Comment Re:DVDs are better (Score 1) 107

DRM means authenticating through a server (someplace), correct?

DMCA defines a "technological measure which limits access" (what we informally refer to as "DRM") in 1201(a)(3)(b) as

a technological measure “effectively controls access to a work” if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

Authenticating through a server is one way to implement DRM, but there are many other methods, where DMCA is every bit as applicable.

the DMCA is a thing... but can they do anything if they don't know about you copying/transcoding files to your phone or tablet or whatever?

Generally no, and especially with offline DRM schemes like what DVDs use, the copyright holder can't detect when you read the DVD, so right, you won't get caught. But of course the worst part of DMCA is not that it just prohibits doing things, but that it prohibits trafficking in tools for doing things. So the software for working with DVD DRM is illegal to create, distribute, sell, etc., which means I-know-nothing-about-computers grandma would have to go off the mainstream.

If grandma is a punk rock computer user, no problem. But most people these days apparently want to go to a centralized authority (probably within their own legal jurisdiction) and just click to install things, and any centralized authority is going to be at least somewhat vulnerable to trafficking charges. Or if they solve that problem by being outside US jurisdiction, they might have payment processing issues.

Again, you're not wrong that you can do these things with DVDs (I see how being able to watch them on an unconnected-to-internet bus definitely helps, compared to proprietary streaming) but there are barriers keeping it from being a general solution for everyone. Media without DRM lacks this problem.

Comment Re:Entitled much? (Score 1) 43

I think it's the very fact that you can (and probably should, at least to some degree) do more or less exactly that which makes this report seem so hysterical.

It's not like it's false that some Yandex software dude will probably cooperate if the FSB taps him on the shoulder and suggests that it's exciting and mandatory, while John Smith, corn-fed American patriot, is at least going to require some sweet-talking; but if you are just blindly grabbing 'package that some dude put on NPM' your problems are far deeper, and much less exciting, than nation-state sabotage. Even when doing their absolute best, programmers make mistakes all the time; so if the project is basically one dude who maybe debugs his own code if it's too broken, you have basically no reason to suspect that innocent vulnerabilities are getting caught; along with the risks posed by the relatively frequent compromises of dev credentials on the various repositories, and the risk that you'll be left unsupported if the random guy gets hit by a bus or finds a new hobby and just walks away.

It's fun to pretend that tedious, labor-intensive problems don't exist by focusing on sexy threats instead; so I'm not surprised that a 'security' vendor would be working this angle; but, fundamentally, if you are just grabbing random garbage off a repository every time one of your junior devs even thinks too hard about Docker, you are doing it wrong.

It also seems a bit silly because, if your real problem is nation-state adversaries rather than nobody actually looking (because it seems like it works, and why try harder?), it would likely be relatively trivial for the trojan horse project to add 'legitimacy'. You want multiple maintainers because we can't trust Sinister Yuri to police himself? Ok, it doesn't take a terribly impressive intelligence agency to conjure up a few additional contributors who make changes to the project from North American or western European IPs and time zones and have a thin but plausible trail of assorted tidbits that suggest that they are consultants or employees of random little companies in friendly nations. You call that a security check?

Comment Entitled much? (Score 4, Insightful) 43

"As a whole, the open source community should be paying more attention to this risk and mitigating it."

So, if I'm understanding this right, the solution is for more people to work for free so I can just blindly grab whatever; not for the people already getting their software for nothing to care even slightly about their dependencies?

Comment Re:Better yet, don't use buzzwords. (Score 4, Informative) 142

I think there are (at least) two different distinctions at work, rather than a direct opposition between 'buzzwords' and 'jargon' at the level you describe.

Both are jargons for the purposes of being nonstandard or very locally standardized usages within a particular group; but when people say 'buzzwords' there's a specific pejorative implication, while 'jargon' is usually implied to be legitimate and useful at least within its subject area.

