DRM

An Open Letter on DRM To the Inventor of the Web, From the Inventor of Net Neutrality (boingboing.net) 45

Tim Wu, a law professor at Columbia University who is best known for coining the term "net neutrality," has published an open letter to Tim Berners-Lee, the creator of the web and director of the World Wide Web Consortium (W3C). In the letter, Wu asks Berners-Lee to "seriously consider extending a protective covenant to legitimate circumventers who have cause to bypass EME, should it emerge as a W3C standard." Cory Doctorow writes for BoingBoing: But Wu goes on to draw a connection between the problems of DRM and the problems of network discrimination: DRM is wrapped up in a layer of legal entanglements (notably section 1201 of America's Digital Millennium Copyright Act), which allow similar kinds of anticompetitive and ugly practices that make net neutrality so important. This is a live issue, too, because the W3C just held the most contentious vote in its decades-long history, on whether to publish a DRM standard for the web without any of the proposed legal protections for companies that create the kinds of competing products and services that the law permits, except when DRM is involved. As Wu points out, this sets up a situation where the incumbents get to create monopolies that produce the same problems for the open web that network neutrality advocates -- like Berners-Lee -- worry about.
Bitcoin

Backdoor Could Allow Company To Shut Down 70% of All Bitcoin Mining Operations (bleepingcomputer.com) 101

An anonymous reader writes: "An anonymous security researcher has published details on a vulnerability named "Antbleed," which the author claims is a remote backdoor affecting Bitcoin mining equipment sold by Bitmain, the largest vendor of crypto-currency mining hardware on the market," reports Bleeping Computer. The backdoor code works by reporting mining equipment details to Bitmain servers, who can reply by instructing the customer's equipment to shut down. Supposedly introduced as a crude DRM to control illegal equipment, the company forgot to tell anyone about it, and even ignored a user who reported it last fall. One of the Bitcoin Core developers claims that if such a command would ever be sent, it could potentially brick the customer's device for good. Bitmain is today's most popular seller of Bitcoin mining hardware, and its products account for 70% of the entire Bitcoin mining market. If someone hijacks the domain where this backdoor reports, he could be in the position to shut down Bitcoin mining operations all over the world, which are nothing more than the computations that verify Bitcoin transactions, effectively shutting down the entire Bitcoin ecosystem. Fortunately, there's a way to mitigate the backdoor's actions using local hosts files.
GNU is Not Unix

Richard Stallman Interviewed By Bryan Lunduke (youtube.com) 171

Many Slashdot readers know Bryan Lunduke as the creator of the humorous "Linux Sucks" presentations at the annual Southern California Linux Exposition. He's now also a member of the OpenSUSE project board and an all-around open source guy. (In September, he released every one of his books, videos and comics under a Creative Commons license, while his Patreon page offers a tip jar and premiums for monthly patrons). But now he's also got a new "daily computing/nerd show" on YouTube, and last week -- using nothing but free software -- he interviewed the 64-year-old founder of the Free Software Foundation, Richard Stallman. "We talk about everything from the W3C's stance on DRM to opinions on the movie Galaxy Quest," Lunduke explains in the show's notes.

Click through to read some of the highlights.
DRM

The Kodi Development Team Wants To Be Legitimate and Bring DRM To the Platform. (torrentfreak.com) 156

New submitter pecosdave writes: The XBMC/Kodi development team has taken a lot of heat over the years, mostly due to third-party developers introducing piracy plugins to the platform. In many cases, cheap Android computers are often sold with these plugins pre-installed with the Kodi or XBMC name attached to them -- something that caused Amazon to ban sales of such devices. The Kodi team is not happy about this, and has taken the fight to the sellers. The Kodi team is now trying to work with rights holders to introduce DRM and legitimate plugins to the platform. Is this the first step towards creating a true one-stop do-it-yourself Linux entertainment system?
DRM

American Farmers Are Still Fighting Tractor Software Locks (npr.org) 316

Manufacturers lock consumers into restrictive "user agreements," and inside "there's things like you won't open the case, you won't repair," complains a U.S. advocacy group called The Repair Association. But now the issue is getting some more attention in the American press. An anonymous reader quotes NPR: Modern tractors, essentially, have two keys to make the engine work. One key starts the engine. But because today's tractors are high-tech machines that can steer themselves by GPS, you also need a software key -- to fix the programs that make a tractor run properly. And farmers don't get that key.

