source code – Techdirt (original) (raw)
NSO Group Asked Israeli Government To Help It Hide Malware Docs From WhatsApp
from the surely-something-only-an-honest-company-would-do dept
Before the news had broken that NSO Group’s clients were utilizing its powerful spyware to target journalists, dissidents, activists, religious leaders, opposition party members, and anyone else that might have irritated the autocrats and human rights abusers that made up a disproportionate percentage of its customer list, NSO was sued by Meta and WhatsApp.
That lawsuit alleged NSO Group had illegally accessed and utilized WhatsApp’s software and servers to distribute malware to surveillance targets. It’s a problematic lawsuit — one that seeks to see the CFAA (which has been abused perpetually since its inception) read as outlawing any access that might violate terms of service, including access that simply allowed NSO software to reach targets using WhatsApp.
NSO has since tried multiple times to have the lawsuit thrown out. One of its more creative efforts tried to portray NSO Group as nothing more than a stand-in for the governments it sold to. By portraying itself this way, NSO hoped to invoke sovereign immunity. That argument was rejected by two consecutive levels of the judiciary. NSO would have been better served by sticking to its first argument: that it could not be held directly accountable for actions performed by its customers, especially since that’s pretty much the only argument it’s left with at this point in time.
Having failed to get the lawsuit dismissed, the litigation moved forward. Finally, it reached a point NSO hoped it never would: discovery. Earlier this year, the court ordered NSO to turn over a bunch of info, including the source code of the malware that traveled through Meta’s servers to infect WhatsApp users.
The source code has yet to be delivered to the court and WhatsApp. It may never get there. As Harry Davies and Stephanie Kirchgaessner report for The Guardian, NSO Group called on a higher power to help it dodge its courtroom obligations:
Israeli officials seized documents about Pegasus spyware from its manufacturer, NSO Group, in an effort to prevent the company from being able to comply with demands made by WhatsApp in a US court to hand over information about the invasive technology.
Documents suggest the seizures were part of an unusual legal manoeuvre created by Israel to block the disclosure of information about Pegasus, which the government believed would cause “serious diplomatic and security damage” to the country.
Neat! And it comes with a form of plausible deniability built in: the Israeli government could claim it seized this information as part of its own investigation of NSO Group. Of course, that investigation is already closed and it wasn’t publicly announced until long after NSO was in (international) hot water. The government concluded it did nothing wrong when it used NSO spyware. It didn’t have much to say about NSO itself, although it did (very belatedly) limit the countries NSO could sell to.
But this is just a weird form of regulatory capture. NSO Group was formed by former Israeli intelligence officers. For years, Israel’s government helped broker deals for NSO with nearby nations, engaging in a malware-powered form of diplomacy.
The last thing NSO wanted was for this lawsuit to move to the point where it might need to start producing documents. The outstanding order for code production posed a threat to NSO’s secrecy, even if there’s almost zero chance it would be denied any request to seal these documents. With NSO being mostly former government employees and the Israel government being composed of current government employees, NSO asked and received. With this move, a sovereign that is not party to this lawsuit has done what NSO couldn’t on its own: prevent an American entity from obtaining its source code.
The origin of this information isn’t NSO or the Israeli government. It’s the product of leaks and hacking. And it shows NSO knew this reckoning was coming, long before it became somewhat of a household name following the leak of targeting data. This appears to have happened not long after WhatsApp filed its lawsuit against NSO in late 2019.
Israel’s hidden intervention in the case can be revealed after a consortium of media organisations led by the Paris-based non-profit Forbidden Stories, and including the Guardian and Israeli media partners, obtained a copy of a secret court order relating to the 2020 seizure of NSO’s internal files.
Details of the seizures and Israel’s contacts with NSO regarding the WhatsApp case are laid bare in a separate cache of emails and documents reviewed by the Guardian. They originate from a hack of data from Israel’s ministry of justice obtained by the transparency group Distributed Denial of Secrets and shared with Forbidden Stories.
According to the documents, NSO first approached the Israeli government in the early months of 2020, asking for a “blocking order” that would hopefully prevent it from having to hand over anything to WhatsApp. When WhatsApp served its discovery request in June 2020, NSO Group and government officials met to “discuss issues related to disclosure.” After some back-and-forth between NSO’s legal reps and government officials, the government performed a perfunctory raid of NSO offices for the sole purpose of leaving it with almost nothing to turn over in response to the US court order.
Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.
This subterfuge appears to have worked, at least so far. According to WhatsApp’s lawyers, NSO has only turned over 17 pages of documents in response to its discovery requests. Obviously, none of these documents are responsive to the court order demanding NSO turn over its software to WhatsApp.