Obviously legitimacy claims, rather than linguistic ones, make the boundary a bit fuzzy; but there are some tells. A jargon term (in the positive/legitimate sense) tends to go places: if someone doing analog signal processing says 'bandwidth' it may confuse ribbon enthusiasts; but it touches on a whole bunch of related concepts: bands have widths, and 'wideband' and 'narrowband' are what they sound like they would be; bandpass and bandgap filters do frequency-dependent attenuation in ways that either allow a particular band through or heavily attenuate a particular band. When a project manager says 'bandwidth' they mostly just mean ability to do work, with a slight extension available to say you are too busy if you don't want to say you are too busy: "I don't have the bandwidth/the team doesn't have the bandwidth". If you try to extend the concept, by, say, combining the 'bandwidth' of two people, you end up with The Mythical Man-Month rather than the link aggregation or NIC teaming that you'd get if you told the networking guy that you needed to eliminate a bottleneck. That's what really marks the example phrase as 'buzzword'. You've got a metaphor drawn from baseball that barely even makes sense in the context of the sport (people only 'touch base' if the timings on opposing teams are particularly tight); then 'offline' is at least meaningful in the context that it is drawn from, but actually kind of confusing in context (are you taking it offline because it doesn't need to be handled synchronously or by everyone in the meeting? Because you don't want it on the record? Because it doesn't require drawing on the connected resources it would have if it were online?); then you've got 'align', which is vague at best, misleading at worst (is 'aligning your bandwidth' working on the same things? specifically avoiding overlap? some of both?).

That's really, beyond more or less subjective judgements that engineering and science are more respectable than suit stuff, what makes 'buzzwords' feel slimy. Unlike 'jargon', which can be obscure to the layman but tends to have lots of internal connections that are consistent and enlightening, 'buzzwords' tend to be a lot of relatively surface-level borrowings that lack internal implications and which range from merely not-illuminating to actively obfuscating.

Linguistically both are jargons in the sense of being specialized local vocabularies; but 'buzzword' tends to imply little or no useful internal consistency, more or less ad-hoc borrowing of shiny-sounding words from random places; while 'jargons' in the 'respectable' sense are quite often cryptic on the surface, but have relatively massive bodies of internal consistency within the jargon. "Touch base" is practically plain English compared to what a mathematician or a physicist means when they say "field" vs. what a farmer or someone with a lawn in the suburbs means; but it's also shallow: there's nothing illuminating about the implied analogy to baseball, there aren't any additional things to be inferred from the idea that the people touching base are members of opposing teams trying to reach the base first (indeed, that's probably actively misleading); while 'field' as the set with specific operators defined is a little esoteric, there are large areas of math that use, and in some cases flow from, that definition.

Comment Re:DVDs are better (Score 1) 107

DVDs use DRM? Then, how do they work on an offline DVD player?

Yes, they use DRM. It's described here... though the rest of your post suggests you already knew the basics.

And yes, you can play, transcode, back up, etc. the data. You're right about that. But unfortunately, you're also right about this:

They fall under the DMCA, that's it.

And that's what causes many of the activities you describe to be illegal unless you get authorization from the copyright holder.

I point this out not because I'm some kind of Law Zealot, but because many people have inhibitions about violating the law, and while it's extremely unlikely you'll get caught, it nevertheless does come with some slight risk.

Offering DVDs as an example of "they can't take it away," like I said, is technically correct, but DVDs are nevertheless a poor example, since so many routine tasks involving them are illegal. Illegality tends to be a barrier to mainstream acceptance, and hampers utility in other ways.

Matroska files would be a better, more consumer-friendly example of "they can't take it away", since working with them doesn't come with as many legal difficulties (since there's no DRM, so DMCA doesn't apply).

Comment Re:DVDs are better (Score 2) 107

Like books, once you own a DVD it's yours. No one can take it away, alter it, or prevent you from watching when you want. It's always yours.

While that is technically correct ("the best kind...") it's legally incorrect.

DVDs use DRM. So, at any time, the copyright holder can revoke your authorization to watch them, even if there's no technical means to prevent you. (That's assuming they ever granted authorization to watch them in the first place, which is actually pretty unclear. Nowhere on a DVD or its case or paperwork have I seen any text suggesting that the copyright holder has granted permission to watch the DVD. I guess it's just sort of implied.)

DMCA makes it illegal to decrypt DRMed content without authorization from the copyright holder. Authorization is not something you buy (check your receipt; do you see it there?), so it's one of those things which can be given and taken away, at will. And (see above) that can be done without any communication or the consumer's knowledge. What you did legally a week ago might be illegal today, without any communication given to you.