"You're paying for the metal but the electronic parts technically you don't own it. They do," says Kyle Schwarting, who plants and harvests fields in southeast Nebraska... "Maybe a gasket or something you can fix, but everything else is computer controlled and so if it breaks down I'm really in a bad spot," Schwarting says. He has to call the dealer. Only dealerships have the software to make those parts work, and it costs hundreds of dollars just to get a service call. Schwarting worries about being broken down in a field, waiting for a dealer to show up with a software key.

The article points out that equipment dealers are using those expensive repair calls to offset slumping tractor sales. But it also reports that eight U.S. states, including Nebraska, Illinois and New York, are still considering bills requiring manufacturers to sell repair software, adding that after Massachusetts passed a similar law, "car makers started selling repair software."
Government

Should The FBI Have Arrested 'The Hacker Who Hacked No One'? (thedailybeast.com) 227

Last week The Daily Beast ran an article about the FBI's arrest of "the hacker who hacked no one." In December they'd arrested 26-year-old Taylor Huddleston, "the author of a remote administration tool, or RAT, called NanoCore that happens to be popular with hackers." It's been "linked to intrusions in at least 10 countries," reported Kevin Poulsen, but "as Huddleston sees it, he's a victim himself -- hackers have been pirating his program for years and using it to commit crimes."

The article quotes Huddleston's lawyer, as well as a Cornell law professor who warns of the "chilling effect" of its implications on programmers. But it also says security experts who examined the software are "inherently skeptical" of Huddleston's claim that the software was intended for legal use, since that's "a common claim amongst RAT authors." Security researcher Brian Krebs also sees "a more complex and nuanced picture" after "a closer look at the government's side of the story -- as well as public postings left behind by the accused and his alleged accomplices."

Click through for the rest of the story.
Movies

Netflix Now Lets You Download Videos Onto Your PC (pcworld.com) 60

Netflix now offers offline streaming via its Windows 10 PC application, meaning you'll have even more options wherever you're stuck without Internet access. From a report: Netflix added the offline viewing options as part of the most recent update to the Netflix app on Windows 10. Because the Windows Store doesn't show you what version of the Netflix app you're using, just make sure you check for updates using the large blue button in the upper-right corner of the Windows Store app to receive the latest version. You won't need the Creators Update to take advantage of the new feature, either. When you open the app, Netflix will show you a large splash screen that advertises the new "download and go" capability. Unfortunately, if you click the Find me something to download button, the Netflix app doesn't currently display a list of downloadable titles; you'll have to hunt them down yourself. Netflix introduced the same capability on iOS and Android late last year. It's a bold move by Netflix to bring this feature to desktop. There is always the risk of someone finding out a way to break the DRM and easily distribute the files.
The Internet

FSF Activists Want You To Call Tim Berners-Lee About DRM (boingboing.net) 126

"The Free Software Foundation is calling on netizens to make calls to the W3C demanding they not include DRM in Web standards," an anonymous reader writes. Cory Doctorow reports: There's only two weeks left until members of the World Wide Web Consortium vote on whether the web's premier open standards organization will add DRM to the toolkit available to web developers, without effecting any protections for people who discover security vulnerabilities that affect billions of web users, let alone people who adapt web tools for those with disabilities and people who create legitimate, innovative new technologies to improve web video.
Tim Berners-Lee has final say over this change, according to the article, which directs callers to urge him to "keep the web free and open, rather than rescuing DRM from its slow collapse due to the complexity of fielding and supporting it without standards like those the W3C makes."
DRM

