Firefox

Firefox 57 Brings Better Sandboxing on Linux (bleepingcomputer.com) 124

Catalin Cimpanu, writing for BleepingComputer: Firefox 57, set to be released tomorrow, will ship with improvements to the browser's sandbox security feature for Linux users. The Firefox sandboxing feature isolates the browser from the operating system in a way to prevent web attacks from using a vulnerability in the browser engine and its legitimate functions to attack the underlying operating system, place malware on the filesystem, or steal local files. Chrome has always run inside a sandbox. Initially, Firefox ran only a few plugins inside a sandbox -- such as Flash, DRM, and other multimedia encoding plugins.
Google

Google Working To Remove MINIX-Based ME From Intel Platforms (tomshardware.com) 181

An anonymous reader quotes a report from Tom's Hardware: Intel's Management Engine (ME) technology is built into almost all modern Intel CPUs. At the Embedded Linux Conference, a Google engineer named Ronald Minnich revealed that the ME is actually running its own entire MINIX OS and that Google is working on removing it. Due to MINIX's presence on every Intel system, the barebones Unix-like OS is the most widely deployed operating system in the world. Intel's ME technology is a hardware-level system within Intel CPUs that consists of closed-source firmware running on a dedicated microprocessor. There isn't much public knowledge of the workings of the ME, especially in its current state. It's not even clear where the hardware is physically located anymore.

What's concerning Google is the complexity of the ME. Public interest in the subject piqued earlier this year when a vulnerability was discovered in Intel's Active Management Technology (AMT), but that's just a software that runs on ME--ME is actually an entire OS. Minnich's presentation touched on his team's discovery that the OS in question is a closed version of the open-source MINIX OS. The real focus, though, is what's in it and the consequences. According to Minnich, that list includes web server capabilities, a file system, drivers for disk and USB access, and, possibly, some hardware DRM-related capabilities. It's not known if all this code is explicitly included for current or future ME capabilities, or if it's because Intel simply saw more potential value in keeping rather than removing it.

Intel

MINIX: Intel's Hidden In-chip Operating System (zdnet.com) 271

Steven J. Vaughan-Nichols, writing for ZDNet: Matthew Garrett, the well-known Linux and security developer who works for Google, explained recently that, "Intel chipsets for some years have included a Management Engine [ME], a small microprocessor that runs independently of the main CPU and operating system. Various pieces of software run on the ME, ranging from code to handle media DRM to an implementation of a TPM. AMT [Active Management Technology] is another piece of software running on the ME." [...] At a presentation at Embedded Linux Conference Europe, Ronald Minnich, a Google software engineer reported that systems using Intel chips that have AMT, are running MINIX. So, what's it doing in Intel chips? A lot. These processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. In addition, thanks to Minnich and his fellow researchers' work, MINIX is running on three separate x86 cores on modern chips. There, it's running: TCP/IP networking stacks (4 and 6), file systems, drivers (disk, net, USB, mouse), web servers. MINIX also has access to your passwords. It can also reimage your computer's firmware even if it's powered off. Let me repeat that. If your computer is "off" but still plugged in, MINIX can still potentially change your computer's fundamental settings. And, for even more fun, it "can implement self-modifying code that can persist across power cycles." So, if an exploit happens here, even if you unplug your server in one last desperate attempt to save it, the attack will still be there waiting for you when you plug it back in. How? MINIX can do all this because it runs at a fundamentally lower level. [...] According to Minnich, "there are big giant holes that people can drive exploits through." He continued, "Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared." Also read: Andrew S. Tanenbaum's (a professor of Computer Science at Vrije Universiteit) open letter to Intel.
Printer

MakerBot Launches New 'MakerBot Labs' Platform (hackaday.com) 42

"MakerBot just announced a new Open Source initiative called 'MakerBot Labs'," writes Slashdot reader szczys. "It is a small move, centering around some new APIs and a new extruder which is listed as experimental and not covered by their normal warranty. Largely they missed the mark on making a meaningful move toward openness, but with a new CEO at the helm as of January this could be the first change of the rudder in a larger effort to turn the ship around."