On the surface, it might not look any more unusual than, say, the Justice Department filing a motion to keep documents from being produced by one of its contractors in the interest of public safety, operational secrecy, or whatever other excuse it might use. But it’s nowhere near comparable. NSO Group never informed the US court that these documents had been seized. And it appears its lawyers — some of which are US-based — never informed the court it was seeking the assistance of the Israeli government to keep these documents from being produced.
It will certainly be interesting to see how the court responds to these revelations. However, sanctions can’t make NSO Group turn over information now in the hands of its own personal Jesus: the Israeli government. And it’s unlikely any US court has the power to pierce the sovereign immunity that controls this action, no matter how transparent the self-interest.
Filed Under: distributed denial of secrets, israel, lawsuit, malware, pegasus, privacy, source code, spyware, surveillance
Companies: nso group, whatsapp
NSO Group Continues To Use The Lawsuit Filed Against It By WhatsApp To Harass Canadian Security Researchers
from the if-you-can't-beat-'em,-fuck-with-'em dept
Israeli malware manufacturer NSO Group spent years making good money selling to bad people. Its only concern for the longest time was how long it would take nearby autocrats and totalitarians to start targeting Israeli citizens.
To be fair, the Israeli government shares at least some of the blame. Surrounded by entities that would love to see it erased from the earth, the government helped broker deals with unfriendly countries — a perverse form of diplomacy that allowed some of its worst enemies to gain access to extremely powerful spyware.
NSO is no longer the local darling in Israel. In fact, none of its competitors are either. The country achieved terminal embarrassment velocity following the leak of documents that appeared to show many of NSO’s customers were abusing access to its Pegasus spyware to target journalists, dissidents, human rights lawyers, political opponents, and even the occasional ex-wife and her lawyer.
NSO has also been sued multiple times. The first tech firm to sue NSO was WhatsApp. Backed by Meta, WhatsApp took NSO to court for using WhatsApp’s US-based servers to deliver malware packages to users targeted by NSO’s absolute shitlist of customers.
Some of what WhatsApp observed might have been due to the FBI taking a bespoke version of NSO’s Pegasus for a spin before deciding it would be pretty much impossible to use it without doing a ton of damage to the Fourth Amendment.
This lawsuit has not gone well for NSO. It invoked a variety of defenses, including sovereign immunity, reasoning that it was a stand-in for the governments it sold to. And, as such, it was entitled to the same immunity often granted foreign governments by US courts.
This tactic didn’t work. Not only did multiple courts (district, appellate, the Top Court in the Land) reject NSO immunity overtures, but the original court handling this lawsuit ordered the company to turn over its code to WhatsApp. And that order meant all the code, not just the stuff involving NSO’s flagship spyware, Pegasus.
Far from the nation’s courts, Canadians have been giving NSO (and its competitors) fits for years. Citizen Lab — a group of Canadian malware researchers linked to the University of Toronto — has been examining NSO’s malware for years. More importantly, it’s been detecting infections and allowing those targeted by NSO spyware to rid themselves of these infections. In every case, Citizen Lab has exposed the targeting of the usual people: dissidents, opposition leaders, journalists, lawyers, diplomats, etc. The company continues to pretend this malware is sold to target the most dangerous criminals despite all evidence to the contrary.
With NSO now being asked to turn over its source code, it has decided to drag a non-party into the mix by going after Citizen Lab repeatedly during this lawsuit. (This is something its financial backers did years before NSO was a defendant in multiple lawsuits and an international pariah.)
As Shawn Musgrave reports for The Intercept, NSO appears to be engaged in a campaign of harassment against Citizen Lab… presumably because it has run out of believable defenses and/or solid litigation strategies.
FOR YEARS, CYBERSECURITY researchers at Citizen Lab have monitored Israeli spyware firm NSO Group and its banner product, Pegasus. In 2019, Citizen Lab reported finding dozens of cases in which Pegasus was used to target the phones of journalists and human rights defenders via a WhatsApp security vulnerability.
Now NSO, which is blacklisted by the U.S. government for selling spyware to repressive regimes, is trying to use a lawsuit over the WhatsApp exploit to learn “how Citizen Lab conducted its analysis.”
[…]
With the lawsuit now moving forward, NSO is trying a different tactic: demanding repeatedly that Citizen Lab, which is based in Canada, hand over every single document about its Pegasus investigation. A judge denied NSO’s latest attempt to get access to Citizen Lab’s materials last week.
While it’s good to see a court shut down this obvious attempt to turn Citizen Lab into a co-litigant, the fact remains that Citizen Lab has never been a party to this lawsuit. This is nothing more than NSO attempting to obtain information it has no legal reason to request, possibly because it’s still aching from being ordered to turn over its own information: i.e, its source code.
