Announcement

Collapse
No announcement yet.

Gnash Flash Player Still Advancing, But No New Release

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    I'll never allow DRM extensions in my browser

    Originally posted by dee. View Post
    IF they become widespread. There's still hope we can keep DRM away from web standards. Especially in the form of this shitty EME thing, since it really solves nothing and is actually worse than Flash. Flash at least is a single standard that everyone uses, and it works reasonably well on Linux. If EME becomes widespread, it'll just replace Flash with 10 zillion proprietary browser extensions, one for each corporation/website, and you can guess if they're going to support Linux...
    If this comes as browser extensions, no distro should install any of them by default. If they do, I will remove them on all systems I distribute. Any browser with baked-in DRM support rather than extensions I won't use, staying with older versions or "stripped" versions that can be custom-compiled. We don't need this shit anymore than we needed iTunes support for Crapple's former DRM scheme.

    I never enable any kind of "premium content" in any browser or computer, for any purposes. Any media with DRM that nobody has cracked I don't want in my house or on my systems. I even went so far as to remove HAL to disable DRM support in Flash. If enough people refuse to use paid media, not only DRM but the corporations behind it would go away. Remember, no copyright law ever prohibits you from ignoring proprietary content entirely.

    With DRM support in Flash on my machines deliberately broken, the only videos I find that won't play are those where my security and NoScript settings block them and I can't find out what to enable without enabling untrusted 3ed party servers that might try to fingerprint the browser or do other malicious things. I control my computers, Hollywood and the RIAA/MPAA do not and never will.

    We should do everything we can to obstruct and impede development of HTML 5 DRM. That can include sabotaging agreement on common standards, encouraging Mozilla to ignore any API required by DRM extensions, making sure the Linux kernel can never be "secured" against interception of A/V streams by whoever owns the machine and has root, etc. If the DRM extensions have to check for a special kernel, I suspect most distros would think twice about letting a browser query that kind of data. I keep mine locked up with a custom apparmor profile to impede that sort of crap.

    Comment


    • #22
      Originally posted by smitty3268 View Post
      We've already had this discussion, and that's not true. The browser will form an abstraction layer. There will be 1 plugin for windows, 1 for mac, and.... Well, probably none for linux. Unless some corporation steps up and starts selling them.
      Source? Do you have some evidence I'm not aware of? Because what EME does is, it defines a format to load browser plugins on the fly from websites. Not only is this a huge security risk, what makes you think everyone would be satisfied with one solution for DRM video? In all likelihood, Google will create their own plugin, Netflix will have their own, Microsoft, Apple... other streaming sites... There'll be several, mark my words. And we'll be very lucky if any of them support Linux.

      Originally posted by Luke
      If this comes as browser extensions, no distro should install any of them by default.
      It does, but those extensions won't be installed by default anywhere. They'll be loaded on the fly from the website you're accessing.

      Comment


      • #23
        - Continued Google Android enablement work and as part of that making OpenGL ES 1 (GLES1) support work.
        They really should look at OpenGL ES 2!
        Seriously version 1 isn't even used much in mainstream software.
        And with version 3 switching to the programmable shaders of OpenGL ES 2 is going to make it easier to port stuff to that.

        Comment


        • #24
          Originally posted by Luke View Post
          We should do everything we can to obstruct and impede development of HTML 5 DRM. That can include sabotaging agreement on common standards, encouraging Mozilla to ignore any API required by DRM extensions, making sure the Linux kernel can never be "secured" against interception of A/V streams by whoever owns the machine and has root, etc. If the DRM extensions have to check for a special kernel, I suspect most distros would think twice about letting a browser query that kind of data. I keep mine locked up with a custom apparmor profile to impede that sort of crap.
          I agree 100%. I'm going to expand on this topic a bit more, since there are so many people confused on the issue...

          The situation now is, that we basically have two de-facto standards for streaming DRM content on the web: Flash and Silverlight. The problem with this is, Flash doesn't work on mobile devices, and Silverlight only works on Windows. What everyone wants, is a way to view content on all platforms. Sounds simple? It is, until you bring DRM into the picture.

