Github did nothing wrong here. They got an important, maybe controlling share of the market by creating a great product. While they might have a monopoly, I see no abuse of it.
But that's irrelevant for the rest of the world. The simple existence of the monoculture makes all of us vulnerable to attacks.
I try to think of GH as a convenient mirror service that happens to provide a lot of discoverability. Nice, but in no way essential.
Of course if JIRA shut down that'd be annoying too, but I could re-create my project in another project manager.
To me, the bigger impact is things like GitHub Actions and your CI/CD pipeline. Issue tracking and PRs don't seem like big issues to me.
Sure, and these are definitely important – but your project isn't directly threatened if they are pulled out from under you. You'll just be operating with degraded CI quality for a while.
Also the idea that mono-culture is less of a threat because git is a DVCS ignores all of the data in issues, wiki, network effect, and all of the other non-git things that make up github, none of these are distributed or really portable and for many projects this makes them decidedly not a "mirror service with discoverability"
Do you have an example of this? This seems like it would be a hard sell as there haven't been many (any?) breaking changes to Git itself in a long while.
And while not git proper, you could point to Git-LFS as this example as well.
I haven't heard of this, got an example?
What I'm familiar with is using PRQ (of TPB fame) + Njalla (by TPB co-founder, Peter Sunde), PRQ provides the machines and Njalla the domain, both pro-privacy and will fight claims to protect you, if you're only breaking "piracy" laws (digital ones).
My idea is that, as I said, I can't stop the DMCA train but it's a whole lot harder to take on thousands of small Giteas and SourceHuts than it is to open a pull request on GitHub. We can get the meta-wins of GitHub later by designing some aggregators that talk to Gitea and SourceHut in efficient ways in the future, but for now the pressing matter is to decentralize code hosting, in my view.
There is for sure, check out PRQ and Njalla for just one selection of services that would allow you to ignore DMCA requests.
Yeah, I'm really interested in a federated ecosystem of Giteas for sure (https://github.com/go-gitea/gitea/issues/1612), seems ForgeFed might be the way to get there. https://discourse.gitea.io/t/forgefed-federation-in-gitea/11...
I guess you could host a gitea server behind a Tor hidden service on the VPS of your choice.
I suppose the next best thing is decentralized collaboration via email.
Right now, any other self-hosted code-host needs you to sign-up or use OAuth2, which frankly is quite annoying. Whoever suggests mailing lists should really get with the times. It is not a fun experience in the slightest.
I think the time has come for there to be a repository hosting service that is based somewhere in Switzerland :)
I'm no longer familiar with the architecture of TPB, but they seem to be running things in a much more decentralized fashion nowadays, where a bunch of independent sites (at least independent domains) are running a frontend with the same database content. Unsure how that works behind the scenes.
But rest assured, you can always find a domain which is not blocked and that is mirroring the content of the proper TPB. In my case, thepiratebay.org is blocked by my ISP, but thepiratebay.party is just a few hours behind (confirmed via VPN).
Compare the following pages for example (if thepiratebay.org works for you)
Sealand is within the territorial waters of the UK. No sovereign nation has recognized Sealand's independence from the UK. Even if one did, according to international law, artificial islands and structures don't possess the status of islands.
I remember there was an international ruling where the US was in a trade violation, and I thought the country was permitted to waive IP enforcement until they were compensated.
I am having trouble finding the reference.
Keep in mind, there is a big difference between being allowed to violate US copyrights and waiving IP enforcement.
Blaming the content service is easy since they're user-facing, but it's shallow. Content-related restrictions are, in my experience, almost always dictated by the content owner. Region locks, availability windows, use of DRM, DMCAs for anti-DRM, etc, are all at the requirement of the content owners.
I don't think these modern Internet-based service providers care about that stuff much, they have little incentive to. It's driven by contracts.
Incidentally, this is always the reason behind region locks. Service X or content Y isn't available in your country? Don't blame the streaming service, blame the content owner.