It also may be even more petty than the previous hypothetical: it may be trying to get Citizen Lab to burn up some of its limited resources fighting stupid requests for stuff Citizen Lab should even be asking for, much less expecting a judge to sign off on.
Whatever it is, it certainly isn’t good litigation. This reeks of desperation. These are the acts of litigant that has run out of options. NSO is just flailing, hoping to drag down a non-party with it as it heads towards a seemingly-inevitable loss.
And this certainly isn’t a winning strategy. It’s not even capable of maintaining the miserable status quo NSO Group is currently mired in. Citizen Lab (obviously) refused these demands for information (justifiably!) and the judge handling the case has made it clear there’s almost zero chance of NSO being able to drag anything out of this particular thorn in its side.
Citizen Lab opposed NSO’s demands on numerous grounds, particularly given “NSO’s animosity” toward its research.
In the latest order, Hamilton concluded that NSO’s demand was “plainly overbroad.” She left open the possibility for NSO to try again, but only if it can point to evidence that specific individuals that Citizen Lab categorized as “civil society” targets were actually involved in “criminal/terrorist activity.”
lol at that last sentence. Does anyone think anyone, much less an aggrieved NSO Group, has any evidence Citizen Lab is involved in “criminal/terrorist activity?” All it has done is expose abuse of malware sold by NSO Group to governments with long histories of corruption and/or human rights abuses.
NSO is just going to keep on losing. Reap/sow. Lie down with dogs. The foreseeable consequences of actions. Etc. Etc. Etc. Citizen Lab will keep performing its important work. And, with any luck, NSO will soon collapse under the weight of its hubris. Hope the (temporary) shekels were worth it.
Filed Under: canada, discovery, harassment, source code, spyware, surveillance
Companies: citizen lab, meta, nso group, whatsapp
NSO Group Ordered To Turn Over Spyware Code To WhatsApp
from the UNDERSEAL.EXE dept
The time has come to pay the discovery piper for NSO Group. The phone exploit firm formed by former Israeli spies was supported unilaterally by the Israeli government as it courted human rights abusers and autocrats. The Israeli government apparently felt selling powerful phone exploits to its enemies got caught with its third-party pants down when numerous news agencies exposed just how often NSO’s customers abused its powerful spyware to target journalists, activists, lawyers, dissidents, religious leaders, and anyone else who annoyed its customers.
NSO Group has been sued multiple times. One of the first lawsuits filed in the US featured Meta (formerly Facebook) as a plaintiff, suing on behalf of WhatsApp, its encrypted communications acquisition. NSO tried multiple times to escape this lawsuit. It claimed it was a private sector equivalent of a government agency and, therefore, should be protected by sovereign immunity. This argument was rejected, leaving NSO with the option of arguing its actions (or, rather, the actions of its customers, which it claimed it couldn’t control) weren’t subject to US law.
That other argument might have worked if NSO Group’s customers weren’t using WhatsApp’s US-based servers to deliver malware payloads. Once something like this happens, US law comes into play and, without the protective cover of sovereign immunity, NSO Group must continue to respond to lawsuits filed by US tech companies.
Everything NSO tried in hopes of earning an early exit from US lawsuits was aimed at preventing the very thing that’s happening now. NSO and its (few remaining) backers can probably survive an expensive settlement. What the company is unlikely to survive is a (possibly) public outing of its malware code.
As Stephanie Kirchgaessner reports for The Guardian, NSO has been ordered to turn over the source code for pretty much all of its malware to Meta/WhatsApp.
NSO Group, the maker of one the world’s most sophisticated cyber weapons, has been ordered by a US court to hand its code for Pegasus and other spyware products to WhatsApp as part of the company’s ongoing litigation.
[…]
In reaching her decision, Hamilton considered a plea by NSO to excuse it of all its discovery obligations in the case due to “various US and Israeli restrictions”.
Ultimately, however, [Judge Phyllis Hamilton] sided with WhatsApp in ordering the company to produce “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly attacked: from 29 April 2018 to 10 May 2020. NSO must also give WhatsApp information “concerning the full functionality of the relevant spyware”.
WhatsApp already has a pretty good idea how NSO Group malware operates. It has already managed to detect actual deployments via its servers. The irony here, of course, is that the incidents that most likely exposed NSO’s exploitation of WhatsApp servers were trial runs of a US-oriented version of NSO’s Pegasus phone exploit by the FBI. (The FBI ultimately decided it couldn’t deploy this malware constitutionally.) A months-long investigation by the FBI into the “mysterious” NSO purchase by a supposedly “unknown” government agency ultimately revealed that it was the FBI itself shelling out bucks for malware it couldn’t deploy without violating the Constitution.
The order [PDF] issued by Judge Hamilton makes it clear NSO has to hand over more than just its Pegasus code to WhatsApp.
