Announcement

Collapse
No announcement yet.

Gnash Flash Player Still Advancing, But No New Release

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Gnash Flash Player Still Advancing, But No New Release

    Phoronix: Gnash Flash Player Still Advancing, But No New Release

    Gnash, the Free Software Foundation project to have an open-source implementation of Adobe's Flash/SWF run-time, hasn't seen a release in almost exactly one and a half years. While it's been 18 months without a new release, development continues and there's been a number of features committed...

    http://www.phoronix.com/vr.php?view=MTQyNDI

  • Luke
    replied
    Camera DRM would exclude existing/foreign/hacked cameras

    [QUOTE=dee.;347804]Yes, until they require every HD-capable video camera to have an RFID chip, identifying it to the computer, thus alerting the OS that the screen may be being recorded... well, not likely to happen, but it wouldn't be the most grandiose scheme hollywood has come up with...

    Countermeansures would include using cameras that exist today, removing the RFID chip, removing the receiver's antenna, buying export/foreign models on Ebay, etc. Lots of people would refuse to buy any camera set to, say, read a special pattern in DRM content and not record it, or warn computers of its presence. Hackers would write new camera firmware to counter this, the whole DRM/trusted OS arms race would be repeated. Meanwhile the entire camera industry would fear consumer rejection and would fight tooth and nail. For the most part, efforts to DRM one device against another have been defeated this way, going all the way back to VCR's and the famous Betamax case.


    Originally posted by dee. View Post
    Well, that probably depends on the browser, and how securely they implement the EME protocol. Of course it'd be preferable that browsers didn't implement it at all. But this is a bit worse than Sony's copy protection - at least with Sony's DRM, you could bypass the DRM, or if you listened to the CD in a CD player, it didn't matter anyway - but with EME, if you don't allow the service to load questionable binary blobs on your machine, you can't view the content, at all (unless of course you just torrent it). That means that in order to view to content (legally) you'll have to trust some arbitrary code to be executed on your computer, and with all the NSA stuff and data mining, the incentive for them to install some type of spyware or to just snoop around your hard drive is massive.
    Under this circumstance people might decide they don't want that content at all -or don't want it UNLESS it is pirated. When the RIAA lawsuits began, tens of millions of people (myself included) responded with anger by refusing to buy any more prerecorded CD's. Losses from the de facto boycott exceeded losses from "piracy" and the lawsuits were abandoned. Some say no defendant ever paid a penny of those file sharing judgements. I literally do not have a single "legal" proprietary media file in my entire file system and I intend to keep it that way!

    As for data mining, I certainly won't allow any browser that is compatable with that kind of extension on any of my machines with encrypted hard drives. Much of that and I may have to split machines that access any network from machines that carry raw video clips, with publication-ready files travelling by flash drive to the networked machine. I have to assume the NSA will be able to bypass browsers asking for permission, so that means I have to remove that kind of support entirely or blacklist updating to any browser that contains such support.
    Last edited by Luke; 07-31-2013, 09:11 PM. Reason: typo

    Leave a comment:


  • dee.
    replied
    Originally posted by Luke View Post
    The real hole in DRM is this: instead of using encryption to prevent a third party from intercepting and copying content, it is an attempt to prevent an untrusted but intended recipient from copying the decrypted content. It's one thing to write a note in code, quite another to force the person who decrypts the note to burn the plaintext after reading it. No encryption scheme can bypass that, and no DRM can stop existing 1080P cameras from recording existing 1080p monitors. Therefore, hard DRM won't give Hollywood less piracy than browser-only Flash style DRM, it will just cost them customers.
    Yes, until they require every HD-capable video camera to have an RFID chip, identifying it to the computer, thus alerting the OS that the screen may be being recorded... well, not likely to happen, but it wouldn't be the most grandiose scheme hollywood has come up with...

    Originally posted by Luke
    That Sony rootkit, as you recall, installed itself whether or not users gave their permission for it to be installed. Clicking "no" installed the DRM and the rootkit, just leaving out the player as I recall. What's to say attackers don't find ways to bypass demands by the browser to ask permission to install the extensions, so they can install silently? The only defense will be to block the whole thing, just as disabling Autorun, not using Windows, or blacking out the second session of the CD blocked Sony "Extended Copy Protection" or ECP from installing. Once installed, you were looking at an OS reinstall, preferably with a transition to something like Ubuntu Breezy Badger.
    Well, that probably depends on the browser, and how securely they implement the EME protocol. Of course it'd be preferable that browsers didn't implement it at all. But this is a bit worse than Sony's copy protection - at least with Sony's DRM, you could bypass the DRM, or if you listened to the CD in a CD player, it didn't matter anyway - but with EME, if you don't allow the service to load questionable binary blobs on your machine, you can't view the content, at all (unless of course you just torrent it). That means that in order to view to content (legally) you'll have to trust some arbitrary code to be executed on your computer, and with all the NSA stuff and data mining, the incentive for them to install some type of spyware or to just snoop around your hard drive is massive.

    And even this type of DRM isn't unbreakable - people can save the EME plugins, disassemble them and crack the protection... which in turn will just force the content providers to swap the DRM module, and this will just escalate into an endless war where the law-abiding customer suffers the most. Pirates remain largely unaffected.

    Leave a comment:


  • Luke
    replied
    What about EME used by malicious websites?

    Originally posted by dee. View Post
    Agreed, it's a horrible security risk. If this thing catches on (let's hope it doesn't) there will probably be need for a certification system of some kind, not that it makes the risk acceptable as you'll still have to trust proprietary, closed-source binary blobs to view content. And even assuming you're on a "reputable" site, not some malware fountain, let's not forget the Sony rootkits. Who's to say these DRM modules won't try something similar?
    That Sony rootkit, as you recall, installed itself whether or not users gave their permission for it to be installed. Clicking "no" installed the DRM and the rootkit, just leaving out the player as I recall. What's to say attackers don't find ways to bypass demands by the browser to ask permission to install the extensions, so they can install silently? The only defense will be to block the whole thing, just as disabling Autorun, not using Windows, or blacking out the second session of the CD blocked Sony "Extended Copy Protection" or ECP from installing. Once installed, you were looking at an OS reinstall, preferably with a transition to something like Ubuntu Breezy Badger.

    Leave a comment:


  • Luke
    replied
    Limitations of DRM will cost them customers

    Originally posted by dee. View Post
    However, it will also be likely that some (if not most) CDM's ("content distribution module", things that EME loads on the computer) won't even run on open-source browsers. The more paranoid "content providers" will want to implement some "trusted computing" schemes, which means another layer of DRM in the browser - and that excludes open-source browsers, because open-source DRM is an oxymoron. Most likely, these CDM's will also not even run on an open-source OS (except for heavily tivoized ones maybe), because the "content providers" will want to ensure that you won't use any kind of screen capture, so there needs to be some DRM built-in right in to the OS.
    The real hole in DRM is this: instead of using encryption to prevent a third party from intercepting and copying content, it is an attempt to prevent an untrusted but intended recipient from copying the decrypted content. It's one thing to write a note in code, quite another to force the person who decrypts the note to burn the plaintext after reading it. No encryption scheme can bypass that, and no DRM can stop existing 1080P cameras from recording existing 1080p monitors. Therefore, hard DRM won't give Hollywood less piracy than browser-only Flash style DRM, it will just cost them customers.

    In 2004 I published my media work as .ogg open source audio, as Audacity easily wrote those by default. Unfortunately Windows machines of that time could not play it unless users installed software. Therefore, I lost most of my potential listeners until I discovered libmp3lame and was able to publish mp3 files. DRM requiring people to install Windows 8 (or 9, etc) will have this problem even worse, and users will simply declare the site or service "broken" and move on. Thus, if this browser DRM takes off I suspect a lot of sites would use it like Flash DRM. If they choose to leave the Web, I will never miss them.

    Leave a comment:


  • dee.
    replied
    Originally posted by Luke View Post
    That's a totally unacceptable security risk. If they set their extensions to come from their own server, NoScript won't be able to separate sites doing this from those that just use JavaScript to set up the video playback. If all HTML5 video that is not DRMed will play with JavaScript disabled, that would be a workaround.
    Agreed, it's a horrible security risk. If this thing catches on (let's hope it doesn't) there will probably be need for a certification system of some kind, not that it makes the risk acceptable as you'll still have to trust proprietary, closed-source binary blobs to view content. And even assuming you're on a "reputable" site, not some malware fountain, let's not forget the Sony rootkits. Who's to say these DRM modules won't try something similar?

    Unless the browsers include the ability to block all on-the-fly extensions, I will boycott any browser update to a version including the DRM support. If Mozilla does this, choices will be older Firefox or to compile it myself with the DRM shit removed/disabled. Surely someone will publish non DRM supporting forks of popular open soure browsers, given the security implications of permitting websites to install extensions!
    I very much doubt that mozilla will include EME in Firefox, even if it becomes a standard - or if they do, they will do it in a way that alerts the user when a site wants to use it. If not, I'm certain it will be trivial to write a Firefox plugin that blocks all EME content, probably NoScript will implement that functionality as well.

    However, it will also be likely that some (if not most) CDM's ("content distribution module", things that EME loads on the computer) won't even run on open-source browsers. The more paranoid "content providers" will want to implement some "trusted computing" schemes, which means another layer of DRM in the browser - and that excludes open-source browsers, because open-source DRM is an oxymoron. Most likely, these CDM's will also not even run on an open-source OS (except for heavily tivoized ones maybe), because the "content providers" will want to ensure that you won't use any kind of screen capture, so there needs to be some DRM built-in right in to the OS.

    I refuse to watch any video I cannot download from the site with or without their permission, and won't upload video to any site that attempts to DRM their users. Before I would tolerate that I would send
    my news videos to archive.org as downloadable files without streaming support. Since I don't charge for content nor pay for content, I have no use for DRM, and zero tolerance for the security holes it would bring,
    A sensible attitude. The thing about DRM is that in order for it to work, the software needs to work against the user. The control of the hardware needs to be taken away from the user, and that excludes all kinds of FOSS software, because DRM can't work in FOSS - people would just fork a version without the DRM. This means that any DRM software is by necessity a closed-source proprietary black box, with no way to discern what it does on your computer.

    I encourage everyone to support businesses who sell DRM-free content, like Humble Bundle. DRM is entirely unnecessary, it harms business, and we need to tell the Hollywood and their friends that we don't need their bullshit in our web.

    Originally posted by GreatEmerald
    I'm pretty sure such extensions won't be installed without the user's consent, or else it would be a security hole the size of the Sun.
    In any sane browser, yes. I'm very certain Firefox won't run any extensions without user permission. But IE, the browser made by the people who invented ActiveX? Who knows! Chrome? Who knows... Google is one of the corporations campaigning for this thing, after all.

    Leave a comment:


  • GreatEmerald
    replied
    Originally posted by Luke View Post
    That's a totally unacceptable security risk. If they set their extensions to come from their own server, NoScript won't be able to separate sites doing this from those that just use JavaScript to set up the video playback. If all HTML5 video that is not DRMed will play with JavaScript disabled, that would be a workaround.
    I'm pretty sure such extensions won't be installed without the user's consent, or else it would be a security hole the size of the Sun.

    Leave a comment:


  • Luke
    replied
    Way to block on-the-fly browser extensions will be needed

    Originally posted by dee. View Post
    It does, but those extensions won't be installed by default anywhere. They'll be loaded on the fly from the website you're accessing.
    That's a totally unacceptable security risk. If they set their extensions to come from their own server, NoScript won't be able to separate sites doing this from those that just use JavaScript to set up the video playback. If all HTML5 video that is not DRMed will play with JavaScript disabled, that would be a workaround.

    Unless the browsers include the ability to block all on-the-fly extensions, I will boycott any browser update to a version including the DRM support. If Mozilla does this, choices will be older Firefox or to compile it myself with the DRM shit removed/disabled. Surely someone will publish non DRM supporting forks of popular open soure browsers, given the security implications of permitting websites to install extensions!

    I refuse to watch any video I cannot download from the site with or without their permission, and won't upload video to any site that attempts to DRM their users. Before I would tolerate that I would send
    my news videos to archive.org as downloadable files without streaming support. Since I don't charge for content nor pay for content, I have no use for DRM, and zero tolerance for the security holes it would bring,
    Last edited by Luke; 07-31-2013, 02:29 PM.

    Leave a comment:


  • dee.
    replied
    Originally posted by Luke View Post
    We should do everything we can to obstruct and impede development of HTML 5 DRM. That can include sabotaging agreement on common standards, encouraging Mozilla to ignore any API required by DRM extensions, making sure the Linux kernel can never be "secured" against interception of A/V streams by whoever owns the machine and has root, etc. If the DRM extensions have to check for a special kernel, I suspect most distros would think twice about letting a browser query that kind of data. I keep mine locked up with a custom apparmor profile to impede that sort of crap.
    I agree 100%. I'm going to expand on this topic a bit more, since there are so many people confused on the issue...

    The situation now is, that we basically have two de-facto standards for streaming DRM content on the web: Flash and Silverlight. The problem with this is, Flash doesn't work on mobile devices, and Silverlight only works on Windows. What everyone wants, is a way to view content on all platforms. Sounds simple? It is, until you bring DRM into the picture.

    The proponents of EME argue, that if we don't give the content producers what they want - a way to stream DRM content over the web - they will simply bypass the web, and create their platform-specific implementations for streaming content, kind of like what Netflix does now - an iOS app for streaming DRM content on iOS, another app for doing the same on Android, etc.

    The problem with that argument is, that EME will not solve that issue. Basically, what EME is, is a standard, that allows embedding binary blobs into webpages, with javascript wrappers. These binary blobs are allowed to use platform-specific capabilities, including but not limited to, actually drawing the content on the screen. In other words, they are platform-specific plugins, that are loaded on the browser when you open the webpage. Due to the nature of DRM, they will of course be 100% proprietary black boxes, with no way to discern what these plugins actually do on your computer - but that's ok, we can trust them. It's not like DRM content producers have ever tried to do anything sinister, like install rootkits on people's computers. Oh wait...

    So when the EME proponents argue that we have to let them add DRM to web standards or they stop using the web - how exactly is the situation with EME any better? With proprietary EME plugins, different ones for each streaming service, for each platform - how is that in practice any different from having specific streaming apps on different platforms? It's the same thing, only this EME thing makes it easier for the DRM producers, it makes it easier to "mask" the DRM and make it "convenient" and "invisible" for users - as long as the users use the right platform, right architecture, right OS, right browser... how is that any better at all?

    Another thing the EME proponents argue is: if we don't give the hollywood content producers a way to bring DRM content on the web, they'll just ignore the web. That's a very backwards argument, since the content producers are more dependent on the web than the web is of the content producers. If they take their content off the web, it's they who lose, not the web. The web will go on just fine without them. New content producers, who are willing to work with an open web, will take their place, and the old dinosaurs will die - free markets in action.

    Then, maybe they will introduce a single DRM module, which runs on all platforms, and all will be fine. Maybe, but what guarantee is there of that happening, and is it likely to happen? Should we just do nothing and hope big corporations decide to do the right thing all on their own, nevermind about profits? The problem is, that to build a truly robust DRM system, the control of the computer needs to be taken away from the user. In order to prevent the user from breaking the DRM, every part of the OS needs to be protected - this naturally excludes open source (except for heavily tivoized systems). So companies who really want to be anal about their DRM will not release their DRM modules for any open source OS, where the user can just break the DRM by taking a screen capture or recording. They'll want total "trusted computing", provided by platforms like Windows 8.

    So it's much better to just keep DRM away from web standards and stick with Flash/Silverlight for DRM-content... and if companies want to implement their own DRM solutions, make it hard for them, make it inconvenient for the users, so that they will lose market share to non-DRM providers. EME does nothing but masks the problem and gives corporations a justification for using it. EME is nothing but openwashing and doesn't solve anything.

    Leave a comment:


  • plonoma
    replied
    - Continued Google Android enablement work and as part of that making OpenGL ES 1 (GLES1) support work.
    They really should look at OpenGL ES 2!
    Seriously version 1 isn't even used much in mainstream software.
    And with version 3 switching to the programmable shaders of OpenGL ES 2 is going to make it easier to port stuff to that.

    Leave a comment:

Working...
X