Hacker News new | past | comments | ask | show | jobs | submit login
Google Widevine Content Decryption Module DMCA (github.com/github)
679 points by abbe98 on Nov 13, 2020 | hide | past | favorite | 371 comments

I am missing a party in this discussion: The role of the github monoculture. Because all these repos are hosted by the same party, one lawyer writing one letter can cause global disruption.

Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.

But that's irrelevant for the rest of the world. The simple existance of the monoculture makes all of us vulnerable to attacks.

The GH monoculture isn't great, but it's less of a problem than other monoculture threats we've faced, due to git's distributed nature. Thus far GH has not changed git itself, and since every repository is canonical, it's easy to change what the "main" repository is at the snap of a finger. Self host, move to sr.ht, whatever.

I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.

This is only true if you don’t use GitHub for reviews/issue tracking/etc. You’re correct that it’s trivial to move the code, but that’s only a fraction of the critical history and tooling for a large collaborative project.

True, but I've seen many projects that use both GitHub and JIRA (i.e. not BitBucket). Those work totally fine for issue tracking, project management, etc. It's the same amount of friction for what you're proposing. The main thing you are missing out on is a UI for merging and PRs, which is nontrivial but not a moat that can keep a monopoly afloat.

Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.

To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.

> To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline.

Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.

It feels like there's a missing product to go with git: a free and distributed issue management and review system. GitHub should be a view on the data rather than the sole owner of the data

There is git-bug ( https://github.com/MichaelMure/git-bug ). Not at the same level as Bugzilla, but usable. Issues are stored in hidden branches in the git repo itself.

Many of the projects that are on github were once on Google Code and migrated over issues.

I get emails for all comments and PRs. It would be annoying to lose the GH interface but not repo ending. Allowing issues or pulls to exist only on GH is equivalent to having only a single copy of a something important on an old laptop. Basic backups of any kind solves this issue.

I believe iTerm uses GitLab for issues and GitHub for source control. GitHub issues didn't have a core feature they needed issues, but it was already canonical for code.

Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project "google style" where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....

Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github, none of these are distributed or really portable and for many projects this makes them decidedly not a "mirror service with discoverability"

> where by they tell upstream what they are doing and if upstream wants to continue to be "Github compatible" well upstream better adopt it as well....

Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.

Most recent would be the master / main controversy

And while not git proper, you could point to Git-LFS as this example as well.

Well they have changed Git, but it has been in a mostly open and upstream way, though they have used their market dominance for force changes inside of the Git project

I haven't heard of this, got an example?

Arguably, email is as distributed/standards-based as it gets, and we still ended up with Gmail – RFC compliant and all.

A nice reminder that it's pretty easy to setup your own Gitea and Drone. Happy to share details of folks are interested.

Where are you setting up Gitea and Drone that is protected against DMCA requests? Any US-based host will happily act on DMCA requests.

What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).

There ain't no stopping the DMCA train. I started hosting my own code at gopherworks.io if you want to see what that roughly looks like.

My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.

> There ain't no stopping the DMCA train

There is for sure, check out PRQ and Njalla for just one selection of services that would allow you to ignore DMCA requests.

Yeah, I'm really interested in a federated ecosystem of Giteas for sure (https://github.com/go-gitea/gitea/issues/1612), seems ForgeFed might be the way to get there. https://discourse.gitea.io/t/forgefed-federation-in-gitea/11...

Thanks for that link! I've been pondering these things on my own for quite a bit. Seems like there's a quorum of like-minds now, so I guess I should probably join the discussion.

They can only make a DMCA request if they know where to send it.

I guess you could host a gitea server behind a Tor hidden service on the VPS of your choice.

While that would work for most text transfers (or otherwise low-bandwidth usage), many other use cases would be near impossible to get to work with good performance over Tor. Think video hosting and similar.

Use vm to to connect to vpn to purchase vps hosting in a foreign country with good internet outside the jurisdiction of U.S. Maybe do some research to see if hosting provider has a history of complying with U.S. laws or cooperating with U.S. law enforcement.

Why does nobody use Tor hidden services to host git repositories? Would be an awesome use of Tor.

I suppose the next best thing is decentralized collaboration via email.

A federated code hosting platform would solve this problem. Having an account on one and being able to create issues or merge requests on others, would make getting away from Github much easier.

Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.

Multiple existing self-hosted Git hosting solutions have expressed their interest in supporting this: https://forgefed.peers.community/

It's really quite strange that issues aren't able to be just cloned/PR-ed like the rest of a git project. But I guess it protects git hosts to keep that [ironic] difficulty in propagation in.

It was one thing when it was the RIAA that was coming for our repositories. Now that it is Google, I'm extremely sad and disappointed.

I think the time has come for there to be a repository hosting service that is based somewhere in Switzerland :)

I hate to break it to you but Google hasn't been the company you seem to think they still are for a very long time.

To me it was the day they removed the discussion filter functionality from their search engine. It was a purely advertising driven move: from now on people searching for a keyword couldn't anymore filter for other people talking about that thing but rather they would be inundated by shops selling that thing or shills promoting it. That plot however was probably much older, since the obvious wonderful alternative, Dejanews, wasn't available anymore for having been already bought by Google many years before.

I've found that a lot of people are adding "reddit" to their searches as a poor-man's discussion filter. It sort of works but it's also sad in how it's another reflection of how centralized and concentrated the web has become.

That's certainly what I'm doing, and I'm hoping that there will be some alternative by the time reddit becomes useless (it seems to be moving in that direction, although not too quickly for the smaller niche subreddits).

I've also had good success with "forum".

`-cart -checkout -"check out" -clearance -discount -sales -PayPal -shipping` is what I use on occasion to remove e-commerce sites from the results.

You just gave me some serious deja-vu. Who remembers when TPB were going to buy Sealand in order to host trackers out of the reach of authorities?

Turns out buying Sealand in order to continue to run ThePirateBay was over-engineering, as ThePirateBay is still alive and running today, albeit in a slightly different form than before.

For now? It seems like a lot of torrent info sites have been closed down (just from reading https://torrentfreak.com/, maybe more pop up than get taken down?).

Don't know. Swedish police (et al) have been trying forever to shut it down, and while they have momentarily succeeded, it always seems to come back up.

I'm no longer familiar with the architecture of TPB, but they seem to be running things in a much more decentralized fashion nowadays, where bunch of independent sites (at least independent domains) are running a frontend with the same database content. Unsure how that works behind the scenes.

But rest assure, you can always find a domain which is not blocked and that is mirroring the content of the proper TPB. In my case, thepiratebay.org is blocked by my ISP, but thepiratebay.party is just a few hours behind (confirmed via VPN)

Compare the following pages for example (if thepiratebay.org works for you)

- https://thepiratebay.org/search.php?q=user:dauphong

- https://thepiratebay.party/user/dauphong/

>...buy Sealand in order to host trackers out of the reach of authorities?