Existing server: http://git.idk.i2p/zlatinb/muwire
Can't find the clearnet address
Drew seems like the type to fight illegitimate DMCAs.
Edit: I'm curious, why the downvotes? I am legitimately trying to be helpful. I recognize if you have personal differences with ddevault, but he puts his code where his mouth is.
If I'm misunderstanding said downvotes, please enlighten me.
Edit 2: Many thanks to those who have responded. It appears I misunderstood about this specific instance, where the DMCA does have some legitimacy.
Someone else in this thread linked this, which seems like a useful resource as well: https://sourcehut.org/blog/2020-10-29-how-mailing-lists-prev...
Edit: It was biryani_chicken who linked the resource above.
Also, I misunderstood about the legitimacy of this specific claim, my brain had yet to shift gear from the youtube-dl shenanigans.
Thanks for the response!
Also, what RIAA is trying to remove is the code that allows getting the music video files from YouTube, which are served differently to normal videos (not just the test units in question). This was conspicuously absent from all discussions I've read.
> It is our belief that the repo as a whole represents a circumvention tool in violation of 1201 and therefore needs to be removed.
> Additionally, the Git repo contains several files that violate Google’s copyrights:
> <a bunch of files>
> In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.
That bit is probably irrelevant to the DMCA takedown procedure, which only applies to "material that is claimed to be infringing or to be the subject of infringing activity". I don't think there's much clear precedent to what "be the subject of infringing activity" means, but decryption tools that don't use stolen code definitely don't qualify as "material that is claimed to be infringing".
And if Google does want to claim that the circumvention tool is infringing a Google copyright rather than merely running afoul of an unrelated provision of the DMCA, then Google has to specifically identify their own work of decryption code that the circumvention tool is ripping off. All this notice specifically identifies in the way of actual infringement are two documentation PDFs and an API header file (and we all know where Google stands on API copyright).
"Their belief" is meaningless, to get a circumvention tool removed they need a court order.
I don't feel as bad about it here as about youtube-dl. I disagree, mind you -- I'd like github to act as a neutral service provider -- but this one is a place where I can see why github might hold a different opinion. It's an ideological split like abortion, gun control, or similar, where reasonable people can violently disagree.
The whole "Sensitive Data takedown request" is also a github thing, but this one is a written policy:
It has nothing to do with the DMCA.
Of course. That being said, wasn't there a big discussion when this happened to youtube-dl about how that was almost certainly not a legitimate DMCA? That being the case, disregarding it would not be illegal, at least to my (quite limited) understanding.
It appears I misunderstood in this specific case as there is a much stronger case for this DMCA to be considered legitimate.
That said at least part of this notice seems legit.
I'm sorry if that's offensive.
(Also, I donate to the EFF)
Something they've participated in every 2 years since 2000, as documented here: https://www.eff.org/cases?group=0-9
The repository itself is pirated code - it is code held under copyright by google, and google doesn't want it to be public, therefore anyone distributing it is violating copyright. The DMCA claim is substantially less than what they could do. Actual copyright violations have very large fines.
Until then, something IPFS based.
Specifically, Filecoin (built by the IPFS folks) could be used as a datastore for git. You can send DMCAs to pseudonymous Filecoin operators all you want; but the content will still be up if one operator keeps hosting it.
Hopefully it will also encourage all commits and repositories to be PGP signed (and not through a centralized FVEY platform), strengthening security, authenticity, and trust.
The best part about non-GEO satellites is that, although you can't see them 24/7 from one location, that also makes it incredibly difficult to jam their uplinks continuously.
Some reputable people in the pirating industry have actually cracked Level 1, which means they can decrypt 4K! :-)
Do you have a source for that? This page says Firefox and Chrome on Windows, Linux, and Mac only go up to 720p. Chrome on ChromeOs goes up to 1080p, is that still L3?
It seems that many streaming platforms disable 1080p by default, and I assume that this is only for performance reasons (some hardware struggles to run an obfuscated software video decoder...) - it's not a DRM limitation, and in netflix's case it can be re-enabled via trivial changes to the frontend JS.
