
    10 malicious Python packages exposed in latest repository attack / ArsTechnica · Tuesday, 9 August - 18:01 · 1 minute

Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common. (credit: Getty Images)

Researchers have discovered yet another set of malicious packages in PyPI, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar packages could be subject to malware downloads or theft of user credentials and passwords.

Check Point Research, which reported its findings Monday, wrote that it didn't know how many people had downloaded the 10 packages, but it noted that PyPI has 613,000 active users, and its code is used in more than 390,000 projects. Installing from PyPI through the pip command is a foundational step for starting or setting up many Python projects. PePy, a site that estimates Python project downloads, suggests most of the malicious packages saw hundreds of downloads.

Such supply-chain attacks are becoming increasingly common, especially among open source software repositories that support a wide swath of the world's software. Python's repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year. But trick packages have also been found in RubyGems in 2020, NPM in December 2021, and many more open source repositories.


    Github reverses takedown of reverse-engineered GTA source code / ArsTechnica · Tuesday, 11 May, 2021 - 19:55

The reverse-engineered source code for the PC versions of Grand Theft Auto III and Vice City is back online today, months after it was originally posted and then quickly taken down via a DMCA request from publisher Take-Two.

TorrentFreak reports on the restored version of the project, which was posted as a seemingly identical fork of the original by a New Zealand-based developer named Theo. While the original GitHub poster (who goes by the handle aac) has not contested Take-Two's original takedown, Theo told TorrentFreak he filed a counterclaim to restore his copy of the project, saying it "contained no code owned by Take Two."

A question of law

We've previously looked in-depth at how video game fan coders use reverse-engineering techniques to deconstruct the packaged executable files distributed by a game's original developers. This painstaking, function-by-function process creates raw programming code that can generate exactly the same binary file when compiled (though the code as distributed on GitHub still requires external, copyrighted art and sound assets from a legitimate copy of the games).


    GitHub regrets firing Jewish employee who called Trump-incited mob “Nazis” / ArsTechnica · Monday, 18 January, 2021 - 18:48

Trump-incited mob tries to breach the US Capitol building in Washington, DC on Wednesday, Jan. 6, 2021. (credit: Getty Images | Bloomberg)

GitHub Inc. yesterday apologized for firing a Jewish employee who had urged colleagues to "stay safe" and avoid "Nazis" on the day a mob incited by President Trump stormed the US Capitol. GitHub said it "reversed the decision" and indicated it is trying to hire the employee back.

"Stay safe homies, Nazis are about," the employee, whose identity hasn't been revealed publicly, wrote in an internal Slack chat room on January 6. He was fired two days later, after one "coworker was quick to criticize the employee for using divisive rhetoric," Business Insider reported last week.

"I did not know that, as a Jew, it would be so polarizing to say this word," the former employee wrote in a Slack group for Jewish employees shortly "before his corporate accounts got deactivated," Business Insider wrote. The former employee "is Jewish and had family who died in the Holocaust," the article said.


    Growl, once a staple of the Mac desktop experience, has been retired / ArsTechnica · Monday, 30 November, 2020 - 19:35

A Growl notification. (credit: Aurich Lawson)

Growl, a key part of the Mac desktop experience for 17 years, is being retired. Christopher Forsythe, who acted as the lead developer for the project for years, announced the retirement in a blog post on Friday.

Launched in 2004, Growl provided notifications for applications on Macs (it was also offered for Windows) before Apple introduced its own Notification Center. Notification Center was added to macOS (then styled Mac OS X) in the Mountain Lion update in 2012, but it first debuted on iOS a year earlier.

Here's a snippet of Forsythe's announcement:


    GitHub agrees RIAA claim is bunk, restores popular YouTube download tool / ArsTechnica · Tuesday, 17 November, 2020 - 21:18 · 1 minute

A sign featuring the YouTube logo, outside the YouTube Space studios in London on June 4, 2019. (credit: Olly Curtis | Future | Getty Images)

GitHub has reversed its decision to boot YouTube-dl, a popular tool for archiving YouTube videos, from its platform. The company restored repositories this week after "additional information" convinced it that an archiving tool is not in and of itself a copyright violation—no matter what the music industry says.

The repositories in question got shut down in late October, before coming back yesterday. "We share developers' frustration with this takedown—especially since this project has many legitimate purposes," GitHub explained in a corporate blog post. "Our actions were driven by processes required to comply with laws like the DMCA that put platforms like GitHub and developers in a difficult spot. And our reinstatement, based on new information that showed the project was not circumventing a technical protection measure (TPM), was inline with our values of putting developers first."

The initial takedown occurred after the Recording Industry Association of America filed a claim with Microsoft-owned GitHub arguing that the code in those repositories was inherently illegal under US copyright law. At a high level, the law in question basically makes it illegal to crack or bypass DRM in any way, except for a handful of enumerated exemptions.


    Google Takes Down Repositories That Circumvent its Widevine DRM / TorrentFreak · Friday, 13 November, 2020 - 09:41 · 3 minutes

With more ways to stream online video than ever before, protecting video continues to be a key issue for copyright holders.

This is often achieved through Digital Rights Management, which is often referred to by the initials DRM. In a nutshell, DRM is an anti-piracy tool that dictates when and where digital content can be accessed.