Sealand is within the territorial waters of the UK. No sovereign nation has recognized Sealand's independence from the UK. Even if one did, according to international law, artificial islands and structures don't possess the status of islands.

Isn't Sealand just a couple of underwater charges planted by some clandestine operatives away from not existing?

You and I could conquer Sealand next week if we really wanted to.

Sealand is a bad storm away from not existing.

Switzerland, along most western countries due to ratifying the relevant WIPO treaties, has copyright laws broadly similar to the DMCA: https://www.admin.ch/opc/en/classified-compilation/19920251/...

What about Trinidad and Tobago?

I remember there was an international ruling where the US was in a trade violation, and I thought the country was permitted to waive IP enforcement until they were compensated.

I am having trouble finding the reference.

Not sure about Trinidad and Tobago. Antigua was the one given the right to violate US copyrights to pressure the US to abandon it's illegal gambling restrictions. It was given that right by the WTO.


Keep in mind, there is a big difference between being allowed to violate US copyrights and waiving IP enforcement.

Considering that it's a DRM module, it's not a surprise. I believe anyone with a DRM module that does not protect it is at risk of losing their license with the content owners. That basically why DRM exists to begin with.

Blaming the content service is easy since they're user-facing, but it's shallow. Content-related restrictions are, in my experience, almost always dictated by the content owner. Region locks, availability windows, use of DRM, DMCAs for anti-DRM, etc, are all at the requirement of the content owners.

I don't think these modern Internet-based service providers care about that stuff much, they have little incentive to. It's driven by contracts.

Incidentally, this is always the reason behind region locks. Service X or content Y isn't available in your country? Don't blame the streaming service, blame the content owner.

Switzerland won't stay neutral and definitely isn't some untouchable fantasy land; it has to be stored outside the boundaries of individual countries, ergo, decentralized solutions like some other commenters mentioned. Git is great for that. I wonder if, in addition to IFPS and the like that were mentioned, if there is a tracker or index of git remotes out there - just a big list of servers hosting git, ranging from the big ones like github to someone's raspberry pi hooked up to the internet to idk, usb sticks in a geocache.

Sounds like someone (not me) needs to register "thegitbay.org" or similar. And maybe a .onion variant too. ;)

I2P Gitlab how to: https://geti2p.net/en/docs/applications/gitlab

Existing server: http://git.idk.i2p/zlatinb/muwire

Can't find the clearnet address

Throw in a Handshake domain and bases should be converted from the URL angle.

Sourcehut may be a good option as well.

Drew seems like the type to fight illegitimate DMCA's.

Edit: I'm curious, why the downvotes? I am legitimately trying to be helpful. I recognize if you have personal differences with ddevault, but he puts his code where his mouth is.

If I'm misunderstanding said downvotes, please enlighten me.

Edit 2: Many thanks to those who have responded. It appears I misunderstood about this specific instance, where the DMCA does have some legitimacy.

Didn't downvote, but I think you overestimate anyone if you think they'll go to court for you against an org as big as the RIAA or Google (unless perhaps if it's the EFF).

My (flawed?) understanding of DMCA is that the project whom a DMCA is filed against can counter-file if they believe the DMCA is illegitimate, after which the burden of going to court is between the group that filed the DMCA and the group they targeted.

Someone else in this thread linked this, which seems like a useful resource as well: https://sourcehut.org/blog/2020-10-29-how-mailing-lists-prev...

Edit: It was biryani_chicken who linked the resource above.

Also, I misunderstood about the legitimacy of this specific claim, my brain had yet to shift gear from the youtube-dl shenanigans.

Thanks for the response!

The problem with both RIAA and Google takedown demands is never about the DMCA takedown in relation to copyright infringement, its the circumvention (it seems that EFF understand this very well, but most online commentors didn't get this, which was exarcabated by GitHub using the DMCA takedown repo). Now, no one knows if GitHub were also directly targeted by legal threats as an acessory to "enable" the distribution of circumvention tools, which RIAA and Google is arguing.

Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.

He might not be able to fight the DMCA takedown, but makes it easier for contributors to not get too disrupted by it: https://sourcehut.org/blog/2020-10-29-how-mailing-lists-prev...

This is absolutely a legitimate DMCA notice. The repos in question are created with the sole intention of bypassing a DRM scheme, which allows for takedown under DMCA 1201.

It is a valid DMCA notice, but not for that reason. The repo contained Google copyrighted code.

It’s both:

> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.

> Additionally, the Git repo contains several files that violate Google’s copyrights:

> <a bunch of files>

> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.

> > It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.

That bit is probably irrelevant to the DMCA takedown procedure, which only applies to "material that is claimed to be infringing or to be the subject of infringing activity". I don't think there's much clear precedent to what "be the subject of infringing activity" means, but decryption tools that don't use stolen code definitely don't qualify as "material that is claimed to be infringing".

And if Google does want to claim that the circumvention tool is infringing a Google copyright rather than merely running afoul of an unrelated provision of the DMCA, then Google has to specifically identify their own work of decryption code that the circumvention tool is ripping off. All this notice specifically identifies in the way of actual infringement are two documentation PDFs and an API header file (and we all know where Google stands on API copyright).

> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.

"Their belief" is meaningless, to get a circumvention tool removed they need a court order.

Or a polite request to github, apparently, which seems to work too.

I don't feel as bad about it here as about youtube-dl. I disagree, mind you -- I'd like github to act as a neutral service provider -- but this one is a place where I can see why githu might hold a different opinion. It's an ideological split like abortion, gun control, or similar, where reasonable people can violently disagree.

The whole "Sensitive Data takedown request" is also a github thing, but this one is a written policy:


It has nothing to do with the DMCA.

It contained a private key!

IANAL but i don't see 1201 mentioned in https://www.law.cornell.edu/uscode/text/17/512

It might be a legitimate DMCA notice, but the DMCA does not apply globally.

But it does apply to GitHub, an American company.

Almost every western country has ratified the 1996 WIPO Copyright Treaty, which requires laws broadly similar to the DMCA. The DMCA is just the US's implementation of the WIPO treaty.

Drew does not fight DMCAs, he's said so himself. Why would he? His company must follow the law.

> His company must follow the law.

Of course. That being said, wasn't there a big discussion when this happened to youtube-dl about how that was almost certainly not a legitimate DMCA? That being the case, disregarding it would not be illegal, at least to my (quite limited) understanding.

It appears I misunderstood in this specific case as there is a much stronger case for this DMCA to be considered legitimate.

Its not against the law to fight dmca notices that aren't legit. Its an unnessary risk that does not benefit him, but its definitely not illegal.

That said at least part of this notice seems legit.

dude, just donate to the eff. you don't need to volunteer someone else to take on a legal battle for you

I'm not volunteering someone else to fight, I'm mentioning their payed service, which seems like it could be useful for this use case.

I'm sorry if that's offensive.

