Google Widevine Content Decryption Module DMCA (github.com/github)
679 points by abbe98 on Nov 13, 2020 | 371 comments



I am missing a party in this discussion: The role of the github monoculture. Because all these repos are hosted by the same party, one lawyer writing one letter can cause global disruption.

Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.

But that's irrelevant for the rest of the world. The simple existence of the monoculture makes all of us vulnerable to attacks.


The GH monoculture isn't great, but it's less of a problem than other monoculture threats we've faced, due to git's distributed nature. Thus far GH has not changed git itself, and since every repository is canonical, it's easy to change what the "main" repository is at the snap of a finger. Self host, move to sr.ht, whatever.

I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.


This is only true if you don’t use GitHub for reviews/issue tracking/etc. You’re correct that it’s trivial to move the code, but that’s only a fraction of the critical history and tooling for a large collaborative project.


True, but I've seen many projects that use both GitHub and JIRA (i.e. not BitBucket). Those work totally fine for issue tracking, project management, etc. It's the same amount of friction for what you're proposing. The main thing you are missing out on is a UI for merging and PRs, which is nontrivial but not a moat that can keep a monopoly afloat.

Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.

To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.


> To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline.

Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.


It feels like there's a missing product to go with git: a free and distributed issue management and review system. GitHub should be a view on the data rather than the sole owner of the data.


There is git-bug ( https://github.com/MichaelMure/git-bug ). Not at the same level as Bugzilla, but usable. Issues are stored in hidden branches in the git repo itself.


Many of the projects that are on github were once on Google Code and migrated over issues.


I get emails for all comments and PRs. It would be annoying to lose the GH interface but not repo ending. Allowing issues or pulls to exist only on GH is equivalent to having only a single copy of something important on an old laptop. Basic backups of any kind solve this issue.


I believe iTerm uses GitLab for issues and GitHub for source control. GitHub Issues didn't have a core feature they needed, but GitHub was already canonical for code.


Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance to force changes inside of the Git project "google style", whereby they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....

Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github. None of these are distributed or really portable, and for many projects this makes them decidedly not a "mirror service with discoverability".


> whereby they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....

Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.


Most recent would be the master / main controversy

And while not git proper, you could point to Git-LFS as this example as well.


> Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance to force changes inside of the Git project

I haven't heard of this, got an example?


Arguably, email is as distributed/standards-based as it gets, and we still ended up with Gmail – RFC compliant and all.


A nice reminder that it's pretty easy to set up your own Gitea and Drone. Happy to share details if folks are interested.


Where are you setting up Gitea and Drone that is protected against DMCA requests? Any US-based host will happily act on DMCA requests.

What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).


There ain't no stopping the DMCA train. I started hosting my own code at gopherworks.io if you want to see what that roughly looks like.

My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.


> There ain't no stopping the DMCA train

There is for sure, check out PRQ and Njalla for just one selection of services that would allow you to ignore DMCA requests.

Yeah, I'm really interested in a federated ecosystem of Giteas for sure (https://github.com/go-gitea/gitea/issues/1612), seems ForgeFed might be the way to get there. https://discourse.gitea.io/t/forgefed-federation-in-gitea/11...


Thanks for that link! I've been pondering these things on my own for quite a bit. Seems like there's a quorum of like-minds now, so I guess I should probably join the discussion.


They can only make a DMCA request if they know where to send it.

I guess you could host a gitea server behind a Tor hidden service on the VPS of your choice.


While that would work for most text transfers (or otherwise low-bandwidth usage), many other use cases would be near impossible to get to work with good performance over Tor. Think video hosting and similar.


Use a VM to connect to a VPN to purchase VPS hosting in a foreign country with good internet outside the jurisdiction of the U.S. Maybe do some research to see if the hosting provider has a history of complying with U.S. laws or cooperating with U.S. law enforcement.


Why does nobody use Tor hidden services to host git repositories? Would be an awesome use of Tor.

I suppose the next best thing is decentralized collaboration via email.


A federated code hosting platform would solve this problem. Having an account on one and being able to create issues or merge requests on others, would make getting away from Github much easier.

Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.


Multiple existing self-hosted Git hosting solutions have expressed their interest in supporting this: https://forgefed.peers.community/


It's really quite strange that issues aren't able to be just cloned/PR-ed like the rest of a git project. But I guess it protects git hosts to keep that [ironic] difficulty in propagation in.


It was one thing when it was the RIAA that was coming for our repositories. Now that it is Google, I'm extremely sad and disappointed.

I think the time has come for there to be a repository hosting service that is based somewhere in Switzerland :)


I hate to break it to you but Google hasn't been the company you seem to think they still are for a very long time.


To me it was the day they removed the discussion filter functionality from their search engine. It was a purely advertising driven move: from then on, people searching for a keyword could no longer filter for other people talking about that thing, but rather they would be inundated by shops selling that thing or shills promoting it. That plot however was probably much older, since the obvious wonderful alternative, Dejanews, wasn't available anymore, having already been bought by Google many years before.


I've found that a lot of people are adding "reddit" to their searches as a poor-man's discussion filter. It sort of works but it's also sad in how it's another reflection of how centralized and concentrated the web has become.


That's certainly what I'm doing, and I'm hoping that there will be some alternative by the time reddit becomes useless (it seems to be moving in that direction, although not too quickly for the smaller niche subreddits).


I've also had good success with "forum".


`-cart -checkout -"check out" -clearance -discount -sales -PayPal -shipping` is what I use on occasion to remove e-commerce sites from the results.


You just gave me some serious deja-vu. Who remembers when TPB were going to buy Sealand in order to host trackers out of the reach of authorities?


Turns out buying Sealand in order to continue to run ThePirateBay was over-engineering, as ThePirateBay is still alive and running today, albeit in a slightly different form than before.


For now? It seems like a lot of torrent info sites have been closed down (just from reading https://torrentfreak.com/, maybe more pop up than get taken down?).


Don't know. Swedish police (et al) have been trying forever to shut it down, and while they have momentarily succeeded, it always seems to come back up.

I'm no longer familiar with the architecture of TPB, but they seem to be running things in a much more decentralized fashion nowadays, where a bunch of independent sites (at least independent domains) are running a frontend with the same database content. Unsure how that works behind the scenes.

But rest assured, you can always find a domain which is not blocked and that is mirroring the content of the proper TPB. In my case, thepiratebay.org is blocked by my ISP, but thepiratebay.party is just a few hours behind (confirmed via VPN).

Compare the following pages for example (if thepiratebay.org works for you):

- https://thepiratebay.org/search.php?q=user:dauphong

- https://thepiratebay.party/user/dauphong/


>...buy Sealand in order to host trackers out of the reach of authorities?

Sealand is within the territorial waters of the UK. No sovereign nation has recognized Sealand's independence from the UK. Even if one did, according to international law, artificial islands and structures don't possess the status of islands.


Isn't Sealand just a couple of underwater charges planted by some clandestine operatives away from not existing?


You and I could conquer Sealand next week if we really wanted to.



Sealand is a bad storm away from not existing.


Switzerland, along with most western countries due to ratifying the relevant WIPO treaties, has copyright laws broadly similar to the DMCA: https://www.admin.ch/opc/en/classified-compilation/19920251/...


What about Trinidad and Tobago?

I remember there was an international ruling where the US was in a trade violation, and I thought the country was permitted to waive IP enforcement until they were compensated.

I am having trouble finding the reference.


Not sure about Trinidad and Tobago. Antigua was the one given the right to violate US copyrights to pressure the US to abandon its illegal gambling restrictions. It was given that right by the WTO.

https://www.nytimes.com/2007/12/21/business/worldbusiness/21...

Keep in mind, there is a big difference between being allowed to violate US copyrights and waiving IP enforcement.


Considering that it's a DRM module, it's not a surprise. I believe anyone with a DRM module that does not protect it is at risk of losing their license with the content owners. That's basically why DRM exists to begin with.

Blaming the content service is easy since they're user-facing, but it's shallow. Content-related restrictions are, in my experience, almost always dictated by the content owner. Region locks, availability windows, use of DRM, DMCAs for anti-DRM, etc, are all at the requirement of the content owners.

I don't think these modern Internet-based service providers care about that stuff much, they have little incentive to. It's driven by contracts.

Incidentally, this is always the reason behind region locks. Service X or content Y isn't available in your country? Don't blame the streaming service, blame the content owner.


Switzerland won't stay neutral and definitely isn't some untouchable fantasy land; it has to be stored outside the boundaries of individual countries, ergo, decentralized solutions like some other commenters mentioned. Git is great for that. I wonder if, in addition to IPFS and the like that were mentioned, there is a tracker or index of git remotes out there - just a big list of servers hosting git, ranging from the big ones like github to someone's raspberry pi hooked up to the internet to idk, usb sticks in a geocache.


Sounds like someone (not me) needs to register "thegitbay.org" or similar. And maybe a .onion variant too. ;)


I2P Gitlab how to: https://geti2p.net/en/docs/applications/gitlab

Existing server: http://git.idk.i2p/zlatinb/muwire

Can't find the clearnet address.


Throw in a Handshake domain and bases should be converted from the URL angle.


Sourcehut may be a good option as well.

Drew seems like the type to fight illegitimate DMCAs.

Edit: I'm curious, why the downvotes? I am legitimately trying to be helpful. I recognize if you have personal differences with ddevault, but he puts his code where his mouth is.

If I'm misunderstanding said downvotes, please enlighten me.

Edit 2: Many thanks to those who have responded. It appears I misunderstood about this specific instance, where the DMCA does have some legitimacy.


Didn't downvote, but I think you overestimate anyone if you think they'll go to court for you against an org as big as the RIAA or Google (unless perhaps if it's the EFF).


My (flawed?) understanding of DMCA is that the project whom a DMCA is filed against can counter-file if they believe the DMCA is illegitimate, after which the burden of going to court is between the group that filed the DMCA and the group they targeted.

Someone else in this thread linked this, which seems like a useful resource as well: https://sourcehut.org/blog/2020-10-29-how-mailing-lists-prev...

Edit: It was biryani_chicken who linked the resource above.

Also, I misunderstood about the legitimacy of this specific claim, my brain had yet to shift gear from the youtube-dl shenanigans.

Thanks for the response!


The problem with both RIAA and Google takedown demands is never about the DMCA takedown in relation to copyright infringement, it's the circumvention (it seems that EFF understand this very well, but most online commenters didn't get this, which was exacerbated by GitHub using the DMCA takedown repo). Now, no one knows if GitHub were also directly targeted by legal threats as an accessory to "enable" the distribution of circumvention tools, which RIAA and Google are arguing.

Also, what RIAA is trying to remove is the code that allows getting the music video files from YouTube, which are served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.


He might not be able to fight the DMCA takedown, but makes it easier for contributors to not get too disrupted by it: https://sourcehut.org/blog/2020-10-29-how-mailing-lists-prev...


This is absolutely a legitimate DMCA notice. The repos in question are created with the sole intention of bypassing a DRM scheme, which allows for takedown under DMCA 1201.


It is a valid DMCA notice, but not for that reason. The repo contained Google copyrighted code.


It’s both:

> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.

> Additionally, the Git repo contains several files that violate Google’s copyrights:

> <a bunch of files>

> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.


> > It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.

That bit is probably irrelevant to the DMCA takedown procedure, which only applies to "material that is claimed to be infringing or to be the subject of infringing activity". I don't think there's much clear precedent to what "be the subject of infringing activity" means, but decryption tools that don't use stolen code definitely don't qualify as "material that is claimed to be infringing".

And if Google does want to claim that the circumvention tool is infringing a Google copyright rather than merely running afoul of an unrelated provision of the DMCA, then Google has to specifically identify their own work of decryption code that the circumvention tool is ripping off. All this notice specifically identifies in the way of actual infringement are two documentation PDFs and an API header file (and we all know where Google stands on API copyright).


> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.

"Their belief" is meaningless, to get a circumvention tool removed they need a court order.


Or a polite request to github, apparently, which seems to work too.

I don't feel as bad about it here as about youtube-dl. I disagree, mind you -- I'd like github to act as a neutral service provider -- but this one is a place where I can see why github might hold a different opinion. It's an ideological split like abortion, gun control, or similar, where reasonable people can violently disagree.

The whole "Sensitive Data takedown request" is also a github thing, but this one is a written policy:

https://docs.github.com/en/free-pro-team@latest/github/site-...

It has nothing to do with the DMCA.


It contained a private key!


IANAL but I don't see 1201 mentioned in https://www.law.cornell.edu/uscode/text/17/512


It might be a legitimate DMCA notice, but the DMCA does not apply globally.


But it does apply to GitHub, an American company.


Almost every western country has ratified the 1996 WIPO Copyright Treaty, which requires laws broadly similar to the DMCA. The DMCA is just the US's implementation of the WIPO treaty.


Drew does not fight DMCAs, he's said so himself. Why would he? His company must follow the law.


> His company must follow the law.

Of course. That being said, wasn't there a big discussion when this happened to youtube-dl about how that was almost certainly not a legitimate DMCA? That being the case, disregarding it would not be illegal, at least to my (quite limited) understanding.

It appears I misunderstood in this specific case as there is a much stronger case for this DMCA to be considered legitimate.


It's not against the law to fight DMCA notices that aren't legit. It's an unnecessary risk that does not benefit him, but it's definitely not illegal.

That said at least part of this notice seems legit.


dude, just donate to the eff. you don't need to volunteer someone else to take on a legal battle for you


I'm not volunteering someone else to fight, I'm mentioning their paid service, which seems like it could be useful for this use case.

I'm sorry if that's offensive.

(Also, I donate to the EFF)


The EFF has been supported heavily by Google in the past. Some of the lawyers at Google worked at the EFF and vice versa. Moreover, they often have private fundraising parties for Google staffers. I doubt they're going to bite the hand that feeds them.


What successes has EFF had?


https://www.eff.org/cases/2018-dmca-rulemaking

Something they've participated in every 2 years since 2000, as documented here: https://www.eff.org/cases?group=0-9


[deleted]


Lawful evil.


Possibly because if anything is, this is a legitimate claim. Ignoring the "it's a tool to circumvent DRM" nonsense (which is a "legitimate" claim under the DMCA).

The repository itself is pirated code - it is code held under copyright by Google, and Google doesn't want it to be public, therefore anyone distributing it is violating copyright. The DMCA claim is substantially less than what they could do. Actual copyright violations have very large fines.


Just use some decentralized forge like git-ssb.


Underwater in the middle of the ocean, using starlink for connectivity.


Since Starlink is operated by a US company, they'd be able to shut you down.


Not once they're operating on Mars, according to their TOS agreement!


RIAA would have tried to extract even more money from artists to buy state of the art weaponised submarines and an army of seamen.


It's gonna be a full-fledged pirate ship with big-ass cannons then.


On a ship they are called guns. Big-ass Guns


Big-ass Guns are not effective against missiles launched at you from great heights and/or distances.


I'd love to see the day we're launching missiles at foreign ships over copyright violations.


Make it so.


I think space is becoming a reasonable frontier.

Until then, something IPFS based.


This is maybe one of the few use cases where a cryptocurrency can help; in a similar vein to the effectiveness of BitTorrent.

Specifically, Filecoin (built by the IPFS folks) could be used as a datastore for git. You can send DMCAs to pseudonymous Filecoin operators all you want; but the content will still be up if one operator keeps hosting it.

Hopefully it will also encourage all commits and repositories to be PGP signed (and not through a centralized FVEY platform), strengthening security, authenticity, and trust.


Filecoin isn't a datastore, it's a coin. IPFS is the datastore. However, I'd probably use something that works better, maybe Dat or Zeronet.


Space-based crypto-funded storage for guaranteeing that one operator.

The best part about non-GEO satellites is that, although you can't see them 24/7 from one location, that also makes it incredibly difficult to jam their uplinks continuously.


It was going to happen. When Google was making money off of piracy by just running a search engine, it was happy to encourage it and celebrate the philosophy. Now that they're cashing big checks from advertisers and content companies, well, they're just following the money.


Only Level 3, sadly, which means it can decrypt Standard Definition (480p) videos. This has been out for a while.

Some reputable people in the pirating industry have actually cracked Level 1, which means they can decrypt 4K! :-)


This is just not true. It's up to individual content providers to decide what resolutions to supply via L3, and for Netflix and Amazon Prime, that resolution is 1080p.


>and for Netflix [...], that resolution is 1080p.

Do you have a source for that? This page[1] says Firefox and Chrome on Windows, Linux, and Mac only go up to 720p. Chrome on ChromeOS goes up to 1080p, is that still L3?

[1] https://help.netflix.com/en/node/23742


https://i.imgur.com/uveeA6a.png

https://addons.mozilla.org/en-GB/firefox/addon/netflix-1080p...

It seems that many streaming platforms disable 1080p by default, and I assume that this is only for performance reasons (some hardware struggles to run an obfuscated software video decoder...) - it's not a DRM limitation, and in Netflix's case it can be re-enabled via trivial changes to the frontend JS.


Of course you can watch the test streams, but try watching a recent movie from a third party studio and see if it reports the same resolution.


This is true, but if you care about quality you'd go directly to the third party source.

All of the content I actually use Netflix for is available in 1080p on L3 (Which matters to me, since L3 is the highest supported level on desktop x86 Linux).


How do you open this debugging info?


Ctrl-Alt-Shift-D, at least in FF.

The mentioned addon works pretty reliably for me, watching 1080p in FF on Linux, at least for Netflix original content.


Ctrl + Alt + Shift + D


Level 1 means everything is done in a secure enclave from what I understand.

I wonder if Google does something similar to Blu-ray AACS where if a level 1 device is compromised they can revoke just that device (or manufacturer's key). If not, I wonder why they don't.

(To clarify, my curiosity is in an abstract way; I am ideologically opposed to DRM.)


Yes, they can revoke or downgrade the level. And sometimes devices share the same key.

Recent instance of such a downgrade, causing a ton of (Philips) TVs to stop playing HD content apparently: https://www.reddit.com/r/netflix/comments/jq9wdb/netflix_cap...

This is the tracker from the screenshots by the way: https://t.me/s/wvcrl


> If not, I wonder why they don't.

Mainly because it's hard to trace back which device key got leaked, especially if all you have to go on are the ripped videos. If you had the tools it'd be much easier, but that's probably kept under tight wraps by the piracy groups.


Hmm. Good point.

I suppose if you have the entire decoding process in a secure enclave you could also make it watermark the resulting file with which key was used to decrypt.


Widevine L1 does in fact watermark the decrypted bitstream. I don't think it's still true today, but there was a period last year where releasing decrypted L1 content without re-encoding meant sacrificing an NVIDIA Shield. The Shield was the only L1 capable player which had a known weakness and Widevine would revoke the device key based on the watermark in the bitstream.

Nowadays the piracy groups seem to have found a way around this. Presumably they found a way to strip the watermark, but we can only speculate as the groups guard their methods closely for obvious reasons.


What happens if the pirates have two compromised devices, and they compare the output between the two to foil your watermarking scheme?


I guess the watermarking scheme would include some randomness so you can't just trivially diff, but making a robust scheme is probably hard.

That said, it doesn't need to be that robust, since the pirate only has to slip up once to get caught and it's hard to know for sure if you got the entire watermark out.
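The two comments above (the "compare two compromised devices" question and the "randomness so you can't trivially diff" reply) describe a standard traitor-tracing setting. The toy below is an added illustration written for this thread; it is not Widevine's scheme, not code from the linked repo, and it uses a deliberately simple LSB carrier as a stand-in for a real robust watermark. Every name, the `EMBED_SECRET`, the device ids and the sawtooth "audio" are constructed. It shows the two points the comments make: the distributor's secret embedding positions and per-device codewords are the randomness, and two colluders can only disturb the bits where their copies differ, so correlation-based tracing still ranks one of them on top.

```python
import hashlib
import random

# Constructed parameters for this toy; none of them come from Widevine or any real DRM system.
CODE_LEN = 256                          # fingerprint bits carried by every copy
NUM_SAMPLES = 4096                      # length of the constructed audio clip
EMBED_SECRET = "demo-position-secret"   # hypothetical secret known only to the distributor


def make_content(n=NUM_SAMPLES):
    """Constructed stand-in for decoded 16-bit PCM audio: a quiet sawtooth as ints."""
    return [(i * 37) % 2000 - 1000 for i in range(n)]


def codeword(device_id):
    """Per-device fingerprint: CODE_LEN pseudo-random bits derived from the device id."""
    digest = hashlib.sha256(device_id.encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(CODE_LEN)]


def embed_positions(secret, n_samples=NUM_SAMPLES):
    """Secret sample positions that carry the bits; this is the randomness the detector relies on."""
    rng = random.Random(secret)
    return rng.sample(range(n_samples), CODE_LEN)


def embed(samples, device_id, secret=EMBED_SECRET):
    """Return a copy of samples with the device's codeword written into the LSB of the chosen samples."""
    out = list(samples)
    for pos, bit in zip(embed_positions(secret, len(samples)), codeword(device_id)):
        out[pos] = (out[pos] & ~1) | bit
    return out


def extract(samples, secret=EMBED_SECRET):
    """Read the fingerprint bits back out of a (possibly tampered) copy."""
    return [samples[pos] & 1 for pos in embed_positions(secret, len(samples))]


def trace(samples, device_ids, secret=EMBED_SECRET):
    """Score every known device by how many of its codeword bits agree with the extracted bits.

    An untouched copy scores CODE_LEN for its own device; an unrelated device scores
    about CODE_LEN/2, so the gap is what the detector decides on.
    """
    bits = extract(samples, secret)
    scores = []
    for dev in device_ids:
        agree = sum(1 for a, b in zip(bits, codeword(dev)) if a == b)
        scores.append((dev, agree))
    scores.sort(key=lambda item: -item[1])
    return scores


def collude(copy_a, copy_b):
    """Model of the two-device comparison from the thread: wherever the copies differ the
    colluders alternate which copy they keep. Where the copies agree they cannot see a
    fingerprint bit at all, so those bits survive untouched (the 'marking assumption')."""
    out = []
    keep_a = True
    for a, b in zip(copy_a, copy_b):
        if a == b:
            out.append(a)
        else:
            out.append(a if keep_a else b)
            keep_a = not keep_a
    return out


if __name__ == "__main__":
    devices = ["tv-A", "tv-B", "tv-C"]        # constructed device ids; tv-C is innocent
    content = make_content()
    leaked = collude(embed(content, "tv-A"), embed(content, "tv-B"))
    for dev, score in trace(leaked, devices):
        print(f"{dev}: {score}/{CODE_LEN} bits agree")
```

With two colluders, each of them still agrees with the leaked copy on every position where their codewords coincided (about half of them) plus roughly half of the remaining positions, so both score around three quarters of `CODE_LEN` while the innocent device sits near one half. Real systems replace the LSB carrier with a perceptual embedding and use collusion-resistant codes so that larger coalitions can be traced too.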


The pirate can also add some randomness of their own to diffuse the watermark.


That's harder than you would think. See https://en.m.wikipedia.org/wiki/Cinavia


> The intent is to prevent all copying, both counterfeit copies and legal copies of one's own content (for example, format shifting).
>
> Verance claims on their website that, while the watermark is able to survive recording through microphones (such as recording a film in a movie theater with a camcorder), as well as compression and encoding, it is imperceptible to human hearing, as well as that the presence of the watermark does not affect audio quality.

A Herculean effort to create artificial scarcity. Thank you, capitalism.


Indeed, I find it equal parts disgusting and fascinating.


Well, under pure capitalism, intellectual property wouldn't exist and these sort of efforts would be pointless.


Although it's claimed that this survives arbitrary transcoding, I'm really not convinced that's mathematically possible. I think it's much more likely that they've just chosen to embed information at a very low bit rate.

Having never heard of this before, I did the natural hackernews reader thing -- search for a bypass -- and came across this interesting forum discussion [1] from ~2014, in which a large number of people state that a reverb effect gets rid of it. The original author writes:

> get an program named Audacity open the converted audio file in freemake > and open the file in Audacity choose File>Open then Edit>Select>All > then go to Effect>GVerb > make sure to have the following configuration:

> roomsize (m):1.0 > reverb time (s): 0.1 > Damping: 0.0 > Input Bandwidth: 0.20 > Dry Signal (db): -7.0 > Early reflection level (db): 0.0 > Tail Level: -17.5

Other methods of bypass include using a player that doesn't check for the watermark, patching out the checking code in a firmware image, and simply swapping the HD-DVD / Blu-ray audio with one from a DVD.

[1] https://web.archive.org/web/20141208081801/http://club.myce....

---- Edit ----

Some further useful information -- and a statement that they've put the details in their patent!

> The Cinavia detection is sensitive to pitches and time sequence of features. The specific feature that detector looks for, is already clearly stated in Verance patent US5940135:

> [2] www.google.com/patents/US5940135

> If you study the patent document you will know the feature is delayed correlation. They also use hopping to change the delay of the correlation within the pattern of the same watermark. The actual delay, and the hopping pattern between delays, is their secret and security. That information I cannot disclose. Nor is it needed to defeat Cinavia.

> The fact of the matter is Cinavia added an artificial signal to rapidly change the delayed correlation in short time internals. Analysis the audio and you can see it causes an un-natural ripples in the frequency space. If you can see those un-natural ripples, you can smooth it out and remove it. Just remember, in real world, different frequency components of a sound does not change that rapidly. They generally decay over a fraction of a second, and human ear can not catch it if a frequency shows up and then rapidly goes away. So the way to defeat Cinavia is do not let any frequency component go in and out so rapidly. If it shows up, let it stay for a little while longer. Stretch it out a bit, before letting it decay out.

> That will defeat Cinavia for sure. Make everything vary more slowly and smooth out any ripples. It also beautifies the sound quality.

> When people sing, the pace of their singing is much slower than normal speech, right? A sentence that takes 3 second to speak, a singer will spend half a minute to sing the same sentence out. The slow varying is what makes music beautiful, and it is also what can kill Civania!

[2] http://www.google.com/patents/US5940135


Wow. Thanks for that link.


No, from the repo mirror[0]:

> Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e. no hardware TEEs), thereby making it reversible and bypassable.

0: https://news.ycombinator.com/item?id=25078497


GP comment said L1 - what connection does that have to your comment, which seems to be about L3?


> Level 1 means everything is done in a secure enclave from what i understand.

This line said level 3 originally, must have been edited; but it doesn't look like it was archived on the IA, so I can't prove it.


What kind of secure enclave? There have been a lot of catastrophic vulnerabilities in secure enclaves, over the past year or three.


Whichever one your device has. It's a technology that Google licenses out. If you are making a device that has a secure enclave you can apply for a license for level 1 Widevine.

If indeed level 1 has been breached, presumably it happened via one of those weaker secure enclaves.


I'd just like to take a second to appreciate the irony/oxymoron of there being weaker "secure" enclaves


...and the idea of a secure computer in general...


I'm guessing that the people who have this cracked keep it a secret so only their inner group has the method which lets them leak all of the new content and Google has no idea which key or process has been cracked.


Well one key is known to be leaked:

> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.


> If not, i wonder why they don't.

The potential for a DOS-attack would be immense.


Any resources on Level 1 decryption?


One method appears to be playing back on a legitimate player, then using HDCP strippers on hdmi/displayport outputs[1]. I've seen some 4k releases that clearly show the streaming site's playback controls, for instance.

[1] search for "hdcp bypass" on ebay


I remember cheap Chinese HDMI splitters used to inadvertently strip HDCP; is that still current?


Yes, but you could just explicitly search for a hdcp stripper and it'll work.


Capture HDMI. Strip HDCP.

Refer to the perfectly legal NeTV2 + trivial modification if you understand the HDL.


Is that considered decryption? Wouldn't that both decrypt and decompress? What if someone wants the original compressed stream so the video doesn't need to be re-compressed?


That can't be done without hardware hacks, which can (often) be traced to isolated hardware which the manufacturers will then lock out or force a software upgrade for, making it impossible to use in the future. That's why most 4k pirate releases are re-encoded from HDMI, not lossless rips of the original stream as they are for 720p and 1080p.


Will that reduce the quality of the audio/video?


There have been a bunch of papers recently about using undervolting to break secure enclaves. No idea about how applicable that is, but that might be a possible attack vector.


It's probably kept under wraps by large scene groups, they don't want to show their methods and have them patched out.


In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies

They are practically asking for Streisand Effect... if you distribute your key with the software, then whatever form it is in, I would not consider it "private" at all!
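The point about a key that ships inside the software, as an added example (not code from the thread, from Google, or from the removed repository): a release-time scan that looks for PEM-armoured private keys and bare DER PKCS#1 RSAPrivateKey structures in an arbitrary build artifact. The artifact scanned here is constructed inline, and the RSA parameters in it are textbook-sized toys, not a real key. It catches only the naive case; a key protected by obfuscation or whitebox cryptography, the techniques the removed repository said it had to defeat, will not show up here.

```python
# Added example, not from the thread: scan a build artifact for embedded
# private keys (PEM blocks and bare DER PKCS#1 RSAPrivateKey structures).
import base64
import re

# PEM armour: "-----BEGIN <label>-----" ... "-----END <same label>-----".
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |ENCRYPTED |)PRIVATE KEY)-----"
    rb".*?-----END \1-----", re.S)


def _der_len(n):
    """DER length octets (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v):
    """DER INTEGER for a non-negative int; pads 0x00 if the high bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_sequence(*elements):
    body = b"".join(elements)
    return b"\x30" + _der_len(len(body)) + body


def toy_rsa_private_key_der():
    """Structurally valid PKCS#1 RSAPrivateKey built from textbook numbers
    (p=61, q=53, e=17). A toy for the demo, NOT a usable key."""
    p, q, e = 61, 53, 17
    n, d = p * q, 2753                       # d = e^-1 mod lcm(p-1, q-1)
    return der_sequence(der_integer(0), der_integer(n), der_integer(e),
                        der_integer(d), der_integer(p), der_integer(q),
                        der_integer(d % (p - 1)), der_integer(d % (q - 1)),
                        der_integer(pow(q, -1, p)))


# Constructed artifact layout: filler bytes with one DER key and one PEM
# block embedded at these offsets.
DER_OFFSET = 700
PEM_OFFSET = DER_OFFSET + len(toy_rsa_private_key_der()) + 800


def build_sample_artifact():
    """Stand-in for a shipped binary (constructed, not a real CDM)."""
    filler = bytes(range(256)) * 8           # 2048 bytes of non-key data
    der = toy_rsa_private_key_der()
    pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           + base64.encodebytes(der)
           + b"-----END RSA PRIVATE KEY-----\n")
    return filler[:700] + der + filler[700:1500] + pem + filler[1500:]


def read_tlv(buf, pos):
    """Parse one DER TLV header at pos -> (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return None if end > len(buf) else (tag, pos, end)


def is_rsa_private_key(buf, pos):
    """True if a SEQUENCE of exactly INTEGER 0 + eight INTEGERs (version,
    n, e, d, p, q, dP, dQ, qInv) starts at pos: the PKCS#1 two-prime form."""
    outer = read_tlv(buf, pos)
    if outer is None or outer[0] != 0x30:
        return False
    _, cur, end = outer
    fields = []
    while cur < end:
        inner = read_tlv(buf, cur)
        if inner is None or inner[0] != 0x02 or inner[2] > end:
            return False
        fields.append(buf[inner[1]:inner[2]])
        cur = inner[2]
    return len(fields) == 9 and fields[0] == b"\x00"


def scan_for_private_keys(blob):
    """Return sorted [(offset, description)] for every embedded key found."""
    hits = [(m.start(), "PEM " + m.group(1).decode())
            for m in PEM_RE.finditer(blob)]
    for pos in range(len(blob) - 1):         # every SEQUENCE tag is a candidate
        if blob[pos] == 0x30 and is_rsa_private_key(blob, pos):
            hits.append((pos, "DER RSAPrivateKey"))
    return sorted(hits)


if __name__ == "__main__":
    for offset, kind in scan_for_private_keys(build_sample_artifact()):
        print(f"{kind} at offset {offset}")
```

Running it reports both planted keys. The DER check is deliberately strict (exactly nine INTEGERs, version 0) to keep false positives out of a CI gate; multi-prime keys (version 1) and PKCS#8 wrappers would need their own matchers.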


This is DeCSS all over again. Was that ever resolved? It seems to me the original DeCSS complaints were more or less dropped because technology moved on and they couldn't mount a defense in a real court, and had to rely on bluffing.


Case was dropped by the DVD CCA in Norway because the number was no longer secret. That isn't relevant for section 1201 of the DMCA. It cares only if the program's intent was to bypass copy protection. DeCSS, and even libdvdcss, are absolutely infringing on this, and can't be hosted in USA repositories.


How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these? I think there is solid legal DMCA ground for them to remain hosted in the US, without even needing to reach for the whole "freedom of speech" thing.

I won't even get into how I think GitHub is being overly courteous to media companies by extending takedown ability for alleged Section 1201 violations. I'm firmly convinced the only remedy the DMCA offers for that is via the courts, and that the takedown process explicitly requires the identification of infringing material, not circumvention tools.


These laws are similar in what seems like a number of countries, and the reason why they're like this is quite simple: They want to have the cake (getting money from extra charges on stuff like DVD/BD burners, writeable media, hard drives etc. -- which you get charged to offset fair use and related rights) and also eat it (effectively denying you the rights you already paid for with those surcharges).

In a normal world, I can only do one of these. Either I take the money, and render services or goods OR I don't take the money, and then don't render the services. But in RIAA/DMCA/GEMA/...-Crazytown you get to charge people AND actively avoid delivering anything.


The Librarian of Congress (if I remember right) can declare three year exemptions to the anti-circumvention provisions. They have to be reviewed and renewed every time. Jailbreaking a smartphone is one example of an exemption that was granted in the past.

It really is a ridiculously one-sided law that gives all power to private media entities.


You don't. Which is why that part of DMCA at least should be repealed.


Fair use is about copyright. The DMCA's anti-circumvention section means you can't distribute software designed to circumvent DRM, even if that software isn't itself infringing. So I don't see how fair use could apply.


At a minimum, Google's counsel testified under penalty of perjury in this takedown letter that they took Fair Use into consideration, so there must be at least some application here. (And if there isn't, that sure is a strange sentence to have in the letter - almost as if they are misusing this takedown letter template after all!)

Fair Use is about using copyrighted content, which is widely shackled behind DRM. Any court can easily see that in order to exercise your right to use that content in a Fair Use sort of way, you must break the DRM. Therefore, the existence and availability of DRM-breaking tools is a necessary condition for Fair Use to be exercised at all in conjunction with the modern media landscape.


DMCA does not include fair use as an allowable reason to circumvent DRM. That is one of the reasons why DRM sometimes shows up in weird places because it effectively limits fair use rights (see also all the right to repair stuff that people have been talking about lately)

IANAL


>DMCA does not include fair use as an allowable reason to circumvent DRM. //

Could you cite the law you're referring to here please?

The UK CDPA as amended to follow the EU's Marrakech directive seems to say anything that prevents you from exercising your Fair Dealing rights to make content accessible for disabled people is void if it contradicts these rights. This seems necessarily to allow for circumvention of DRM (for people with disabilities and specific registered companies) but that also appears to mean production of circumvention means needs to be legal otherwise such accessibility will be impossible.


DMCA is the Digital Millennium Copyright Act, the latest amendment to USA copyright law. Text of the law is here: https://www.copyright.gov/legislation/dmca.pdf . GitHub is a division of a US company, Microsoft, so it is bound by US law.


Actually, it is more complicated than that. To exercise the fair use defense (yes, it is a defense and not a right in US copyright law), you must be able to use a process that is non-invasive (as stated in the DMCA). So, if DRM is preventing you from taking a screenshot, you are actually required to use a camera and exercise the analog hole. This is definitely disappointing, and I am not personally endorsing it, but the law as it stands does not lend credence. (Also, what the RIAA is trying to remove is the code that allows getting the music video files from YouTube, which are served differently from normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.)


> (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos. This was conspicuously absent from all discussions I've read.)

It's absent because RIAA's intent is not stated. They did a blanket takedown, unprompted. As far as I can tell they never requested any particular modification. IIRC the only hint that it might be related is a mention that the rolling cipher algorithm that YouTube-dl "circumvents" was ruled to be DRM under German law.

However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)


> However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)

This is definitely untested in court but I won't be surprised if it is indeed part of marketing. The problem with the tests is that they do download the video, even if it is a small amount, and since ytdl does not reject the video for downloading at all it is technically infringement, probably without a valid fair use defense. If ytdl had actively rejected that (for example if the test units were specifically to prevent downloading those types of videos), they may have a stronger defense against RIAA claims.


Well... the tests do not actually download the videos.


Not in their entirety, but it still downloaded a second for each of those videos. Interpret that as you wish, but I will not be surprised if RIAA will use this.


Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”


Fair use applies to copyrighted content, not circumvention tools.


This nonsense about "it's a defence not a right" discredits you.

It's a right because where it applies there is no tort. Like an allowed right of way over private property. Yes, if you have someone abusing your rights by filing frivolous suits then "it's a defence", of course it is; they're trying to assert a right they don't have.

Such needless couching of public rights in an authoritarian way is really offensive to the purposes of copyright, which is granted by the public - the demos - to private parties. It's not a natural right, and so yes, under Fair Use there is no right being infringed that a valid claim of tort can be made for; so one does have a right to do those things.


Thankfully in some countries the courts will just dismiss the case:

https://www.nytimes.com/2006/10/09/technology/09steal.html

Two years later, their case was dismissed:

https://www.generation-nt.com/drm-stopdrm-dadvsi-justice-loi... (fr)

They were considered as 'irresponsible' due to 'either psychological issues, force majeure or legitimate self-defense".

(Note that they even seem to have shared the DMCA infringing software on their website.)


Material doesn't infringe rappers^w people do, context is important as well. For example in UK Fair Dealing time-shifting of live broadcasts is allowed, but retention or sharing (eg watching a recording of a TV show with another person!) is not.

I think both the USA and UK DDAs allow copying as part of production of accessible content.

Honestly though, I'm not sure how this fits with "circumvention"; the wording (UK) appears to allow it.


> How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these?

Fair use is not a right. It's a defence. You're still infringing copyright, but this is an infringement that they cannot punish. Importantly, law makers see fair use as a restriction of the rights of the copyright holder, not as a right granted to users of that IP.

People have always known that DMCA interferes with these defences. See for example this from 2001: https://repository.uchastings.edu/cgi/viewcontent.cgi?articl...


> You're still infringing copyright

Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work ... is not an infringement of copyright.

https://www.law.cornell.edu/uscode/text/17/107


The 9th Circuit in Lenz v. Universal disagrees.


> right to Fair Use

There is no such thing AFAIK.


For those downvoting, see: https://www.govinfo.gov/content/pkg/CHRG-109hhrg27003/html/C...

> It is important to be clear about what the fair use doctrine is not. Fair use is not a right. It is a defense. [...]

It's not hard to find more links explaining the same thing (e.g., see http://www.copyhype.com/2013/08/why-copyright-is-a-right-and...), but I'm happy to be proven wrong...


Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”


It might not be an "affirmative" defense, but to my understanding that doesn't imply it's a right. A "right" as I understand it is something that is illegal for others to violate, and that government generally has a duty to protect. But there's nothing unlawful about creating something that's uncopyable, or about guarding what you have so closely that others are unable to copy it; in fact, I would've assumed being able to do so is itself your right. And should you create something that's uncopyable, nobody will be able to copy it, even if it would be fair use for them to do so. They might be upset about this, but their rights definitely aren't being violated by your creation or protection of that thing—and the government can't force you to make your stuff copyable. (Or maybe it can with additional legislation, but I'm pretty sure we don't have such legislation.) That means "fair use" isn't anyone's right... it's just a valid defense (whether "affirmative" or otherwise).


By this logic free speech isn't a right because the government is under no obligation to provide you with a platform to exercise it.


Offering you a platform is not the same thing as ensuring that it's even physically possible. The argument wasn't about the government hosting copyrightable content for you or delivering it to you; it was about ensuring it is even possible for you to copy content.


Preventing something from being copyable is only possible by not distributing it. If you can see it you can copy it.

The copyright holder could prevent you from copying it by never distributing it, but that doesn't mean you don't have a right to fair use, it only means you don't have the ability to exercise that right. Much the same as you can't exercise freedom of the press if you can't afford a printing press (or any modern equivalent).

It might be physically impossible for you to have an abortion, e.g. because you're infertile, but that doesn't mean you don't have a right to one under existing precedent.


Fair use is a right, and if the law doesn't accurately reflect that, then the law needs to be changed.


When a "right" is spoken of in legal discussions (which this clearly is), it implies a "right by law". If you want to talk about another right, like your "moral right", you'd usually say exactly that.

But yes, even rights defined in the law can and do get redefined, newly introduced or removed.


You're wrong: You can break copy protection if you own the rights to a work. This means you can e.g. circumvent Windows' license checking if you own a copy of it already. The DMCA does not criminalize that, nor could it, and this is probably why py-kms is still up on GitHub after a copyright challenge.

This was a change that I am assuming was added before any complaint could be mounted about this use case for fear of striking more of the DMCA down than just that provision that was modified.


It was "resolved" by new laws being introduced almost globally that make development, distribution etc. and potentially even possession of "circumvention devices" illegal, making it possible to do such takedown requests in most countries that provide infrastructure.


CSS only used 40 bit keys to comply with US export controls, so with modern computers you can just bruteforce it without knowing the key, so the key is very much a moot point at this point.


Not even modern, my Athlon did that in under 20 minutes; mplayer cached the key once it decrypted the DVDs.


The only difference between Widevine and DeCSS is you can rotate the Widevine key.


That should be a big difference. Have they made sure that all the netflix boxes out there support this?


Boxes are unlikely to use this key. The letter implies that this key is for the weakest (software-only) level of protection, used on generic PCs.


What do smart tvs and tv boxes use?


Each device usually has its own unique Widevine L1 keybox, with a separate intermediate key for each model.


"secret" when it's distributed with every installation of Google Chrome.

This is your brain on DRM.


Similarly to the youtube-dl case. Maybe Google was indeed behind it ?


Time for some DeCSS-style t-shirts/stickers again... maybe something like this[0]? ;)

[0] https://imgur.com/a/ajKeDfp


It would be great, although the real difference here is that the DeCSS key was almost impossible to change once it was leaked, while the Youtube key is comparatively trivial to change.


Just in case someone is looking for editable version: https://pastebin.com/Rbj6nd3q


42 ways to share code

https://webcache.googleusercontent.com/search?q=cache:http:/...

Predates so-called "Streisand Effect"


I see that what you posted is on google's servers. Doesn't that mean they are effectively distributing it themselves?


> Predates so-called "Streisand Effect"

DeCSS was released in 1999; Mecha Streisand episode of South Park was 1998.


What has South Park got to do with it? The "Streisand Effect" was because of Streisand suing a photographer in 2003 causing people to realise where she lived and getting photos of her house, and the phrase was coined in 2005 by Techdirt.


There must be some kind of Mandela effect going on since I feel quite sure I was using this in 1998 after Streisand voiced distaste at the South Park episode.


Mecha-Streisand re-appeared in South Park's 200th episode in 2010; perhaps that's what you were thinking of?


It's not an issue to them in this case, as presumably they can just change the key once the DMCA is successful and they have set precedent.


I thought copyrights on numbers were deemed invalid? Copyright applies to data as it appears right? You can encode a number in any base, the idea that a company has copyright on every base encoding is equivalent to me saying I have copyright on every key because I wrote a program that enumerates all keys.


> I thought copyrights on numbers were deemed invalid?

They are invalid. It's interesting since it implies copyright itself must be invalid.

All intellectual property is data, information, a collection of bits... Also known as a number. Copyrighted works are actually just numbers. Really big numbers. Creators are just trying to discover those numbers through their labor.


It also means such a program would be illegal, since it would also necessarily involve the creation of numbers that can be interpreted as truly illegal content.



The private key mentioned in the notice is here: https://archive.softwareheritage.org/browse/origin/content/?...


I thought it might be nice to create another mirror, just in case: https://github.com/cryptonek/widevine-l3-decryptor

Hopefully, it will hang around at least till Monday, so some of you will be able to clone.

It is based on commit ed8a97745c69b8cc0fc7f59cec9474b216b49e16 which is latest archived by Web Archive (and signed by Github!). By the way, it is still possible to fetch original repo, provided you know the commit id above :)


Excellent, thanks. Hadn't heard of this decryptor project before, now I can take a look through it to see how it works. :)

Pity they don't seem to have `git clone` support, and only allow downloading a tarball. Anyway, that's still a lot better than nothing. :)


How do I clone it to get the .git directory? The downloaded tar doesn't contain it.
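The trick the mirror comment above relies on (fetching the original repository by commit id when no branch points at it any more), and the .git question just asked, reproduced locally as an added example that is not part of the thread or of either project. A bare repository on disk stands in for the hosting provider; its uploadpack.allowAnySHA1InWant setting is an assumption made so the local stand-in serves unreachable objects the way the comment reports the hosted repository does. Needs git on PATH.

```python
# Added example (not from the thread): recover a commit by id from a remote
# that no longer has any ref pointing at it, ending up with a full .git
# directory rather than a tarball.
import subprocess
import tempfile
from pathlib import Path


def git(*args, cwd=None):
    """Run one git command, fail loudly on error, return stripped stdout."""
    done = subprocess.run(["git", *args], cwd=cwd, check=True,
                          text=True, capture_output=True)
    return done.stdout.strip()


def build_scenario(root):
    """Constructed scenario: an author pushes two commits to a bare 'hosting'
    repo, then the branch is deleted server-side (the takedown)."""
    server, author = root / "server.git", root / "author"
    git("init", "-q", "--bare", str(server))
    # Assumption: the host serves any object it still holds when asked for
    # it by id. Set explicitly so the local stand-in behaves that way.
    git("config", "uploadpack.allowAnySHA1InWant", "true", cwd=server)

    git("init", "-q", str(author))
    git("symbolic-ref", "HEAD", "refs/heads/main", cwd=author)
    ident = ["-c", "user.name=demo", "-c", "user.email=demo@example.invalid"]
    for rev in (1, 2):
        (author / "decryptor.txt").write_text(f"revision {rev}\n")
        git("add", "decryptor.txt", cwd=author)
        git(*ident, "commit", "-q", "-m", f"revision {rev}", cwd=author)
    git("push", "-q", str(server), "main", cwd=author)
    sha = git("rev-parse", "HEAD", cwd=author)

    # The takedown: the branch vanishes, the objects do not.
    git("update-ref", "-d", "refs/heads/main", cwd=server)
    return server, sha


def recover_commit(server, sha, dest):
    """Fetch `sha` from `server` into a fresh repo and check it out."""
    git("init", "-q", str(dest))
    git("fetch", "-q", str(server), sha, cwd=dest)   # by id, no ref needed
    git("checkout", "-q", sha, cwd=dest)             # detached HEAD
    return {
        "type": git("cat-file", "-t", sha, cwd=dest),
        "history_depth": int(git("rev-list", "--count", "HEAD", cwd=dest)),
        "has_git_dir": (dest / ".git").is_dir(),
    }


def demo():
    """Run the whole scenario in a temp dir and return what was recovered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        server, sha = build_scenario(root)
        refs_left = git("for-each-ref", cwd=server)  # "" once main is gone
        result = recover_commit(server, sha, root / "client")
        result["refs_left_on_server"] = refs_left
        return result


if __name__ == "__main__":
    print(demo())
```

The client ends up with both commits and a normal .git directory, which is what a tarball from an archive cannot give you. The same fetch-by-id works against any server that exposes unreachable objects, which is also why force-pushing a leaked secret away from a branch does not remove it.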


Trying to get Widevine going on iOS / macOS has been a royal pain in the ass so far (crashes when you touch the lib while having a debugger attached, so you can't even debug your own code unless you swap in a severely castrated development version that only works on the simulator) and Google guards access to the official libs and docs like it's the precioussss.

To me this is just one of the many developer hostile steps I've seen. I understand they don't want you to access illegal content too easily but honestly the only thing that could drive me back to Torrenting is the declining quality of content on Netflix & co.


I honestly believe this is just a small component, which is a part of the long term strategy of the RIAA and others: a periodical check to test the waters to see where public opinion is at, to be able to gauge if they can implement more dramatic and restrictive DRM mechanisms yet [1].

They are either 1) waiting for us to be too exhausted to notice/care/fight back, or 2) seeing whether they have to go further to 'protect content creators' by lobbying for more draconian laws that allow for the use of new DRM strategies. It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2], yet is now used as a way for business owners to avoid personal liability/responsibility. One could even argue that Corporate personhood is one of the most destructive forces that exists today; causing some of the worst crimes in modern history [3].

It's important we continue to fight back and set a precedent for protecting users over corporations or governments.

[1] https://en.wikipedia.org/wiki/The_Right_to_Read

[2] https://www.history.com/news/14th-amendment-corporate-person...

[3] https://www.counterpunch.org/2013/02/05/corporate-personhood...


> It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2]

Why not Magna Carta while you're at it ?


Some self hosting options:

Gitea:

https://gitea.io/

sourcehut:

https://sourcehut.org/

Gogs:

https://gogs.io/

Gitlab:

https://gitlab.com/


This has been brought up before in the other threads, but just because you self host doesn't mean you can ignore DMCA takedown requests. You can choose to ignore such DMCA requests if they decide to send one to your self-hosted website, but not honoring it means you think you're not infringing on their copyright and are willing to go to court over it. If they don't want to go this far, or you try to not include contact info, they'll probably first send a DMCA to your web host/registrar who will suspend your hosting/website unless you counter-notice, which still means you've got to be ready to fight a lawsuit (note that Cloudflare forwards DMCA requests to your web host company, so you can't hide behind CF).


I would be very interested what they can do when I run this locally on my own machine at home (true self-host). Plus I live in the Netherlands...


Dutch law also has provisions against DRM circumvention technologies, so if they have proof that you're doing it, you can expect a lawsuit.

They won't find proof if you host the code on a git instance that's only accessible to you, but if you share that server with the internet, you can expect the RIAA (or more likely, their friends over at BREIN) to sue you (after getting your details from your ISP through another lawsuit).

Responding to a DMCA is free, copyright lawsuits are purposely expensive. You'd better have money for a good lawyer or good legal insurance if you plan on sharing your local Gitlab with such code.

One thing I considered is getting myself an instance of a small Gitlab clone with little attack surface and hosting the code on Tor. Ignoring the potential ethical issues, that should provide good defence against legal repercussions from groups like the RIAA and the MPAA. There's always a possibility that you'd get Kim Dotcom'd if your code gets popular enough, though.


You still got your ISP which likely includes some verbiage in the contract about prohibited use (but even if it doesn't, if the law makes it illegal, you and your ISP can be taken to court with it).


In the US, I have seen Verizon Fios shut off a user’s connection in response to a DMCA takedown notice (hosting a server at home).


>DMCA

Is a very US specific request.


DMCA itself is obviously a US law, but many Western countries have similar laws.


As someone outside of the US, luckily it seems most US companies think that US law applies globally.

I've got quite a few DMCA notices from rights holders, but never anything actually relevant to the country of my citizenship, where I live, or where the server is based.

So, naturally, I can just ignore them.


Point me at them, please.


E.g. every EU country has laws broadly equivalent to the DMCA as a result of EU Directive 2001/29/EC [1]

The DMCA itself is just the US's implementation of the 1996 WIPO Copyright Treaty. 96 other countries have ratified it [2]

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

[2] https://www.wipo.int/treaties/en/ShowResults.jsp?lang=en&tre...


Well, since youtube-dl was the news, they have cited a German decision on the takedown request, which solely references German law. I don't know German enough to find this specific law, but I do know that by default copyright associations have a presumption to copyrights over certain media (like GEMA's case in music, which is used on YouTube around 2010, and Google was found guilty of that and therefore Google pays royalties to GEMA).


Just out of curiosity, how does it go with Cloudflare Workers? Obviously, any proxying is done dynamically in your own code, with no DNS records saved with Cloudflare. What's actually counted as a "web host company" or "origin" to which claims are forwarded with Workers?


CF indeed becomes the actual host of the content, so I imagine (if it gets routed correctly) trust&safety will suspend the worker and/or the worker KV namespace until you contact support to counter.


Are any of these Tor friendly?


I think the friendliest will be sourcehut, which is both FOSS and works without JS too.


Here's a guide for gitlab and i2p https://geti2p.net/en/docs/applications/git-bundle


They’re self-hosted, as in 127.0.0.1 or 192.168.x.y


You can send any traffic through Tor, so yes.


Tor has a significant impact on latency, and use of JavaScript is often discouraged because it can be made to deanonymize users.


Wherein, Google asserts a copyright on the API for their license system, the protobuf file. Maybe this file is more creative than the Java APIs?

Additionally, the Git repo contains several files that violate Google’s copyrights: Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-decryptor/blob/main/license_protocol.proto


Isn't DRM... Completely fucking pointless? I can go on The Pirate Bay and find 4K rips of all movies and shows I want. If DRM can't prevent that, what's the point?

All it does is infringe on our rights to be able to do what we want on our own devices. It's crazy.


> Isn't DRM... Completely fucking pointless?

> All it does is infringe on our rights to be able to do what we want on our own devices.

No, but this is exactly the point of DRM and the legal protections around circumventing it. It never was about copyright protection. Copyright infringement was already illegal before the DMCA, and the introduction of DRM didn't make a dent in the amount of copyright infringement.

The point of making DRM circumvention illegal is for me to be able to sell you a bunch of bits, but ensure that I don't have any commercial competition in regards to how you use those bits. You can't legally make a device that plays DVDs without the blessing of a cartel known as DVD FLLC. You can't legally make a device that plays music from iTunes without the blessing of Apple. Etc. It's about retaining monopolistic control over media distribution and use, by forbidding certain forms of competition in the market.

Getting a law passed that forbids market competition (in many countries! not just the US) under the guise of being about copyright protection, is one of the greatest cons I've ever heard of, but that is what has happened.


DRM is mostly a legal instrument. If you want to be able to sue people based on circumventing protections, courts need to consider your "content protection" "effective", which essentially means that it takes more than five minutes to circumvent. It also means that, since we're now talking about DRM that'll be protected by patents, copyright and obscurity/NDAs, these DRM mechanisms centralize power to the owners of the DRM. This can then be easily leveraged to control and restrict e.g. the features playback devices may have.


If this were true, DRM would be trivial and made with easy to implement things like "detect if user right clicks, and pop up a message saying 'sorry copying not allowed'".

DRM is not that - a massive technical effort has gone into implementing DRM deep in system architectures. Modifications have been done across every layer of the stack, across hundreds of companies of differing goals.

You only go to that much effort, at that great a cost, if you are hoping for DRM to actually work, rather than just be a thing you can hold up in court and say "we tried to protect it your honor, we really did".


The "level of security" (~tech effort) is the main competitive selling point when DRM-vendors lobby studios for endorsement. The studios are probably partly being sold a pipe dream of "unbreakable DRM", but the person you responded to also has a point.

Weak or nonexistent DRM reduces the provable malicious intent of a ripper. The more effort it takes to break a DRM, the less likely it seems that you don't understand that what you are doing is wrong.


Recent events have shown that even simple google cypher may be effective. Even more effective is modifying your product to fit customers by NOT region locking your content, by not splitting it over multiple platforms. Using law to pretend that the global network does not exist is simply dumb and leads to piracy. DRM won't save backwards digital rights owners.


Region unlocking is unlikely to help to curb piracy, as the poorest regions won't be able to afford to buy the digital 'goods' at 'worldwide' prices.


Clearly this is not well thought out, but nobody is going to admit it. Any law that is trying to control human nature is pointless.


Like the law that you are not allowed to punch someone in the face because they annoy you?

I don't think it's the best tool to teach people not to punch each other in the face, but I wouldn't go so far to call it pointless either.


> Any law that is trying to control human nature is pointless.

Yet religions still seem to be around and getting humans to do dumb things? ;)


From the removed repo:

> This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually be defeated anyway, and are, in a way, pointless.


> Isn't DRM... Completely fucking pointless?

It never ceases to amaze me how easy it is to boil frogs, even if the frogs in question are high-IQ, technically sophisticated HN readers.

Right now, you can still circumvent DRM, because you can still buy something that's approximately a general purpose computer (even if it will invariably already come with some remote-accessible hardware level spyware outside your control). But if current trends continue, this will not be the case by the end of the decade.

Also, preventing private individuals from receiving and distributing unauthorized copies is only one way in which DRM is useful to companies.



La France se libère, part deux?


Denuvo has been fairly successful despite what the pirates say. Several extremely popular games have gone many months with no crack. DRM isn't completely pointless, but it does require securing everything for it to work. Denuvo would be pointless if it weren't for the various secure virtualization features which are built into the CPU itself.


Denuvo actually didn't promise that it won't be cracked forever. It promises the consumer it won't be cracked within N days after the release. The primary purpose is to stop day 1 pirates from hurting the sales count hard.

The movie industry doesn't seem to use it in the same way.

It's kind of silly that normal users are prevented from watching the video normally while pirates do whatever they want because the 4K HDMI HDCP can be easily removed by just a dongle.


DRM in the movie industry is mainly targeted at device vendors instead of customers. They want control over the playback experience and have a say which features the playback devices offer to users. Something that allows recording parts or skipping of the ads? Not great! That's also why there is a Widevine device revocation database for playback devices, while I'm not aware of something like that existing for Denuvo.


Sadly, if they actually cared about the consumer, then they would remove DRM after those N days. Since they don't, I just don't buy these games (Sonic Mania, damnit!), and I'm probably not alone..


There are suspicions that some publishers just pay money to the scene groups who are able to circumvent it successfully.


Because it doesn't have to be 100% effective to do its job. If your choices are to fork over $20 for a copy, pay $10/month for a streaming service, or pirate it from a shady site, most people would go with the first two options. The main goal is stopping casual piracy, aka. asking your friend to make you a copy.


I find it goes the other way. I pirate things when legal services become too cumbersome, unethical, or dirty. DRM often does that. I won't avoid all DRM, but there's a threshold. The RIAA crossed it with youtube-dl.

When I was in college, price was an issue, and piracy was there to save the $10/month for most students, but the alternative was not having the music/software/etc., rather than a legal sale. The actual financial loss was close to zero. I think the reason for DRM isn't so much to prevent profit-losing piracy, as control.

Movie and record companies want to differentiate pricing by market. They want records of who watches what and where. They want to be able to expire things, explicitly or implicitly (if I go Android<->Apple, my iTunes/Google Play collections become less helpful). That has business value.

As for paying customers, when I was a student, they could have milked me for $5. As a professional, I don't really care what it costs, and I don't want to bother with piracy, and I'll do whatever's most ethical. The RIAA just told me what's most ethical is not listening to new music, followed by pirating music, followed by buying music.

I got enough music.


RIAA is a cancer that is growing on artists. I don't know any who would like their art to be gatekept in this mafia-esque manner. These days most artists understand that legitimate fans will buy their art if it is easy and affordable. Nobody needs RIAA today and these types of organisations who profit off of artists without bringing any value should be made illegal.


Ah yeah, Amazon remotely removing 1984 from Kindles was incredible. It could only have been worse if it was Fahrenheit 451!


That would be the case without DRM. With DRM my options are:

- Pay $20 for a copy that I can't play on all of my devices, and that I may be unable to play at some point in the future if the producer decides they don't want me to anymore.

- Pay $10/month for a streaming service that won't allow me to watch at full resolution on several of my devices, and has no guarantee that the content I want will continue to be available.

- Not consume the media at all.

- Download it from a shady pirate site, but then assuming it actually is what I think it is (which is questionable) be able to use it however I want.

No good options.


The piracy option is not all that shady at all (there are good sites, and even the bad sites just need you to know what a magnet link is and not click on other download links), and you can get DRM-less copies in any combination of size/quality/encoding you want. It always boggles my mind how people in developed countries have not (all) caught on to this. You can even easily stream the content, using, e.g., peerflix. There is even open-source software that creates a media server, though I have not tried them. And these are all just the mainstream stuff. There is lots of niche piracy, e.g., Telegram channels and groups that post books, movies, TV series, etc. Telegram bots that just give you any music you request (I personally found them better than a premium Spotify subscription). Google shared drives that have everything. Sites that offer direct download links of everything (these sometimes specialize in a certain category, e.g., games). Piracy is so mature that it was and is much better than the best money can buy.


Any peer-to-peer solution is very likely to (at least in my country) contain honeypots to find the IPs of people downloading (which is not illegal afaik) and seeding (which is illegal) copyrighted media. They then take those IPs to the respective ISP to obtain your identity and send you "pay us or we sue you" letters.

It's a pretty effective deterrent if you ask me.


Just buy a VPS/VPN that is okay with torrenting. (My suggestion is to try the different services and stick with one that doesn't ban you. I have never encountered one that cared, but some VPNs did feel like they throttled torrent traffic.)


Or just shut off your internet connection.


Plex + Sonarr + Radarr + Deluge running on a seedbox is far far beyond what most people think piracy is. That setup can search for shows for you across multiple public and private trackers, download them, sort them, watch for new episodes or movies, notify you when they are downloaded.


I personally have settled for the 3rd option and I don't feel any loss for that reason. They really create FOMO in people, just look at how many paid Disney to watch Mulan early even with a subscription.


The market is littered with art-like products driven by analytics and it is hard to find good art. Sometimes I play some new releases on Tidal when I am working and there is rarely something that would make me store it in my own playlist. Everything is the same and they protect it like these were some nuclear plans.


I just started to learn about DJing, and the recommended software is Serato.

In the lite version, you cannot use your own mp3s, but it has support for streaming services.

Spotify was removed months ago, but Tidal is available.

It is just so easy to create content now, the signal to noise ratio is pretty low.


Actually there are DRM-free websites selling music, e.g., https://bandcamp.com


That doesn't make any sense. Not only is it not any harder to get it from some website than from your friend, the way people get it from their friend is by sharing the original disc or their Netflix password, which the DRM doesn't prevent in any way.


Yes movie DRM does seem completely pointless. Game DRM on the other hand does seem to hold up for the first few months which is where most of the sales happen. It would be nice if devs dropped the DRM once it is cracked though.



Thanks for that. I found this interesting old discussion on Denuvo too (skim/skip the OP, seems to be BS, but the top comment is interesting).

https://www.reddit.com/r/CrackStatus/comments/43dgej/how_den...


Super interesting, thanks for posting


The point isn't to protect content, but to need permission from the DRM makers to make a viable browser (or TV, or music player, or ebook reader, or...) Without their blessing, it won't work with locked content, and your users will go to a competitor favored by the DRM owners.


Isn’t the point to generate license revenue for the DRM IP holders?


Not just pointless. It's unethical and crooked.


You can record data coming to the LCD panel or record the TV screen by a camera. With just degraded quality. On the other hand, I can't even take a screenshot of DRM-protected content on Android which can be very annoying sometimes.


DRM is an extra fee imposed on the parties that follow the letter of the law. It's like building permits but the transfer of wealth is to a private entity instead of the state (which has its pros and cons).


Like others said, for non-interactive media it is mostly pointless, but for executable code (especially stuff that's online or will update a lot, like games) it does some work.


We just stop consuming stupid DRM shows and music. There are tons of other media available and music from unknown talented composers/artists.


> The Pirate Bay and find 4K rips of all movies and shows I want.

What? There's almost no 4K rips for shows or movies. To me it seems it's working pretty well.


Private torrent trackers have them all. I’ve contacted multiple members and asked them for their secrets and none replied.

I’ve requested several Amazon and Netflix shows and got the pure, not reencoded, unencrypted files.


You're clearly not looking in the right places :)


For shows 4k is not the norm.


RARBG has 4K rips of the newest Mandalorian episode, which was released today. DRM doesn't work.


Not necessarily. It can be good in a different setting: guaranteeing that medical software is at least signed by the developer and untampered.


That's what cryptographic signatures are for. No need for DRM.


> Isn't DRM... Completely fucking pointless?

Yes. It just slows down the less skilled from breaking the protection.

There will always be one or a team of more highly skilled hackers that eventually defeats it.

It's always only a matter of time before it gets broken. But again, there's always the analogue hole. [0]

[0] https://en.wikipedia.org/wiki/Analog_hole


Google, you're disappointing.

You're not cool, and you're definitely not good.

I hope the future moves on without you.


It will take a long time. They are well on their way to becoming the next IBM but that means at least a good 30 years of being relevant.

Brain drain takes a long time because most of the people still at Google now are ok with this kind of thing.


Not as disappointing as the Americans who enacted the abusive DMCA law which makes hosting such keys illegal. Blaming a company for following a law you've passed is lopsided.


Don't blame Americans. Blame the RIAA / MPAA for bribing politicians, and blame those politicians for going along with it. Plenty of citizens complained.


I blame them both: the company that chose to use this awful law, and the ones who actively choose not to repeal it.


This might be a good explanation why my Philips 55POS9002 oled tv can no longer stream 4K with Netflix/Prime/YouTube. A Widevine certificate was revoked for some Philips TVs. Maybe the RSA key was leaked in the Philips firmware.


Have you tried to get a refund? This kind of remotely downgrading a physical purchase is an outrage.


Not yet. Apparently Philips (TP Vision actually) is working on resolving the issue. If they can’t fix it I will definitely go back to the store (Dutch law makes them responsible for any defects) and try to get some kind of refund.


Be sure to report the defect. Even if you already know they're working on a solution, which you can acknowledge (or ask them to confirm) in your message, you need to make it clear that you observed a defect with the bought product without undue delay for warranty to apply to you. (More info at Consuwijzer.nl, the website from the Autoriteit Consument & Markt.)

Since I had some trouble with a certain model airplane store in Den Bosch, I know a thing or two about Dutch warranty law (and a bit about how it relates to European law; the Dutch one is more broad). It was a huge pain and cost me a ton of time and I didn't really have anyone who already knew the law or was willing to dive into it to double check my work (Juridisch Loket was also fairly unhelpful). Feel free, you or anyone, to shoot me an email if you have further or other questions on the topic.


From what I read, the decryption is done in software. It might be interesting if they send an over the air update to fix this.


They should host the software in France, like VideoLan.

https://www.videolan.org/legal.html

>>> Are libdvdcss and libaacs legal? libdvdcss is a library that can find and guess keys from a DVD in order to decrypt it. This method is authorized by a French law decision CE 10e et 9e sous-sect., 16 juillet 2008, n° 301843 on interoperability.

>>> Patents and codec licenses. Neither French law nor European conventions recognize software as patentable (see French section below). Therefore, software patents licenses do not apply on VideoLAN software.


"Neither French law nor European conventions recognize software as patentable"

Wait for the Unitary Patent to come to reality:

https://ffii.org/donate-now-to-save-europe-from-software-pat...

French courts won't have a say anymore.


There is very little explanation in this article; I don't understand what this is about.

Seems to be hinting toward something coming up in German law, that would not be applicable in other EU countries. The EU is very fragmented, every country mostly applies its own laws.


The software patent directive has been replaced by another attempt to achieve the same, via a central patent court for Europe:

https://ffii.org/ffii-oppose-the-third-attempt-to-impose-sof...


France has an anti-circumvention law.


The anti-circumvention law from France (and Europe) is rendered null by a variety of other laws, notably the one on interoperability.

See decision 301843 https://www.legifrance.gouv.fr/ceta/id/CETATEXT000019216315/


Looks like someone missed the most recent forks. There are still a number of repos not listed in the DMCA complaint that have the extension content: https://github.com/tomer8007/widevine-l3-decryptor/network/m...



Is this a leak? Was it previously publicly known? Will this allow me to watch Netflix on my ARM Linux box like DeCSS allowed me to watch DVDs in the early 2000's?


Today, Apple and Google have been exposed in anti-user shenanigans.

The future looks bleak.


They've both been anti-user for a long time.


Google says APIs can be copyrighted now. I thought the Oracle case was ongoing:

> Additionally, the Git repo contains several files that violate Google’s copyrights: Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-


This doesn't claim that they're infringing on the copyright of their API, rather that they infringed on their copyrighted code (even if the code is just declaring the API).

It's fairly unlikely that someone would reimplement the API and then add in a Google copyright header. It's pretty clear that it was directly copied.


Does this mean I have to update the MAFIAA.org website to add Google now?


Sure. But you seem to be specifically missing GitHub's owner Microsoft:

https://web.archive.org/web/20201025014127/https://www.riaa....


Funny how people think anyone cares to hide this key after it is out now.

Leaked = known

Do they need to take action? Obviously, but not because the key is out but because it would look bad if Google wouldn't do anything.

Content providers might hesitate to do deals like this again.


I'm generally of the opinion that if a creator doesn't want you to watch or listen to something, you shouldn't watch or listen to it.

The solution to DRM is not to work around it, it is that everyone refuses to use or pay for it.


"voting with your dollar" does less than most boycotts which are basically worthless. I mean, you could cut yourself off from nearly every form of entertainment created in the last 150 years going forward to stick it to the man I guess... Personally, I'll stick with paying for stuff when I want and can afford to and if a company charges too much or places too many restrictions on the works they've bought the rights to from a creator I'll consider seeking out alternative means to get what I want or work around those restrictions.

It's a nice balance that lets me reward companies that acquire great works that are priced well and not overly encumbered by DRM while still letting me participate in our culture.


> I'll consider seeking out alternative means to get what I want or work around those restrictions.

But consider the time-value you're expending in doing so, versus just not engaging.

Invert the scenario: say that you sent Big Media Corp a bagful of poker chips in payment for watching something. Do you think they'd expend their time going down to the casino to cash them in? Of course not.

So why waste your time playing around their rules? Just walk away.


> But consider the time-value you're expending in doing so, versus just not engaging.

Mostly it's because I really do want the content. When you replace money with time/effort you still have to do the math to see if it's worth it to you. I think most of the time that math checks out, but there certainly have been times when it wasn't and I didn't bother.

There are places where I usually do follow your philosophy of 'just walk away', for example: websites that don't display basic content without JavaScript or need you to disable ad-blockers. 9.8 times out of 10, I'll just click away because I really just don't care that much. Everyone has their own tolerances for putting up with broken things. Mine may just be higher than most in some areas but they are definitely lower in others.


Exactly this.

Doesn't need to be a political statement or be aimed at achieving some secondary agenda.

It is enough to just not spend time and money on things that only stand in your way or violate your rights (the right to make a personal backup copy is still a right, isn't it?).

You do not have to break anyone's rules to just _not_ engage with people who assume their paying customers are all criminals and violate the spirit of copyright law doing so.


Agreed. I don't watch movies or TV shows anymore except for the occasional trip to the big screen (last movie was Avengers, next movie I'll go will be Tenet).

Not to mention I don't have a credit card and can't pay for stuff even if I wanted (last tv show I watched was HBO's Westworld will probably skip next season though).

Only thing I pay for is Spotify through a family plan, relative has a credit card of course.


Do you not use a credit card by choice? Because you can probably just use a debit card.


> creator doesn't want you to watch or listen to something, you shouldn't watch or listen to it

Their goal is to reduce infringement on their copyright. Rightsholders generally offer plenty of ways to watch or listen to the work in a non-infringing way.


Say what you want about fossil[0], but having the issues be part of the repo would come in real handy in times like this.

0: https://fossil-scm.org


What countries are there that do not honor the DMCA? That would be a good place to host these types of software.



It comes as part of WIPO usually. I checked the list and could find the following countries that don't seem to be a signatory:

- Palau

- Micronesia

- Palestine

The first 2 are under "Free association" with the US, but have their own copyright laws. All three have their own TLD (.pw, .fm, and .ps)


> It comes as part of WIPO usually.

No, it does not. DMCA is a US-specific implementation of WIPO treaties. Parties residing in other countries are under no obligation to honor it (beyond complying with local laws) and will not benefit from its safe-harbor provisions even if they did.


Other comments, replying to people suggesting to host in Switzerland or so, say that similar protections apply there. Now GP is downvoted with as sole response that other countries don't have DMCA. Can't have it both ways: yes, DMCA is a USA law but that doesn't mean that other WIPO signatories don't have similar laws that lawyers will be sure to find if people move stuff there.


https://github.com/github/dmca/pull/8283 added widevine decryptor to dmca, idk if they'll take it down


The proper way to add stuff into the dmca repository is to fetch the entire git history from the repo, git merge --allow-unrelated-histories, and then make a pull request from that. This way, we could just

    git fetch https://github.com/github/dmca  225ce7ac70aec3002599ba4cc8cee7197e0f1cee
to update our existing clones of widevine-l3-decryptor from the dmca repo.

So... can someone push that please? I don't have the recent commits. :-(


If you don't like DRM, just stop downloading DRM-encumbered content.


The proliferation of DRM technology may look like the result of bad consumer choices, but the reality is more nuanced. What percentage of consumers know that their content is DRM encumbered, or what DRM is even? This is a result of subtle consumer behaviour manipulation.

Let's take the case of Widevine itself. It wouldn't have proliferated if the Encrypted Media Extensions (EME) standard wasn't shoehorned into web standards by Google. EME allowed companies like Netflix and Spotify to demand proprietary plugins like Widevine in an otherwise completely open standard. Independent browser implementations became impossible at that point. EFF and Mozilla protested. EFF withdrew from W3C and Mozilla was arm twisted into agreeing. Now look at this from the consumer perspective. The vast majority of users simply wouldn't have noticed these moves that would ruin the web in some way for them later. Most of them wouldn't have noticed DRM being rolled out. Everything seems to be normal - for a while. With this and a few other moves, it's clear that DRM based content will be unviable on independent browsers and open operating systems. At that point, most consumers will negligently decide that these browsers and OSs can't play DRM content because of software quality issues, and will switch over to locked down systems. That wouldn't have happened if DRM was presented as is to consumers from the beginning itself.

A few people who hate DRM holding out is not a solution for this. At this point, consumers have funded DRM based streaming companies to grow into megacorps and they have killed their competition. For consumers, it will be a choice between freedom of platform choice and availability of media. This is why EME should never have been allowed in the first place.

Another example of the futility of 'Don't use what you don't like' argument is Chrome. Chrome gained market share over Firefox using similar tactics. Now we don't have a viable alternative for blink web engine. This is an ambush on consumer rights - sneaking in silently and then killing it.


GitHub is an abusive lawyer's dream. One DMCA notice and they can DDoS thousands of volunteers' work.

While Git itself is fairly decentralized, we need a user-friendly GUI and project management system.


Is that what happened here? I doubt thousands had worked on this repo.

They exist, they're just not as popular as github.


After the RIAA stunt, corporations see that GitHub is weak. They are coming for your repos! I wish Microsoft would have stood up for the community, but for them it is all about profit.



The youtube-dl fiasco has given a bunch of lawyers the precedent (or perhaps idea) they needed to fight open source software. It’s a shame.


The keys they are trying to suppress can be found at many locations now, one of them is https://pastebin.com/QxhukwBR


Already removed


No problem, now it's here: https://pastebin.com/0U14ahpm


And in rot13 in case anyone gets it in their heads to auto-remove copies based on content (upload filter style)

https://pastebin.com/bGNq9ahn


At least in the past it seems like China doesn't care about copyright or the DMCA. Why not host a repository there? There are a lot of ethical issues but if your goal is to avoid the DMCA, why not?


Really Google? Shame on you. We can't trust our industry peers anymore than the RIAA and MPAA? Seriously?

Whatever happened to the Google that started "chilling effects" as an act of civil disobedience?


at least thanks to git a lot of people have full local repo copies and can restore them online fast, maybe not on GitHub, but anywhere else

btw, it would be nice if git allowed a salt to be configured per repo for its hashes, and if needed to resalt the whole repo; this would make commit-hash-based censorship like GitHub does impossible, and expensive and unreliable if they need to hash all files


You could just rebase on top of a new initial commit, no? Might lose some metadata but this otherwise does exactly what you asked for...



so......... can anyone here in clear terms explain how to use this.... that Chrome-only extension thing is hot right now but I read somewhere it's Windows-only..


Haven't looked at the code, but the above is a private key that is likely embedded in a non-obvious way in the Widevine level 3 binary used to decrypt content.

Users of Widevine industry wide would use the public key derived from this previously unknown private key generally to encrypt or derive a secondary symmetric encryption key that is then used to performantly decrypt the symmetrically encrypted stream. Asym crypto is slow. Symmetric is fast.

The fact this key is leaked means it is quite likely a new version of the program will be pushed with a different key, but for any data still using this version of Widevine, this is the key piece of information to unraveling the entire cryptosystem by masquerading as an intended stream endpoint. You'd have to trawl the source for any other relevant goodies like parameters and algo names, but all of those tend to be unprotected in the clear, with only the key material being subject to overt secrecy.

Again, haven't trawled the code myself, but that would be the gist of it if I have any intuition whatsoever on applied cryptosystems for media streaming.
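The hybrid split sketched in this comment (slow asymmetric cipher wraps a fast symmetric content key), and what a key rotation does and does not fix once a device private key is public, as an added example that is not part of the thread or of Widevine: the envelope format, key names and sample media below are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a constructed on-the-wire shape for this example: the content
// key wrapped to a device public key, plus the media payload encrypted under
// that content key. It is not Widevine's real license or stream format.
type Envelope struct {
	KeyVersion int    // which device key the content key was wrapped to
	WrappedKey []byte // RSA-OAEP(contentKey) under the device public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(media) under contentKey
}

// Package plays the packager: a fresh symmetric content key encrypts the bulk
// media cheaply, and only that small key goes through the slow asymmetric step.
func Package(version int, devPub *rsa.PublicKey, media []byte) (Envelope, error) {
	contentKey := make([]byte, 32) // AES-256 key
	if _, err := rand.Read(contentKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, contentKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{version, wrapped, nonce, gcm.Seal(nil, nonce, media, nil)}, nil
}

// Unwrap plays the client module: whoever holds the device private key recovers
// the content key and hence the media. Obfuscation around this step changes
// nothing about the math; possession of the key is the whole question.
func Unwrap(devPriv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, devPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(contentKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RotationOutcome records what rotating the device key does and does not fix.
type RotationOutcome struct {
	OldContentOpensWithLeakedKey bool // media wrapped to v1 stays exposed
	NewContentOpensWithLeakedKey bool // media wrapped to v2 is out of reach for v1
	NewContentOpensWithNewKey    bool // legitimate v2 clients still work
}

// RunRotationScenario simulates the response the comment anticipates: the v1
// key is treated as leaked, a v2 key is issued, and new releases are wrapped
// only to v2. Anything already wrapped to v1 remains readable with the leaked
// key, so rotation limits future exposure but cannot recall what is out.
func RunRotationScenario() (RotationOutcome, error) {
	media := []byte("constructed sample segment, not real DRM content")
	v1, err := rsa.GenerateKey(rand.Reader, 2048) // the key assumed leaked
	if err != nil {
		return RotationOutcome{}, err
	}
	v2, err := rsa.GenerateKey(rand.Reader, 2048) // replacement key
	if err != nil {
		return RotationOutcome{}, err
	}
	oldEnv, err := Package(1, &v1.PublicKey, media)
	if err != nil {
		return RotationOutcome{}, err
	}
	newEnv, err := Package(2, &v2.PublicKey, media)
	if err != nil {
		return RotationOutcome{}, err
	}
	var out RotationOutcome
	got, err := Unwrap(v1, oldEnv)
	out.OldContentOpensWithLeakedKey = err == nil && bytes.Equal(got, media)
	got, err = Unwrap(v1, newEnv)
	out.NewContentOpensWithLeakedKey = err == nil && bytes.Equal(got, media)
	got, err = Unwrap(v2, newEnv)
	out.NewContentOpensWithNewKey = err == nil && bytes.Equal(got, media)
	return out, nil
}

func main() {
	out, err := RunRotationScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```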


It is very clear what GitHub is becoming. If you value open source as a developer, find alternatives; github.com can no longer be trusted.

self host


Git over uncensorable storage.


Youtube on DRM next year then?


I'm happy to see bi-partisan support for breaking the FAANG companies up. Enough is enough.


RMS was right...youtube-dl, now this...and apple computer apps not working fiasco...etc...was the crazy communist guy not so crazy after all?


Just to quickly help the Streisand effect, this is the private key, extracted from [1]:


[1] https://archive.softwareheritage.org/browse/origin/content/?...


I can hardly understand the motivation of the corporations keeping to invest in DRM and software activation bullshit tech despite it's obvious it is going to be cracked inevitably (and quickly).


The goal of DRM has always been to lock users inside a platform, not to prevent piracy. It gives companies market power because users cannot easily switch to a better alternative without losing their entire digital collection.

https://www.defectivebydesign.org/faq#copyright

> DRM is not about limiting copyright infringement. Such an argument attempts to make DRM appear beneficial to authors and is based entirely on a (very successfully advertised) misrepresentation of DRM's purpose. To illustrate the absurdity of the argument, consider the nature of file sharing: to obtain a copy of a file without permission, downloaders go to a friend or a file sharing network, not a DRM-encumbered distribution platform. If DRM existed only to prevent unauthorized sharing, every distribution method for that particular piece of media would have to be distributed by an uncrackable DRM-encumbered distribution platform, which is impossible on its own. So long as one copy becomes available without DRM, countless more are easily produced. Industry proponents of DRM are well aware that DRM is not a copyright enforcement mechanism. DRM is only marketed as a copyright enforcement mechanism to mislead authors into tolerating and even defending it.


> The goal of DRM has always been to lock users inside a platform,

In that case it fails to accomplish that goal for the same reason. It doesn't work and will be defeated. When you download a song, or movie, or ebook that has been stripped of its DRM you aren't tied to anything. Why introduce unnecessary annoyances for paying customers which often drives them to pirate copies that aren't crippled by DRM? As long as something works like they want it to, most people won't care what platform they use to get it.


> As long as something works like they want it to, most people won't care what platform they use to get it.

For almost anything, there are (at least in big cities and in the Internet) many vendors offering nearly the same with nearly the same quality level at nearly the same prices.

But I can't say I don't care from whom I get the same service every particular time. I'm more likely to choose whoever feels more nice and offers even slightly more freedom and flexibility. Once I've chosen a vendor I'm much more likely to stick with them (and choose them every time I need something else they can offer) as long as I don't feel severely dissatisfied.

E.g. once I've got a GMail account (GMail is and has always been the very best e-mail service anyway, you can hardly be dissatisfied with it) I would use everything Google if only they didn't piss me off politically (with stuff like this particular discussion subject) and scare me by terminating other people's accounts. But I actually am migrating everything I can away from Google and Gmail because Google seems to be becoming more and more evil (I even suspect RIAA only attacked ytdl after Google told them to).


That's fair, I think most people will stick with whatever is easiest.


Up until some line gets crossed (like OP). The definition of the line is subjective for each user.


Very good point, and I would add that the line can be moved based on individual circumstances. I've seen people complain about issues with a service, but the moment I offer an alternative and a way to migrate (painless for me to do, and I typically offer to help them), suddenly all is good with their service and they're sticking with it. I've even pushed a little further in the past to say I will do ALL of the work for you, just sit back and relax and in a couple of hours it's done. Most still refuse, and I don't get why once all barriers have been removed.


Maybe because it was a hush-hush compromise intended to make it possible rather than impossible to watch Netflix on Linux at slightly reduced quality. Windows and Mac PCs with closed-source browsers would watch at full quality due to hardware DRM. No one was motivated until now, it seems, to blow the lid off the weaker libre DRM, since a likely outcome is it just gets turned off and services require hardware DRM only going forward. We'll be lucky if we can still play videos on Linux or Chromium one year from now.


I wonder whether the situation will improve now that Firefox has support for hardware decoding on Linux. After all, the DRM could be completely handled by the GPU without any help from the driver. Just feed it some binary stream and tell it where to put it.

Although the issue with your compromise theory is that not all browsers are supported for high definition even on MacOS or Windows, at least theoretically (I don't have a Netflix account to check). In particular, Chrome isn't supported, although Chrome-based Edge is.

From the Netflix help page on watching UHD [0]:

    Netflix is available in Ultra HD on Windows and Mac computers with:
      Microsoft Edge for Windows
      Windows 10 App
      Safari for MacOS 11.0 or later
From the Netflix help page on watching on Windows [1]:

    Windows computers support streaming in the following browser resolutions:
      Google Chrome up to 720p
      Internet Explorer up to 1080p
      Microsoft Edge up to 4K*
      Mozilla Firefox up to 720p
      Opera up to 720p
      Windows 8 app up to 1080p
      Windows 10 app up to 4K*
The situation is similar on MacOS, where only Safari supports 1080p [2].

[0] https://help.netflix.com/en/node/13444

[1] https://help.netflix.com/en/node/23931

[2] https://help.netflix.com/en/node/55764


If I can't watch movies on Linux I'll just skip watching them or torrent them. I already hate dealing with running an OSX VM just to IM my parents, and without hardware acceleration I doubt video decoding would work anyway.


Has that Cinavia nonsense been cracked though? It's the reason I haven't knowingly bought anything Sony in the last decade.


If I made a facemask with that printed on it (as a QR code or whatever) would google stop trying to identify my face? Or would that paint a huge red target on my face?


Some HN'ers might be too young to remember the DeCSS [0] saga and, in particular, the t-shirts.

The EFF, who successfully represented two defendants accused of publishing the DeCSS source code in the two main cases, has the details [1]:

> In Bunner, the [DVD Copy Control Association] summarily dismissed its claims after the California Supreme Court ruled that computer programs could be preliminarily restrained from publication only in very narrow circumstances. The California Court of Appeals ruled that those circumstances were not met in Mr. Bunner's case because the program was not a trade secret at the time it was published, but instead was widely available around the world.

> In Pavlovich, the California Supreme Court ruled that Matthew Pavlovich, a Texas resident who published DeCSS on the Internet, could not be forced to stand trial in California. The landmark decision laid out clear jurisdiction rules for claims arising from publishing information on the Internet. DVD CCA's attempt to seek U.S. Supreme Court review of the decision was also rejected.

Additionally, the one known author of DeCSS was acquitted in a criminal trial in Norway.

Obligatory EFF donation link: https://supporters.eff.org/donate/

--

[0]: https://en.wikipedia.org/wiki/DeCSS

[1]: https://www.eff.org/cases/dvdcca-v-bunner-and-dvdcca-v-pavlo...

--

EDIT: See also "AACS encryption key controversy" and the "free speech flag": https://en.wikipedia.org/wiki/AACS_encryption_key_controvers...


Probably a good idea to also incorporate that into some very-clearly-satire related artwork on the mask, to help with the legality. :)


WideVine has support for revoking private keys if they get leaked, which duped a bunch of smart TV customers before. I'm pretty sure the key is useless already, or will be very soon. Google can just roll new keys whenever the old ones get published through their Chrome update mechanisms.



What would Google do if I emailed it to my own gmail account?

Delete the email? Ban me?


Sure, why not both?

They deleted/locked accounts for less during the G+ real name frenzy.


I emailed you the key; please report if you are banned so we can all learn the answer.


"As per our phone conversation, ..."




Geez, man! At least format it correctly so folks can copy and paste! :-)

  -----BEGIN PRIVATE KEY-----
  MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC10dxEGINZbF0nIoMtM870
  5Nqm6ZWdb72DqTdFJ+UzQIRIUS59lQkYLvdQp71767vz0dVlPTikHmivdYHRc7Fo6JsmSUsG
  R3th+fU6d1Wt6cwpMTUXj/qODmubDK/ioVDW7wz9OFlSsCBvylOYp9v2+u/VXwACnBXNxCDe
  zjx4RKcqMFT31WTxqU9OM9J86ChMOW4bFA41aLAJozB+02xis7OV175XdQ5vkVXM9ys6ZoRF
  /K6NXeHiwcZFtMKyphXAxqU7uGY2a16bC3TEG5/km6Jru3Wxy4nKlDyUjWISwH4llWjdSi99
  r2c1fSCXlMCrW0CHoznn+22lYCKtYe8JAgMBAAECggEAGOPDJvFCHd43PFG9qlTyylR/2CSW
  zigLRfhGsClfd24oDaxLVHav+YcIZRqpVkr1flGlyEeittjQ1OAdptoTGbzp7EpRQmlLqyRo
  HRpT+MxOHf91+KVFk+fGdEG+3CPgKKQt34Y0uByTPCpy2i10b7F3Xnq0Sicq1vG33DhYT9A/
  DRIjYr8Y0AVovq0VDjWqA1FW5OO9p7vky6e+PDMjSHucQ+uaLzVZSc7vWOh0tH5M0GVk17Yp
  BiB/iTpw4zBUIcaneQX3eaIfSCDHK0SCD6IRF7kl+uORzvWqiWlGzpdG2B96uyP4hd3WoPcZ
  ntM79PKm4dAotdgmalbueFJfpwKBgQDUy0EyA9Fq0aPF4LIDHqDPduIm4hEAZf6sQLd8Fe6y
  wM4p9KOEVx7YPaFxQHFSgIiWXswildPJl8Cg5cM2EyMU1tdn5xaR4VIDk8e2JEDfhPtaWskp
  Jp2rU2wHvAXOeAES7UFMrkhKVqqVOdboIhlLdcYp5KxiJ3mwINSSO94ShwKBgQDavJvF+c8A
  INfCaMocUX0knXz+xCwdP430GoPQCHa1rUj5bZ3qn3XMwSWa57J4x3pVhYmgJv4jpEK+LBUL
  FezNLV5N4C7vH63aZo4OF7IUedFBS5B508yAq7RiPhN2VOC8LRdDh5oqnFufjafF82y9d+/c
  zCrVIG43D+KO2j4F7wKBgDg/HZWF0tYEYeDNGuCeOO19xBt5B/tt+lo3pQhkl7qiIhyO8KXr
  jVilOcZAvXOMTA5LMnQ13ExeE2m0MdxaRJyeiUOKnrmisFYHuvNXM9qhQPtKIgABmA2QOG72
  8SX5LHd/RRJqwur7a42UQ00Krlr235F1Q2eSfaTjmKyqrHGDAoGAOTrd2ueoZFUzfnciYlRj
  1L+r45B6JlDpmDOTx0tfm9sx26j1h1yfWqoyZ5w1kupGNLgSsSdimPqyR8WK3/KlmW1EXkXI
  oeH8/8aTZlaGzlqtCFN4ApgKyqOiN44cU3qTrkhx7MY+7OUqB83tVpqBGfWWeYOltUud6qQq
  V8v8LFsCgYEAnOq+Ls83CaHIWCjpVfiWC+R7mqW+ql1OGtoaajtA4AzhXzX8HIXpYjupPBlX
  lQ1FFfPem6jwa1UTZf8CpIb8pPULAN9ZRrxG8V+bvkZWVREPTZj7xPCwPaZHNKoAmi3Dbv7S
  5SEYDbBX/NyPCLE4sj/AgTPbUsUtaiw5TvrPsFE=
  -----END PRIVATE KEY-----
Or, just provide the various components:

  p = 49429002897777261000839566786960900348661596779839481928152034285352681641807686782292757653824830822496391192085567895071852258385592280527115222429444042313542936301974046594875899181233742229945549738766655661560628018266563543784515148821370566306893780280151659623161213410927305309695027848755504091783

  q = 53602170802863928289500972217307025477290164757146419371852251620670300136901587204821451746991406880988053571342615187459978423766579984968561470104139545987787266751875098417999761783952366342302556060906681062460952347680147798276356366502237505269309185857430061068092584194979239221868593482021566547439

  n = 2952619226006031733278005132921693726100042011592660779869675820212138145939883834312253789060663461194528411412874982355146048292836507534000115353036163880492136645451564382009196182566124637478277389304691251397819894417106558057773147299342857185830516918343274468842497499522414750028740163342718036209925403503207235945059541974923084211147227388348091101183403929204074586611952779802158116643840147678791643283706927948872797793849591629882391903699724329001797545580009544763555067611040895630150211640906898700482769873702547829023169433411394249565049633221004211830736052381384491512655254513796679593737

  d = 142033101700003260678755863863267700134374886049156296238778043258513471417667391237505300342672722921505586813412391537592394712287451780540489111338082979901966887630936873112829448279475520471433931949082770983040743133849146064289054900225131501940560027662491217132619227565578893295128589581903273904124801461070363532834633728769178636552784294153467969250254358604276515140477045217505629092433114246051368410587618590542410950189868285511930901887132942539241081579465767831350539339965000260768249119651905050152151634478714116343168832447694793716937575319879226685046081583200335708696821445923072794535

  e = 65537
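
The five components listed above (p, q, n, d, e) are exactly what an RSA private key carries, and they have to satisfy fixed relationships with each other. As an added example that is not part of this thread, the following Python checks that such a component set is internally consistent (n = p·q, e invertible modulo lcm(p-1, q-1), d that inverse, and an encrypt/decrypt round trip). The primes are small constructed values for illustration, not any real key; the checks themselves are the same at real key sizes.

```python
"""Sanity-check the relationships between RSA private-key components.

Added illustration: the primes below are small constructed values
(hypothetical, far too small for real use); real keys use primes of
roughly 1024 bits, but the consistency checks are identical.
"""
from math import gcd

# Constructed toy primes (hypothetical values, not from any real key).
P = 1000003
Q = 1000033
E = 65537


def lcm(a: int, b: int) -> int:
    """Least common multiple, used for the Carmichael function lambda(n)."""
    return a // gcd(a, b) * b


def derive_private_exponent(p: int, q: int, e: int) -> int:
    """d is the modular inverse of e modulo lambda(n) = lcm(p-1, q-1)."""
    return pow(e, -1, lcm(p - 1, q - 1))


def check_rsa_components(p: int, q: int, n: int, d: int, e: int) -> dict:
    """Return named checks; a well-formed component set passes all of them."""
    lam = lcm(p - 1, q - 1)
    return {
        # The modulus must be the product of the two stated primes.
        "n_is_p_times_q": n == p * q,
        # The public exponent must be invertible mod lambda(n).
        "e_coprime_to_lambda": gcd(e, lam) == 1,
        # The private exponent must actually be that inverse.
        "d_inverts_e": (d * e) % lam == 1,
        # Textbook RSA round trip on a few sample messages below n.
        "roundtrip": all(pow(pow(m, e, n), d, n) == m for m in (2, 12345, n - 2)),
    }


def key_components() -> tuple:
    """Build (p, q, n, d, e) from the constructed primes above."""
    n = P * Q
    d = derive_private_exponent(P, Q, E)
    return P, Q, n, d, E


if __name__ == "__main__":
    comps = key_components()
    for name, ok in check_rsa_components(*comps).items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

`pow(e, -1, m)` for the modular inverse needs Python 3.8 or later. The same function can be pointed at any (p, q, n, d, e) tuple, which is a quick way to tell whether a set of numbers someone claims is a key is even a coherent RSA key before anything else is concluded about it.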


Thanks! Also shared on Aether (getaether.net) just in case

Disclaimer: I am not affiliated with the Aether software/platform.


Wait, why does it need a private key that's pushed to everyone's device? How does that actually secure anything?

I skimmed the code but I'm still not seeing it.


Technically: one must have the private key to perform decryption. There are many schemes that attempt to protect the original key and derive a decryption key, or do various other things to prevent disclosure of the private side of a key pair.

Practically: the point is not to "secure" anything, but to make it obvious that any infringement is due to "circumventing a protection device." Circumvention is also not allowed under DMCA, because it was obvious to the authors of the law that to view content one must indeed decrypt it.



This inspired me to research and download Brave Browser. Thanks, Streisand Effect! So nice to have a browser that doesn't feel like bloatware.


What on earth does that have to do with this topic?


> What on earth does that have to do with this topic?

Presumably, Brave doesn't include the Widevine DRM components from Chrome?