Google is an important player in this area. The company owns the Widevine DRM technology which is used by many of the largest streaming services including Amazon, Netflix and Disney+. As such, keeping it secure is vital.

Widevine DRM

Widevine DRM comes in different levels. The L1 variant is the most secure, followed by L2 and L3. While the latter still protects content from being easily downloaded, it’s certainly not impossible to bypass, as pirates have repeatedly shown.

Despite its vulnerabilities, Google doesn’t want to make it too easy for the public at large. This became apparent a few hours ago when the company asked the developer platform GitHub to remove dozens of “Widevine L3 Decryptor” repositories.

The code, originally published by security researcher Tomer Hadad, is a proof-of-concept Chrome extension that shows how easy it is to bypass the low-security DRM. Google was aware of this vulnerability and previously informed Krebs Security that it would address the issue.

Google Targets Widevine L3 Decryptor Code

One option would be to patch the security flaw but, for now, Google appears to be focusing on the takedown route. In a DMCA notice sent to GitHub, the company requests the immediate takedown of dozens of “Widevine L3 Decryptor” copies.

“The following git repository [sic] contain circumvention technology that enables users to illegally access video and audio works protected by copyright,” Google writes.

“This Chrome extension demonstrates how it’s possible to bypass Widevine DRM by hijacking calls to the browser’s Encrypted Media Extensions (EME) and decrypting all Widevine content keys transferred – effectively turning it into a clearkey DRM,” Google adds.

Google sees the code, which was explicitly published for educational purposes only, as a circumvention tool. As such, it allegedly violates section 1201 of the DMCA, an allegation that was also made against the youtube-dl code last month.


The takedown notice includes a long list of repositories that were all made unavailable by GitHub. This doesn’t cover the original code from Tomer Hadad, who already removed his version in late October, citing “legal reasons.”

Google views this vulnerability as a serious matter and the company says that it has also filed a Sensitive Data takedown request to prevent Widevine’s ‘secret’ private key from being publicly shared.

Sensitive Data Request

“In addition to this request, we have filed a separate Sensitive Data takedown request of this file: /widevine-l3-decryptor as it contains the secret Widevine RSA private key, which was extracted from the Widevine CDM and can be used in other circumvention technologies.”

That last mention is interesting as private keys, which are simply a string of characters, are not seen as copyrighted or private content by everyone.

“If you distribute your key with the software, then whatever form it is in, I would not consider it “private” at all,” a commenter on Hacker News points out.

Googling the AACS Key

This ‘key controversy’ is reminiscent of an issue that was widely debated thirteen years ago. At the time, a hacker leaked the AACS cryptographic key “09 F9” online which prompted the MPAA and AACS LA to issue DMCA takedown requests to sites where it surfaced.

This escalated into a censorship debate when sites started removing articles that referenced the leak, triggering a massive backlash.

At the time, the controversial AACS key was still readily available through Google’s search engine. In that regard very little has changed. Despite Google’s sensitive data takedown request, the Widevine RSA key is easy to find through its own search engine.

From: TF, for the latest news on copyright battles, piracy and more.


    GitHub Takes Down Pirate Streaming App ‘King Club’ Following MPA Complaint / TorrentFreak · Wednesday, 19 August, 2020 - 09:59 · 2 minutes

With 40 million users and over 100 million code repositories, GitHub is the largest online developer platform of its kind.

The site is used by individual coders and large organizations to host virtually any piece of code imaginable. In addition, GitHub pages can also be used as a hosting service for websites.

While most projects are perfectly legitimate, there are some that attract negative attention. Every week, GitHub receives dozens of takedown notices from copyright holders who claim that their content is published or linked to without permission.

These complaints are often about copied code, but every now and then projects are accused of providing access to copyright-infringing content as well. This is what happened to the Android app “King Club X” which was hosted on GitHub.

King Club is a typical pirate app that scrapes third-party sources for movies and TV-shows, which are then made available to users through an intuitive interface. The app is not available in the official Google Play store but can be installed directly through the APK package.

MPA Targets King Club X

By advertising itself as the “best app to watch unlimited movies & tv-shows for free,” King Club attracted the attention of the MPA, which represents the major Hollywood studios and Netflix. The organization sees the app as a blatant pirate tool and asked GitHub to take action.

“King Club X – your customer – blatantly infringes the MPA Member Studios’ copyrights and countless other copyrights. Indeed, copyright infringement is so prevalent on King Club X that infringement plainly is its predominant use and purpose,” the MPA’s complaint reads.

“By this notification, we are asking for your immediate assistance in stopping your customer’s unauthorized activity. Specifically, we request that you cease providing all supporting services to King Club X, by removing or disabling access to the infringing Website and removing the APK.”

GitHub Takes Action

This notice had the desired effect as the site, which was hosted through GitHub pages, now returns a 404 error. In addition, the linked APK file is gone as well.

The swift removal is a small victory for the MPA and its members. However, these types of apps are very common and often reappear elsewhere, using a different host or a different name. For example, King Club X was previously advertised as Cerebrix TV, which was hosted on GitHub as well.

In addition, the app’s developer also has the option to have the content restored by filing a DMCA counter-notice. This is what a popular Popcorn Time fork did a few weeks ago when the MPA targeted its repository, after which GitHub restored the project.