(Also, I donate to the EFF)

The EFF has been supported heavily by Google in the past. Some of the lawyers at Google worked at the EFF and vice versa. Moreover, they often have private fundraising parties for Google staffers. I doubt they're going to bite the hand that feeds them.

What successes has EFF had?


Something they've participated in every 2 years since 2000, as documented here: https://www.eff.org/cases?group=0-9

Possibly because if anything is, this is a legitimate claim. Ignoring the "it's a tool to circumvent DRM" nonsense (which is a "legitimate" claim under the DMCA).

The repository itself is pirated code - it is code held under copyright by google, and google doesn't want it to be public, therefore anyone distributing it is violating copyright. The DMCA claim is substantially less than what they could do. Actual copyright violations have very large fines.

Just use some decentralized forge like git-ssb.

Underwater in the middle of the ocean, using starlink for connectivity.

Since Starlink is operated by a US company, they'd be able to shut you down.

Not once they're operating on Mars, according to their TOS agreement!

RIAA would have tried to extract even more money from artists to buy state of the art weaponised submarines and an army of seamen.

It's gonna be a full-fledged pirate ship with big-ass cannons then.

On a ship they are called guns. Big-ass Guns

Big-ass Guns are not effective against missiles launched at you from great heights and/or distances.

I'd love to see the day we're launching missiles at foreign ships over copyright violations.

Make it so

I think space is becoming a reasonable frontier.

Until then, something IPFS based.

This is maybe one of the few use cases where a cryptocurrency can help; in a similar vein to the effectiveness of BitTorrent.

Specifically, Filecoin (built by the IPFS folks) could be used as a datastore for git. You can send DMCAs to pseudonymous Filecoin operators all you want; but the content will still be up if one operator keeps hosting it.

Hopefully it will also encourage all commits and repositories to be PGP signed (and not through a centralized FVEY platform), strengthening security, authenticity, and trust.

Filecoin isn't a datastore, it's a coin. IPFS is the datastore. However, I'd probably use something that works better, maybe Dat or Zeronet.

Space-based crypto-funded storage for guaranteeing that one operator.

The best part about non-GEO satellites is that, although you can't see them 24/7 from one location, that also makes it incredibly difficult to jam their uplinks continuously.

It was going to happen. When Google was making money off of piracy by just running a search engine, it was happy to encourage it and celebrate the philosophy. Now that they're cashing big checks from advertisers and content companies, well, they're just following the money.

Only Level 3, sadly, which means it can decrypt Standard Definition (480p) videos. This has been out for a while.

Some reputable people in the pirating industry have actually cracked Level 1, which means they can decrypt 4K! :-)

This is just not true. It's up to individual content providers to decide what resolutions to supply via L3, and for Netflix and Amazon Prime, that resolution is 1080p.

>and for Netflix [...], that resolution is 1080p.

Do you have a source for that? This page[1] says Firefox and Chrome on Windows, Linux, and Mac only go up to 720p. Chrome on ChromeOs goes up to 1080p, is that still L3?

[1] https://help.netflix.com/en/node/23742



It seems that many streaming platforms disable 1080p by default, and I assume that this is only for performance reasons (some hardware struggles to run an obfuscated software video decoder...) - it's not a DRM limitation, and in netflix's case it can be re-enabled via trivial changes to the frontend JS.

Of course you can watch the test streams, but try watching a recent movie from a third party studio and see if it reports the same resolution.

This is true, but if you care about quality you'd go directly to the third party source.

All of the content I actually use Netflix for is available in 1080p on L3 (Which matters to me, since L3 is the highest supported level on desktop x86 Linux).

How do you open this debugging info?

Ctrl-Alt-Shift-D, at least in FF.

The mentioned addon works pretty reliably for me, watching 1080p in FF on Linux, at least for Netflix original content.

Ctrl + Alt + Shift + D

Level 1 means everything is done in a secure enclave from what i understand.

I wonder if google does something similar to bluray AACS where if a level 1 device is compromised they can revoke just that device (or manufacturer's key). If not, i wonder why they don't.

(To clarify my curiosity is in an abstract way, i am ideologically opposed to DRM)

Yes, they can revoke or downgrade the level. And sometimes devices share the same key

Recent instance of such a downgrade, causing a ton of (Philips) TVs to stop playing HD content apparently: https://www.reddit.com/r/netflix/comments/jq9wdb/netflix_cap...

This is the tracker from the screenshots by the way: https://t.me/s/wvcrl

>If not, i wonder why they don't.

mainly because it's hard to trace back which device key got leaked, especially if all you have to go on are whatever the ripped videos. if you had the tools it'd be much easier, but that's probably kept under tight wraps by the piracy groups.

Hmm. Good point.

I suppose if you have the entire decoding process in a secure enclave you could also make it watermark the resulting file with which key was used to decrypt.

Widevine L1 does in fact watermark the decrypted bitstream. I don't think it's still true today, but there was a period last year where releasing decrypted L1 content without re-encoding meant sacrificing an NVIDIA Shield. The Shield was the only L1 capable player which had a known weakness and Widevine would revoke the device key based on the watermark in the bitstream.

Nowadays the piracy groups seem to have found a way around this. Presumably they found a way to strip the watermark, but we can only speculate as the groups guard their methods closely for obvious reasons.

what happens if the pirates have two compromised devices, and they compare the output between the two to foil your watermarking scheme?

I guess the watermarking scheme would include some randomness so you cant just trivially diff, but making a robust scheme is probably hard.

That said it doesn't need to be that robust, since the pirate only has to slip up once to get caught and its hard to know for sure if you got the entire watermark out.

The pirate can also add some randomness of their own to diffuse the watermark.

That's harder than you would think. See https://en.m.wikipedia.org/wiki/Cinavia

  > The intent is to prevent all copying, both counterfeit copies and legal copies of one's own content (for example, format shifting).
  > Verance claims on their website that, while the watermark is able to survive recording through microphones (such as recording a film in a movie theater with a camcorder), as well as compression and encoding, it is imperceptible to human hearing, as well as that the presence of the watermark does not affect audio quality.

A Herculean effort to create artificial scarcity. Thank you, capitalism.

Indeed, i find it equal parts disgusting and fascinating.

Well, under pure capitalism, intellectual property wouldn't exist and these sort of efforts would be pointless.

Although it's claimed that this survives arbitrary transcoding, I'm really not convinced that's mathematically possible. I think it's much more likely that they've just chosen to embed information at a very low bit rate.

Having never heard of this before, I did the natural hackernews reader thing -- search for a bypass -- and came across this interesting forum discussion [1] from ~2014, in which a large number of people state that a reverb effect gets rid of it. The original author writes:

> get an program named Audacity open the converted audio file in freemake > and open the file in Audacity choose File>Open then Edit>Select>All > then go to Effect>GVerb > make sure to have the following configuration:

> roomsize (m):1.0 > reverb time (s): 0.1 > Damping: 0.0 > Input Bandwidth: 0.20 > Dry Signal (db): -7.0 > Early reflection level (db): 0.0 > Tail Level: -17.5

Other methods of bypass include using a player that doesn't check for the watermark, patching out the checking code in a firmware image, and simply swapping the HD-DVD / Blueray audio with one from a DVD.