Makerbot's history is "an example of how you absolutely should not operate an open source company," argues Hackaday, saying it's left them skeptical of Makerbot's latest move: It reads like a company making a last ditch effort to win back the users they were so sure they didn't need just a few years ago... The wheels of progress turn slowly in any large organization, and perhaps doubly so in one that has gone through so much turmoil in a relatively short amount of time. It could be that it's taken Goshen these last nine months to start crafting a plan to get MakerBot back into the community's good graces.
From MakerBot's press release: "After setting high industry standards for what makes a quality and reliable 3D printing experience, we're introducing this new, more open platform as a direct response to our advanced users calling for greater freedom with materials and software."
DRM

Denuvo's DRM Now Being Cracked Within Hours of Release (arstechnica.com) 113

Denuvo, an anti-tamper technology and digital rights management scheme, isn't doing a very good job preventing PC games from being copied. According to Ars Technica, Denuvo releases are being publicly cracked within a day of their launch. From the report: This week's release of South Park: The Fractured but Whole is the latest to see its protections broken less than 24 hours after its release, but it's not alone. Middle Earth: Shadow of War was broken within a day last week, and last month saw cracks for Total War: Warhammer 2 and FIFA 18 the very same day as their public release. Then there's The Evil Within 2, which reportedly used Denuvo in prerelease review copies but then launched without that protection last week, effectively ceding the game to immediate potential piracy. Those nearly instant Denuvo cracks follow summer releases like Sonic Mania, Tekken 7, and Prey, all of which saw DRM protection cracked within four to nine days of release. But even that small difference in the "uncracked" protection window can be important for game publishers, who usually see a large proportion of their legitimate sales in those first few days of availability. The presence of an easy-to-find cracked version in that launch window (or lack thereof) could have a significant effect on the initial sales momentum for a big release. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers.
DRM

Hollywood's International War on Kodi Plugins And Video-Streaming Boxes (eff.org) 57

An anonymous reader quotes the EFF: In the past few years, the sale of pre-configured Kodi boxes, and the availability of a range of plugins providing access to streaming media, has seen the software's popularity balloon -- and made it the latest target of Hollywood's copyright enforcement juggernaut. We've seen this in the appearance of streaming media boxes as an enforcement priority in the U.S. Trade Representative's Special 301 Report, in proposals for new legislation targeting the sale of "illicit" media boxes, and in lawsuits that have been brought on both sides of the Atlantic to address the "problem" that media boxes running Kodi, like any Web browser, can be used to access media streams that were not authorized by the copyright holder...

The difficulty facing the titans of TV is that since neither those who sell Kodi boxes, nor those who write or host add-ons for the software, are engaging in any unauthorized copying by doing so, cases targeting these parties have to rely on other legal theories. So far several legal theories have been used; one in Europe against sellers of Kodi boxes, one in Canada against the owner of the popular Kodi add-on repository TVAddons, and two in the United States against TVAddons and a plugin developer... These lawsuits by big TV incumbents seem to have a few goals: to expand the scope of secondary copyright infringement yet again, to force major Kodi add-on distributors off of the Internet, and to smear and discourage open source, freely configurable media players by focusing on the few bad actors in that ecosystem.

The EFF details the specific lawsuits in each region, and concludes that their courts "should reject these expansions of copyright liability, and TV networks should not target neutral platforms and technologies for abusive lawsuits."
DRM

Corporations Just Quietly Changed How the Web Works (theoutline.com) 248

Adrianne Jeffries, a reporter at The Outline, writes on W3C's announcement from earlier this week: The trouble with DRM is that it's sort of ineffective. It tends to make things inconvenient for people who legitimately bought a song or movie while failing to stop piracy. Some rights holders, like Ubisoft, have come around to the idea that DRM is counterproductive. Steve Jobs famously wrote about the inanity of DRM in 2007. But other rights holders, like Netflix, are doubling down. The prevailing winds at the consortium concluded that DRM is now a fact of life, and so it would be better to at least make the experience a bit smoother for users. If the consortium didn't work with companies like Netflix, Berners-Lee wrote in a blog post, those companies would just stop delivering video over the web and force people into their own proprietary apps. The idea that the best stuff on the internet will be hidden behind walls in apps rather than accessible through any browser is the mortal fear for open web lovers; it's like replacing one library with many stores that each only carry books for one publisher. "It is important to support EME as providing a relatively safe online environment in which to watch a movie, as well as the most convenient," Berners-Lee wrote, "and one which makes it a part of the interconnected discourse of humanity." Mozilla, the nonprofit that makes the browser Firefox, similarly held its nose and cooperated on the EME standard. "It doesn't strike the correct balance between protecting individual people and protecting digital content," it said in a blog post. "The content providers require that a key part of the system be closed source, something that goes against Mozilla's fundamental approach. We very much want to see a different system. Unfortunately, Mozilla alone cannot change the industry on DRM at this point."
Electronic Frontier Foundation

EFF Resigns From Web Consortium In Wake of EME DRM Standardization (eff.org) 221

New submitter Frobnicator writes: Four years ago, the W3C began standardizing Encrypted Media Extensions, or EME. Several organizations, including the EFF, have argued against DRM within web browsers. Earlier this year, after the W3C leadership officially recommended EME despite failing to reach consensus, the EFF filed the first-ever official appeal that the decision be formally polled for consensus. That appeal has been denied, and for the first time the W3C is endorsing a standard against the consensus of its members.

