Page 5 of 6 FirstFirst ... 3456 LastLast
Results 41 to 50 of 56

Thread: Cisco Open-Sources H.264 Codec, Pushes WebRTC

  1. #41
    Join Date
    Jan 2013
    Posts
    1,458

    Default

    Quote Originally Posted by smitty3268 View Post
    That simply doesn't make any sense. How exactly is the codec going to leak information? Is it simply going to pipe everything from your machine to an NSA IP address after it decodes on your machine? Do you really think people aren't going to notice the GBs of data flowing out of their network? Or is it going to do some kind of fancy visual recognition AI code that tries to figure out what's going on and translates that into a small text file somehow? That's probably even more ridiculous. All this stuff would get caught the second it happened to anyone. The point of breaking encryption is that they can just record what goes over the channel without you noticing. Putting something in the codec does NOTHING. If it did, codecs would include encryption already. They don't, because that's not what codecs do.
    The codec would only have to provide a backdoor to the system. This could then be used as an infection vector to infect the user's computer with malware/spyware.

    If you truly want to be secure, you need an air gap between your machine and the network. Nothing else is 100% effective.
    Bullshit. No, nothing is 100% effective, and nothing can ever be 100% effective - that's fine, because we only need it to be 99.999...% effective for all practical purposes. Saying "nothing is 100% effective" is just a red herring, entirely irrelevant, because it's not what security and privacy is about.

    Hey, if someone happens to guess your 4096-bit keyword, your crypto is broken... it could happen! The chances are 1 in 24096, but it could happen - therefore, no crypto is 100% secure! Yet, in practice, we can use that crypto, because it's practically impossible to guess that keyword. It's theoretically not 100% effective/secure, but it doesn't have to be to be usable.

    I guarantee you the NSA has a full handbook full of undisclosed flaws they've found in linux and OSS software that they can exploit against any target they want, just like they have 0 day exploits for windows and proprietary software.
    Again, bullshit. If you have evidence, show it, or gtfo. That's just the kind of sour-grapes-whining heard from windows fanboys when you point out to them that Microsoft freely and voluntarily shares all Windows exploits & vulnerabilities to NSA before they are patched. "Oh, but I'm sure they have Linux exploits too!" Never any evidence is given for these claims, just that it has to be there... it can't be that windows is inferior in any way, oh no...

    The NSA is not some kind of X Files or Men in black, they don't have any alien technology. Linux is used in many security-conscious applications, and security professionals are constantly auditing the code. A properly hardened Linux-system will not be easily penetrated by NSA, if the user doesn't do anything stupid.

    It's kind of amusing actually - what you are asking for is DRM, isn't it? Some way of preventing an outside source from copying your private video. lol
    You also seem to be very confused about what DRM is. DRM != privacy software.

    Example: PGP is a way of preventing an outside source from reading your communications/viewing your data, it's an encryption method. A software used for privacy. The users have control here, only the sender and intended recipient of the communication/data have access to it. The key here is user control.

    DRM is fundamentally user-hostile: it's a way of wresting the control of the computer away from the user. It's a way to make software/data "tamper proof", in order to prevent copying/unauthorized use/etc.

    There's a very clear difference: one is for the benefit for the user, and is entirely controlled by the user. The other is user-hostile, and can never be in the user's control, can never be open-source.

  2. #42
    Join Date
    May 2013
    Posts
    538

    Default Codec in browser only sees public video

    Quote Originally Posted by smitty3268 View Post
    That simply doesn't make any sense. How exactly is the codec going to leak information? Is it simply going to pipe everything from your machine to an NSA IP address after it decodes on your machine? Do you really think people aren't going to notice the GBs of data flowing out of their network? Or is it going to do some kind of fancy visual recognition AI code that tries to figure out what's going on and translates that into a small text file somehow? That's probably even more ridiculous. All this stuff would get caught the second it happened to anyone. The point of breaking encryption is that they can just record what goes over the channel without you noticing. Putting something in the codec does NOTHING. If it did, codecs would include encryption already. They don't, because that's not what codecs do.

    If you truly want to be secure, you need an air gap between your machine and the network. Nothing else is 100% effective. I guarantee you the NSA has a full handbook full of undisclosed flaws they've found in linux and OSS software that they can exploit against any target they want, just like they have 0 day exploits for windows and proprietary software.

    It's kind of amusing actually - what you are asking for is DRM, isn't it? Some way of preventing an outside source from copying your private video. lol
    A codec used in a browser could not send back the URL of a played video, it could not see it. A video published from a browser can be tracked by much easier means-and need not be played in browser to be published from it anyway, so again the codec is a non-issue. Even if the codec was presumed malicious, at worst that would not even give parity with Flash, what with all you have to do to keep out malicious Flash code, Flash cookies, and who knows what else. Assuming you still use libx264 in Kdenlive, Mplayer, Gstreamer, Xine, etc, the codec used in the browser won't even interact with your raw files, which should be the only ones you have to be able to deny ownership of. If you have INCOMING video you need to be able to deny ownership of, and Torbrowser won't play it, then you need a public access hotspot anyway, and possibly a live disk OS as a precaution against browser fingerprinting. Use one that comes with all the codecs like Mint so you can use it exactly as shipped.