W3C Erects DRM As Web Standard (theregister.co.uk) 260

The World Wide Web Consortium (W3C) has formally put forward highly controversial digital rights management as a new web standard. "Dubbed Encrypted Media Extensions (EME), this anti-piracy mechanism was crafted by engineers from Google, Microsoft, and Netflix, and has been in development for some time," reports The Register. "The DRM is supposed to thwart copyright infringement by stopping people from ripping video and other content from encrypted high-quality streams." From the report: The latest draft was published last week and formally put forward as a proposed standard soon after. Under W3C rules, a decision over whether to officially adopt EME will depend on a poll of its members. That survey was sent out yesterday and member organizations, who pay an annual fee that varies from $2,250 for the smallest non-profits to $77,000 for larger corporations, will have until April 19 to register their opinions. If EME gets the consortium's rubber stamp of approval, it will lock down the standard for web browsers and video streamers to implement and roll out. The proposed standard is expected to succeed, especially after web founder and W3C director Sir Tim Berners-Lee personally endorsed the measure, arguing that the standard simply reflects modern realities and would allow for greater interoperability and improve online privacy. But EME still faces considerable opposition. One of its most persistent vocal opponents, Cory Doctorow of the Electronic Frontier Foundation, argues that EME "would give corporations the new right to sue people who engaged in legal activity." He is referring to the most recent controversy where the W3C has tried to strike a balance between legitimate security researchers investigating vulnerabilities in digital rights management software, and hackers trying to circumvent content protection. 
The W3C notes that the EME specification includes sections on security and privacy, but concedes "the lack of consensus to protect security researchers remains an issue." Its proposed solution remains "establishing best practices for responsible vulnerability disclosure." It also notes that issues of accessibility were ruled to be outside the scope of the EME, although there is an entire webpage dedicated to those issues and finding solutions to them.
Software

Why American Farmers Are Hacking Their Tractors With Ukrainian Firmware (vice.com) 500

Tractor owners across the country are reportedly hacking their John Deere tractors using firmware that's cracked in Eastern Europe and traded on invite-only, paid online forums. The reason is that John Deere and other manufacturers have "made it impossible to perform 'unauthorized' repair on farm equipment," which has obviously upset many farmers who see it "as an attack on their sovereignty and quite possibly an existential threat to their livelihood if their tractor breaks at an inopportune time," reports Jason Koebler via Motherboard. As is the case with most modern-day engineering vehicles, the mechanical problems experienced with the newer farming tractors are often remedied via software. From the report: The nightmare scenario, and a fear I heard expressed over and over again in talking with farmers, is that John Deere could remotely shut down a tractor and there wouldn't be anything a farmer could do about it. A license agreement John Deere required farmers to sign in October forbids nearly all repair and modification to farming equipment, and prevents farmers from suing for "crop loss, lost profits, loss of goodwill, loss of use of equipment [...] arising from the performance or non-performance of any aspect of the software." The agreement applies to anyone who turns the key or otherwise uses a John Deere tractor with embedded software. It means that only John Deere dealerships and "authorized" repair shops can work on newer tractors. "If a farmer bought the tractor, he should be able to do whatever he wants with it," Kevin Kenney, a farmer and right-to-repair advocate in Nebraska, told me. "You want to replace a transmission and you take it to an independent mechanic -- he can put in the new transmission but the tractor can't drive out of the shop. Deere charges $230, plus $130 an hour for a technician to drive out and plug a connector into their USB port to authorize the part."
"What you've got is technicians running around here with cracked Ukrainian John Deere software that they bought off the black market," he added.
Operating Systems

NetBSD 7.1 Released (netbsd.org) 45

New submitter fisted writes: The NetBSD Project is pleased to announce NetBSD 7.1, the first feature update of the NetBSD 7 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. Some highlights of the 7.1 release are:

-Support for Raspberry Pi Zero.
-Initial DRM/KMS support for NVIDIA graphics cards via nouveau (Disabled by default. Uncomment nouveau and nouveaufb in your kernel config to test).
-The addition of vioscsi, a driver for the Google Compute Engine disk.
-Linux compatibility improvements, allowing, e.g., the use of Adobe Flash Player 24.
-wm(4): C2000 KX and 2.5G support; Wake On Lan support; 82575 and newer SERDES based systems now work.
-ODROID-C1 Ethernet now works.
-Numerous bug fixes and stability improvements.

NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone. Free support services are available via our mailing lists and website. Commercial support is available from a variety of sources. More extensive information on NetBSD is available from http://www.NetBSD.org.
You can download NetBSD 7.1 from one of these mirror sites.
Movies

How Seven Movie Studios Forced A Pirated Movie Site Offline (hollywoodreporter.com) 136

A major pirated movie site went offline last month after seven Hollywood studios won a preliminary court injunction. An anonymous reader quotes the Hollywood Reporter: The MPAA-member studios sued the operators of PubFilm/PidTV in February, asking the court for a temporary restraining order to shut down what it described as a ring of six interconnected large-scale piracy sites. The suit was initially sealed, but was made public on Friday. Warner Bros, 20th Century Fox, Columbia Pictures, Universal, Disney, Paramount and Viacom are named as plaintiffs in the suit for direct and secondary copyright infringement, trademark infringement and unfair competition.