[1] https://web.archive.org/web/20141208081801/http://club.myce....

---- Edit ----

Some further useful information -- and a statement that they've put the details in their patent!

> The Cinavia detection is sensitive to pitches and time sequence of features. The specific feature that detector looks for, is already clearly stated in Verance patent US5940135:

> [2] www.google.com/patents/US5940135

> If you study the patent document you will know the feature is delayed correlation. They also use hopping to change the delay of the correlation within the pattern of the same watermark. The actual delay, and the hopping pattern between delays, is their secret and security. That information I cannot disclose. Nor is it needed to defeat Cinavia.

> The fact of the matter is Cinavia added an artificial signal to rapidly change the delayed correlation in short time internals. Analysis the audio and you can see it causes an un-natural ripples in the frequency space. If you can see those un-natural ripples, you can smooth it out and remove it. Just remember, in real world, different frequency components of a sound does not change that rapidly. They generally decay over a fraction of a second, and human ear can not catch it if a frequency shows up and then rapidly goes away. So the way to defeat Cinavia is do not let any frequency component go in and out so rapidly. If it shows up, let it stay for a little while longer. Stretch it out a bit, before letting it decay out.

> That will defeat Cinavia for sure. Make everything vary more slowly and smooth out any ripples. It also beautifies the sound quality.

> When people sing, the pace of their singing is much slower than normal speech, right? A sentence that takes 3 second to speak, a singer will spend half a minute to sing the same sentence out. The slow varying is what makes music beautiful, and it is also what can kill Civania!

[2] http://www.google.com/patents/US5940135

Wow. Thanks for that link.

No, from the repo mirror[0]:

> Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.

0: https://news.ycombinator.com/item?id=25078497

GP comment said L1 - what connection does that have to your comment, which seems to be about L3?

> Level 1 means everything is done in a secure enclave from what i understand.

This line said level 3 originally, must have been edited; but it doesn't look like it was archived on the IA, so I can't prove it.

What kind of secure enclave? There have been a lot of catastrophic vulnerabilities in secure enclaves, over the past year or three.

Whichever one your device has. Its a technology that google licenses out. If you are making a device that has a secure enclave you can apply for a license for level 1 widevine.

If indeed level 1 has been breached, presumably it happened via one of those weaker secure enclaves.

I'd just like to take a second to appreciate the irony/oxymoron of there being weaker "secure" enclaves

...and the idea of a secure computer in general...

I'm guessing that the people who have this cracked keep it a secret so only their inner group has the method which lets them leak all of the new content and Google has no idea which key or process has been cracked.

Well one key is known to be leaked:

> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.

> If not, i wonder why they don't.

The potential for a DOS-attack would be immense.

Any resources on Level 1 decryption?

One method appears to be playing back on a legitimate player, then using HDCP strippers on hdmi/displayport outputs[1]. I've seen some 4k releases that clearly show the streaming site's playback controls, for instance.

[1] search for "hdcp bypass" on ebay

I remember cheap chinese hdmi splitters used to inadvertently strip hdcp; is that still current?

Yes, but you could just explicitly search for a hdcp stripper and it'll work.

Capture HDMI. Strip DHCP.

Refer to the perfectly legal NeTV2 + trivial modification if you understand the HDL.

Is that considered decryption? Wouldn't that both decrypt and decompress? What if someone wants the original compressed stream so the video doesn't need to be re-compressed?

That can't be done without hardware hacks, which can (often) be traced to isolated hardware which the manufacturers will then lock out or force a software upgrade for, making it impossible to use in the future. That's why most 4k pirate releases are re-encoded from HDMI, not lossless rips of the original stream as they are for 720p and 1080p.

Will that reduce the quality of the audio/video?

There have been a bunch of papers recently about using undervolting to break secure enclaves. No idea about how applicable that is, but that might be a possible attack vector.

It's probably kept under wraps by large scene groups, they don't want to show their methods and have them patched out.

In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies

They are practically asking for Streisand Effect... if you distribute your key with the software, then whatever form it is in, I would not consider it "private" at all!

This is DeCSS all over again. Was that ever resolved? It seems to me the original DeCSS complaints were more or less dropped because technology moved on and they couldn't mount a defense in a real court, and had to rely on bluffing.

Case was dropped by the DVD CCA in Norway because the number was no longer secret. That isn't relevant for section 1201 of the DMCA. It cares only if the program's intent was to bypass copy protection. DeCSS, and even libdvdcss, are absolutely infringing on this, and can't be hosted in USA repositories.

How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these? I think there is solid legal DMCA ground for them to remain hosted in the US, without even needing to reach for the whole "freedom of speech" thing.

I won't even get into how I think GitHub is being overly courteous to media companies by extending takedown ability for alleged Section 1201 violations. I'm firmly convinced the only remedy the DMCA offers for that is via the courts, and that the takedown process explicitly requires the identification of infringing material, not circumvention tools.

These laws are similar in what seems like a number of countries, and the reason why they're like this is quite simple: They want to have the cake (getting money from extra charges on stuff like DVD/BD burners, writeable media, hard drives etc. -- which you get charged to offset fair use and related rights) and also eat it (effectively denying you the rights you already paid for with those surcharges).

In a normal world, I can only do one of these. Either I take the money, and render services or goods OR I don't take the money, and then don't render the services. But in RIAA/DMCA/GEMA/...-Crazytown you get to charge people AND actively avoid delivering anything.

The Librarian of Congress (if I remember right) can declare three year exemptions to the anti-circumvention provisions. They have to be reviewed and renewed every time. Jailbreaking a smartphone is one example of an exemption that was granted in the past.

It really is a ridiculously one-sided law that gives all power to private media entities.

You don't. Which is why that part of DMCA at least should be repealed.

Fair use is about copyright. The DMCAs anti-circumvention section means you can't distribute software designed to circumvent DRM, even if that software isn't itself infringing. So I don't see how fair use could apply.

At a minimum, Google's counsel testified under penalty of perjury in this takedown letter that they took Fair Use into consideration, so there must be at least some application here. (And if there isn't, that sure is a strange sentence to have in the letter - almost as if they are misusing this takedown letter template after all!)

Fair Use is about using copyrighted content, which is widely shackled behind DRM. Any court can easily see that in order to exercise your right to use that content in a Fair Use sort of way, you must break the DRM. Therefore, the existence and availability of DRM-breaking tools is a necessary condition for Fair Use to be exercised at all in conjunction with the modern media landscape.

DMCA does not include fair use as an allowable reason to circumvent DRM. That is one of the reasons why DRM sometimes shows up in weird places because it effectively limits fair use rights (see also all the right to repair stuff that people have been talking sbout lately)


>DMCA does not include fair use as an allowable reason to circumvent DRM. //

Could you cite the law you're referring to here please?