In response, the EFF published their resignation from the body: "The W3C is a body that ostensibly operates on consensus. Nevertheless, as the coalition in support of a DRM compromise grew and grew -- and the large corporate members continued to reject any meaningful compromise -- the W3C leadership persisted in treating EME as a topic that could be decided by one side of the debate. [...] Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. Effective today, EFF is resigning from the W3C."
Jeff Jaffe, CEO of W3C said: "I know from my conversations that many people are not satisfied with the result. EME proponents wanted a faster decision with less drama. EME critics want a protective covenant. And there is reason to respect those who want a better result. But my personal reflection is that we took the appropriate time to have a respectful debate about a complex set of issues and provide a result that will improve the web for its users. My main hope, though, is that whatever point-of-view people have on the EME covenant issue, that they recognize the value of the W3C community and process in arriving at a decision for an inherently contentious issue. We are in our best light when we are facilitating the debate on important issues that face the web."
DRM

HTML5 DRM Standard Is a Go (arstechnica.com) 154

Artem Tashkinov writes: The World Wide Web Consortium (W3C), the industry body that oversees development of HTML and related Web standards, has today published the Encrypted Media Extensions (EME) specification as a Recommendation, marking its final blessing as an official Web standard. Final approval came after the W3C's members voted 58.4 percent to approve the spec, 30.8 percent to oppose, with 10.8 percent abstaining. EME provides a standard interface for DRM protection of media delivered through the browser. EME is not itself a DRM scheme; rather, it defines how Web content can work with third-party Content Decryption Modules (CDMs) that handle the proprietary decryption and rights-management portion. The principal groups favoring the development of EME have been streaming media companies such as Netflix and Microsoft, Google, and Apple, companies that both develop browsers and operate streaming media services. Following the announcement, EFF wrote a letter to W3C director, chief executive officer and team, in which it expressed its disappointment and said it was resigning from the W3C.
Music

EU Sides With RIAA, Says YouTube Underpays For Music Streaming (mercurynews.com) 82

Profits from both CD sales and digital downloads are declining, while online streaming now accounts for the majority of the $7.7 billion U.S. music market, according to a new article. And the music industry's newest complaint is that 25% of music streaming is happening on YouTube, which they believe is paying them too little. An anonymous reader quotes the San Jose Mercury News: Now, the battle is heating up as the European Union is expected to release new rules later this year for how services such as YouTube handle music, potentially upending some of the copyright protections that undergird the Internet... The E.U. has formally recognized that there is a "value gap" between song royalties and what user-upload services such as YouTube earn from selling ads while playing music... How such a law would address the gap is still being decided, but the E.U. has indicated it plans to focus on ensuring copyright holders are "properly remunerated." Even the value gap's existence is disputed.

A recent economic study commissioned by YouTube found no value gap -- in fact, the report said YouTube promotes the music industry, and if YouTube stopped playing music, 85 percent of users would flock to services that offered lower or no royalties. A different study by an independent consulting group pegged the YouTube value gap at more than $650 million in the United States alone. "YouTube is viewed as a giant obstacle in the path to success for the streaming marketplace," said Mitch Glazier, president of the Recording Industry Association of America... YouTube pays an estimated $1 per 1,000 plays on average, while Spotify and Apple music pay a rate closer to $7... The music industry claims YouTube has avoided paying a fair-market rate by hiding behind broad legal protections. In the United States, that's the "safe harbor" provision, which essentially says YouTube is not to blame if someone uploads a copy-protected song -- unless the copyright holder complains.