All of the content I actually use Netflix for is available in 1080p on L3 (Which matters to me, since L3 is the highest supported level on desktop x86 Linux).
The mentioned addon works pretty reliably for me, watching 1080p in FF on Linux, at least for Netflix original content.
I wonder if google does something similar to bluray AACS where if a level 1 device is compromised they can revoke just that device (or manufacturer's key). If not, i wonder why they don't.
(To clarify my curiosity is in an abstract way, i am ideologically opposed to DRM)
Recent instance of such a downgrade, causing a ton of (Philips) TVs to stop playing HD content apparently:
This is the tracker from the screenshots by the way: https://t.me/s/wvcrl
mainly because it's hard to trace back which device key got leaked, especially if all you have to go on are whatever the ripped videos. if you had the tools it'd be much easier, but that's probably kept under tight wraps by the piracy groups.
I suppose if you have the entire decoding process in a secure enclave you could also make it watermark the resulting file with which key was used to decrypt.
Nowadays the piracy groups seem to have found a way around this. Presumably they found a way to strip the watermark, but we can only speculate as the groups guard their methods closely for obvious reasons.
That said it doesn't need to be that robust, since the pirate only has to slip up once to get caught and it's hard to know for sure if you got the entire watermark out.
> The intent is to prevent all copying, both counterfeit copies and legal copies of one's own content (for example, format shifting).
> Verance claims on their website that, while the watermark is able to survive recording through microphones (such as recording a film in a movie theater with a camcorder), as well as compression and encoding, it is imperceptible to human hearing, as well as that the presence of the watermark does not affect audio quality.
Having never heard of this before, I did the natural hackernews reader thing -- search for a bypass -- and came across this interesting forum discussion from ~2014, in which a large number of people state that a reverb effect gets rid of it. The original author writes:
> get an program named Audacity open the converted audio file in freemake
> and open the file in Audacity choose File>Open then Edit>Select>All
> then go to Effect>GVerb
> make sure to have the following configuration:
> roomsize (m):1.0
> reverb time (s): 0.1
> Damping: 0.0
> Input Bandwidth: 0.20
> Dry Signal (db): -7.0
> Early reflection level (db): 0.0
> Tail Level: -17.5
Other methods of bypass include using a player that doesn't check for the watermark, patching out the checking code in a firmware image, and simply swapping the HD-DVD / Blu-ray audio with one from a DVD.
---- Edit ----
Some further useful information -- and a statement that they've put the details in their patent!
> The Cinavia detection is sensitive to pitches and time sequence of features. The specific feature that detector looks for, is already clearly stated in Verance patent US5940135:
>  www.google.com/patents/US5940135
> If you study the patent document you will know the feature is delayed correlation. They also use hopping to change the delay of the correlation within the pattern of the same watermark. The actual delay, and the hopping pattern between delays, is their secret and security. That information I cannot disclose. Nor is it needed to defeat Cinavia.
> The fact of the matter is Cinavia added an artificial signal to rapidly change the delayed correlation in short time intervals. Analyze the audio and you can see it causes un-natural ripples in the frequency space. If you can see those un-natural ripples, you can smooth it out and remove it. Just remember, in real world, different frequency components of a sound do not change that rapidly. They generally decay over a fraction of a second, and human ear can not catch it if a frequency shows up and then rapidly goes away. So the way to defeat Cinavia is do not let any frequency component go in and out so rapidly. If it shows up, let it stay for a little while longer. Stretch it out a bit, before letting it decay out.
> That will defeat Cinavia for sure. Make everything vary more slowly and smooth out any ripples. It also beautifies the sound quality.
> When people sing, the pace of their singing is much slower than normal speech, right? A sentence that takes 3 seconds to speak, a singer will spend half a minute to sing the same sentence out. The slow varying is what makes music beautiful, and it is also what can kill Cinavia!