The UK CDPA as amended to follow the EU's Marrakech directive seems to say anything that prevents you from exercising your Fair Dealing rights to make content accessible for disabled people is void if it contradicts these rights. This seems necessarily to allow for circumvention of DRM (for people with disabilities and specific registered companies) but that also appears to mean production of circumvention means needs to be legal otherwise such accessibility will be impossible.

DMCA is the Digital Millennium Copyright Act, the latest amendment to USA copyright law. Text of the law is here: https://www.copyright.gov/legislation/dmca.pdf . GitHub is a division of a US company, Microsoft, so it is bound by US law.

Actually, it is more complicated than that. To exercise fair use defense (yes, it is a defense and not a right in US Copyright law), you must be able to use a process that is non-invasive (as stated in DMCA). So, if a DRM is preventing you to screenshot it, you are actually required to use a camera and exercise the analog hole. This is definitely disappointing, and I am not personally endorsing it, but the law as it stands does not lend credence. (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.)

> (Also, what RIAA is trying to remove is the code that allows to get the music video files from YouTube, which is served differently to normal videos. This was conspicuously absent from all discussions I've read.)

It's absent because RIAA's intent is not stated. They did a blanket takedown, unprompted. As far as I can tell they never requested any particular modification. IIRC the only hint that it might be related is a mention that the rolling cipher algorithm that YouTube-dl "circumvents" was ruled to be DRM under German law.

However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)

> However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)

This is definitely untested in court but I won't be surprised if it is indeed part of marketing. The problem with the tests is that they do download the video, even if it is a small amount and since ytdl does not reject the video for downloading at all it is technically infrigment, probably without a valid fair use defense. If ytdl has actively rejected that (for example if the test units are specifically to prevent downloading those types of videos), they may have a stonger defense against RIAA claims.

Well... the tests do not actually download the videos.

Not in their entirety, but it still downloaded a second for each of those videos. Interpret that as you wish, but I will not be surprised if RIAA will use this.

Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”

Fair use applies to copyrighted content, not circumvention tools.

This nonsense about "it's a defence not a right" discredits you.

It's a right because where it applies there is no tort. Like an allowed right of way over private property. Yes, if a you have someone abusing your rights by filling frivolous suits then "it's a defence", of course it is they're trying to assert a right they don't have.

Such needless couching of public rights in an authoritarian way is really offensive to the purposes of copyright, which is granted by the public - the demos - to private parties. It's not a natural right, and so yes, under Fair Use there is no right being infringed that a valid claim of tort can be made for; so one does have a right to do those things.

Thankfully in some countries the courts will just dismiss the case :


Two years later, their case was dismissed :

https://www.generation-nt.com/drm-stopdrm-dadvsi-justice-loi... (fr)

They were considered as 'irresponsible' due to 'either psychological issues, force majeure or legitimate self-defense".

(Note that they even seem to have shared the DMCA infringing software on their website.)

Material doesn't infringe rappers^w people do, context is important as well. For example in UK Fair Dealing time-shifting of live broadcasts is allowed, but retention or sharing (eg watching a recording of a TV show with another person!) is not.

I think both the USA and UK DDAs allow copying as part of production of accessible content.

Honestly though, I'm not sure how this fits with "circumvention" the wording (UK) appears to allow it.

> How is one supposed to exercise their right to Fair Use without "bypassing" technological measures via tools like these?

Fair use is not a right. It's a defence. You're still infringing copyright, but this is an infringement that they cannot punish. Importantly, law makers see fair use as a restriction of the rights of the copyright holder, not as a right granted to users of that IP.

People have always known that DMCA interferes with these defences. See for example this from 2001: https://repository.uchastings.edu/cgi/viewcontent.cgi?articl...

> You're still infringing copyright

Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work ... is not an infringement of copyright.


The 9th Circuit in Lenz v. Universal disagrees.

> right to Fair Use

There is no such thing AFAIK.

For those downvoting, see: https://www.govinfo.gov/content/pkg/CHRG-109hhrg27003/html/C...

> It is important to be clear about what the fair use doctrine is not. Fair use is not a right. It is a defense. [...]

It's not hard to find more links explaining the same thing (e.g., see http://www.copyhype.com/2013/08/why-copyright-is-a-right-and...), but I'm happy to be proven wrong...

Congress did not intend fair use to be an affirmative defense. It is clearly a right under US copyright law. The rights granted to copyright owners in section 106 are expressly “subject to” the fair use defense. The fair use section of the Act, section 107, provides expressly that fair use “is not an infringement of copyright", rather than an infringement with an affirmative defense. In Lenz v. Universal the courts say that fair use is "distinct from affirmative defenses where a use infringes a copyright, but there is no liability due to a valid excuse.” and that “fair use is ‘authorized by the law’ and a copyright holder must consider the existence of fair use before sending a takedown notification….”

It might not be an "affirmative" defense, but to my understanding that doesn't imply it's a right. A "right" as I understand it is something that is illegal for others to violate, and that government generally has a duty to protect. But there's nothing unlawful about creating something that's uncopyable, or about guarding what you have so closely that others are unable to copy it; in fact, I would've assumed being able to do so is itself your right. And should you create something that's uncopyable, nobody will be able to copy it, even if it would be fair use for them to do so. They might be upset about this, but their rights definitely aren't being violated by your creation or protection of that thing—and the government can't force you to make your stuff copyable. (Or maybe it can with additional legislation, but I'm pretty sure we don't have such legislation.) That means "fair use" isn't anyone's right... it's just a valid defense (whether "affirmative" or otherwise).

By this logic free speech isn't a right because the government is under no obligation to provide you with a platform to exercise it.

Offering you a platform is not the same thing as ensuring that it's even physically possible. The argument wasn't about the government hosting copyrightable content for you or delivering it to you; it was about ensuring it is even possible for you to copy content.

Preventing something from being copyable is only possible by not distributing it. If you can see it you can copy it.

The copyright holder could prevent you from copying it by never distributing it, but that doesn't mean you don't have a right to fair use, it only means you don't have the ability to exercise that right. Much the same as you can't exercise freedom of the press if you can't afford a printing press (or any modern equivalent).

It might be physically impossible for you to have an abortion, e.g. because you're infertile, but that doesn't mean you don't have a right to one under existing precedent.

Fair use is a right, and if the law doesn't accurately reflect that, then the law needs to be changed.

When a "right" is spoken of in legal discussions (which this clearly is), it implies a "right by law". If you want to talk about another right, like your "moral right", you'd usually say exactly that.

But yes, even rights defined in the law can and do get redefined, newly introduced or removed.

You're wrong: You can break copy protection if you own the rights to a work. This means you can e.g. circumvent Window's license checking if you own a copy of it already. The DMCA does not criminalize that, nor could it, and this is probably why py-kms is still up on github after a copyright challenge.