They're seeking statutory damages of $150,000 per infringement plus restitution of the sites' profits. So, depending on how many instances of infringement are discovered, the damages in this case could be astronomical. The studios claim the sites had more than 8 million visitors each month, nearly half of which were linked to IP addresses in the U.S... The sites are believed to be operated in Vietnam.

The court also ordered GoDaddy, VeriSign and Enom to disable all six domain names, to prevent the domains from being transferred, and to do it without communicating or warning the sites' owners first. In response, the defendants purchased a new domain, and then began publicizing it with ads on Google AdSense.
Piracy

A Prenda Copyright Troll Finally Pleaded Guilty (popehat.com) 46

"One of the attorneys behind the Prenda Law 'copyright trolling' scheme has pleaded guilty to federal charges of fraud and money laundering," reports Ars Technica. Long-time Slashdot reader Freshly Exhumed shares this article from the law blog Popehat: The factual basis section -- which Steele admits is true (as to facts he knows) or that the government can prove (as to facts he doesn't know directly) -- is a startling 16 pages long [PDF] and lavishly documents the entire scheme, complete with many details that accusers have been pointing out for years. In short, Steele admits that he and Hansmeier used sham entities to obtain the copyright to (or in some cases film) porn, uploaded it to file-sharing websites, and then filed "false and deceptive" copyright suits against downloaders designed to conceal their role in distributing the films and their stake in the outcomes. They lied to courts themselves, sent others to court to lie, lied at depositions, lied in sworn affidavits, created sham entities as plaintiffs, created fraudulent hacking allegations to try to obtain discovery into the identity of downloaders, used "ruse defendants" (strawmen, in effect) to get courts to approve broad discovery into IP addresses.
Facing a maximum of 40 years in prison, Steele could get his sentence reduced if he testifies against Hansmeier, according to the article, and "Steele appears to have pinned all of his hopes on that option... I've seen a lot of plea agreements in a lot of federal cases, and I don't recall another one that so clearly conveyed the defendant utterly surrendering and accepting everything the government demanded, all in hopes of talking his sentence down later."
DRM

Free Software Foundation Challenges Tim Berners-Lee On DRM (defectivebydesign.org) 207

Slashdot reader Atticus Rex writes: On Monday, W3C (World Wide Web Consortium) director Tim Berners-Lee released a post defending his decision to allow Netflix, Microsoft, Apple and Google to enshrine DRM in Web standards, arguing that blocking it would be pointless. Zak Rogoff, FSF campaigns manager, writes in the response:

"As Director of the W3C (World Wide Web Consortium), Berners-Lee has the ability to block [the DRM proposal] from ratification as an official Web standard... Of course, a refusal to ratify could not immediately stop the use of DRM, but it could meaningfully weaken the position of DRM in the court of public opinion, and put EME proponents Netflix, Microsoft, Apple, and Google on notice that a very prominent figure was willing to stand up to them on behalf of users. Changes in society's technological infrastructure require political movements, not just technological arguments, and political movements benefit greatly from the support of prominent figures."

Berners-Lee takes the position that "The web has to be universal, to function at all. It has to be capable of holding crazy ideas of the moment, but also the well polished ideas of the century. It must be able to handle any language and culture. It must be able to include information of all types, and media of many genres. Included in that universality is that it must be able to support free stuff and for-pay stuff, as they are all part of this world.

"This means that it is good for the web to be able to include movies, and so for that, it is better for HTML5 to have EME than to not have it."
DRM

DRM Company Denuvo Forgets To Secure Its Server, Leaks Two Years Of Emails (torrentfreak.com) 77

Denuvo "left several private directories on its website open to the public," TorrentFreak wrote Sunday, calling it "an embarrassing blunder" for the digital rights management company. "Members of the cracking community are downloading and scrutinizing the contents," the site reports, with one of the finds being an 11-megabyte text file which apparently contains every message sent through Denuvo's web site since 2014. An anonymous reader writes: There's a message from Google's security team, one from Capcom Japan, and "dozens of emails from angry pirates, each looking to vent their anger," according to TorrentFreak. Ars Technica reports that there's also a 2015 message from Microsoft about "an upcoming initiative," as well as messages from several game studios, and even one from the producers of Mavis Beacon Teaches Typing. "Combing the log file brings up countless spam messages, along with complaints, confused 'why won't this game work' queries from apparent pirates, and even threats (an example: 'for what you did to arkham knight I will find you and I will kill you and all of your loved ones, this I promise you CEO of this SHIT drm')."