As to category (1), as stated at the hearing, the court adopts plaintiffs’ definition of “all relevant spyware” as set forth in their motion: “any NSO spyware targeting or directed at Whatsapp servers, or using Whatsapp in any way to access Target Devices.” As also stated at the hearing, defendants have not identified a basis for limiting its production to the Pegasus program, or to any particular single operating system.
[…]
As to the timeframe of documents that must be produced, the court concludes that, at this stage of the case, the Richmark factors weigh in favor of production for “all relevant spyware” for a period of one year before the alleged attack to one year after the alleged attack; in other words, from April 29, 2018 to May 10, 2020. If, after reviewing the relevant spyware from that timeframe, plaintiffs are able to provide evidence that any attack lasted beyond that timeframe, plaintiffs may seek further discovery at that time.
hahahahaaaaaaaaaa
We can be sure NSO’s lawyers are now busy crafting extremely restrictive proposed protective orders to prevent WhatsApp/Meta for making this information available to the public via court filings, blogs posts, transparency reports, or any other options this company has at its disposal.
I imagine these motions (along with other efforts to seal docket entries) will be granted, since NSO has continually claimed its customers use its malware to target high-value targets like suspected terrorists and other violent criminals. But this court remains free to weigh NSO’s CYA statements against the brutal reality: that its malware is often used to target people governments don’t like, rather than the “terrorists” and “violent criminals” governments claim they’re interested in apprehending.
Equally amusing is the fact that the same court has denied NSO’s demands for any communications between WhatsApp/Meta and Toronto’s Citizen Lab that were initiated following the filing of this lawsuit. It’s easy to see why NSO would love access to these communications, considering Citizen Lab has constantly and continually exposed abusive NSO malware deployments over the past several years while also publishing whatever exploit code it’s been able to extract during these investigations.
But, as the court notes, NSO has already undercut its own argument for additional discovery on its end by attempting to move the goalposts to cover only perceived misuses against “civil society” by its customers. This attempt to obtain further communications is backed only by NSO’s perception of the tone of WhatsApp’s lawsuit, rather than its listed causes for action — allegations that cover not only “abusive” deployments of malware but also “legitimate” deployments that, nonetheless, occurred without the platform’s permission and definitely violated WhatsApp’s terms of service.
So, the lawsuit will move forward. And it’s NSO that obligated to start explaining itself — not just to Meta/WhatsApp, but the court itself. Now that there’s source code on the line, NSO Group might start examining it other options, the most likely of which would be paying WhatsApp a considerable sum of money while promising not to use the company’s US servers to deploy malware. Most entities, at worst, have to deal with the consequences often expressed as having to lay in a bed that they’ve made. But NSO’s actions exceed this idiom. NSO, for all intents and purposes, shat the bed before making it, which makes lying it it feel that much worse.
Filed Under: malware, pegasus, source code, spyware, surveillance
Companies: meta, nso group, whatsapp
As Free Speech Enthusiast Elon Plans To Release Twitter’s Source Code, Twitter Desperately Seeking Identity Of FreeSpeechEnthusiast Who Leaked Twitter Source Code
from the troll-speech-enthusiast dept
Ever since Elon Musk made his initial bid to buy Twitter, he’s talked about “open sourcing” the algorithm. He mentioned it last April in the first interview he gave, on the TED stage, to talk about his plans with Twitter. And since taking over the company at the end of October, he’s mentioned it over and over again.
Indeed, on February 21st, he promised that Twitter would release its “algorithm” as open source code “next week.”
And then, two weeks ago, he announced that “all code used to recommend tweets” will be released as open source on March 31st (i.e., this Friday).
Who knows if he’ll meet his deadline this time (he has a habit of missing deadlines pretty regularly).
However, over the weekend something vaguely interesting happened, in that it was revealed that someone had already, um, “open sourced” Twitter’s source code for it, by posting a repository of at least some of the code to Github. This was revealed in a DMCA notice that Twitter sent to Github, followed by a DMCA subpoena demanding the identity of the person who posted it along with any one who downloaded it.
Now, I initially wasn’t going to write about this. Leaks happen, and I think it’s perfectly fine for Twitter to issue the DMCA takedown for such a leak. But what caught my attention was the username of the leaker. According to the DMCA notice, the leaker went by “FreeSpeechEnthusiast,” and their account is (at the moment) still up on GitHub showing a single contribution on January 3rd (which makes me wonder if the code was sitting there for anyone to find for a whole month and a half):
That name choice takes this from a garden variety leak operation to an ultimate troll attempt against admitted troll Elon Musk. After all, Musk himself continually (if ridiculously) refers to himself as a “free speech absolutist.”