This was a change that I am assuming was added before any complaint could be mounted about this use case for fear of striking more of the DMCA down than just that provision that was modified.

It was "resolved" by new laws being introduced almost globally that make development, distribution etc. and potentially even possession of "circumvention devices" illegal, making it possible to do such takedown requests in most countries that provide infrastructure.

CSS only used 40 bit keys to comply with US export controls, so with modern computers you can just bruteforce it without knowing the key, so the key is very much a moot point at this point.

Not even modern, my athlon did that under 20 minutes, mplayer cached the key once it decrypted the DVDs.

The only difference between Widevine and DeCSS is you can rotate the Widevine key.

That should be a big difference. Have they made sure that all the netflix boxes out there support this?

Boxes are unlikely to use this key. The letter implies that this key is for the weakest (software-only) level of protection, used on generic PCs.

What do smart tvs and tv boxes use?

Each device usually has its own unique Widevine L1 keybox, with a separate intermediate key for each model.

"secret" when it's distributed with every installation of Google Chrome.

This is your brain on DRM.

Similarly to the youtube-dl case. Maybe Google was indeed behind it ?

Time for some DeCSS-style t-shirts/stickers again... maybe something like this[0]? ;)

[0] https://imgur.com/a/ajKeDfp

It would be great, although the real difference here is that the DeCSS key was almost impossible to change once it was leaked, while the Youtube key is comparatively trivial to change.

Just in case someone is looking for editable version: https://pastebin.com/Rbj6nd3q

42 ways to share code


Predates so-called "Streisand Effect"

I see that what you posted is on google's servers. Doesn't that mean they are effectively distributing it themselves?

> Predates so-called "Streisand Effect"

DeCSS was released in 1999; Mecha Streisand episode of South Park was 1998.

What has South Park got to do with it? The "Streisand Effect" was because of Streisand suing a photographer in 2003 causing people to realise where she lived and getting photos of her house, and the phrase was coined in 2005 by Techdirt.

There must be some kind of Mandela effect going on since I feel quite sure I was using this in 1998 after Streisand voiced distaste at the South Park episode.

Mecha-Streisand re-appeared in South Park’s 200th’s episode in 2010; Perhaps that’s what you were thinking of?

It's not an issue to them in this case, as presumably they can just change the key once the DMCA is successful and they have set precedent.

I thought copyrights on numbers were deemed invalid? Copyright applies to data as it appears right? You can encode a number in any base, the idea that a company has copyright on every base encoding is equivalent to me saying I have copyright on every key because I wrote a program that enumerates all keys.

> I thought copyrights on numbers were deemed invalid?

They are invalid. It's interesting since it implies copyright itself must be invalid.

All intellectual property is data, information, a collection of bits... Also known as a number. Copyrighted works are actually just numbers. Really big numbers. Creators are just trying to discover those numbers through their labor.

It also means such a program would be illegal, since it would also necessarily involve the creation of numbers that can be interpreted as truly illegal content.

The private key mentioned in the notice is here: https://archive.softwareheritage.org/browse/origin/content/?...

I thought it might be nice to create another mirror, just in case: https://github.com/cryptonek/widevine-l3-decryptor

Hopefully, it will hang at least till monday, so some of you will be able to clone.

It is based on commit ed8a97745c69b8cc0fc7f59cec9474b216b49e16 which is latest archived by Web Archive (and signed by Github!). By the way, it is still possible to fetch original repo, provided you know the commit id above :)

Excellent, thanks. Hadn't heard of this decryptor project before, now I can take a look through it to see how it works. :)

Pity they don't seem to have `git clone` support, and only allow downloading a tarball. Anyway, that's still a lot better than nothing. :)

How do I clone it to get .git directory? downloaded tar doesnt contain it.

Trying to get Widevine going on iOS / macOS has been a royal pain in the ass so far (crashes when you touch the lib while having a debugger attached, so you can't even debug your own code unless you swap in a severely castrated development version that only works on the simulator) and Google guards access to the official libs and docs like it's the precioussss.

To me this is just one of the many developer hostile steps I've seen. I understand they don't want you to access illegal content too easily but honestly the only thing that could drive me back to Torrenting is the declining quality of content on Netflix & co.

I honestly believe this is just a small component, which is a part of the long term strategy of the RIAA and others: a periodical check to test the waters to see where public opinion is at, to be able to guage if they can implement more dramatic and restrictive DRM mechanisms yet [1].

They are either 1) waiting for us to be too exhausted to notice/care/fight back, or 2) seeing whether they have to go further to 'protect content creators' by lobbying for more draconian laws that allow for the use of new DRM strategies. It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2], yet is now used as a way for business owners to avoid personal liability/responsibility. One could even argue that Corporate personhoood is one of the most destructive forces that exists today; causing some of the worst crimes in modern history [3].

It's important we continue to fight back and set a precedent for protecting users over corporations or governments.

[1] https://en.wikipedia.org/wiki/The_Right_to_Read

[2] https://www.history.com/news/14th-amendment-corporate-person...

[3] https://www.counterpunch.org/2013/02/05/corporate-personhood...

> It reminds me of reading about how Corporate personhood was invented to protect freed slaves [2]

Why not Magna Carta while you're at it ?

Some self hosting options:









This has been brought up before in the other threads, but just because you self host doesn't mean you can ignore DMCA takedown requests. You can choose to ignore such DMCA requests if they decide to send one to your self-hosted website, but not honoring it means you think you're not infringing on their copyright and are willing to go to court over it. If they don't want to go this far, or you try to not include contact info, they'll probably first send a DMCA to your web host/registrar who will suspend your hosting/website unless you counter-notice, which still means you've got to be ready to fight a lawsuit (note that Cloudflare forwards DMCA requests to your web host company, so you can't hide behind CF).

I would be very interested what they can do when I run this locally on my own machine at home (true self-host). Plus I live in the Netherlands...

Dutch law also has provisions against DRM circumvention technologies, so if they have proof that you're doing it, you can expect a lawsuit.

They won't find proof if you host the code on a git instance that's only accessible to you, but if you share that server with the internet, you can expect the RIAA (or more likely, their friends over at BREIN) to sue you (after getting your details from your ISP through another lawsuit).

Responding to a DMCA is free, copyright lawsuits are purposely expensive. You'd better have money for a good lawyer or good legal insurance if you plan on sharing your local Gitlab with such code.

One thing I considered is getting myself an instance of a small Gitlab clone with little attack surface and hosting the code on TOR. Ignoring the potential ethical issues, that should provide good defence against legal repercussions from groups like the RIAA and the MPAA. There's always a possibility that you'd get Kim Dotcom'd if your code gets popular enough, though.

You still got your ISP which likely includes some verbiage in the contract about prohibited use (but even if it doesn't, if the law makes it illegal, you and your ISP can be taken to court with it).