YouTube argues that its automatic Content ID system recognizes 98% of all copyright-infringing uploads -- and that each year they're already paying the music industry $1 billion in royalties.
DRM

EFF Officially Appeals Tim Berners-Lee Decision On DRM In HTML (techdirt.com) 149

Last week, the World Wide Web Consortium (W3C) decided to officially recommend the use of Encrypted Media Extensions (EME) for protecting copyrighted video on the internet. This will enable web surfers to watch media in a browser that requires Digital Rights Management copy protection without the need for browser-based plugins. "It moves the responsibility for interaction from plugins to the browser," the consortium stated at the time. "As such, EME offers a better user experience, bringing greater interoperability, privacy, security, and accessibility to viewing encrypted video on the web." TechDirt shares an update: It's been a foregone conclusion that EME was going to get approved, but there was a smaller fight about whether or not W3C would back a covenant not to sue security and privacy researchers who would be investigating (and sometimes breaking) that encryption. Due to massive pushback from the likes of the MPAA and (unfortunately) Netflix, Tim Berners-Lee rejected this covenant proposal. In response, W3C member EFF has now filed a notice of appeal on the decision. The crux of the appeal is the claimed benefits of EME that Berners-Lee put forth won't actually be benefits without the freedom of security researchers to audit the technology -- and that the wider W3C membership should have been able to vote on the issue. This appeals process has never been used before at the W3C, even though it's officially part of its charter -- so no one's entirely sure what happens next.
DRM

FSF Sees Hopeful Signs Before Sunday's 'Day Against DRM' (defectivebydesign.org) 124

The Free Software Foundation's anti-DRM initiative "Defective By Design" argues that since last year's annual Day Against DRM, "we've seen cracks appearing in the foundation of the DRM status quo." The companies that profit from Digital Restrictions Management are still trying to expand the system of law and technology that weakens our security and curtails our rights, in an effort to prop up their exploitative business models. But since the last International Day Against DRM, the TPP trade agreement -- a key pro-DRM initiative -- crashed and burned. And our allies at the Electronic Frontier Foundation brought major legal and regulatory challenges against DRM in Washington DC... If we play our cards right, this may be the beginning of the end of DRM.

On Sunday, July 9, 2017, we will channel this momentum into the International Day Against DRM. We'll be gathering, protesting, and making -- showing the world that we insist on a future without Digital Restrictions Management. Will you join us? Here's what you can do now:

They're asking supporters to plan a protest, translate their fliers into more languages, voice support in videos and blog posts, or make endorsements. And you can also join the "DRM Elimination crew" mailing list or their Freenode IRC channel #dbd for year-round conversation and collaboration with the anti-DRM movement -- or simply make a donation to show your support.
Businesses

Tim Berners-Lee Approves Web DRM, But W3C Members Have Two Weeks To Appeal (defectivebydesign.org) 137

Reader Atticus Rex writes: A highly controversial Web standard has received a seal of approval from Tim Berners-Lee, the inventor of the Web and its chief technical decision-maker. Opponents like the Free Software Foundation and Electronic Frontier Foundation say that the standard, Encrypted Media Extensions, is a step backwards for freedom, privacy, and a host of other rights on the Web.

There's still a two-week window in which members of the W3C can appeal the decision, and the Free Software Foundation is asking people to email and encourage them to do so.
Update: The W3C has announced that it would publish its DRM standard with no protections and no compromises at all.
Books

O'Reilly No Longer Selling Individual Books, Videos Online 82

dovf writes: Just got an email from O'Reilly Media that as of today, they are no longer selling individual books or videos online -- rather, they are encouraging people to sign up for Safari. They are continuing to publish books and videos, "and you'll still be able to buy them at Amazon and other retailers." They also make it clear that we will not lose access to already-purchased content, updates to such content, etc. More details can be found in the FAQ. No mention, though, of whether the content sold at these other retailers will remain DRM-free... From the FAQ: "You can buy all of the books (ebooks and print) at shop.oreilly.com from Amazon and other digital and bricks-and-mortar retailers. We're no longer selling individual books and videos via shop.oreilly.com -- but we are definitely continuing to publish books and videos on the topics you need to know. And of course, every O'Reilly book and video (including O'Reilly conference sessions) is available instantly on Safari." The only mention of "DRM" in the FAQ is in regard to what happens to the digital content you have in your account at members.oreilly.com. According to O'Reilly, "Your DRM-free ebooks and videos are safe and sound, and you'll continue to have free lifetime access to download them anytime, anywhere."
Anime

New 'Lupin III' Commentary Track Celebrates The Glories Of Ignoring Copyrights (terrania.us) 71