So, given both Elon’s repeated promises to reveal the source code and his publicly stated (if often violated) commitment to “free speech,” the leak of the source code by someone using the name FreeSpeechEnthusiast seems like it was designed directly as a troll move to Musk, goading him into exposing his own hypocrisy (which is way easier than many people may have thought).
Well played, FreeSpeechEnthusiast, well played.
As for the actual leak, again, it’s not clear how much source code was actually leaked or how problematic it is. As I understand it (and would expect) the full source code for Twitter is cumbersome and complex. Releasing a full dump of it would be difficult even if authorized, so I’m guessing it’s not everything.
And while you can find lots of quotes from “cybersecurity experts” about how this may expose vulnerabilities, my guess is that the risk of that is actually fairly low at first? Given enough time, yes, someone can probably find some messy code and some vulnerabilities, but Twitter had (at one time) lots of engineers who were focused on finding and patching those vulnerabilities themselves, and so whatever remains is likely nothing obvious, and anyone going through the code now would first have to figure out how it all worked, which may be no easy task in the first place.
Indeed, this is why, from the beginning, I’ve said that Elon’s promises to open source the code was mostly meaningless, because there are almost no examples of companies taking large, complex systems in proprietary code, and open sourcing them and finding anything valuable come out of it, because there’s so much baggage and complexity for people to even figuring out what the hell anything really does.
This is also why Musk’s announced plans to fix things that people find in the code he still promises to release this week also seems a bit silly, as there’s a reasonable interpretation of this as: “we fired everyone who understands our code, so we’re going to open it up to get engineers to clean up our code for free for the world’s richest man.”
It’s also why the better approach would have just been to improve the API and to allow more developers to build more tools, services, and features on top of Twitter code, but Elon’s already killed off that whole idea.
In the end, this particular story isn’t likely to be that big a deal, but it seemed worth commenting on solely for the lulz of the epic trolling job whoever leaked the code did in highlighting Musk’s hypocrisy. Again.
Filed Under: copyright, dmca, elon musk, free speech, freespeechenthusiast, leak, open source, release, source code, subpoena, troll
Companies: github, twitter
Trump Given 30 Days To Have His Social Media Site Comply With Open Source License
from the tick-tock dept
Plenty of people have raised concerns that Donald Trump’s sketchy new social media site, Truth Social, is just a lightly reskinned Mastodon, which is violating Mastodon’s fairly strict AGPLv3 license. As we had previously discussed, the aggressive (and sloppy) terms of service for the site claim that the code is proprietary, and even claims that “all source code, databases, functionality, software, website designs, audio, video, text, photographs, and graphics on the Site (collectively, the ?Content?) and the trademarks, service marks, and logos contained therein (the ?Marks?) are owned or controlled by us or licensed to us…”
Of course, part of the reason that Mastodon uses such a license is to encourage others to take the code and build on it if they abide by the terms of the license. And the nature of Mastodon’s license is that if you use it, you must make the complete source code available of what you build with it. The key bit of the license:
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
> a) The work must carry prominent notices stating that you modified it, and giving a relevant date. > > b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to “keep intact all notices”. > > c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. > > d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
It’s not clear that any of these conditions have been met. So, now the Software Freedom Conservancy has given Trump 30 days to bring the code into compliance — specifically by providing the source code to Truth Social to the early users who were able to sign up — or, under the license terms, Trump’s “rights in the software are permanently terminated.”
Early evidence strongly supports that Trump’s Group publicly launched a so-called ?test site? of their ?Truth Social? product, based on the AGPLv3’d Mastodon software platform. Many users were able to create accounts and use it ? briefly. However, when you put any site on the Internet licensed under AGPLv3, the AGPLv3requires that you provide (to every user) an opportunity to receive the entire Corresponding Source for the website based on that code. These early users did not receive that source code, and Trump’s Group is currently ignoring their very public requests for it. To comply with this important FOSS license, Trump’s Group needs to immediately make that Corresponding Source available to all who used the site today while it was live. If they fail to do this within 30 days, their rights and permissions in the software are automatically and permanently terminated. That’s how AGPLv3’s cure provision works ? no exceptions ? even if you’re a real estate mogul, reality television star, or even a former POTUS.
I and my colleagues at Software Freedom Conservancy are experts at investigating non-compliance with copyleft license and enforcing those licenses once we confirm the violations. We will be following this issue very closely and insisting that Trump’s Group give the Corresponding Source to all who use the site.
I think that’s called being put on notice. It will be interesting to see how Trump responds — and what happens next.
Filed Under: agpl, copyright, donald trump, licenses, open source, source code
Companies: mastodon, software freedom conservancy, truth social
One Developer Gets GTA3 And Vice City Source Code Un-DMCAd On GitHub
from the rockstar dept
The strange flip-flop by Rockstar Games on being open and cool with its fans continues. By way of context and a bit of throat clearing, recall that Rockstar is both the company that whipped out the ban-hammer on Grand Theft Auto 5 players over the use of mods, and the company that paid out money to a modder that fixed that same games long loading times. In addition, Rockstar is both the company that happily used intellectual property to try to silence a documentary while also being the company that enthusiastically embraced gamers making short films out of GTA footage.
In other words, when it comes to being open with the gaming and modding community surrounding its games, Rockstar has something of a dual personality. The restrictive side of the company is the one that showed up early in 2021 when a bunch of GTA fans managed to reverse engineer the source code for GTA3 and GTA: Vice City.
Deriving the source code through reverse-engineering was a huge milestone for the GTA hacking scene. Players would still need the original game assets to run either classic GTA title, but with accessible source code, modders and devs could begin porting the game to new platforms or adding new features. That’s exactly what’s happened this past year with Super Mario 64.
A week after the code went public on GitHub, Rockstar’s parent company, Take-Two Interactive, issued a DMCA takedown claiming that the reversed-engineered source code contained “copyrighted materials owned by Take-Two.” GitHub pulled the fan-derived code and all its related forks.
Entirely too often, that would be the end of the story. Modders and enthusiasts go out and try to do something cool with a Rockstar game, get their hands slapped, and give it all up. That didn’t happen in this case. Instead, one developer out of New Zealand, named Theo, issued a counter-notice to GitHub. Theo’s notice explained that, no, the code that had been produced did not contain the original work done by Rockstar. Instead, this was all brand new coding done by these fan-developers to produce essentially the same game. As Theo explained, this new code functions like the original source code, but is not identical.
As of now, Theo’s fork has been restored to GitHub. And, now, everyone waits to see if Rockstar wants to turn this all into an actual legal battle or not.
While it’s possible Take-Two could challenge Theo’s counter-claim in court at a later date, this is still a nice win for the Grand Theft Auto III and Vice City modding scene. It’s also another reminder that modders, pirates, and fan developers are often the only ones doing the work to keep old games around in an easily playable form.
One would hope Rockstar would see the wisdom in letting this go. It seems hard to imagine how this reverse-engineered code and it allowing modders to try and do new and interesting things with two games that are 20 years old at this point could somehow be a serious threat to Rockstar. More to the point, this is an opportunity for the company to instead embrace and encourage its fans to do these new and interesting things, potentially keeping alive the interest in these games and the franchise as a whole.
As to whether Rockstar will see the wisdom in that, well, for now we wait.
Filed Under: copyright, dmca, gta, gta3, source code
Companies: rockstar
Good Idea: As Video Game Preservation Often Falls To Fan Groups, Release Every Game's Source Code
from the pirate-preservation dept
When it comes to the video game industry, there has been some recent recognition that copyright laws and the ways that publishers utilize them have hampered the ability to preserve this sort of art. In the olden days of a decade or so ago, the challenges around preserving video games centered around both the publisher’s unwillingness to allow a group access to source code to preserve a game and the deterioration of physical game media. But in these modern times, this has changed. Now, the challenges are the publisher copyright question… and that same publisher’s ability to simply stop supporting the online resources modern games and platforms require to run. Given the ongoing war on emulators by the likes of Nintendo and a rather insane industry stance that preservation is trumped by copyright concerns, there is a very real risk of losing the ability to preserve video game history at all.
Recent rumors that Sony is going to shut down online stores for a bunch of old hardware, has thrown the question of what happens to digital purchases in sharp relief.
Yesterday, TheGamer reported that Sony has plans to shut down the online PS3, PS Vita, and PSP stores that service those older consoles. While this has yet to be confirmed, and Sony has not responded to Kotaku’s request for comment, the internet discourse around this potentially troubling news immediately began to swirl.
If these stores go away, PS3, PS Vita, and PSP players will be unable to purchase new digital games. While there aren’t yet concrete details about what, if anything, is happening, the rumors have many PlayStation gamers understandably worried about the continued viability of their digital purchases.
Add to all of that the question of game preservation. With purchases being digital and potentially just going away at Sony’s whim, and with source code locked up by developers and publishers… what happens to antiquated PlayStation games when the cord is pulled? How would a museum or interest group preserve these games? How will future generations be able to enjoy and participate in this art?
The answer, of course, is piracy.
This kind of real preservation is rarely done by corporations. Instead, communities form around games and keep them alive for years beyond their normal commercial lifespans. These people are doing some impressive things. Look at the continued work on the unofficial but fantastic PC port of Super Mario 64. Or just a few days ago, The Hidden Palace uploaded over 700 PlayStation 2 game prototypes and dev builds, uncovering and preserving a huge bit of game history in one fell swoop.
Meanwhile, publishers like Nintendo use lawyers to crack down on the availability of emulator-playable ROMs for games that are no longer sold. Nintendo even explicitly limits how long it will sell certain games. None of this helps preserve these works. In fact, it actively hurts efforts to do so.
And so the public’s interest in video game preservation sits on a single train track, with the copyright enforcement train hurtling towards it from one direction and publishers’ decisions to stop supporting the online resources needed for digital purchases from the other. The result, if left alone, will be a train wreck, at least as far as the public interest is concerned.
So, what’s the fix? Well, as per usual, the fix would be for game developers and publishers to give up just a bit of control over their products in a way that would allow preservation to occur.
Release all games on PC, preferably alongside their source code. Having PC game releases with source code would make certain aspects of game preservation much easier, and could allow even the oldest games to survive for decades to come. It frees games from being tied to one single platform or the whims of whatever capitalist entity published it.
This isn’t a wild, unproven theory. One of the most-ported and played classic games is the original Doom. id Software released its source code back in 1997, only four years after Doom’s launch. Since then fans have created numerous “source ports” of the game, to the point that Doom’s now playable on almost any device with a screen.
As a result, Doom has also stayed relevant. That’s important, because while the source ports have made it extremely easy to play Doom without buying it (all it takes is a quick search to find the necessary content files) that hasn’t hurt the IP. I’d argue the opposite! One possible reason Doom is still around—and we just got a big DLC expansion for the series’ latest game, Doom Eternal—is people still give a shit about Doom in 2021. And people still give a shit because it’s incredibly easy to play Doom. It’s only a few clicks away and its enthusiastic community has taken its source code in directions id never imagined.
This doesn’t directly solve the PlayStation problem, of course, though there are avenues to explore there as well. But it’s at least a start towards giving the public the tools to do the game preservation themselves, since developers and publishers often are incapable or unwilling to do it. And, as the Kotaku post notes, this should be seen not as some threat to the gaming industry, but a boon. Doom is the perfect example as to why.
But, regardless, it is well past time that we do something about this. It is not tenable that we lose what is now a couple decades worth of art preservation just because it’s being sacrificed at the copyright altar.
Filed Under: archives, copyright, emulators, history, piracy, playstation, preservation, ps vita, ps3, psp, source code, video games
Companies: sony
Federal Court Says State Regulation That Compels Production Of Code May Violate The First Amendment
from the weird-twist-but-an-important-one dept
A rather interesting First Amendment opinion has been handed down by a federal court in Arizona. (h/t Volokh Conspiracy)
At the heart of it is new mandates for data sharing and data protection by car dealers. In 2019, the Arizona state legislature passed the Dealer Data Security Law, which mandates changes to dealer management systems (DMSs), including the institution of protective measures to limit breaches or leaks of sensitive data held by car dealers.
The law also requires DMS providers to integrate with third parties (like the dealerships themselves) and adopt standardized processes that will facilitate these integrations and improve compatibility between systems. The plaintiffs — two DMS providers — sued the state’s Attorney General (along with the Arizona Automobile Dealers Association) claiming this new law violated the Constitution by compelling speech, namely the creation of new computer code and documentation.
And so, this law and its good intentions (more compatibility, better protection of sensitive data) is possibly on its way to being declared unconstitutional. As the court sees it [PDF], compelling the production of code violates the First Amendment.
Plaintiffs have sufficiently alleged that the Dealer Law abridges their freedom of speech. Plaintiffs claim that the law violates their free speech rights three ways: (1) by abridging their protected interest in exercising editorial discretion in the content of their computer systems; (2) by requiring that Plaintiffs draft code to facilitate disclosure; and (3) by functionally mandating that Plaintiffs write documents explaining the new standards they have adopted to comply with the Dealer Law. Because Plaintiffs’ second proposed interest is sufficient to support its claim, the Court need not address the other assertions.
The court points to previous decisions by federal courts finding that software code is not only expressive, but worthy of First Amendment protections. Not all code falls under these protections, but the demands made by the state appear to do so in this case.
Plaintiffs have sufficiently alleged that the code they must draft to comply with the Dealer Law communicates substantively with the user of the program. The Amended Complaint alleges “Plaintiffs must draft code to receive and respond to requests from `authorized integrators’. . . who will interact with the code by commanding it to communicate the information they choose to request.” (Doc. 121 at 51.) It also states that the code will express the creative choices of the software developers and communicate those choices “to those who would access the Plaintiff’s DMSs, as well as to other third-party programmers.” Id. at 52. Taken as true, these allegations sufficiently allege a protected interest in the content of the code.
The AG argued there’s no First Amendment violation here because the law does not tell DMS providers what to say. It only orders them to adopt a data sharing framework that complies with the law. According to the AG, this merely mandates function and access, not how this is accomplished.
Wrong, says the court — at least at this stage of litigation.
Plaintiffs’ allegations go beyond the functional capability of their code because they claim users will interact with their program in a substantive way. Defendants’ arguments that the Dealer Law is more properly considered a regulation on conduct therefore amount to disagreements about the factual consequences of the law and the drafted code.
It may be several months before this is resolved, but these arguments against the government’s intrusion into private parties’ software code has implications that reach beyond the specifics of this case. This is the same argument Apple made when fighting against the federal government’s attempt to compel the production of an encryption backdoor in the San Bernardino case.
Under well-settled law, computer code is treated as speech within the meaning of the First Amendment…. The Supreme Court has made clear that where, as here, the government seeks to compel speech, such action triggers First Amendment protections….. Compelled speech is a content-based restriction subject to exacting scrutiny… and so may only be upheld if it is narrowly tailored to obtain a compelling state interest….
This may find its way to the appellate level if the state is unwilling to take a loss in the lower court or if the plaintiffs’ First Amendment arguments are ultimately unsuccessful. Once courts start deciding code isn’t speech, they invite the government to engage in far more nefarious proxy tinkering than the mild regulatory intercession on display here. Important constitutional questions are often answered during cases like these — ones without national attention or particularly compelling plaintiffs/defendants. But they still need to be answered and courts still need to consider the long-term effects of their decisions. The First Amendment protects a lot of code, even code targeted by something more benign than a demand for an encryption backdoor.
Filed Under: 1st amendment, arizona, compelled speech, dealer data security law, free speech, source code
Cybersecurity Firm Finds A Bunch Of Clearview's Secret Stuff Sitting Around In An Poorly-Secured Cloud Storage Bucket
from the just-scraping-it-from-the-unsecured-web-so-to-speak dept
As if we needed any further evidence that Clearview is a terrible company. The web-scraping, facial recognition provider has been pitching its unproven tech to an assortment of law enforcement agencies, one-percenters, and questionable governments for a little while now. It shows no sign of slowing down either, no matter how many people (including members of Congress) are now aware of its business practices and cheerful exploitation of billions of images found all over the web.
Someone grabbed a few internal Clearview documents and shared them with BuzzFeed earlier this year. Maybe they shouldn’t have bothered. Clearview likes harvesting data and images as quickly as possible. But it’s apparently less concerned with keeping its scraped stash secure from outsiders. As Zack Whittaker reports for TechCrunch, Clearview’s internal files have been accessed by a security researcher, giving us yet another reason to distrust Hoan Ton-That’s company.
Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting allowed anyone to register as a new user to log in to the system storing the code.
The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.
If you’ve ever wanted to roll your own affront to humanity, Clearview helpfully left a starter kit out in the open. Of course, it’s nothing without a few billion scraped images, so it’s not exactly an all-in-one-kit. Maybe some Clearview insider could have hooked Hussein up with its stash of personal info. Couldn’t have hurt to ask. And he could have. Included in the repository were the company’s Slack tokens, which would have allowed anyone to access the company’s internal communications. Also included in the storage buckets: 70,000 security cam videos of residents entering and leaving a residential building.
Hussein did disclose this issue to Clearview, but declined to take the offered bug bounty since it would have forbidden him from publicly discussing his findings. For refusing to shut up, Hussein was thanked by being called a criminal by Clearview’s founder.
Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.
Lovely. Well, I’m sure this won’t be the last public gaffe by the Company Most Likely To Trigger New Privacy Legislation (State or Federal). People have seen things Clearview never wanted them to see. And they’ve shared this stuff with the public, which now knows quite a bit about this app-based embodiment of oversharing and the damage done. It’s in the midst of a very Ring-esque news cycle where every bit of new reporting makes it look even worse. But unlike Ring, it doesn’t have the billions of Amazon to back it when its fortunes start to fade.
Filed Under: facial recognition, leaks, mossab hussein, security, source code
Companies: clearview, clearview ai, spidersilk
Techdirt Podcast Episode 227: Rep. Mark Takano On Tech In Congress
from the teaching-lawmakers dept
With all the misconceptions, political projects, and flat-out panics about tech in Congress these days, it sometimes feels like any positive legislative progress regarding technology is impossible. But once in a while you find a lawmaker who is out there pushing smart bills about tech, such as one that aims to help solve this whole mess by restoring and redesigning the Office of Technology Assessment to help educate Congress in the digital age. This week, we’re joined by Rep. Mark Takano to discuss his plans to bring tech literacy back to Congress.
Follow the Techdirt Podcast on Soundcloud, subscribe via iTunes or Google Play, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.
Filed Under: evidence, mark takano, ota, source code