dxEGINZbF0nIoMtM8705Nqm6ZWdb72DqTdFJ+UzQIRIUS59lQkYLvdQp71767vz0dVlPTikHmiv dYHRc7Fo6JsmSUsGR3th+fU6d1Wt6cwpMTUXj/qODmubDK/ioVDW7wz9OFlSsCBvylOYp9v2+u/VXwACnBXNxCDezjx4RKcqMFT31WTxqU9OM9J86ChMOW4bFA41aLAJ ozB+02xis7OV175XdQ5vkVXM9ys6ZoRF/K6NXeHiwcZFtMKyphXAxqU7uGY2a16bC3TEG5/km6Jru3Wxy4nKlDyUjWISwH4llWjdSi99r2c1fSCXlMCrW0CHoznn+22l YCKtYe8JAgMBAAECggEAGOPDJvFCHd43PFG9qlTyylR/2CSWzigLRfhGsClfd24oDaxLVHav+YcIZRqpVkr1flGlyEeittjQ1OAdptoTGbzp7EpRQmlLqyRoHRpT+MxO Hf91+KVFk+fGdEG+3CPgKKQt34Y0uByTPCpy2i10b7F3Xnq0Sicq1vG33DhYT9A/DRIjYr8Y0AVovq0VDjWqA1FW5OO9p7vky6e+PDMjSHucQ+uaLzVZSc7vWOh0tH5M 0GVk17YpBiB/iTpw4zBUIcaneQX3eaIfSCDHK0SCD6IRF7kl+uORzvWqiWlGzpdG2B96uyP4hd3WoPcZntM79PKm4dAotdgmalbueFJfpwKBgQDUy0EyA9Fq0aPF4LID HqDPduIm4hEAZf6sQLd8Fe6ywM4p9KOEVx7YPaFxQHFSgIiWXswildPJl8Cg5cM2EyMU1tdn5xaR4VIDk8e2JEDfhPtaWskpJp2rU2wHvAXOeAES7UFMrkhKVqqVOdbo IhlLdcYp5KxiJ3mwINSSO94ShwKBgQDavJvF+c8AINfCaMocUX0knXz+xCwdP430GoPQCHa1rUj5bZ3qn3XMwSWa57J4x3pVhYmgJv4jpEK+LBULFezNLV5N4C7vH63a Zo4OF7IUedFBS5B508yAq7RiPhN2VOC8LRdDh5oqnFufjafF82y9d+/czCrVIG43D+KO2j4F7wKBgDg/HZWF0tYEYeDNGuCeOO19xBt5B/tt+lo3pQhkl7qiIhyO8KXr jVilOcZAvXOMTA5LMnQ13ExeE2m0MdxaRJyeiUOKnrmisFYHuvNXM9qhQPtKIgABmA2QOG728SX5LHd/RRJqwur7a42UQ00Krlr235F1Q2eSfaTjmKyqrHGDAoGAOTrd 2ueoZFUzfnciYlRj1L+r45B6JlDpmDOTx0tfm9sx26j1h1yfWqoyZ5w1kupGNLgSsSdimPqyR8WK3/KlmW1EXkXIoeH8/8aTZlaGzlqtCFN4ApgKyqOiN44cU3qTrkhx 7MY+7OUqB83tVpqBGfWWeYOltUud6qQqV8v8LFsCgYEAnOq+Ls83CaHIWCjpVfiWC+R7mqW+ql1OGtoaajtA4AzhXzX8HIXpYjupPBlXlQ1FFfPem6jwa1UTZf8CpIb8 pPULAN9ZRrxG8V+bvkZWVREPTZj7xPCwPaZHNKoAmi3Dbv7S5SEYDbBX/NyPCLE4sj/AgTPbUsUtaiw5TvrPsFE= -----END PRIVATE KEY-----
[1] https://archive.softwareheritage.org/browse/origin/content/?...
Delete the email? Ban me?
They deleted/locked accounts for less during the G+ real name frenzy.
The EFF, who successfully represented two defendants accused of publishing the DeCSS source code in the two main cases, has the details [1]:
> In Bunner, the [ DVD Copy Control Association ] summarily dismissed its claims after the California Supreme Court ruled that computer programs could be preliminarily restrained from publication only in very narrow circumstances. The California Court of Appeals ruled that those circumstances were not met in Mr. Bunner's case because the program was not a trade secret at the time it was published, but instead was widely available around the world.
> In Pavlovich, the California Supreme Court ruled that Matthew Pavlovich, a Texas resident who published DeCSS on the Internet, could not be forced to stand trial in California. The landmark decision laid out clear jurisdiction rules for claims arising from publishing information on the Internet. DVD CCA's attempt to seek U.S. Supreme Court review of the decision was also rejected.
Additionally, the one known author of DeCSS was acquitted in a criminal trial in Norway.
Obligatory EFF donation link: https://supporters.eff.org/donate/
--
[0]: https://en.wikipedia.org/wiki/DeCSS
[1]: https://www.eff.org/cases/dvdcca-v-bunner-and-dvdcca-v-pavlo...
--
EDIT: See also "AACS encryption key controversy" and the "free speech flag": https://en.wikipedia.org/wiki/AACS_encryption_key_controvers...
https://www.defectivebydesign.org/faq#copyright
> DRM is not about limiting copyright infringement. Such an argument attempts to make DRM appear beneficial to authors and is based entirely on a (very successfully advertised) misrepresentation of DRM's purpose. To illustrate the absurdity of the argument, consider the nature of file sharing: to obtain a copy of a file without permission, downloaders go to a friend or a file sharing network, not a DRM-encumbered distribution platform. If DRM existed only to prevent unauthorized sharing, every distribution method for that particular piece of media would have to be distributed by an uncrackable DRM-encumbered distribution platform, which is impossible on its own. So long as one copy becomes available without DRM, countless more are easily produced. Industry proponents of DRM are well aware that DRM is not a copyright enforcement mechanism. DRM is only marketed as a copyright enforcement mechanism to mislead authors into tolerating and even defending it.
In that case it fails to accomplish that goal for the same reason. It doesn't work and will be defeated. When you download a song, or movie, or ebook that has been stripped of its DRM you aren't tied to anything. Why introduce unnecessary annoyances for paying customers which often drives them to pirate copies that aren't crippled by DRM? As long as something works like they want it to, most people wont care what platform they use to get it.
For almost anything, there are (at least in big cities and in the Internet) many vendors offering nearly the same with nearly the same quality level at nearly the same prices.
But I can't say I don't care whom do I get the same service thing every particular time. I'm more likely to choose whoever feels more nice and offers even slightly more freedom and flexibility. Once I've chosen a vendor I'm much more likely to stick with them (and choose them every time I need something else they can offer) as long as I don't feel severely dissatisfied.
E.g. once I've got a GMail (GMail is and has always been the very best e-mail service anyway, you can hardly be dissatisfied with it) account I would use everything Google if only they didn't piss me off politically (with stiff like this particular discussion subject) and scare me by terminating other's peoples accounts. But I actually am migrating everything I can away from Google and Gmail because Google seems becoming more and more evil (I even suspect RIAA only attacked ytdl after Google told them to).
Although the issue with your compromise theory is that not all browsers are supported for high definition even on MacOS or Windows, at least theoretically (don't have a Netflix account to check). In particular, Chrome isn't supported, although Chrome-based Edge is.
From the Netflix help page on watching UHD [0]:
From the Netflix help page on watching on Windows [1]: The situation is similar on MacOS, where only Safari supports 1080p [2][0] https://help.netflix.com/en/node/13444 [1] https://help.netflix.com/en/node/23931 [2] https://help.netflix.com/en/node/55764
Disclaimer: I am not affiliated with the Aether software/platform.
I skimmed the code but I'm still not seeing it.
Practically: the point is not to "secure" anything, but to make it obvious that any infringement is due to "circumventing a protection device." Circumvention is also not allowed under DMCA, because it was obvious to the authors of the law that to view content one must indeed decrypt it.
https://web.archive.org/web/20201025014127/https://www.riaa....
Additionally, the Git repo contains several files that violate Google’s copyrights: Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-decryptor/blob/main/license_protocol.proto
self host
So... can someone push that please? I don't have the recent commits. :-(
They are either 1) waiting for us to be too exhausted to notice/care/fight back, or 2) seeing whether they have to go further to 'protect content creators' by lobbying for more draconian laws that allow for the use of new DRM strategies. It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2], yet is now used as a way for business owners to avoid personal liability/responsibility. One could even argue that Corporate personhoood is one of the most destructive forces that exists today; causing some of the worst crimes in modern history [3].
It's important we continue to fight back and set a precedent for protecting users over corporations or governments.
[1] https://en.wikipedia.org/wiki/The_Right_to_Read
[2] https://www.history.com/news/14th-amendment-corporate-person...
[3] https://www.counterpunch.org/2013/02/05/corporate-personhood...
Why not Magna Carta while you're at it ?