In 2004, film critic Roger Ebert "realized that auteurs weren't the only ones who had things to say about movies, and suggested that experts in other fields or even just fans of the movies could create MP3 commentary tracks to discuss their favorite films, which could then be downloaded and played alongside them." This inspired Slashdot reader #14,247 to produce his own commentary on Hayao Miyazaki's first movie, Lupin III: Castle of Cagliostro -- and 13 years later, to release a new commentary track celebrating the film's 35th anniversary. Robotech_Master writes: Among other things, it offers proof that excessive copyright really harms creativity by restricting the uses people are able to make of prior art -- by showing what can happen when people get away with ignoring copyright and creating anyway. Not only were Lupin III and Cagliostro effectively inspired as "fanfic" of characters and works that had come before, many of those characters and works were effectively fanfic themselves -- and Cagliostro in turn inspired parts of a number of other works that came afterward, including a couple by Disney.
Anyone else have a favorite example of a movie that bends the rules of copyright law?
Movies

Studio-Defying VidAngel Launches New Video-Filtering Platform (yahoo.com) 201

Last December VidAngel fought three Hollywood studios in court for the right to stream filtered versions of movies. Now fogez reports that "they have come up with a new tactic in their attempts to bring filtering choice into the streaming media equation. Instead of leveraging the legal loophole that landed them in court, VidAngel is now going to insert themselves as a filtering proxy for services like Netflix and Amazon." From the Hollywood Reporter: Its new $7.99 per month service piggybacks on users' streaming accounts. Customers log into the VidAngel app, link it to their other accounts and then filter out the language, nudity and violence in that content to their heart's desire... "Out of the gate we'll be supporting Netflix and Amazon and HBO through Amazon channels," says Harmon, adding that Hulu, iTunes and Vudu will follow... Harmon says it remains to be seen if the studios will fight VidAngel's new platform, but his biggest concern is how Amazon and Netflix will respond. He says his company has reached out to the streamers, and he hopes they'll raise any concerns through conversation instead of litigation... "VidAngel's philosophy is very libertarian," he says. "Let directors create what they want, and let viewers watch how they want in their own home. That kind of philosophy respects the views of both parties."
The original submission describes the conflict as "freedom of choice versus Hollywood."
DRM

'Rime' Developer Keeps Promise, Removes Denuvo DRM After Game Gets Cracked (cinemablend.com) 133

An anonymous reader quotes CinemaBlend: Tequila Works and Grey Box had previously announced that the DRM for the PC version of Rime would be removed if it were cracked. Well, in just five days the DRM was cracked and a cracked version of the game was made available online. So, now the DRM will be removed...

Five days after the PC launch of Rime, the cracking scene managed to get into the executable and spill all of its guts, removing the DRM and putting the exe back together so it could be distributed across the usual sites. One of the things noted by the cracker was that he found Denuvo executing hundreds of triggers a second, which caused major slowdown in the performance of Rime on PC. This form of digital rights management resulted in every legitimate customer having to deal with a lot of slowdown and performance hiccups... The sad reality was that those who pirated Rime and used the cracked file essentially gained access to a game that had improved performance and frame-rates over those who actually paid for the game.

The Courts

The Lawyer Who Founded Prenda Law Just Got Disbarred (engadget.com) 62

Long-time Slashdot reader lactose99 writes: One of the original copyright trolls finally got their comeuppance. From TFA: "John L. Steele, a Chicago lawyer who pled guilty to perjury, fraud and money laundering resulting from alleged 'honeypot' schemes, has just been disbarred by an Illinois court." John L. Steele, as you may know, is one of the principals of Prenda Law, a notorious copyright troll who has been featured on /. several times. The article goes on to describe how the Prenda lawyers used honeypot-like tactics to trick people into downloads and then subsequently scammed them for copyright violations.
Their operation brought in $6 million in settlement fees, reports Engadget, adding "While it is illegal to download copyrighted files from file-sharing sites, it is also against the law to extort downloaders."
Security

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) 53

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.
Android

Netflix Says No To Unlocked Android Smartphones (androidpolice.com) 255

An anonymous reader writes: Last week Netflix app started showing up as "incompatible" on the Play Store for rooted and unlocked Android devices. However, the app itself continued to work fine, leading some to think it could have been an accident. However, Netflix has now confirmed to blog AndroidPolice that blocking modified devices from downloading the app was intentional. This is the full statement: "With our latest 5.0 release, we now fully rely on the Widevine DRM provided by Google; therefore, many devices that are not Google-certified or have been altered will no longer work with our latest app and those users will no longer see the Netflix app in the Play Store."