Since you own and physically possess the DVD, you can still do it, but it might be illegal.

DMCA needs to be repealed before there will be any coherent policies that consumers will be able to make unambiguous sense of. So I think even for situations where the content isn't licensed, it's probably best to avoid the word "buy" if there's any DRM.

Comment Re:Isn't this admitting.... (Score 1) 125

Just for the sake of technical correctness: paying for foreign expertise with imperial extraction is a technology. It's over in the pointy section of political science; and going by the number of people who end up dead or in exile after a failed implementation, it's not a trivial matter.

One of the tricky bits, potentially one that they've had trouble with of late, is that pulling it off effectively usually means pretending that that isn't what you are doing, for the legitimacy and prestige, while keeping in mind that that is what you are doing, for realistic planning purposes. It's all well and good for foreigners and low-level patriots to think of 'Russia' and 'the USSR' as essentially synonyms; significantly less helpful if your military or economic planners even periodically lose sight of the fact that that's a handy aspirational position rather than a truth.

Comment For better security, don't use secure services (Score 4, Interesting) 56

It's easy to forget how utterly fucked up things have become, compared to how a few decades ago we (? well, at least I) thought things would evolve, and one of those has to do with dedicated services for secure communications.

The thing that defies my predictions is that dedicated services for secure communications exist at all.

When you wanted to secure email, you didn't use a "secure email" service; you (the user!) just added security onto your insecure email service. Send a PGP/MIME message and the email provider doesn't give a damn that it's encrypted, it just cares about SMTP.

But these days (could I call it the "Age of Lack of Standards"?), everyone is trying to manipulate you into depending on their software and services (inextricably linked; you can't use their software without their service, or their service without their software), so you can't just replace the service or easily "tunnel" security through their presumably-insecure (perhaps even mandated-insecure) service. Whatever security they offer is all you can reasonably get (pretty much the opposite of the classic email situation).

Why do I bring this up? Because the regulations are all about services! Not protocols. Not software. Services. (emphasis mine in all below quotes)

Here's the beginning of The UK Online Safety Act (1)(1)(a):

imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm

Here's good ol' CALEA (US Code Title 47, Section 1002(a)):

Except as provided in subsections (b), (c), and (d) of this section and sections 1007(a) and 1008(b) and (d) of this title, a telecommunications carrier shall ensure that ...

CALEA even mentions encryption:

A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication.

I haven't dived into the details of EU's DSA, but I see a hopeful sign right there at the very beginning of Article 1:

The aim of this Regulation is to contribute to the proper functioning of the internal market for intermediary services by setting out harmonised rules...

Look at all those references to services! Not the code you run; the services you use.

What does it mean? I think it might mean that even in the UK (!) you might be perfectly fine and legal using secure software. You just can't have it rely on some coercible corporation's secure services. Send your encrypted blobs over generic protocols and un-dedicated services, and the law won't apply to your situation. I'm not necessarily saying "Make PGP/MIME Great Again" but I do think following in its spirit is a really great idea.

If you run a service, what you want to be able to tell the government (whether it's US or UK or France/Germany) is "we don't provide any encryption, though some of our customers supply their own."

Stop asking for secure services. Worse is better. Ask for secure software (which assumes that all services are completely hostile) decoupled from any particular service.

Comment Re:Somebody is going to get killed (Score 1) 129

Do I really need to point out how hysterical you sound? Applying the burden of proof and standards of evidence of criminal court to a free association question? Really?

That's basically treating the possibility that someone might not want to go on a date with you as in the same category as the state laying criminal charges against you; which is lunatic tier.

Obviously, anyone treating internet hearsay as particularly reliable is about as sensible as someone who believes online product reviews; but both of those groups are an order of magnitude, or more, less wrong than someone who thinks that internet hearsay or online product reviews need to be on a beyond reasonable doubt basis with FRE and an appeals process and stuff.

Comment Re:What do you mean, "what happens next"? (Score 2) 92

You actually make a reasonably convincing argument for the idea that the Republican Party does have principles; they just overlap pretty weakly with the ones they pretend at.

The most striking break with history is the bit where Nixon-level criminality used to be politically problematic.