          The proponents of EME argue, that if we don't give the content producers what they want - a way to stream DRM content over the web - they will simply bypass the web, and create their platform-specific implementations for streaming content, kind of like what Netflix does now - an iOS app for streaming DRM content on iOS, another app for doing the same on Android, etc.

          The problem with that argument is, that EME will not solve that issue. Basically, what EME is, is a standard, that allows embedding binary blobs into webpages, with javascript wrappers. These binary blobs are allowed to use platform-specific capabilities, including but not limited to, actually drawing the content on the screen. In other words, they are platform-specific plugins, that are loaded on the browser when you open the webpage. Due to the nature of DRM, they will of course be 100% proprietary black boxes, with no way to discern what these plugins actually do on your computer - but that's ok, we can trust them. It's not like DRM content producers have ever tried to do anything sinister, like install rootkits on people's computers. Oh wait...

          So when the EME proponents argue that we have to let them add DRM to web standards or they stop using the web - how exactly is the situation with EME any better? With proprietary EME plugins, different ones for each streaming service, for each platform - how is that in practice any different from having specific streaming apps on different platforms? It's the same thing, only this EME thing makes it easier for the DRM producers, it makes it easier to "mask" the DRM and make it "convenient" and "invisible" for users - as long as the users use the right platform, right architecture, right OS, right browser... how is that any better at all?

          Another thing the EME proponents argue is: if we don't give the hollywood content producers a way to bring DRM content on the web, they'll just ignore the web. That's a very backwards argument, since the content producers are more dependent on the web than the web is of the content producers. If they take their content off the web, it's they who lose, not the web. The web will go on just fine without them. New content producers, who are willing to work with an open web, will take their place, and the old dinosaurs will die - free markets in action.

          Then, maybe they will introduce a single DRM module, which runs on all platforms, and all will be fine. Maybe, but what guarantee is there of that happening, and is it likely to happen? Should we just do nothing and hope big corporations decide to do the right thing all on their own, nevermind about profits? The problem is, that to build a truly robust DRM system, the control of the computer needs to be taken away from the user. In order to prevent the user from breaking the DRM, every part of the OS needs to be protected - this naturally excludes open source (except for heavily tivoized systems). So companies who really want to be anal about their DRM will not release their DRM modules for any open source OS, where the user can just break the DRM by taking a screen capture or recording. They'll want total "trusted computing", provided by platforms like Windows 8.

          So it's much better to just keep DRM away from web standards and stick with Flash/Silverlight for DRM-content... and if companies want to implement their own DRM solutions, make it hard for them, make it inconvenient for the users, so that they will lose market share to non-DRM providers. EME does nothing but masks the problem and gives corporations a justification for using it. EME is nothing but openwashing and doesn't solve anything.

          Comment


          • #25
            Way to block on-the-fly browser extensions will be needed

            Originally posted by dee. View Post
            It does, but those extensions won't be installed by default anywhere. They'll be loaded on the fly from the website you're accessing.
            That's a totally unacceptable security risk. If they set their extensions to come from their own server, NoScript won't be able to separate sites doing this from those that just use JavaScript to set up the video playback. If all HTML5 video that is not DRMed will play with JavaScript disabled, that would be a workaround.

            Unless the browsers include the ability to block all on-the-fly extensions, I will boycott any browser update to a version including the DRM support. If Mozilla does this, choices will be older Firefox or to compile it myself with the DRM shit removed/disabled. Surely someone will publish non DRM supporting forks of popular open soure browsers, given the security implications of permitting websites to install extensions!

            I refuse to watch any video I cannot download from the site with or without their permission, and won't upload video to any site that attempts to DRM their users. Before I would tolerate that I would send
            my news videos to archive.org as downloadable files without streaming support. Since I don't charge for content nor pay for content, I have no use for DRM, and zero tolerance for the security holes it would bring,
            Last edited by Luke; 31 July 2013, 02:29 PM.

            Comment


            • #26
              Originally posted by Luke View Post
              That's a totally unacceptable security risk. If they set their extensions to come from their own server, NoScript won't be able to separate sites doing this from those that just use JavaScript to set up the video playback. If all HTML5 video that is not DRMed will play with JavaScript disabled, that would be a workaround.
              I'm pretty sure such extensions won't be installed without the user's consent, or else it would be a security hole the size of the Sun.

              Comment


              • #27
                Originally posted by Luke View Post
                That's a totally unacceptable security risk. If they set their extensions to come from their own server, NoScript won't be able to separate sites doing this from those that just use JavaScript to set up the video playback. If all HTML5 video that is not DRMed will play with JavaScript disabled, that would be a workaround.
                Agreed, it's a horrible security risk. If this thing catches on (let's hope it doesn't) there will probably be need for a certification system of some kind, not that it makes the risk acceptable as you'll still have to trust proprietary, closed-source binary blobs to view content. And even assuming you're on a "reputable" site, not some malware fountain, let's not forget the Sony rootkits. Who's to say these DRM modules won't try something similar?

                Unless the browsers include the ability to block all on-the-fly extensions, I will boycott any browser update to a version including the DRM support. If Mozilla does this, choices will be older Firefox or to compile it myself with the DRM shit removed/disabled. Surely someone will publish non DRM supporting forks of popular open soure browsers, given the security implications of permitting websites to install extensions!
                I very much doubt that mozilla will include EME in Firefox, even if it becomes a standard - or if they do, they will do it in a way that alerts the user when a site wants to use it. If not, I'm certain it will be trivial to write a Firefox plugin that blocks all EME content, probably NoScript will implement that functionality as well.

                However, it will also be likely that some (if not most) CDM's ("content distribution module", things that EME loads on the computer) won't even run on open-source browsers. The more paranoid "content providers" will want to implement some "trusted computing" schemes, which means another layer of DRM in the browser - and that excludes open-source browsers, because open-source DRM is an oxymoron. Most likely, these CDM's will also not even run on an open-source OS (except for heavily tivoized ones maybe), because the "content providers" will want to ensure that you won't use any kind of screen capture, so there needs to be some DRM built-in right in to the OS.

                I refuse to watch any video I cannot download from the site with or without their permission, and won't upload video to any site that attempts to DRM their users. Before I would tolerate that I would send
                my news videos to archive.org as downloadable files without streaming support. Since I don't charge for content nor pay for content, I have no use for DRM, and zero tolerance for the security holes it would bring,
                A sensible attitude. The thing about DRM is that in order for it to work, the software needs to work against the user. The control of the hardware needs to be taken away from the user, and that excludes all kinds of FOSS software, because DRM can't work in FOSS - people would just fork a version without the DRM. This means that any DRM software is by necessity a closed-source proprietary black box, with no way to discern what it does on your computer.

                I encourage everyone to support businesses who sell DRM-free content, like Humble Bundle. DRM is entirely unnecessary, it harms business, and we need to tell the Hollywood and their friends that we don't need their bullshit in our web.

                Originally posted by GreatEmerald
                I'm pretty sure such extensions won't be installed without the user's consent, or else it would be a security hole the size of the Sun.
                In any sane browser, yes. I'm very certain Firefox won't run any extensions without user permission. But IE, the browser made by the people who invented ActiveX? Who knows! Chrome? Who knows... Google is one of the corporations campaigning for this thing, after all.

                Comment


                • #28
                  Limitations of DRM will cost them customers

                  Originally posted by dee. View Post
                  However, it will also be likely that some (if not most) CDM's ("content distribution module", things that EME loads on the computer) won't even run on open-source browsers. The more paranoid "content providers" will want to implement some "trusted computing" schemes, which means another layer of DRM in the browser - and that excludes open-source browsers, because open-source DRM is an oxymoron. Most likely, these CDM's will also not even run on an open-source OS (except for heavily tivoized ones maybe), because the "content providers" will want to ensure that you won't use any kind of screen capture, so there needs to be some DRM built-in right in to the OS.
                  The real hole in DRM is this: instead of using encryption to prevent a third party from intercepting and copying content, it is an attempt to prevent an untrusted but intended recipient from copying the decrypted content. It's one thing to write a note in code, quite another to force the person who decrypts the note to burn the plaintext after reading it. No encryption scheme can bypass that, and no DRM can stop existing 1080P cameras from recording existing 1080p monitors. Therefore, hard DRM won't give Hollywood less piracy than browser-only Flash style DRM, it will just cost them customers.

                  In 2004 I published my media work as .ogg open source audio, as Audacity easily wrote those by default. Unfortunately Windows machines of that time could not play it unless users installed software. Therefore, I lost most of my potential listeners until I discovered libmp3lame and was able to publish mp3 files. DRM requiring people to install Windows 8 (or 9, etc) will have this problem even worse, and users will simply declare the site or service "broken" and move on. Thus, if this browser DRM takes off I suspect a lot of sites would use it like Flash DRM. If they choose to leave the Web, I will never miss them.

                  Comment


                  • #29
                    What about EME used by malicious websites?

                    Originally posted by dee. View Post
                    Agreed, it's a horrible security risk. If this thing catches on (let's hope it doesn't) there will probably be need for a certification system of some kind, not that it makes the risk acceptable as you'll still have to trust proprietary, closed-source binary blobs to view content. And even assuming you're on a "reputable" site, not some malware fountain, let's not forget the Sony rootkits. Who's to say these DRM modules won't try something similar?
                    That Sony rootkit, as you recall, installed itself whether or not users gave their permission for it to be installed. Clicking "no" installed the DRM and the rootkit, just leaving out the player as I recall. What's to say attackers don't find ways to bypass demands by the browser to ask permission to install the extensions, so they can install silently? The only defense will be to block the whole thing, just as disabling Autorun, not using Windows, or blacking out the second session of the CD blocked Sony "Extended Copy Protection" or ECP from installing. Once installed, you were looking at an OS reinstall, preferably with a transition to something like Ubuntu Breezy Badger.

                    Comment


                    • #30
                      Originally posted by Luke View Post
                      The real hole in DRM is this: instead of using encryption to prevent a third party from intercepting and copying content, it is an attempt to prevent an untrusted but intended recipient from copying the decrypted content. It's one thing to write a note in code, quite another to force the person who decrypts the note to burn the plaintext after reading it. No encryption scheme can bypass that, and no DRM can stop existing 1080P cameras from recording existing 1080p monitors. Therefore, hard DRM won't give Hollywood less piracy than browser-only Flash style DRM, it will just cost them customers.
                      Yes, until they require every HD-capable video camera to have an RFID chip, identifying it to the computer, thus alerting the OS that the screen may be being recorded... well, not likely to happen, but it wouldn't be the most grandiose scheme hollywood has come up with...

                      Originally posted by Luke
                      That Sony rootkit, as you recall, installed itself whether or not users gave their permission for it to be installed. Clicking "no" installed the DRM and the rootkit, just leaving out the player as I recall. What's to say attackers don't find ways to bypass demands by the browser to ask permission to install the extensions, so they can install silently? The only defense will be to block the whole thing, just as disabling Autorun, not using Windows, or blacking out the second session of the CD blocked Sony "Extended Copy Protection" or ECP from installing. Once installed, you were looking at an OS reinstall, preferably with a transition to something like Ubuntu Breezy Badger.
                      Well, that probably depends on the browser, and how securely they implement the EME protocol. Of course it'd be preferable that browsers didn't implement it at all. But this is a bit worse than Sony's copy protection - at least with Sony's DRM, you could bypass the DRM, or if you listened to the CD in a CD player, it didn't matter anyway - but with EME, if you don't allow the service to load questionable binary blobs on your machine, you can't view the content, at all (unless of course you just torrent it). That means that in order to view to content (legally) you'll have to trust some arbitrary code to be executed on your computer, and with all the NSA stuff and data mining, the incentive for them to install some type of spyware or to just snoop around your hard drive is massive.

                      And even this type of DRM isn't unbreakable - people can save the EME plugins, disassemble them and crack the protection... which in turn will just force the content providers to swap the DRM module, and this will just escalate into an endless war where the law-abiding customer suffers the most. Pirates remain largely unaffected.

                      Comment

                      Working...
                      X