"Since Denuvo's contact page does not contain a link to a private e-mail address -- only a contact form and a phone number to the company's Austrian headquarters -- the form appears to also have been used by many game developers and publishers." And in addition, "much of Denuvo's web database content appears to be entirely unsecured, with root directories for 'fileadmin' and 'logs' sitting in the open right now."

In addition, there's also a slideshow -- which has since been uploaded to Imgur -- bragging that "With over 300 man years of development experience among us, we clearly know what we're doing."
DRM

Windows DRM-Protected Files Used To Decloak Tor Browser Users (bleepingcomputer.com) 150

An anonymous reader writes from a report via BleepingComputer: Downloading and trying to open Windows DRM-protected multimedia files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned. On Windows, multimedia files encoded with special Microsoft SDK will automatically open an IE window and access a URL to check the file's license. Since this request is sent outside of the Tor Browser and without user interaction, this can be used to ping law enforcement servers and detect the user's real IP address and other details. For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user would try to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency. The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more. A video of the attack is available here.
Chrome

Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net) 95

JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News.
Chrome

Google Removes Plugin Controls From Chrome, Reports Claim (ghacks.net) 106

An anonymous reader shares a Ghacks report: Google made a change in Chrome 57 that removes options from the browser to manage plugins such as Google Widevine, Adobe Flash, or the Chrome PDF Viewer. If you load chrome://plugins in Chrome 56 or earlier, a list of installed plugins is displayed to you. You can use it, among other things, to disable plugins that you don't require. While you can do the same for some plugins, Flash and PDF Viewer, using Chrome's Settings, the same is not possible for the DRM plugin Widevine, and any other plugin Google may add to Chrome in the future. Starting with Chrome 57, that option is no longer available. This means essentially that Chrome users won't be able to disable -- some -- plugins anymore, or even list the plugins that are installed in the web browser. Please note that this affects Google Chrome and Chromium. Further report on BetaNews.
Intel

Intel Core I7-7700K Kaby Lake Review By Ars Technica: Is the Desktop CPU Dead? (arstechnica.co.uk) 240

Reader joshtops writes: Ars Technica has reviewed the much-anticipated Intel Core i7-7700K Kaby Lake, the recently launched desktop processor from the giant chipmaker. And it's anything but a good sign for enthusiasts who were hoping to see significant improvements in performance. From the review, "The Intel Core i7-7700K is what happens when a chip company stops trying. The i7-7700K is the first desktop Intel chip in brave new post-"tick-tock" world -- which means that instead of major improvements to architecture, process, and instructions per clock (IPC), we get slightly higher clock speeds and a way to decode DRM-laden 4K streaming video. [...] If you're still rocking an older Ivy Bridge or Haswell processor and weren't convinced to upgrade to Skylake, there's little reason to upgrade to Kaby Lake. Even Sandy Bridge users may want to consider other upgrades first, such as a new SSD or graphics card. The first Sandy Bridge parts were released six years ago, in January 2011. [...] As it stands, what we have with Kaby Lake desktop is effectively Sandy Bridge polished to within an inch of its life, a once-groundbreaking CPU architecture hacked, and tweaked, and mangled into ever smaller manufacturing processes and power envelopes. Where the next major leap in desktop computing power comes from is still up for debate -- but if Kaby Lake is any indication, it won't be coming from Intel. While Ars Technica has complained about the minimal upgrades, AnandTech looks at the positive side: The Core i7-7700K sits at the top of the stack, and performs like it. A number of enthusiasts complained when they launched the Skylake Core i7-6700K with a 4.0/4.2 GHz rating, as this was below the 4.0/4.4 GHz rating of the older Core i7-4790K. At this level, 200-400 MHz has been roughly the difference of a generational IPC upgrade, so users ended up with similar performing chips and the difference was more in the overclocking. 
However, given the Core i7-7700K comes out of the box with a 4.2/4.5 GHz arrangement, and support for Speed Shift v2, it handily mops the floor with the Devil's Canyon part, resigning it to history.
Electronic Frontier Foundation

2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org) 91

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