> Widevine's least secure security level, L3, as used in most browsers and PCs, is implemented 100% in software (i.e no hardware TEEs), thereby making it reversible and bypassable.
This line said level 3 originally, must have been edited; but it doesn't look like it was archived on the IA, so I can't prove it.
If indeed level 1 has been breached, presumably it happened via one of those weaker secure enclaves.
The potential for a DOS-attack would be immense.
 search for "hdcp bypass" on ebay
Refer to the perfectly legal NeTV2 + trivial modification if you understand the HDL.
They are practically asking for Streisand Effect... if you distribute your key with the software, then whatever form it is in, I would not consider it "private" at all!
I won't even get into how I think GitHub is being overly courteous to media companies by extending takedown ability for alleged Section 1201 violations. I'm firmly convinced the only remedy the DMCA offers for that is via the courts, and that the takedown process explicitly requires the identification of infringing material, not circumvention tools.
In a normal world, I can only do one of these. Either I take the money, and render services or goods OR I don't take the money, and then don't render the services. But in RIAA/DMCA/GEMA/...-Crazytown you get to charge people AND actively avoid delivering anything.
It really is a ridiculously one-sided law that gives all power to private media entities.
Fair Use is about using copyrighted content, which is widely shackled behind DRM. Any court can easily see that in order to exercise your right to use that content in a Fair Use sort of way, you must break the DRM. Therefore, the existence and availability of DRM-breaking tools is a necessary condition for Fair Use to be exercised at all in conjunction with the modern media landscape.
Could you cite the law you're referring to here please?
The UK CDPA as amended to follow the EU's Marrakech directive seems to say anything that prevents you from exercising your Fair Dealing rights to make content accessible for disabled people is void if it contradicts these rights. This seems necessarily to allow for circumvention of DRM (for people with disabilities and specific registered companies) but that also appears to mean production of circumvention means needs to be legal otherwise such accessibility will be impossible.
It's absent because RIAA's intent is not stated. They did a blanket takedown, unprompted. As far as I can tell they never requested any particular modification. IIRC the only hint that it might be related is a mention that the rolling cipher algorithm that YouTube-dl "circumvents" was ruled to be DRM under German law.
However, the bulk of the DMCA seems to be leveled at the marketing of ytdl as a circumvention tool, citing unit tests containing metadata referencing RIAA-owned content (unit tests, apparently, are now part of 'marketing,' I guess.)
This is definitely untested in court but I won't be surprised if it is indeed part of marketing. The problem with the tests is that they do download the video, even if it is a small amount and since ytdl does not reject the video for downloading at all it is technically infringement, probably without a valid fair use defense. If ytdl has actively rejected that (for example if the test units are specifically to prevent downloading those types of videos), they may have a stronger defense against RIAA claims.
It's a right because where it applies there is no tort. Like an allowed right of way over private property. Yes, if you have someone abusing your rights by filing frivolous suits then "it's a defence", of course it is they're trying to assert a right they don't have.
Such needless couching of public rights in an authoritarian way is really offensive to the purposes of copyright, which is granted by the public - the demos - to private parties. It's not a natural right, and so yes, under Fair Use there is no right being infringed that a valid claim of tort can be made for; so one does have a right to do those things.
Two years later, their case was dismissed:
They were considered as 'irresponsible' due to 'either psychological issues, force majeure or legitimate self-defense'.
(Note that they even seem to have shared the DMCA infringing software on their website.)
I think both the USA and UK DDAs allow copying as part of production of accessible content.
Honestly though, I'm not sure how this fits with "circumvention" the wording (UK) appears to allow it.
Fair use is not a right. It's a defence. You're still infringing copyright, but this is an infringement that they cannot punish. Importantly, law makers see fair use as a restriction of the rights of the copyright holder, not as a right granted to users of that IP.
People have always known that DMCA interferes with these defences. See for example this from 2001: https://repository.uchastings.edu/cgi/viewcontent.cgi?articl...
Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work ... is not an infringement of copyright.
There is no such thing AFAIK.
> It is important to be clear about what the fair use doctrine is not. Fair use is not a right. It is a defense. [...]
It's not hard to find more links explaining the same thing (e.g., see http://www.copyhype.com/2013/08/why-copyright-is-a-right-and...), but I'm happy to be proven wrong...
The copyright holder could prevent you from copying it by never distributing it, but that doesn't mean you don't have a right to fair use, it only means you don't have the ability to exercise that right. Much the same as you can't exercise freedom of the press if you can't afford a printing press (or any modern equivalent).
It might be physically impossible for you to have an abortion, e.g. because you're infertile, but that doesn't mean you don't have a right to one under existing precedent.
But yes, even rights defined in the law can and do get redefined, newly introduced or removed.
This was a change that I am assuming was added before any complaint could be mounted about this use case for fear of striking more of the DMCA down than just that provision that was modified.
This is your brain on DRM.
Predates so-called "Streisand Effect"
DeCSS was released in 1999; Mecha Streisand episode of South Park was 1998.
They are invalid. It's interesting since it implies copyright itself must be invalid.
All intellectual property is data, information, a collection of bits... Also known as a number. Copyrighted works are actually just numbers. Really big numbers. Creators are just trying to discover those numbers through their labor.
Hopefully, it will hang at least till monday, so some of you will be able to clone.
It is based on commit ed8a97745c69b8cc0fc7f59cec9474b216b49e16 which is latest archived by Web Archive (and signed by Github!). By the way, it is still possible to fetch original repo, provided you know the commit id above :)
Pity they don't seem to have `git clone` support, and only allow downloading a tarball. Anyway, that's still a lot better than nothing. :)
To me this is just one of the many developer hostile steps I've seen. I understand they don't want you to access illegal content too easily but honestly the only thing that could drive me back to Torrenting is the declining quality of content on Netflix & co.
They are either 1) waiting for us to be too exhausted to notice/care/fight back, or 2) seeing whether they have to go further to 'protect content creators' by lobbying for more draconian laws that allow for the use of new DRM strategies. It reminds me of reading about how Corporate personhood was invented to protect freed slaves, yet is now used as a way for business owners to avoid personal liability/responsibility. One could even argue that Corporate personhood is one of the most destructive forces that exists today; causing some of the worst crimes in modern history.
It's important we continue to fight back and set a precedent for protecting users over corporations or governments.
Why not Magna Carta while you're at it?
They won't find proof if you host the code on a git instance that's only accessible to you, but if you share that server with the internet, you can expect the RIAA (or more likely, their friends over at BREIN) to sue you (after getting your details from your ISP through another lawsuit).
Responding to a DMCA is free, copyright lawsuits are purposely expensive. You'd better have money for a good lawyer or good legal insurance if you plan on sharing your local Gitlab with such code.
One thing I considered is getting myself an instance of a small Gitlab clone with little attack surface and hosting the code on TOR. Ignoring the potential ethical issues, that should provide good defence against legal repercussions from groups like the RIAA and the MPAA. There's always a possibility that you'd get Kim Dotcom'd if your code gets popular enough, though.
Is a very US specific request.
I've got quite a few DMCA notices from rights holders, but never anything actually relevant to the country of my citizenship, where I live, or where the server is based.
So, naturally, I can just ignore them.
The DMCA itself is just the US's implementation of the 1996 WIPO Copyright Treaty. 96 other countries have ratified it.
Additionally, the Git repo contains several files that violate Google’s copyrights:
Google license_protcol.proto (see Google copyright at the top of the file): /widevine-l3-decryptor/blob/main/license_protocol.proto
All it does is infringe on our rights to be able to do what we want on our own devices. It's crazy.
> All it does is infringe on our rights to be able to do what we want on our own devices.
No, but this is exactly the point of DRM and the legal protections around circumventing it. It never was about copyright protection. Copyright infringement was already illegal before the DMCA, and the introduction of DRM didn't make a dent in the amount of copyright infringement.
The point of making DRM circumvention illegal is for me to be able to sell you a bunch of bits, but ensure that I don't have any commercial competition in regards to how you use those bits. You can't legally make a device that plays DVDs without the blessing of a cartel known as DVD FLLC. You can't legally make a device that plays music from iTunes without the blessing of Apple. Etc. It's about retaining monopolistic control over media distribution and use, by forbidding certain forms of competition in the market.
Getting a law passed that forbids market competition (in many countries! not just the US) under the guise of being about copyright protection, is one of the greatest cons I've ever heard of, but that is what has happened.
DRM is not that - a massive technical effort has gone into implementing DRM deep in system architectures. Modifications have been done across every layer of the stack, across hundreds of companies of differing goals.
You only go to that much effort, at that great a cost, if you are hoping for DRM to actually work, rather than just be a thing you can hold up in court and say "we tried to protect it your honor, we really did".
Weak or nonexistent DRM reduces the provable malicious intent of a ripper. The more effort it takes to break a DRM, the less likely it seems that you don't understand that what you are doing is wrong.
I don't think it's the best tool to teach people not to punch each other in the face, but I wouldn't go so far to call it pointless either.
Yet religions still seem be around and getting humans to do dumb things? ;)
> This PoC was done to further show that code obfuscation, anti-debugging tricks, whitebox cryptography algorithms and other methods of security-by-obscurity will eventually be defeated anyway, and are, in a way, pointless.
It never ceases to amaze me how easy it is to boil frogs, even if the frogs in question are high-IQ, technically sophisticated HN readers.
Right now, you can still circumvent DRM, because you can still buy something that's approximately a general purpose computer (even if it will invariably already come with some remote-accessible hardware level spyware outside your control). But if current trends continue, this will not be the case by the end of the decade.
Also, preventing private individuals from receiving and distributing unauthorized copies is only one way in which DRM is useful to companies.
The movie industry doesn't seem to use it in the same way.
It's kind of silly that a normal user was prevented from watching the video normally while pirates do whatever they want because the 4k hdmi hdcp can be easily removed by just a dongle.
When I was in college, price was an issue, and piracy was there to save the $10/month for most students, but the alternative was not having the music/software/etc., rather than a legal sale. The actual financial loss was close to zero. I think the reason for DRM isn't so much to prevent profit-losing piracy, as control.
Movie and record companies want to differentiate pricing by market. They want records of who watches what and where. They want to be able to expire things, explicitly or implicitly (if I go Android<->Apple, my iTunes/Google Play collections become less helpful). That has business value.
As for paying customers, when I was a student, they could have milked me for $5. As a professional, I don't really care what it costs, and I don't want to bother with piracy, and I'll do whatever's most ethical. The RIAA just told me what's most ethical is not listening to new music, followed by pirating music, followed by buying music.
I got enough music.
- Pay $20 for a copy that I can't play on all of my devices, and that I may be unable to play at some point in the future if the producer decides they don't want me to anymore.
- Pay $10/month for a streaming service that won't allow me to watch at full resolution on several of my devices, and has no guarantee that the content I want will continue to be available.
- Not consume the media at all.
- Download it from a shady pirate site, but then assuming it actually is what I think it is (which is questionable) be able to use it however I want.
No good options.
It's a pretty effective deterrent if you ask me.
The lite version, you cannot use your own mp3s, but it has support for streaming services.
Spotify was removed months ago, but Tidal is available.
It is just so easy to create content now, the signal to noise ratio is pretty low.
What? There's almost no 4K rips for shows or movies. To me it seems it's working pretty well.
I’ve requested several Amazon and Netflix shows and got the pure, not reencoded, unencrypted files.
Yes. It just slows down the less skilled from breaking the protection.
There will always be one or a team of more highly skilled hackers that eventually defeats it.
It's always only a matter of time when it gets broken. But again, there's always the analogue hole.