    Even if Cisco does something huge like creating a write version of the codec that runs in GPU and works with FOSS video editors, someone running just watching total up and down network activity in Conky or gnome-system-monitor with no browser open could compare network activity between it and Libx264 to verify that it was not trying to phone home. I've done this myself to verify a browser not sending data with every keystroke in the URL line, when I compared Chromium with the known spyware on and turned off. Testing anything else would work exactly the same way, hell you don't even need Wireshark unless you are verifying WHAT is being phoned home to, like the folks who busted Google for spyware when Chrome first came out did.

    I would not worry about video codecs other than flash, which is a whole closed binary. I would worry about keyloggers, browser Trojans, and especially about unencrypted hard drives vulnerable to police raids. At least I went to encryption before instead of after a 2008 raid on my house, and it seems they never cracked it. Yes, CISCO is known for hardware compromised by the NSA and others: mostly for routers, the main targets of the NSA's surveillance of the network. My guess is routers handling large volumes of traffic are the targets here, and desperately need FOSS firmware to put a stop to it.

  3. #43
    Join Date
    Oct 2008
    Posts
    3,137

    Default

    Sigh... I really shouldn't get involved in these conversations because it always devolves into idiocy. All i'm asking for is a little common sense. In a list of applications the NSA could target, a codec would rank about 1 millionth out of about a million apps. It makes zero sense, because there are literally thousands of easier targets. The NSA isn't stupid.

    Quote Originally Posted by dee. View Post
    Again, bullshit. If you have evidence, show it, or gtfo.
    LOL. So you won't believe any 0 day exploits exist unless i can prove it by showing them? If i could, then they'd be fixed and wouldn't exist... Anyway, go on any hacker site. There are people out there selling exploits to FOSS software like Firefox just like any of the proprietary browsers. There's no reason why browsers would be fundamentally different in this respect than any other software system. Common sense, people.

    You also seem to be very confused about what DRM is. DRM != privacy software.
    DRM literally means digital rights management. If you want to use it to manage the rights of your own data, privacy software is exactly what it becomes. There's no difference. The only thing you mean is that standard DRM is controlled by others instead of you.

    Ok, enough of this. I'm refusing to waste any more time on this stupid topic. You will not draw me into another long flamefest BO$$ style.

  4. #44
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,113

    Default

    It's not that difficult to think of a scenario using a codec. Try:

    1. The codec is setup to detect certain videos.
    2. NSA adds that video as an ad to all Youtube videos, targeted to your IP/browser.
    3. You are now infected.

  5. #45
    Join Date
    Nov 2012
    Posts
    55

    Default

    > In a list of applications the NSA could target, a codec would rank about 1 millionth out of about a million apps.
    > It makes zero sense, because there are literally thousands of easier targets. The NSA isn't stupid.

    They aren't stupid, and have automatic resources like computers, so with them they go for all the targets they can, not only for the easy ones (which can be achieved, or not, depending on the case).

    > If i could [prove that], then they'd be fixed and wouldn't exist...

    It's basically accusations without proofs. People dislike when they suffer that (e.g. "son of a bitch"), but someone likes doing that to others.

    > Anyway, go on any hacker site. There are people out there selling exploits to FOSS software like Firefox just like any of the proprietary
    > browsers. There's no reason why browsers would be fundamentally different in this respect than any other software system. Common sense,
    > people.

    If someone believed that is true, they would go there, buy it, and then get the DOMINATION. Ow!

    > DRM literally means digital rights management.

    If someone believes that a thing is what marketing says it is... For example if MoneyCorp Inc. is planning a product to make people dependent on it, people can be sure that MoneyCorp is not going to call the product "Dependence maker".

  6. #46
    Join Date
    Sep 2012
    Posts
    681

    Default

    NSA backdoor, really?
    In a video codec?

    Get back on earth...
    The codec cannot have access (because you can sandbox it and/or measure what access it is asking for, and compare it to the source) to:
    - network
    - files on your computer
    - user and kernel land programs of your computer

    What do you think it can do without that?
    Even if you put a "video signal acitvator" (lol), what then? the codec can only communicate with your graphic card (or maybe even just a memory buffer). So it can display pre-recorded NSA message to your screen! yay!

    Guys, seriously. Stop that.

  7. #47

    Default

    "pushes WebRTC"?

    Yeah, it pushes it backwards. It was already decided by IETF that it would use VP8. Cisco just wants to make sure a proprietary standard remains the monopoly.

    And make no mistake, just because they released it under BSD, doesn't mean it's "open source". It's a binary blob you can't modify, otherwise you will not be exempt from paying for it.

    I see this as a major step backwards, and Mozilla is selling its soul to the devil, effectively. Because of this "short term" deal to adopt h.264, and reject VP8, they'll have a lot harder time to push Daala in the future.

    Granted, a big part of the blame is Google's too, who said they would stop supporting h.264 like 2 years, ago, and then bailed on Mozilla, and kept supporting it. Google will come to regret that decision, because this could mean now that the future of VP is dead.