In the US, I have seen Verizon Fios shut off a user’s connection in response to a DMCA takedown notice (hosting a server at home).


Is a very US specific request.

DMCA itself is obviously an US law, but many Western countries have similar laws.

As someone outside of the US, luckily it seems most US companies think that US law applies globally.

I've got quite a few DMCA notices from rights holders, but never anything actually relevant to the country of my citizenship, where I live, or where the server is based.

So, naturally, I can just ignore them.

Point me at them, please.

Eg every EU country has laws broadly equivalent to the DMCA as a result of EU Directive 2001/29/EC [1]

The DMCA itself is just the US's implementation of the 1996 WIPO Copyright Treaty. 96 other countries have ratified it [2]

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A...

[2] https://www.wipo.int/treaties/en/ShowResults.jsp?lang=en&tre...

Well, since youtube-dl was the news, they have cited a German decision on the takedown request, which solely references German law. I don't know German enough to find this specific law, but I do know that by default copyright associations have a presumption to copyrights over certain media (like GEMA's case in music, which is used on YouTube around 2010, and Google was found guilty of that and therefore Google pays royalties to GEMA).

Just out of curiosity, how does it go with Cloudflare Workers? Obviously, any proxying is done dynamically in your own code, with no DNS records saved with Cloudflare. What's actually counted as a "web host company" or "origin" to which claims are forwarded with Workers?

CF indeed becomes the actual host of the content, so I imagine (if it gets routed correctly) trust&safety will suspend the worker and/or the worker KV namespace until you contact support to counter.

Are any of these Tor friendly?

I think the friendliest will be sourcehut, which is both FOSS and works without JS too.

Here's a guide for gitlab and i2p https://geti2p.net/en/docs/applications/git-bundle

They’re self-hosted, as in or 192.168.x.y

You can send any traffic through Tor, so yes.

For has a significant impact on latency, and use of JavaScript is often discouraged because it can be made to deanonymize users.

Wherein, Google asserts a copyright on the API for their license system, the protobuf file. Maybe this file is more creative than the Java APIs?

Additionally, the Git repo contains several files that violate Google’s copyrights: Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-decryptor/blob/main/license_protocol.proto

Isn't DRM... Completely fucking pointless? I can go on The Pirate Bay and find 4K rips of all movies and shows I want. If DRM can't prevent that, what's the point?

All it does is infringe on our rights to be able to do what we want on our own devices. It's crazy.

> Isn't DRM... Completely fucking pointless?

> All it does is infringe on our rights to be able to do what we want on our own devices.

No, but this is exactly the point of DRM and the legal protections around circumventing it. It never was about copyright protection. Copyright infringement was already illegal before the DMCA, and the introduction of DRM didn't make a dent in the amount of copyright infringement.

The point of making DRM circumvention illegal is for me to be able to sell you a bunch of bits, but ensure that I don't have any commercial competition in regards to how you use those bits. You can't legally make a device that plays DVDs without the blessing of a cartel known as DVD FLLC. You can't legally make a device that plays music from iTunes without the blessing of Apple. Etc. It's about retaining monopolistic control over media distribution and use, by forbidding certain forms of competition in the market.

Getting a law passed that forbids market competition (in many countries! not just the US) under the guise of being about copyright protection, is one of the greatest cons I've ever heard of, but that is what has happened.

DRM is mostly legal instrument. If you want to be able to sue people based on circumventing protections, courts need to consider your "content protection" "effective", which essentially means that it takes more than five minutes to circumvent. It also means that, since we're now talking about DRM that'll be protected by patents, copyright and obscurity/NDAs, that these DRM mechanisms centralize power to the owners of the DRM. This can then be easily leveraged to control and restrict e.g. the features playback devices may have.

If this were true, DRM would be trivial and made with easy to implement things like "detect if user right clicks, and pop up a message saying 'sorry copying not allowed'".

DRM is not that - a massive technical effort has gone into implementing DRM deep in system architectures. Modifications have been done across every layer of the stack, across hundreds of companies of differing goals.

You only go to that much effort, at that great a cost, if you are hoping for DRM to actually work, rather than just be a thing you can hold up in court and say "we tried to protect it your honor, we really did".

The "level of security" (~tech effort) is the main competitive selling point when DRM-vendors lobby studios for endorsement. The studios are probably partly being sold a pipe dream of "unbreakable DRM", but the person you responded to also has a point.

Weak or nonexistent DRM reduces the provable malicious intent of a ripper. The more effort it takes to break a DRM, the less likely it seems that you don't understand that what you are doing is wrong.

Recent events have shown that even simple google cypher may be effective. Even more effective is modifying your product to fit customers by NOT region locking your content, by not splitting it over multiple platforms. Using law to pretend that the global network does not exist is simply dumb and leads to piracy. DRM won't save backwards digital rights owners.

Region unlocking is unlikely to help to curb piracy, as the poorest regions won't be able to afford to buy the digital 'goods' at 'worldwide' prices.

Clearly this is not well thought out, but nobody is going to admit it. Any law that is trying to control human nature is pointless.

Like the law that you are not allowed to punch someone in the face because they annoy you?

I don't think it's the best tool to teach people not to punch each other in the face, but I wouldn't go so far to call it pointless either.

> Any law that is trying to control human nature is pointless.

Yet religions still seem be around and getting humans to do dumb things? ;)

From the removed repo:

> This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually by defeated anyway, and are, in a way, pointless.

> Isn't DRM... Completely fucking pointless?

It never ceases to amaze me how easy it is to boil frogs, even if the frogs in question are high-IQ, technically sophisticated HN readers.

Right now, you can still circumvent DRM, because you can still buy something that's approximately a general purpose computer (even if it will invariably already come with some remote-acessible hardware level spyware outside your control). But if current trends continue, this will not be the case by the end of the decade.

Also, preventing private individuals from receiving and distributing unauthorized copies is only one way in which DRM is useful to companies.

La France se libère, part deux?

Denuvo has been fairly successful despite what the pirates say. Several extremely popular games have gone many months with no crack. DRM isn't completely pointless, but it does require securing everything for it to work. Denuvo would be pointless if it weren't for the various secure virtualization features which are built into the CPU itself.

Denuvo actually didn't promise that it won't be cracked forever. It promise the consumer it won't be cracked in N day after the release. Primary purpose is to stop the day 1 pirate from hurting the selling count hard.

The movie industry doesn't seems like use it in the same way.

It's kind of silly that normal user was prevented from watch the video normally while pirates do whatever they want becuase the 4k hdmi hdcp can be easily removed by just a dongle.

DRM in the movie industry is mainly targeted at device vendors instead of customers. They want control over the playback experience and have a say which features the playback devices offer to users. Something that allows recording parts or skipping of the ads? Not great! That's also why there is a Widevine device revocation database for playback devices, while I'm not aware of something like that existing for Denuvo.

Sadly, if they actually cared about the consumer, then they would remove DRM after those N days. Since they don't, I just don't buy these games (Sonic Mania damnit!) , and I'm probably not alone..

There are suspicions that some publishers just pay money to the scene groups who able to circumvent it successfully.

Because it doesn't have to be 100% effective to do its job. If your choices are to fork over $20 for a copy, pay $10/month for a streaming service, or pirate it from a shady site, most people would go with the first two options. The main goal is stopping casual piracy, aka. asking your friend to make you a copy.

I find it goes the other way. I pirate things when legal services become too cumbersome, unethical, or dirty. DRM often does that. I won't avoid all DRM, but there's a threshold. The RIAA crossed with youtube-dl.

When I was in college, price was an issue, and piracy was there to save the $10/month for most students, but the alternative was not having the music/software/etc., rather than a legal sale. The actual financial loss was close to zero. I think the reason for DRM isn't so much to prevent profit-losing piracy, as control.

Movie and record companies want to differentiate pricing by market. They want records of who watch what and where. They want to be able to expire things, explicitly or implicitly (if I go Android<->Apple, my iTunes/Google Play collections become less helpful). That has business value.

As for paying customers, when I was a student, they could have milked me for $5. As a professional, I don't really care what it costs, and I don't want to bother with piracy, and I'll do whatever's most ethical. The RIAA just told me what's most ethical is not listening to new music, followed by pirating music, followed by buying music.

I got enough music.

RIAA is a cancer that is growing on artists. I don't know any who would like their art to be gatekeeped in this mafia-esque manner. These days most artist understand that legitimate fans will buy their art if it is easy and affordable. Nobody needs RIAA today and these type of organisations who profit off of artists without bringing any value should be made illegal.

Ah yeah, Amazon remotely removing 1984 from Kindles was incredible. It could only have been worse if it was Fahrenheit 451 !

That would be the case without DRM. With DRM my options are:

- Pay $20 for a copy that I can't play on all of my devices, and that I may be unable to play at some point in the future if the producer decides they don't want me to anymore.

- Pay $10/month for a streaming service that won't allow me to watch at full resolution on several of my devices, and has no guarantee that the content I want will continue to be available.

- Not consume the media at all.

- Download it from a shady pirate site, but then assuming it actually is what I think it is (which is questionable) be able to use it however I want.

No good options.

The piracy option is not all that shady at all (there are good sites, and even the bad sites just need you to know what a magnet link is and not clicking on other download links), and you can get DRM-less copies in any combination of size/quality/encoding you want. It always boggles my mind how people in developed countries have not (all) caught on to this. You can even easily stream the content, using, e.g., peerflix. There is even opensource software that creates a media server, though I have not tried them. And these are all just the mainstream stuff. There is lots of niche piracy, e.g., Telegram channels and groups that post books, movies, TV series, etc. Telegram bots that just give you any music you request (I personally found them better than a premium Spotify subscription). Google shared drives that have everything. Sites that offer direct download links of everything (these sometimes specialize to a certain category, e.g., games). Piracy is so mature that it was and is much better than the best money can buy.

Any peer-to-peer solution is very likely to (at least in my country) contain honeypots to find the IPs of people downloading (which is not illegal afaik) and seeding (which is illegal) copyrighted media. They then take those IPs to the respective ISP to obtain your identity and send you "pay us or we sue you" letters.

It's a pretty effective deterrent if you ask me.

Just buy a VPS/VPN that is okay with torrenting. (My suggestion is to try the different services and stick with one that doesn't ban you.)(I have never encountered one that cared, but some VPNs did feel like they throttled torrent traffic.)

Or just shut off your internet connection.

Plex + Sonarr + Radarr + Deluge running on a seedbox is far far beyond what most people think piracy is. That setup can search for shows for you across multiple public and private trackers, download them, sort them, watch for new episodes or movies, notify you when they are downloaded.

I personally have settled for the 3rd option and I don't feel any loss for that reason. The really create FOMO in people, just look at how many paid Disney to watch Mulan early even with a subscription.

The market is littered by art like products driven by analytics and it is hard to find good art. Sometimes I play some new releases on Tidal when I am working and there is rarely something that would make me store it in my own playlist. Everything is the same and they protect it like these were some nuclear plans.

I just started to learn about DJing, and the recommended software is Serato.

The lite version, you cannot use your own mp3s, but it has support for streaming services.

Spotify was removed months ago, but Tidal is available.

It is just so easy to create content now, the signal to noise ratio is pretty low.

Actually there are DRM-free websites selling music, e.g., https://bandcamp.com

That doesn't make any sense. Not only is it not any harder to get it from some website than from your friend, the way people get it from their friend is by sharing the original disc or their Netflix password, which the DRM doesn't prevent in any way.

Yes movie DRM does seem completely pointless. Game DRM on the other hand does seem to hold up for the first few months which is where most of the sales happen. It would be nice if devs dropped the DRM once it is cracked though.

Thanks for that. I found this interesting old discussion on Denuvo too (skim/skip the OP, seems to be BS, but the top comment is interesting).


Super interesting, thanks for posting

The point isn't to protect content, but to need permission from the DRM makers to make a viable browser (or TV, or music player, or ebook reader, or...) Without their blessing, it won't work with locked content, and your users will go to a competitor favored by the DRM owners.

Isn’t the point to generate license revenue for the DRM IP holders?

Not just pointless. It's unethical and crooked.

You can record data coming to the LCD panel or record the TV screen by a camera. With just degraded quality. On the other hand, I can't even take a screenshot of DRM-protected content on Android which can be very annoying sometimes.

DRM is an extra fee imposed on the parties that follow the letter of the law. It's like building permits but the transfer of wealth is to a private entity instead of the state (which has its pros and cons).

Like others said, for non-interactive media it is mostly pointless, but for executable code (especially stuff that's online or will update a lot, like games) it does some work.

We just stop consuming stupid DRM shows and music. There r tons of other media available and music from unknown talented composers/artists.

> The Pirate Bay and find 4K rips of all movies and shows I want.

What? There's almost no 4K rips for shows or movies. To me it seems it's working pretty well.

Private torrent trackers have them all. I’ve contacted multiple members and asked them for their secrets and none replied.

I’ve requested several Amazon and Netflix shows and got the pure, not reencoded, unencrypted files.

You're clearly not looking in the right places :)

For shows 4k is not the norm.

RARBG has 4K rips of the newest Mandalorian episode, which was released today. DRM doesn't work.

Not necessarily. It can be good in a different setting: guaranteeing that medical software is at least signed by the developer and untampered.

That's what cryptographic signatures are for. No need for DRM.

> Isn't DRM... Completely fucking pointless?

Yes. It just slows down the less skilled from breaking the protection.

There will always be one or a team of more highly skilled hackers that eventually defeats it.

It always only a matter of time when it gets broken. But again, there's always the analogue hole. [0]

[0] https://en.wikipedia.org/wiki/Analog_hole

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact