Download: Episode 71.
This week Audrey and I chat about Las Vegas Hotel security issues during DefCon, Foreshadow speculative execution vulnerability, and issues with the music industry business model and copyright.
Show Notes
- [01:06] Devopsdays Portland – SEPTEMBER 11-13, 2018 – RECOMPILERFRIENDS 20% discount
- [01:54] Community Event Planning pre-order
- [02:34] Survey for event organizers
- [03:15] Call for Contributors, Issue 12 Machines and Things
- [04:09] In post-massacre Vegas, security policies clash with privacy values – The Parallax
- [07:48] Open letter to the Hacker Community. | Marc’s Security Ramblings
- [22:15] Chris Dagdigian on Twitter: “this happened to me as well at a Marriott owned hotel property…”
- [23:33] Foreshadow: Breaking the Virtual Memory Abstraction with Transient Out-of-Order Execution
- [31:07] Artists Made Only 12% of Music Industry Revenue in 2017, Citigroup Report Finds | Pitchfork
- [40:01] Recording Industry Hypocrisy On Full Display In Continuing To Push The CLASSICS Act That Expands Copyright | Techdirt
- [50:17] USB Dongle Authentication
- [51:36] Two Factor Auth List
- [54:09] Thru-hiking the US/Mexico border
- [56:04] Natives Outdoors
- [32:45] PUTTING THE BAND BACK TOGETHER: Remastering the World of Music (pdf)
Now Broadcasting LIVE most Fridays
We broadcast our episode recordings LIVE on most Fridays at 12pm PT. Mark your calendars and visit recompilermag.live to tune in.
We love hearing from you! Feedback, comments, questions…
We’d love to hear from you, so get in touch!
You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to podcast@recompilermag.com.
Transcript
CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.
Hi, Audrey.
AUDREY: Hi, Christie.
CHRISTIE: It’s Thursday; it’s not Friday. It’s Thursday, August 16th, about 3:30 Pacific Time. We are doing our live recording of Episode 71 of The Recompiler podcast.
AUDREY: We’re having a happy early recording day.
CHRISTIE: Yes, because I got stuff to do this weekend. But before then, we’re going to talk about Las Vegas Hotel security issues during DefCon, Foreshadow – another speculative execution vulnerability, and issues with the music industry business model and copyright. First, I bet you we’ve got some announcements.
AUDREY: We do indeed. DevOpsDays Portland is coming up less than a month from now. Christie and I will both be attending. We are very excited about this edition of the series of events where people who work in software, ops, a mix of all of those things and want to improve their skills and learn from their colleagues. So we have a discount code: RECOMPILERFRIENDS will give you 20% off. I have not checked to see if there are still tickets available but I do expect that they’re going to sell out. And we have a ticket giveaway that’s running through August 20th. There will be a link in the show notes where you can put your name in.
CHRISTIE: It is possible this will publish after that. But good luck to those of you who have entered. And then, we are still doing our pre-order for the second edition of our Community Event Planning book. So, get on that. This group gets the pre-orders, right? Or the previews rather?
AUDREY: Yes. This group gets the previews. Once we start sending out previews, it will not be possible to pre-order until we get an actual publication date for the book, a firm publication date for the book. So if you wanted to see what we were doing as we do it and see the pieces come together, start using it in your own events, then the pre-order is the best way to make sure that happens.
CHRISTIE: Link in the show notes. And then to go along with that, we are running a survey for event organizers. Tell us a little more about that, Audrey.
AUDREY: The survey is our way of reaching out to a broader spectrum of events communities that we’re not necessarily involved with personally and to understand the scope of the kinds of events that people are doing in technology communities and other areas like fandom, labor organizing, media in general, media and arts, and to see what they have learned about sustainability, about hospitality that is creating a welcoming environment, and what kinds of things that they would like other organizers to know.
CHRISTIE: Awesome. So, find a link to that in the show notes. And then last, we’ve got an open call for contributors, don’t we?
AUDREY: We do. There’s a couple of weeks left on that, as well. We are doing for our last issue of the year: Machines and Things. It’s sponsored by CentOS. We don’t often have an issue sponsor but I appreciate the help that they give us to make sure that we had our full year of publishing this year.
CHRISTIE: Awesome.
AUDREY: And so for Machines and Things, we are going to talk about machine learning, the internet of things, and the combinations of all of those things that have to do with mechanization, automation, the material and digital aspects of that.
CHRISTIE: All right and that’s open for a while right through September.
AUDREY: Yeah, early September.
CHRISTIE: All right. So, our first topic today: DefCon, which is one of the annual big security hacker conferences, happened last week in Las Vegas. And usually, there’s some kind of news that comes out of DefCon. This year, the biggest thing I was noticing is people talking about some new security procedures in place after the mass shooting that happened last October. Did you catch some of this, Audrey?
AUDREY: No, but I was backpacking for three days.
CHRISTIE: That’s right.
AUDREY: So, there’s a few things that I missed until I came back and you told me about them.
CHRISTIE: Well, that sounds a lot better than having your privacy invaded in a hotel in Las Vegas.
AUDREY: Privacy in the middle of the woods is a little bit of a different thing.
CHRISTIE: Yes, different situational awareness model there. So, I started seeing tweets basically about hotel security staff coming into rooms regardless of whether or not the ‘Do Not Disturb’ sign was up and doing things from something as sort of hands-off as a visual inspection to even more going through people’s belongings, taking photographs, things like that.
AUDREY: And that does sound pretty invasive.
CHRISTIE: And it turns out to be partially as a result of a definite security policy change that has been implemented after the mass shooting basically in direct response to that where basically the hotel staff wants to have visual inspection, visual review, whatever, of rooms basically at least once a day. So if you deny housekeeping or have the ‘Do Not Disturb’ sign up for an extended period of time, they’ll send security staff. It’s unclear to me if they’re having security staff inspect in addition to housekeeping, like housekeeping is kind of the first line. But it also sounds like these policies are not being implemented consistently and that possibly, there was heightened overreach specifically because of DefCon and DefCon’s audience.
AUDREY: DefCon does have a reputation in terms of the attendees trying to hack into things. I mean, it may be a sign of physical security problem but certainly a communications security one.
CHRISTIE: So you can kind of see how this would happen. I think DefCon has been going on for quite some time and has been going on for quite some time in Vegas. So it has a reputation, I guess, for lots of different kinds of stuff going on. Anyway, a couple of issues came to mind for me around this one. I think it’s really important that people, at least, know about these new policies.
AUDREY: Right, and it didn’t seem like the conference organizers or attendees had really any sense of what was going on until they found themselves with security folks trying to get into their room.
CHRISTIE: Right. And in fact, one of the organizers, Marc Rogers, I don’t know what role this person has presently, but wrote a thing saying basically like, “I wasn’t aware of this but I should have been,” and basically offered a resignation. It’s unclear whether or not the committee is going to take him up on that. He basically said like, “I should have known about this and we should have done a better job communicating and working with hotel staff.”
AUDREY: So he’s taking responsibility. And it seems like the follow-up that I saw from the organizers was that they were having very active conversations about what’s going to happen next year.
CHRISTIE: Let me look at DefCon’s Twitter real quick because I saw an update like yesterday. They’re tweeting about a lot more. I’ll have to find it and put it in the show notes. But yeah, they do seem like they’re taking an active role in working with the venue and whatnot because there are a couple of different issues. I think it’s one thing for the visual inspection. I mean, we can argue about whether or not that is mostly [inaudible] or if it will have a real impact. But they definitely were searching people’s belongings. People were reporting that at times, they were getting significant pushback when asked for identification and when asked for verification of the people requesting to view the room.
AUDREY: In some cases, they weren’t making a request at all. They were just opening the door.
CHRISTIE: Yes. So there’s sort of the issues around that and around Caesar’s Palace and the other chain of the other hotels involved doing a better job with that. And then for me, it also sort of reminded me just about personal security things because I travel. I occasionally stay in hotel rooms for work. And there was something that I was already doing, but knowing that this might become more of a thing, what steps can I take in addition or whatever? So I thought that would be interesting to talk about, like using the deadbolt and the…what’s the thing that’s like a lever and it kind of goes over the…I don’t know what that apparatus is called.
AUDREY: I’m not sure either.
CHRISTIE: The thing where when you go to open it from the outside, it catches.
AUDREY: And you can even use it to leave your door open too if you’ve got friends running back and forth.
CHRISTIE: Yeah, or you’re trying to unload luggage or whatever. Whatever that thing is called. It’s certainly not…
AUDREY: I guess, sliding latch.
CHRISTIE: Yeah, the secondary latch in addition to the deadbolt. I always use that when I finally go to sleep but I might start doing it just all the time I’m in the room because it gives you an actual…you know, someone can’t just totally open the door all the way. You told me about the door knob alarms?
AUDREY: I’ve seen those recommended for people that are traveling in just anywhere in the world where they feel a little bit less secure about the place that they’re staying, whether it’s a hotel or somebody’s home. And one of my grandparents used it as a safety measure, too. They’re nice because there is just a thing that you can stick in the pocket of your luggage and then turn it on. And if somebody tries to open the door, the alarm goes off. You really only can usefully use it once you’re in the room. But any time that you’re just worried about that door getting opened and not knowing when you’re in the room, so you can sleep comfortably. They seem like a really good option.
CHRISTIE: And they’re basically a little device that has kind of like a loop so that you can hang it on. I don’t know how well it would work on a doorknob that wasn’t the lever kind if it were just a round thing. But I could see how it would work on the lever kind.
AUDREY: Oh, yeah. When I’ve seen it before, it was on a regular door knob and it was great.
CHRISTIE: Okay. And they’re not that expensive. So that’s one thing. Another tip I saw was bringing a door stopper and they have door stoppers both for like tile and a hardwood and then also for carpet that has like some teeth on it. So it’s another thing you do is you can…because usually, they’re used to wedge doors open but you can also make it so there’s an extra bit of friction and resistance if you try to open a door.
AUDREY: And even if your goal is just that nobody can open the door on you when you’re trying to change your clothes or take a shower. I think if you stay in hotels much, you at some point have that experience with housekeeping where they knock and they open the door too fast and you don’t have a chance to say, “Wait. Give me a minute. You don’t want to open the door yet.” And so, anything that just helps you have a little bit of time that way I think is good. I mean, there is always going to be somebody that makes the security argument that [inaudible] they can inspect exactly how they want to when they want to do that they’re not securing things appropriately. But when we’re talking about personal safety, that’s just pretty ridiculous.
CHRISTIE: And then some other things I saw are I think you need an extra basically mobile device but there’s programs you can get where they must use the camera to respond to motion detection, start recording video or video and audio. I think we might have even talked about one of these on the podcast.
AUDREY: Yeah, there are home security systems that work that way.
CHRISTIE: Yeah. And so bringing something like that, that is actually how some of this reporting about what the DefCon hotel staff were doing came to light because some people had these devices and caught video of the security staff or whatever rifling through stuff.
AUDREY: Being able to actually know what they were doing instead of just what they claimed.
CHRISTIE: I think that’s sort of more on the ‘if your threat profile or whatever is higher’.
AUDREY: Even if you’re just traveling with stuff that’s pretty valuable and you’re worried about theft, incidental theft. Even under the best circumstances, housekeeping will leave rooms open while they go get towels and things like that. And so, if you’re worried about that kind of physical security then having some kind of monitoring could be good.
CHRISTIE: And then there’s a few other things I do. I always tidy things up so that like it’s not super obvious if I do leave stuff in the room like what exactly I have left. I always make use of the room safe to put things. I figure if somebody is really set on stealing something, that won’t necessarily stop them but it will stop opportunistic theft.
AUDREY: We were talking about it before and you mentioned some of those things and I thought it was interesting that we have somewhat different travel strategies for this. If I have something with a password and encryption, then if I leave it in the room or not I think, “Well, it’s going to be really inconvenient if it gets stolen,” but nobody’s going to actually get into it. And anything that I can carry with me, I do. I very rarely leave anything that I would be concerned about losing in a hotel room and I plan my travel packing that way too so that there is very little that if I lost it, it might be expensive and inconvenient but it wouldn’t make me less safe. And some of that is that I don’t stay in hotels that much. I often stay in hostels or different kinds of Airbnb type stuff. And I’ve done some couch-surfing, too. And so, I don’t usually assume that things are secure if they’re in a hotel room. And I definitely try to plan so that it’s not going to be a lot of work or stress to deal with that.
CHRISTIE: And for me, I always have to weigh the risk because things can be taken from you if you have them with you too or you can lose them. And so, I’m always weighing what’s the risk of having something with me versus not, versus in the hotel. If I’m traveling for an extended period of time, I don’t exactly want to carry all my medication on my person. If someone manages to rip my backpack off my shoulder, that’s not great. I always travel with my passport and a copy of my passport. And I keep them in different locations separately. So I think it just all depends on your particular situation, what your strategy should be.
AUDREY: Just both what your profile is and what your needs and your ability are. I can take advantage of being able to carry around quite a bit in a backpack before it’s uncomfortable for me. I have a lot of different kinds of backpacks and bags so that I can make carrying a lot of stuff look like it fits in, things like that. So what’s going to work for one person won’t work for everyone.
CHRISTIE: Right. There isn’t really necessarily a universal set of recommendations.
AUDREY: But maybe more just a series of things to be aware of, like we were hearing from this response after folks reported things that DefCon hotels are interested in doing this. They are interested in being able to search rooms whenever they want, doing inspection of some sort of rooms daily in a way that maybe they hadn’t before. And while I think that’s pretty silly, I also think that if you’re staying at a hotel that has declared their interest in doing that and maybe put it in the room contract some place you haven’t noticed that you should be prepared for that to happen.
CHRISTIE: Right. And if you’ve been used to declining housekeeping service either by telling them anytime and/or putting the ‘Do Not Disturb’ sign up, know that that’s now considered a red flag. One thing I saw and I can’t remember where it was. It might have been in the Parallax article on this that someone suggested that this was less about actually improving the security but in reducing liability in case a future thing like that happens again.
AUDREY: Yeah. I saw that too and I thought that often seems to be the reason for these kinds of things.
CHRISTIE: Yeah. And I found that pretty frustrating because it’s like we end up putting so much energy into these side channels when the real problem is the availability of these kinds of weapons.
AUDREY: It’s sort of interesting, like guns are allowed in hotels, I guess.
CHRISTIE: Yeah.
AUDREY: I was thinking about this too like what’s the threshold that everyone’s going to go. Oh yeah, that. That’s a hazard.
CHRISTIE: I’m not actually sure guns are universally allowed in hotels. I’m curious about that.
AUDREY: I guess what I mean is if they aren’t, then they could try to control what comes into the building in the first place.
CHRISTIE: Oh, God. Can you imagine having to go through TSA-style security every time you go in and out of the hotel?
AUDREY: That does sound pretty awful.
CHRISTIE: It sounds like a nightmare. I think I saw someone say and I thought this was in reference to firearms that they went to check, like the procedure was to check them into the hotel safe, gun safe or whatever, but that it was already full by the time they got there. It hasn’t even been a year since that happened and I think we will potentially continue to see fallout from it.
AUDREY: Of different sorts.
CHRISTIE: Yeah, because these operators own hotels in other cities and I could see policy rolling out to other cities through that. And then when norms change, they tend to change across the board or in bigger ways.
AUDREY: It reminds me a little bit of some stuff that I’ve read about the architectural impact of anti-terrorist security and how buildings are built differently and events are organized differently. And I know not everybody’s going to automatically label mass shootings as terrorism but they certainly act quite similar. Same tactics. So, I don’t know. I think sometimes we just don’t notice how much things are changing around us and not just like what the human impact is of having mass shootings or having terrorist attacks happening. But the way that it changes the landscape around us, that going to a hotel can be different next year than it was five years ago for reasons that don’t have a lot to do with hotels and hospitality.
CHRISTIE: Right. One other thing I saw this whole discussion kind of brought up other security things that can happen at hotels and this one caught my eye. This is Chris Dagdigian, “This happened to me as well at a Marriott owned hotel property. Basically the scammers penetrate the VOIP phone system of the hotel and then go room-dialing to look for victims and the calls appear as if they’re coming from the hotel front desk.” They’ll call and then basically try to trick people into giving credit card information or whatever. And I just thought that was worthy of surfacing because it made sense to me soon as I heard it but that was not a thing I had heard about before.
AUDREY: Yeah and there are a number of hotel safety things that come up about letting, maybe not letting other people know what room you’re staying in because once you’re in the building, you have access to all the floors potentially. There’s just lots and lots of those kinds of things. And it is worth noting that there’s a lot of layers.
CHRISTIE: Definitely. We’ve got another security topic as we kind of thought it would be. The speculative execution vulnerabilities that first came out earlier in the year in January as just the gift that keeps on giving.
AUDREY: They continue to have all sorts of new variants.
CHRISTIE: Yes.
AUDREY: Although this one comes with a really great video.
CHRISTIE: Yeah, the video. I was wondering, and it’s not branded by however the last one was branded. So I was like, “Who’s making these? These are pretty good.” Are you talking about the one on the main website?
AUDREY: Yeah. ForeShadowAttack.eu.
CHRISTIE: Yes. So this one’s called Foreshadow, and it actually has two distinct set of researchers independently discovered the vulnerability and developed proof of concept attack. And one of them actually first notified Intel before the Spectre and Meltdown vulnerabilities were made public.
AUDREY: I wonder why that is that a bunch of people started poking at the same sorts of things at the same time.
CHRISTIE: I was wondering that too and I didn’t have a chance to look into it more but it got me thinking, “Is it just one of those things?” I think there’s a term for this where like the sort of critical mass just hits a point and then a bunch of people arrive at a particular discovery or paradigm change or whatever kind of at the same time.
AUDREY: Yeah, maybe there’s an area of research that’s become important or people have become very aware of. And so, they’re all working in that area and that could definitely mean that they all start to discover the same things.
CHRISTIE: Yeah. I think this one is Intel specific and it is related to these Software Guard eXtensions, SGX. From the Foreshadow site, they say, “SGX is a Trusted Execution Environment (TEE) that enables secure program execution in untrusted environments. The program and the data it operates on are placed inside a secure enclave. There they are protected from modification or inspection, even in the presence of highly-privileged adversary corrupting the operating system, hypervisor, or firmware.” So basically, Foreshadow uses speculative execution techniques to get information through the L1 cache about what’s supposed to be the secure enclave.
AUDREY: It seemed like this was particularly important to virtualization and shared hosting environments or shared…what do you call them? Like the virtual machine?
CHRISTIE: Yeah, shared computing environments. I’m not sure if there’s another. And then, the researchers who initially discovered Foreshadow demonstrated the vulnerability on this SGX system and then subsequently researchers found a bunch of variants basically and the L1 cache is the thing that kind of unites them. So you can also use some more methodology to get stuff related to the System Management Mode, the Operating System’s Kernel and other Virtual Machines. So they call that Foreshadow-NG. Information about this was embargoed and coordinated. So when it was announced, there’s also a bunch of operating system updates that came out, which I think is how you found out about it. Right, Audrey?
AUDREY: I found out about it because…yeah, kind of. Digital Ocean sent an e-mail to all customers saying that they were aware of this. They were mitigating it. I think that they might be in one of the groups that Intel mentions they’re working with on some of the specific modifications that they’re going to need, that they’re testing some things out before they roll them out to everybody. But yeah, there’s some immediate patches that folks can do.
CHRISTIE: It’s my understanding that there’s software mitigation available now or shortly and that the rest of it has to be addressed with the sort of other speculative execution hardware level things that it really just can only be fixed with a new generation of chips.
AUDREY: But I think some of the virtualization stuff specifically, there are some things that are happening like a couple of different steps. One of them is just to make it so that the shared environment is less shared. And then the next one is about those software mitigations that were easier to do on standalone servers, but they need to do some additional things for the virtual environments. And then the chip level stuff to come later.
CHRISTIE: So, Intel put out some very specific stuff about this and then the Ars Technica article is pretty good too. I added that to the show notes after we talk, so you may not have seen that yet.
AUDREY: Yeah.
CHRISTIE: I’m still really curious. I know researchers have kind of been working on this different stuff for a little while. I tweeted about this and someone linked to me some papers like from 2007. But I’m really curious like how much are the severity of these speculative execution class of vulnerabilities? How much of that is something that we could have seen ahead of time and how much is a result of just the complexity of the processor environment and architecture now? Do you know what I mean?
AUDREY: I thought that there was something that we had talked about originally with Spectre and Meltdown about some concerns more generally about speculative execution that had come up early on that is being implemented. I don’t know how [inaudible] that ever got.
CHRISTIE: Maybe I’ve already explored this issue and answered and forgotten.
AUDREY: Then you’ll go back and you’ll find it.
CHRISTIE: Yeah, it’s a good thing we do a podcast where we talk about this stuff.
AUDREY: And we have transcripts so you can search.
CHRISTIE: Yes. All right. So keep an eye out for potential operating system and maybe firmware updates, things like that.
AUDREY: Yeah, and read the emails from your hosting providers when they talk about security updates.
CHRISTIE: Yes.
AUDREY: Those are often good and important. Also if you haven’t watched the video, I really liked the little Pacman style explanation they had.
CHRISTIE: Yes.
AUDREY: The speculative execution and the specifics of this one.
CHRISTIE: Yeah, I thought they did a really good job of breaking that down and explaining it. I always liked nice visuals.
We have one non-security related topic. Kind of a combo of things. Last week, I started seeing this thing go around about how artists only make 12% of the music industry revenue in 2017. I’m not sure I could ever actually…oh no, I did find the report. Citigroup, which makes me a little distrustful of this — who knows if that’s rational or not — put out this report. They call it Putting the Band Back Together: Remastering the World of Music. Lots of puns there.
AUDREY: And it’s just an analysis of what? Revenue licensing?
CHRISTIE: Yeah, kind of like how much revenue the music industry makes and where it goes basically and how does that compare to previous years, too.
AUDREY: So apparently that 12% is an improvement.
CHRISTIE: Right. I like visuals. But this one…and I don’t know if you saw it, Audrey.
AUDREY: Which link? I’ll go ahead and open it.
CHRISTIE: Well, I’m looking at the report from Citibank but that’s not the only [inaudible]. How do I send this to you? Great live radio right here.
AUDREY: The problem is that you can put it in our show notes document. You can put in Signal or you can put it in Zoom’s chat.
CHRISTIE: I know. It’s like the fourth page of this PDF. And I think they’re trying to make it look like an equalizer. But this is the most confusing freaking graphic.
AUDREY: Oh, yeah.
CHRISTIE: And on the bottom they have this guitar. They’re being way too cutesy here. Some graphic designer got way too stoned.
AUDREY: That’s very, very [crosstalk].
CHRISTIE: Yeah.
AUDREY: Wow.
CHRISTIE: So, it’s not just me, right?
AUDREY: No, you definitely have to think about it, especially because these colors are used in both the left and the right graph to mean different things.
CHRISTIE: Oh, my God. I hadn’t even…And then they have these play buttons that I’m pretty sure mean nothing. It’s just there being cutesy.
AUDREY: I’m clicking.
CHRISTIE: Take those out of there.
AUDREY: I agree. This is very confusing. You can put it in the show notes and people can appreciate. Oh, jeez. I scrolled down another page. This real world versus ideal world deal where apparently the artist is going to go to the bathroom.
CHRISTIE: Oh, my God. Okay. All right.
AUDREY: Sorry, that’s probably a bad interpretation.
CHRISTIE: No. They’re the bathroom icons.
AUDREY: Like in the ideal world. The artist makes music and then there’s a bathroom. And then money happens.
CHRISTIE: I’m really tempted to print out the icon of the artist singing [inaudible] and put that on our bathrooms here at the house.
AUDREY: People sing in the shower, I think would actually be great for that. You definitely should put this in the show notes so people can see for themselves. There’s a lot going on here.
CHRISTIE: Anyway, the whole point of this is that artists, it’s their intellectual property basically, their artistic work. They make a pretty small slice of the pie. And the origin of that also…I don’t…I’m not sure…I think the report goes into this but basically like it was another way that people start talking about how shitty streaming is for artists that they get paid like fractions of cents every time a track is played and that really only adds up to anything material for only very, very, very popular artists. And so, it got me thinking again about that. And I think I had seen this go by a back a couple of times and I was like, “Yeah, whatever.” And then somehow David Crosby from Crosby, Stills, Nash, some tweets from him popped up that’s basically saying, “That’s why I am not on streaming,” or whatever. And it just sort of reminded me again that maybe I should buy music and buy it for download or buy records or CDs. It’s a thing you can still do.
AUDREY: It is. Although it’s funny, Lucas went to the local record store the other week to try to buy something and they said we don’t have it and he was like, “Okay. Really?” “Yep, sorry.” I thought they’d at least offered to order it.
CHRISTIE: And they didn’t?
AUDREY: No.
CHRISTIE: Ha!
AUDREY: So then he went and bought it online.
CHRISTIE: Interesting.
AUDREY: One of the things that caught my attention about this report before, even the changes and lessons it create is that the reason that artists are making more money than they were, relative to the total pot has to do with performances that basically the way that people are making money is by touring and touring and touring. And live performance is the best financial deal for them. But obviously, very physically and mentally exhausting. And so, people effectively they’re doing more work so that they can actually get paid.
CHRISTIE: And I think a big part of this is related to who actually ends up owning the intellectual property when a real record deal happens and when things are distributed.
AUDREY: It’s amazing to me that that is still an issue because I’ve been hearing about it, as long as I can remember knowing anything about the industry.
CHRISTIE: And we talked about this on an episode. I need to go dig up which one. But we talked about all the really complicated licensing around it.
AUDREY: Well, just the rights holding. There are well-known artists from the 70’s and 80’s that fought very hard to get their master copies back, to get control that back, to actually own the stuff that they recorded, to control how it was licensed and used. And it’s just, I don’t know, kind of remarkable how little a lot of that has changed.
CHRISTIE: So this was kind of circulating around. And then it kind of reminded me that a little while ago, a couple of months ago, I was seeing these promoted tweets that was something like, “Wyden pushes harmful legislation for indie music. People in Oregon, help us fight back,” or something. And this was a little unusual because I’m really used to Wyden sort of…usually I don’t see stuff like that. Usually, Wyden is very progressive and we’re usually very happy about the legislation he’s promoting.
AUDREY: So you don’t often see criticisms that aren’t obviously coming from a conservative perspective, you mean?
CHRISTIE: Right, exactly. And so, at the time I was like, “That’s odd.” But you know, life, busy, and so I didn’t go back and dig that up until this thing was going around about music industry revenue. And then I went back and tracked it down and it’s related to copyright. And that musical recordings earlier than, it’s either 1972 or 1976, I forget which. I think they’re either about to go into the public domain or something like that. But anyway, so there’s two competing acts of legislation being considered in Congress that will attempt to change the way those sound recordings are treated. And this is really complicated and kind of gets into the weeds. But I think one version, this Techdirt thing says specifically to get streaming companies to pay a brand new performance right license on those works.
AUDREY: All their works that were not covered under certain sets of federal copyright law.
CHRISTIE: Yes. So there’s one camp that is really pushing for this because it’s going to basically add more of a licensing mechanism for its earlier works. But what that’s actually doing is serving to extend their copyrights.
AUDREY: Wyden’s version of it also changes the copyright aspects of it. Either way, there’s going to be federal copyright application to those older works. It’s just about whether licensing is going to happen a certain way or access is going to happen in a different way.
CHRISTIE: Yeah. It says, “Senator Wyden has introduced an alternative bill called the Access to Recordings Act that takes a more reasonable approach to the issue of pre-1972 sound recordings. Rather than just handing them one new right, while keeping them under obsolete state copyright laws, which block those works from entering the public domain with any other creative work created in the same time, Wyden’s bill effectively just puts pre-1972 sound recordings on par with other pre-1972 works and post 1972 works.”
AUDREY: Is that from the Internet Archive blog post?
CHRISTIE: No. That’s from the Techdirt thing. So the sort of camps are recording industry and other sort of music distributors want the sort of classics version and then Wyden and archivists and people like that want Wyden’s version called the ACCESS. And I think it’s all been consolidated now into…what is the damn thing called now?
AUDREY: Omnibus? Not that.
CHRISTIE: Give me one second. And it is so confusing the way legislation is in this country.
AUDREY: There are a lot of stages. There’s a lot of addendums, modifications.
CHRISTIE: It is now called the Music Modernization Act.
AUDREY: Well, that sounds fancy.
CHRISTIE: Doesn’t it?
AUDREY: Yeah. And why would you be against modernization?
CHRISTIE: Right.
AUDREY: Aside from how detailed and arcane some of this stuff can get, I started thinking about how weird it is that music has a special status. The specific Copyright Acts determine whether musicians get paid and what they get paid. I don’t know, I tried to think if there was another type of creative work that was anything like this. Lots of things can be copied and redistributed. Lots of things take some kind of effort, some kind of structure to distribute but I don’t know. How weird is it that musicians get paid only the minimum for use of their recordings and only through these super complicated mechanisms. And that the rights holding systems are like really expensive bureaucracies.
CHRISTIE: Right. And part of why Wyden and I think Internet Archive, part of what the argument is for not just adding to the extension of copyright is that it prohibits musicians from reclaiming the copyright. And that’s interesting to me. I’m not sure how many people who enjoy music are aware that most of the time, signing a record deal or whatever means signing over the ownership of the intellectual property.
AUDREY: But you often have to know how things work, have a good lawyer, be popular enough, and be willing to do a lot of your own business stuff, like your own organizational business work to retain copyright, to retain control.
CHRISTIE: I think it’s understandable why I couldn’t remember if it’s ’72 or ’76 because one of the big Copyright Acts was the Copyright Act of 1976. And that’s the one that you were talking about the sort of different categories and it defines works of authorship in sort of these categories – literary works, musical works including any accompanying words, dramatic works including any accompanying music, pantomimes and choreographic works. So, I guess dance.
AUDREY: Dance.
CHRISTIE: Yeah. Pictorial, graphic, or sculptural works, motion pictures and other audiovisual works, and sound recordings. Anyway, it’s going to be kind of a headache to talk about speculative execution and the copyright law in the same episode.
AUDREY: They’re both complicated. I don’t know. I don’t want to say I’m not a musician because I actually was on an album once upon a time. But I’ve never been the kind of professional musician that’s affected by this. And I just, “Good grief!” Like, “Can we start over? This is so bad.” I wouldn’t ever want to write if I had to deal with this. Or I wouldn’t want to write for money if I had to deal with this. I would do things very differently if the kind of stuff I work on was affected by this kind of an industry and these kinds of copyright laws that like I said, it just makes sure that only the bare minimum ever gets paid up.
CHRISTIE: And to me it’s one of those really stark examples of how much change and technology has affected things. First, mechanical distribution and then digital reproduction has really altered what it means to have a work of art, to distribute things like that. And then on top of that, corporate interests continue to sort of win out. Disney, if people learn anything about copyright, they tend to learn Disney wanting to protect Mickey Mouse or Steamboat Willie, I forget which it is, has been a huge driver of copyright legislation.
AUDREY: Yeah, and why the dates get extended further and further and further.
CHRISTIE: And it also got me thinking because there was also I guess one of the ROM sites. I don’t know if it was NES-specific or whatever. But one of the sites you go to, to get game ROMs, they got shut down in the last week or so. And then so people are also having discussions about preservation of video games too and just how much of that art and cultural artifact is lost in time.
We’ve probably got some things we love on the Internet this week.
AUDREY: It’s true. I guess we’re done talking about copyright.
CHRISTIE: Oh, we can talk more about it if you want.
AUDREY: No, I just was getting distracted by the speaker thing. I wasn’t sure if we were in the middle of a sentence or not.
CHRISTIE: We might have been. I don’t know.
AUDREY: Anyhow, it’s really complicated and it’s sad that people’s livelihoods are affected by this and not whoever runs Disney and Time Warner and whatever.
CHRISTIE: Right. And then it has a real material impact on not just the creation of art but the preservation of it too.
AUDREY: Yeah. Oh, that’s what I wanted to say, the video games thing. The ROM sites. Video games are particularly in bad shape, and I guess software in general, but games because they are artistic. Once the companies that create the platforms stop supporting them, games just disappear. They stop being available, they stop being something that people can look at again.
CHRISTIE: And I think also having them be so tightly integrated with hardware makes that complicated too.
AUDREY: So if we want any kind of preservation, then emulators are really important.
CHRISTIE: Right.
AUDREY: And if we don’t allow emulators or we don’t allow the copies that run on emulators, then we’re just destroying that history, that past work. And that’s a problem too.
CHRISTIE: Yeah and I don’t actually know what area of copyright video game ROMs would fall under. Is that a trademark protection? It’s interesting. I don’t know what their kind of source code is. Anyway, that’s interesting. I don’t know what area it falls under.
AUDREY: Yeah, me neither.
CHRISTIE: Okay, things we love on the Internet.
AUDREY: Yes.
CHRISTIE: I learned about this website called DongleAuth.info. It basically lists different websites and whether or not they support One Time Passwords or Universal Two Factor Auth…sorry, Universal 2nd Factor. And then it also has information about what kind of dongle you might need and a protocol. And I just thought that was really handy reference to have kind of all in one spot. When you go to the page, you get a list of icons for different categories: Backup and Sync, Banking, Cloud Computing, stuff like this. If you want an easy way to tell about a service you’re already using, you can go here. Or if you like shopping or if you’re like, “Oh, I might be shopping for a new domain registrar,” and you want to specifically know which ones support more security options for you, you can look here.
AUDREY: Nice. So instead of having the reverse thing of doing the threat assessment after the fact or trying to get things up to the standard of security you need, you’re right. You could pick your vendors and your services that way. And this is, I think it says it’s a fork. There’s a two factor authentication site like this that’s very helpful.
CHRISTIE: Okay, awesome. I should link to that one as well too then.
AUDREY: Yeah, just keep track of it. I have a USB security dongle and because it’s not very well supported for browser-based stuff, that’s definitely limited how much I use it.
CHRISTIE: I have a Yubikey that I use for Two Factor Auth with LastPass. And I was looking at the Universal Second Factor which has an advantage in that it’s cryptographically tied to the thing you’re trying to authenticate with, so phishing wouldn’t work. It wouldn’t authenticate if you were trying to authenticate with a fraudulent site. But it would be fine on desktop but on mobile, there isn’t a really great interface for the iPhone yet. You have to get like this other kind of Bluetooth dongle thing and I’m just like, “No, I’m not going to start walking around with multiple dongles,” at least for password authentication. I already have to do it for power and video and stuff.
AUDREY: Right.
CHRISTIE: Someone reminded me that there can be software based Universal Second Factor, so that would be another option.
AUDREY: Oh, interesting. I should look into that.
CHRISTIE: I don’t know that there’s anything for iOS yet.
AUDREY: But it’s nice to know what the options are.
CHRISTIE: So for now, I’m just extra, extra careful that I am on the site I think I’m on. A lot of typing in URLs rather than clicking on links from things.
AUDREY: 1Password does a little bit of anti-phishing stuff too, in that it won’t suggest filling or auto-fill if it doesn’t match. You would have to manually start copying things over. And so, that helps me even if it’s just a sub-domain, it helps me kind of keep track of what’s going on.
CHRISTIE: Right. All right, what have you got?
AUDREY: As I mentioned earlier, I went backpacking. And there’s a specific kind of backpacking that I find very exciting even though I’ve only done very small sections and not a whole thing like this. It’s thru-hiking which is to say like completing the entire Pacific Crest Trail or Continental Divide Trail or Appalachian Trail. They are these big north south things. In the West, there’s some other ones. But I saw this article when I got back this week about two women who decided to do a thru-hike of the entire US/Mexico border.
CHRISTIE: Wow!
AUDREY: Yeah. And they started off, they couldn’t find anybody else who had done it. And they had been thinking about doing…having done some of these thru-hikes, they had been thinking about doing another one that they hadn’t before and they thought about the current environment that we’re in and what would feel like a meaningful activity. That was definitely something I was thinking about a lot about backpacking and thru-hiking the kinds of privilege that play into it. For some of the longer ones, you can be taking 5 or 6 months off from everything else in your life to do it. And I thought it was really interesting that on reflecting on that, they decided to do something that would raise their own awareness of something going on in the US and give them the ability to communicate that, to witness it, and to share it. And so they did a daily blog about it. There’s some videos. This article on Outside has kind of a nice summary but it’s just really interesting to see kind of what they encountered and experienced. Some of the repeated themes that people would say, “Oh, it’s not safe, it’s not safe,” and they’d ask them, “Well, why is it not safe?” They’d say, “You know, there’s some really bad things happening 50 miles down the border.” And they’d get there. And people would say the same thing again. You know, our sense of like the scariness of the border wasn’t borne out by what happened when they hiked it.
CHRISTIE: Wow.
AUDREY: Then also, reading that also reminded me of this other group. I’ll have two links in here at the end. This other group called Natives Outdoors which is outdoor wear and advocacy organization that’s about Native Americans being out there, climbing and hiking and kayaking and sharing their experiences with that, what it means to them to be in the spaces that are important to them. They have a great Instagram account and it’s just…I don’t know. It’s kind of shifted my perspective about what we think of as wilderness, what we think of the outdoors being, outdoor activities being. And I just really appreciate these perspectives and it’s something that I take out there with me now when I’m doing things and thinking about what they mean to me.
CHRISTIE: Awesome. All right. That sounds like some really great links. I can’t wait to check those out.
All right, Audrey. I think that’s a wrap. Thanks for joining me again this week and thanks everyone for listening. We’ll talk to you again soon.
AUDREY: Bye.
CHRISTIE: And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to podcast@recompilermag.com or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.
The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.