    They MIGHT be able get back in the game with Mozilla's Daala, if they demand all Android OEM's to support it as soon as it's available, and only if Daala is like 4x better than h.264, and 2x better than h.265, and arrives early enough (2015). Anything less than that, and codec stakeholders might not give a damn about switching from h.265, when they've just started switching to it a year earlier.

    But now I'm really worried even Daala won't see big adoption anymore, if everyone starts thinking "MPEG-LA won, and the codec war is over".

    Big screwups from both Google and Mozilla here.
    Last edited by Krysto; 10-31-2013 at 06:18 AM.

  8. #48
    Join Date
    Sep 2006
    Location
    PL
    Posts
    910

    Default

    Quote Originally Posted by phoronix View Post
    Phoronix: Cisco Open-Sources H.264 Codec, Pushes WebRTC
    https://blog.mozilla.org/blog/2013/1...s-h-264-codec/

    We are grateful for Cisco’s contribution, and we will add support for Cisco’s OpenH.264 binary modules to Firefox soon.
    That is misleading journalism, mildly speaking. Cisco will provide their own blob, that would be covered by licensing. They build and distribute that plugin, and other implementations are not covered by it. It might even be opensource, but if it doesn't come from cisco in binary form, it's not protected by license.

    And, if at some point cisco stops renewing their license - poof. I liked it more when firefox relied on external codec frameworks, that was more flexible.
    Last edited by yoshi314; 10-31-2013 at 06:57 AM.

  9. #49
    Join Date
    Jan 2013
    Posts
    1,458

    Default

    Quote Originally Posted by smitty3268 View Post
    Sigh... I really shouldn't get involved in these conversations because it always devolves into idiocy. All i'm asking for is a little common sense. In a list of applications the NSA could target, a codec would rank about 1 millionth out of about a million apps. It makes zero sense, because there are literally thousands of easier targets. The NSA isn't stupid.
    Not the point. The possibility of exploitation is enough, once the possibility is there and we just sort of accept it because it just seems too unlikely that anyone would ever exploit it (like it seemed unlikely that NSA would be spying the entire rest of the world's online traffic) then it's likely that the vulnerability will be exploited some day.

    So we have to demand up front to get software where such possibilities do not exist.

    LOL. So you won't believe any 0 day exploits exist unless i can prove it by showing them? If i could, then they'd be fixed and wouldn't exist... Anyway, go on any hacker site. There are people out there selling exploits to FOSS software like Firefox just like any of the proprietary browsers. There's no reason why browsers would be fundamentally different in this respect than any other software system. Common sense, people.
    That's not what this was about, don't try to move the goalposts. Of course vulnerabilities exist in any software, and the Linux kernel isn't invulnerable to exploits. The point is, that on Linux, the vulnerabilities are generally fixed as soon as the kernel devs are aware of them, instead of them being reported directly to the NSA, and then some day maybe getting patched, if the NSA says it's ok. And everyone is on a level playing field, everyone can see the code.

    You said, that you "guarantee" the NSA has tons of unknown exploits for Linux. How exactly do you guarantee this? If the exploits are unknown, how do you know about them? Do you have some inside NSA information?

    The point is, that it is possible to harden Linux systems to the point of being very secure against exploits - this is why Linux is used in lots of places where security is important. On proprietary systems, particularly ones, whose exploits and vulnerabilities are voluntarily reported to NSA before getting patched, this is not possible, because those kinds of systems already undermine these kinds of efforts by design.

    DRM literally means digital rights management. If you want to use it to manage the rights of your own data, privacy software is exactly what it becomes. There's no difference. The only thing you mean is that standard DRM is controlled by others instead of you.
    Yes, and NSA literally means "national security agency", so obviously they're just an agency that looks after the security of people who live in nations. No worries!

    I can't believe you'd be that stupid. DRM is a term that has a very specific meaning, and no one has ever included privacy software in the definition of DRM. Terms do not always mean what they seem to mean at face value - kidnappers are not kids who take naps, second hand stores don't actually sell second hands, etc. Particularly, with a term like DRM, which is purposefully designed to be misleading - it's something that happens in business and politics all the time, it's why US politicians create laws with really "nice" sounding names. It's called putting a spin on things, or propaganda. It's why "Patriot Act" isn't called "Taking away your civil liberties Act", and people are much more likely to accept a "Defense of Marriage Act" than a "Damn gays should go to hell Act".

    DRM specifically refers to software that restricts the user's control of their own hardware/software in order to protect the interests of someone other than the user. If you use privacy software, you may be managing your digital rights, but you are not using Digital Rights Management.

    Ok, enough of this. I'm refusing to waste any more time on this stupid topic. You will not draw me into another long flamefest BO$$ style.
    You do as you think best. No one is forcing you to post.

  10. #50
    Join Date
    May 2010
    Posts
    15

    Default

    This whole thing is nonsense, and just as nonsensical as the gratis fluendo codec. It gives us 'open source' in the literal sense (we can 'see' the code), without the freedom to modify the code. I can't even recompile the code with secure instrumentation, or for another platform, or whatever.

    Mozilla should be using its power to oppose patent traps, not create them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •