Music

'Pharma Bro' Martin Shkreli's One-of-a-Kind Wu-Tang Clan Album Sold By US Government (npr.org) 46

H_Fisher writes: Only one copy exists of the Wu-Tang Clan album Once Upon a Time in Shaolin, and it was owned by "Pharma Bro" Martin Shkreli. Now, NPR reports that this album has been sold by the U.S. government to an unnamed buyer in order to pay Shkreli's civil forfeiture judgment following his conviction for securities fraud. The album, which was originally sold for $2 million, exists only as one physical CD copy. It was seized along with other assets in 2018, and while the sale price and buyer weren't identified, Shkreli's attorney says that his client has now repaid the $7.4 million forfeiture judgement.
Japan

Iconic Japanese Videogame Music Incorporated Into Olympic Opening Ceremony (huffpost.com) 23

"Fans of Japanese video games couldn't believe their ears as Olympic athletes paraded into Tokyo's National Stadium during the opening ceremony for the 2020 Games on Friday..." reports the Huffington Post. During the Parade of Nations section of the ceremony, "The orchestra was playing tunes from some of their favorite games." In a celebration of Japanese popular culture that is appreciated worldwide, the entry parade was set to tunes from games developed by Sega, Capcom and Square Enix. It kicked off with "Overture: Roto's Theme" from Dragon Quest. Next up was "Victory Fanfare" from Final Fantasy. The parade featured more tunes from Monster Hunter, Soulcalibur and Sonic the Hedgehog. According to Classic FM, the music from Kingdom Hearts was composed by Yoko Shimomura, who is responsible for the music for some of the biggest video games ever made. Fans were delighted to hear her work being incorporated into the ceremony.

While the list didn't feature widely recognized tunes from cultural juggernauts like Mario Bros. or The Legend of Zelda, the music helped give a sense of atmosphere to the ceremony, which was held in almost an empty stadium due to coronavirus restrictions.

There's even an elaborate doodle at Google.com commemorating the Opening Ceremonies with an anime animation that leads to a multi-level 1980s-style videogame in which Lucky the cat competes in various sporting events. (Though the Huffington Post notes that in the real world, about 1,000 people sat in the 68,000-capacity stadium.)

The Washington Post reports the Japanese public "overwhelmingly opposed hosting the Olympics as a new wave of the pandemic hit the country." But unfortunately, host city Tokyo signed a contract agreeing the event could only be cancelled by the International Olympic Committee, and now "There's the possibility — once utterly remote — that Japanese voters could kick Prime Minister Yoshihide Suga out of power in parliamentary elections later this year."
Social Networks

Clubhouse Is Now Out of Beta and Open To Everyone (techcrunch.com) 31

Clubhouse announced Wednesday that it would end its waitlist and invite system, opening up to everyone. TechCrunch reports: Clubhouse is also introducing a real logo that will look familiar -- it's basically a slightly altered version of the waving emoji the company already used. Clubhouse will still hold onto its app portraits, introducing a new featured icon from the Atlanta music scene to ring in the changes. "The invite system has been an important part of our early history," Clubhouse founders Paul Davison and Rohan Seth wrote in a blog announcement. They note that adding users in waves and integrating new users into the app's community through Town Halls and orientation sessions helped Clubhouse grow at a healthy rate without breaking, "but we've always wanted Clubhouse to be open."

According to new data SensorTower provided to TechCrunch, Clubhouse hit its high point in February at 9.6 million global downloads, up from 2.4 million the month prior. After that, things settled down a bit before perking back up in May when TikTok went live on Android through the Google Play Store. Since May, new Android users have accounted for the lion's share of the app's downloads. In June, Clubhouse was installed 7.7 million times across both iOS and Android -- an impressive number that's definitely in conflict with the perception that the app might not have staying power.

Clubhouse's success is a double-edged sword. The app's meteoric rise came as a surprise to the team, as meteoric rises often do. The social app is still a wild success by normal metrics in a landscape completely dominated by a handful of large, entrenched platforms, but it can be tricky to maintain healthy momentum after such high highs. Opening up the app to everybody should certainly help.

Open Source

Audacity's New Owner Is In Another Fight With the Open Source Community (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Muse Group -- owner of the popular audio-editing app Audacity -- is in hot water with the open source community again. This time, the controversy isn't over Audacity -- it's about MuseScore, an open source application that allows musicians to create, share, and download musical scores (especially, but not only, in the form of sheet music). The MuseScore app itself is licensed GPLv3, which gives developers the right to fork its source and modify it. One such developer, Wenzheng Tang ("Xmader" on GitHub) went considerably further than modifying the app -- he also created separate apps designed to bypass MuseScore Pro subscription fees. After thoroughly reviewing the public comments made by both sides at GitHub, Ars spoke at length with Muse Group Head of Strategy Daniel Ray -- known on GitHub by the moniker "workedintheory" -- to get to the bottom of the controversy.

While Xmader did, in fact, fork MuseScore, that's not the root of the controversy. Xmader forked MuseScore in November 2020 and appears to have abandoned that fork entirely; it only has six commits total -- all trivial, and all made the same week that the fork was created. Xmader is also currently 21,710 commits behind the original MuseScore project repository. Muse Group's beef with Xmader comes from two other repositories, created specifically to bypass subscription fees. Those repositories are musescore-downloader (created November 2019) and musescore-dataset (created March 2020). Musescore-downloader describes itself succinctly: "download sheet music from musescore.com for free, no login or MuseScore Pro required." Musescore-dataset is nearly as straightforward: it declares itself "the unofficial dataset of all music sheets and users on musescore.com." In simpler terms: musescore-downloader lets you download things from musescore.com that you shouldn't be able to; musescore-dataset is those files themselves, already downloaded. For scores that are in the public domain or that users have uploaded under Creative Commons licenses, this isn't necessarily a problem. But many of the scores are only available by arrangement between the score owner and Muse Group itself -- and this has several important implications.

Just because you can access the score via the app or website doesn't mean you're free to access it anywhere, anyhow, or redistribute that score yourself. The distribution agreement between Muse Group and the rightsholder allows legitimate downloads, but only when using the site or app as intended. Those agreements do not give users carte blanche to bypass controls imposed on those downloads. Further, those downloads can often cost the distributor real money -- a free download of a score licensed to Muse Group by a commercial rightsholder (e.g., Disney) is generally not "free" to Muse Group itself. The site has to pay for the right to distribute that score -- in many cases, based on the number of downloads made. Bypassing those controls leaves Muse Group on the hook either for costs it has no way to monetize (e.g., by ads for free users) or for violating its own distribution agreements with rightsholders (by failing to properly track downloads).

The Almighty Buck

Together Price Helps Strangers Share Subscription Passwords (fastcompany.com) 83

An anonymous reader shares a report: Earlier this week, I bought a month of Starz for a fraction of its typical asking price. Instead of paying $9 per month, I paid $3.24. Then I added a subscription to Spotify for $3.49, and a Disney Plus subscription for just $3. All told, my bill comes to about $10 per month for $28 worth of services. Those cut-rate subscriptions come courtesy of Together Price, a service that lets people rent out access to a share of their digital subscriptions. In exchange for a cut of each transaction, Together Price essentially serves as a marketplace for organized password sharing. The service, which started five years ago in Europe and has 80,000 paying customers, just launched in the U.S. last week.

While Together Price isn't the first service to make password sharing easier, it's definitely the most brazen. Still, CEO Marco Taddei insists that the service is legal and that it technically honors each subscription's terms of use. He also believes the service is helping companies retain users that they'd otherwise lose. "We are targeting the very specific audience that needs to share," he says. "If [subscription providers] are not going to allow them to do so, they are going to drop the subscriptions." After signing up for Together Price, you can browse a "network" of users offering to share their subscriptions. Most major streaming video and music services are available, including Netflix, Spotify, Disney Plus, HBO Max, and Hulu, but sharing isn't limited to media. Some users are also peddling subscriptions to software tools such as Canva Pro and Surfshark VPN, and the site lets you set up custom subscriptions for pretty much anything by listing the service name, price, and sharing rules. For each service, you send a request to the subscription owner and submit credit card information to Together Price. Once the owner accepts the request, Together Price processes the payment, and you're allowed into a group where you can view login details and chat with the other members.

Music

Vinyl Album Sales Jump 108% In First 6 Months of 2021 (cnbc.com) 110

Long-time Slashdot reader phalse phace writes: 2021 is turning out to be an even stronger year for vinyl album sales than in 2020.

In the first six months of 2021, 19.2 million vinyl albums were sold, outpacing CD volume of 18.9 million, according to MRC Data, an analytics firm that specializes in collecting data from the entertainment and music industries. That is a 108% increase from the 9.2 million that were sold during the same period in 2020.

And according to MRC Data, Record Store Day 2021 helped to sell 1.279 million vinyl albums in the U.S. in the week ending June 17, a record for a Record Store Day week and the third-largest week for vinyl album sales since MRC Data began electronically tracking sales in 1991. Further, with 942,000 vinyl albums sold at independent record stores in the week ending June 17, that marks the largest week ever for the format at the indie sector in MRC Data history.

Music

Music Streaming Inquiry Finds 'Pitiful Returns' For Performers (bbc.com) 108

A committee in the U.K. Parliament says the music industry is weighted against artists, with even successful pop stars seeing "pitiful returns," reports the BBC: They are calling for a "complete reset" of the market, with musicians given a "fair share" of the £736.5 million that UK record labels earn from streaming. In a report, they said royalties should be split 50/50, instead of the current rate, where artists receive about 16%.

The findings came after a six-month inquiry into music streaming. "While streaming has brought significant profits to the recorded music industry, the talent behind it — performers, songwriters and composers — are losing out," said Julian Knight, MP, who chairs parliament's Digital, Culture, Media and Sport committee. "Only a complete reset of streaming that enshrines in law their rights to a fair share of the earnings will do...."

A survey by the Ivors Academy and Musicians' Union found that in 2019, 82% of professional musicians made less than £200 from streaming, whilst only 7% made more than £1,000...

The committee's report said streaming had "undoubtedly helped save the music industry" after decades of piracy, "but it is clear that what has been saved does not work for everyone".

A chart accompanying the article shows that meanwhile streaming services keep 30% of the revenue, while labels end up with 55%.

"Artists who release their own music, or who work with independent labels and distribution companies, tend to get a higher share."
Businesses

Automattic, Owner of Tumblr and WordPress, Buys Podcast App Pocket Casts (theverge.com) 20

Pocket Casts has a new owner. Automattic, which runs WordPress.com and recently purchased Tumblr, announced today that it's acquired Pocket Casts, the well-regarded podcast app. The blog post announcing the purchase didn't offer much in the way of a preview, but it did tease potential future integrations. From a report: "As part of Automattic, Pocket Casts will continue to provide you with the features needed to enjoy your favorite podcasts (or find something new)," the post states. "We will explore building deep integrations with WordPress.com and Pocket Casts, making it easier to distribute and listen to podcasts." Pocket Casts launched in 2010 and sold to NPR and a group of other public media groups eight years later. It's been well-received, particularly from sites like The Verge, because it's available across platforms. It started monetizing through a program called Pocket Casts Plus, which charges users a monthly subscription fee for features like desktop app access and a standalone Apple Watch app, in 2019.
Piracy

Stream-Ripping Can Be Perfectly Legal, French Ministry of Culture Says (torrentfreak.com) 28

An anonymous reader quotes a report from TorrentFreak: Downloading music via stream-ripping tools can be perfectly legal, the French Ministry of Culture has confirmed. The resulting copies fall under the private copying exemption. However, this only applies if the stream-ripping service doesn't circumvent technical protection measures, which is a widely contested issue. [...] Copyright holders are convinced that stream-ripping sites break the law but, in most countries, legal uncertainties remain. In the US, for example, popular stream-ripper Yout.com has sued the RIAA in an effort to have its site declared legal. This case, which remains ongoing, could set an important precedent.

In France, the Ministry of Culture was recently questioned on the stream-ripping issue. Philippe Latombe, a member of the MoDem party, asked the Government whether copies downloaded through these services are considered illegal. The question was part of a broader inquiry into the private copying rules and regulations. These allow people to copy music and movies in exchange for a tax that's paid on storage media and devices including blank CDs, hard disks, and smartphones. Responding to the question, the Ministry of Culture confirmed that, under the right conditions, it's perfectly legal to use stream-ripping services to download music and other media. "[Stream-ripping] is legal and the resulting copy falls under the exception for private copying as provided by law, if several conditions are met: it must be made from a lawful source at the request of the user, without being stored by the converter, and no circumvention of technical protection measures must be carried out." If these three boxes are ticked, stream-ripping is in the same league as ripping or copying an old-fashioned CD or DVD.

The big question, however, is in what situation all these conditions would apply? With regard to YouTube ripping, the "source" could be considered legal, as artists and labels often upload the videos themselves. The second box is also ticked by many stream-rippers as they don't permanently store music. The operator of the stream-rippers FLVto and 2Conv recently said that his site doesn't even store basic logs as that would involve significant costs. This brings us to the third and final condition; whether the stream-ripper circumvents technical protection measures. This is a crucial question and the answer largely depends on who you ask.

Space

Branson Successfully Completes Historic First Flight To the Edge of Outer Space (cbsnews.com) 180

UPDATE: Branson's done it. "In a live broadcast during the vehicle's descent, Branson called the trip, 'an experience of a lifetime,'" reports NBC News: Branson's flight took off Sunday morning at around 10:30 a.m. ET, although the launch time was delayed by around 90 minutes because of overnight weather conditions at Spaceport America...

Branson was joined on his flight by pilots Dave Mackay and Michael Masucci and three mission specialists, all of whom are employees of Virgin Galactic: Chief astronaut instructor Beth Moses, lead operations engineer Colin Bennett and government affairs vice president Sirisha Bandla.

Virgin Galactic is expected to conduct several additional test flights before beginning commercial operations with private customers next year. The company has said the suborbital joyrides will likely cost more than $250,000 each, but final pricing has not yet been announced...

"It's taken 17 years to get to this flight, and of course a lot of personal wealth has been poured into it, but it also shows that this takes tenacity," said Greg Autry, a space policy expert at Arizona State University.

Earlier in the day, Virgin Galactic's Twitter feed shared a nice clip of the astronauts arriving on the launch site.

CBS News streamed their own live coverage at the top of this web page (as well as in their CBSN app), but also reported on the other options: With typical Branson fanfare, Sunday's flight will be broadcast live across Virgin Galactic's social media platforms, featuring appearances by Stephen Colbert and retired Canadian space station astronaut Chris Hadfield, along with the performance of a new song by singer-songwriter Khalid. Even SpaceX founder Elon Musk plans to be watching. "Will see you there to wish you the best," he tweeted Saturday.
And what did Jeff Bezos have to say before Branson launched his history-making flight? "Wishing you and the whole team a successful and safe flight tomorrow. Best of luck!"

Saturday CBS News offered this description of Branson's hopes: Richard Branson, the globe-trotting media mogul and founder of Virgin Galactic, plans to rocket into space Sunday morning on a flight that would make him the first owner of a private space company to launch aboard one of his own spacecraft. If all goes well, he will beat rival Jeff Bezos of Blue Origin, who is set to launch on July 20. Branson, two company pilots and three Virgin Galactic crewmates are launching from Spaceport America, near Truth or Consequences, New Mexico, on what's expected to be at least an hour-long flight, reaching altitudes a little over 50 miles above the Earth.
Japan

A Digital Cat Is Melting Hearts (and Napping a Lot) in Japan (nytimes.com) 34

The calico prances and dozes on a 26-by-62-foot LED billboard in Tokyo. It has drawn crowds in real life and sparked joy on social media. From a report: Ryoko Kikuchi was strolling home from a Tokyo movie theater when she saw a cat the size of a yacht strutting high above the sidewalk, coyly licking its paws. "The way it was meowing was too cute to bear," she said. A lot of people in Tokyo feel the same way, no matter that the cat is just a bunch of pixels on a billboard. The 4K display does not officially "open" until Monday, but it has already drawn socially distanced crowds -- and inspired many social media posts -- since its installation last month. The digital calico behaves a bit like an actual cat, in the sense that it does whatever it pleases. Visitors are only treated to a few brief appearances per hour, in between a stream of advertisements and music videos.

The cat yawns here and there, and at 1 a.m. it drops off to sleep for about six hours, resting its head on white paws that hug the side of what appears to be an open-air perch near the Shinjuku subway station. (The three-dimensional look is an illusion created by a curved, 26-by-62-foot LED screen.) It also talks, greeting pedestrians with "nyannichiwa." That is a blend of "konnichiwa," or hello, and "nyan," Japanese for "meow."

Android

Apple and Google Crowd Out the Competition With Default Apps (theverge.com) 79

If you use an iPhone or Android phone, chances are the majority of your most-used apps were made by Apple and Google. From a report: That's the takeaway from a new Comscore study that ranks the popularity of preinstalled iOS and Android apps, such as Apple's Messages, alongside apps made by other developers. The results show that the majority of apps people use on their phones in the US come preinstalled by either Apple or Google. The first-of-its-kind report was commissioned by Facebook, one of Apple's loudest critics, and shared exclusively with The Verge. Preinstalled services dominate when it comes to basics like weather, photos, and clocks, according to the report, suggesting these categories will be difficult for other apps to compete in. Defaults don't win out exclusively, though: Apple Maps and Music don't appear on the iOS list at all, and Gmail makes the iOS list several entries below Apple Mail.

The timing, as Facebook likely intentioned, is apt: Apple and Google are increasingly under scrutiny for how they favor their own services over competitors like Spotify. US lawmakers are currently reviewing a new set of bills designed to curb the power of Big Tech, including legislation that could potentially bar Apple and Google from giving their services the upper hand against rivals. The pushback stems from how Apple and Google bundle their apps and services with their mobile operating systems in ways that some of their competitors think is unfair. The criticism is harsher against Apple, given that it more tightly controls the apps that come preinstalled on the iPhone and doesn't allow developers to circumvent its App Store.

The Internet

Bumble Is Opening a Restaurant To Help People Date IRL Again (engadget.com) 66

Dating app Bumble is opening up a restaurant in New York City where single folks can meet up for dates. Engadget reports: Bumble Brew is scheduled to open for breakfast service on July 24th. Lunch and dinner service will start at the Nolita spot in the coming weeks. Along with an 80-seat dining room, there will be a cocktail bar, patio dining and private dining space. The restaurant, which is decked out in the app's recognizable shade of yellow, can be used for events as well. It has an Italian-inspired menu with pickup and delivery options, and the music is primarily from female artists. The new venture builds on the Bumble Hive pop-up community spaces where people can hang out, eat and drink and meet others. Bumble Brew doesn't have a direct tie-in with the Bumble app, at least for now. Still, it's easy to imagine Bumble adding a reservation system that pops up when NYC users try to arrange a date.
Music

No, Open Source Audacity Audio Editor Is Not 'Spyware' (arstechnica.com) 125

Over the Fourth of July weekend, a number of news outlets, including Slashdot, ran stories warning that the free and open-source audio editor Audacity may now be classified as spyware due to recent updates to its privacy policy. Ars Technica's Jim Salter looked into these claims and found that that is not the case. An anonymous reader shares an excerpt from his report: FOSS-focused personal technology site SlashGear declares that although Audacity is free and open source, new owner Muse Group can "do some pretty damaging changes" -- specifically meaning its new privacy policy and telemetry features, described as "overarching and vague." FOSSPost goes even further, running the headline "Audacity is now a possible spyware, remove it ASAP." The root of both sites' concern is the privacy policy instigated by new Audacity owner Muse Group, who already published open source music notation tool MuseScore. The privacy policy, which was last updated on July 2, outlines the data which the app may collect [...]. The personal data being collected as outlined in the first five bullet points is not particularly broad -- in fact, it's quite similar to the collected data described in FOSSPost's own privacy policy: IP address, browser user-agent, "some other cookies your browser may provide us with," and (by way of WordPress and Google analytics) "your geographical location, cookies for other websites you visited or any other information your browser can give about you." This leaves the last row -- "data necessary for law enforcement, litigation and authorities' requests (if any)." While that's certainly a broad category and not particularly well-defined, it's also a fact of life in 2021. Whether a privacy policy says so or not, the odds are rather good that any given company will comply with legitimate law enforcement requests. If it doesn't, it won't likely be a company for long.
The final grain of salt in the wound is a line stating that Audacity is "not intended for individuals below the age of 13" and requesting people under 13 years old "please do not use the App." This is an effort to avoid the added complexity and expense of dealing with laws regulating collection of personal data from children.

The first thing to point out is that neither the privacy policy nor the in-app telemetry in question are actually in effect yet -- both are targeted to an upcoming 3.0.3 release, while the most recent available version is 3.0.2. For now, that means there's absolutely no need for anyone to panic about their currently-installed version of Audacity. [...] Although FOSS-focused media outlets including FOSSPost and Slashgear reported negatively on this issue over the holiday weekend, the contributors and commenters active on the project's Github seem to have been largely satisfied by the May 13 update, which declared that Muse Group would self-host its telemetry sessions rather than using third-party libraries and hosting. The same day the second pull request went live, Github user Megaf said, "Good stuff. As long as the data is not going to [third party tech giants] we should be happy. Collect the data you really need, self-host it, make it private, make it opt-in, and we shall help." It's a small sample, but the sentiment seems broadly supported, with 66 positive and 12 negative reactions. Reaction to Megaf's comment reflects user reaction to the updated pull request itself, which currently has 606 positive and 29 explicitly negative reactions -- a marked improvement over the original pull request's 4,039 explicitly negative reactions and only 300 positive reactions. We believe that the user community got it right -- Muse Group appears to be taking the community's privacy concerns very seriously indeed, and its actual policies as stated appear to be reasonable.

DRM

To Help Livestreamers Avoid Copyright Violations, Riot Games Releases an Uncopyrighted Album (bloombergquint.com) 31

League of Legends developer Riot Games released a 37-track album of ambient tunes (now on Spotify, YouTube, and Apple Music) "that will let gamers stream their sessions accompanied by music that doesn't infringe copyright protections," reports Bloomberg.

And that's just one response to aggressive copyright enforcement: For example, a new Guardians of the Galaxy game to be released later this year will be loaded with a soundtrack with songs by Iron Maiden, KISS, Wham!, Blondie and more. To stay on the good side of the Digital Millennium Copyright Act, the studio behind the game, Eidos Montreal, has created a toggle switch that will allow gamers to turn off the soundtrack when live streaming, Venturebeat has reported. Cyberpunk 2077 developer CD Projekt SA also created an option for players to turn off certain songs that could cause trouble and replace them with an alternative.

After largely ignoring streaming platforms for years, last spring the music industry suddenly bore down on Twitch, owned by Amazon.com Inc. and started sending users thousands of DMCA takedowns for copyright violations. Twitch responded by telling users they could no longer use copyrighted material and also had to remove old posts that violated the rules. Some games are still struggling to adapt. Earlier this month, a number of music publishers, including those that represent Ed Sheeran and Ariana Grande, sued Roblox Corp. for copyright infringement, saying the company hasn't licensed the music many of its creators have used in their games. The lawsuit is seeking at least $200 million in damages, the Wall Street Journal reported...

The collection is just the beginning and Riot said it's committed to creating more projects like Sessions in the future.

Music

California Police Officer Plays Taylor Swift Song To Try To Block Video From YouTube (bbc.com) 172

Thelasko shares a report from the BBC: A US police officer played a Taylor Swift song on his phone in a bid to prevent activists who were filming him uploading the video to YouTube. The video platform regularly removes videos that break music copyright rules. However, the officer's efforts were in vain as the clip of the encounter in Oakland, California promptly went viral. Alameda County police told the BBC it was not "approved behavior."

The video was filmed by members of the Anti Police-Terror Project (APTP), which says it is a coalition that seeks to "eradicate police terror in communities of color." Some of them were protesting outside the courthouse at the pre-trial hearing of a San Leandro officer charged with the manslaughter of a black man. In the video, the officer says: "You can record all you want, I just know it can't be posted to YouTube." When asked if playing music in this way is procedure, the officer responds: "It's not specifically outlined." Later in the video, he confirms: "I'm playing music so that you can't post on YouTube." The sheriff's department said: "We have seen the video and referred it to our internal affairs bureau. This is not approved behavior. It will not happen again."
Earlier this year, Motherboard reported on cases of other California-based officers starting to play Beatles songs while being filmed so that the clips would be removed for copyright issues when uploaded to social media sites.
Privacy

Passwords In Amazon Echo Dots Live On Even After You Factory-Reset the Device (arstechnica.com) 22

An anonymous reader quotes a report from Ars Technica: Like most Internet-of-things (IoT) devices these days, Amazon's Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can "remove any... personal content from the applicable device(s)" before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices can be reassembled to retrieve a wealth of sensitive data, including passwords, locations, authentication tokens, and other sensitive data. Most IoT devices, the Echo Dot included, use NAND-based flash memory to store data. Like traditional hard drives, NAND -- which is short for the boolean operator "NOT AND" -- stores bits of data so they can be recalled later, but whereas hard drives write data to magnetic platters, NAND uses silicon chips. NAND is also less stable than hard drives because reading and writing to it produces bit errors that must be corrected using error-correcting code.

Researchers from Northeastern University bought 86 used devices on eBay and at flea markets over a span of 16 months. They first examined the purchased devices to see which ones had been factory reset and which hadn't. Their first surprise: 61 percent of them had not been reset. Without a reset, recovering the previous owners' Wi-Fi passwords, router MAC addresses, Amazon account credentials, and information about connected devices was a relatively easy process. The next surprise came when the researchers disassembled the devices and forensically examined the contents stored in their memory. "An adversary with physical access to such devices (e.g., purchasing a used one) can retrieve sensitive information such as Wi-Fi credentials, the physical location of (previous) owners, and cyber-physical devices (e.g., cameras, door locks)," the researchers wrote in a research paper. "We show that such information, including all previous passwords and tokens, remains on the flash memory, even after a factory reset."

After extracting the flash contents from their six new devices, the researchers used the Autopsy forensic tool to search embedded multimedia card images. The researchers analyzed NAND dumps manually. They found the name of the Amazon account owner multiple times, along with the complete contents of the wpa_supplicant.conf file, which stores a list of networks the devices have previously connected to, along with the encryption key they used. Recovered log files also provided lots of personal information. After dumping and analyzing the recovered data, the researchers reassembled the devices. The researchers wrote: "Our assumption was, that the device would not require an additional setup when connected at a different location and Wi-Fi access point with a different MAC address. We confirmed that the device connected successfully, and we were able to issue voice commands to the device. When asked 'Alexa, Who am I?', the device would return the previous owner's name. The re-connection to the spoofed access point did not produce a notice in the Alexa app nor a notification by email. The requests are logged under 'Activity' in the Alexa app, but they can be deleted via voice commands. We were able to control smart home devices, query package delivery dates, create orders, get music lists and use the 'drop-in' feature. If a calendar or contact list was linked to the Amazon account, it was also possible to access it. The exact amount of functionality depends on the features and skills the previous owner had used."
Furthermore, the researchers were able to find the rough location of the previous owner's address by asking questions about nearby restaurants, grocery stores, and public libraries. "In a few of the experiments, locations were accurate up to 150 meters," reports Ars.

An Amazon spokeswoman said: "The security of our devices is a top priority. We recommend customers deregister and factory reset their devices before reselling, recycling, or disposing of them. It is not possible to access Amazon account passwords or payment card information because that data is not stored on the device." The threats most likely apply to Fire TV, Fire Tablets, and other Amazon devices, as well as many other NAND-based devices that don't encrypt user data, including the Google Home Mini.
Piracy

Sony Wins Pirate Site Blocking Order Against DNS-Resolver Quad9 (torrentfreak.com) 65

Sony Music has obtained an injunction that requires the freely available DNS-resolver Quad9 to block a popular pirate site. The order, issued by the District Court in Hamburg, Germany, is the first of its kind. The Quad9 foundation has already announced that it will protest the judgment, which could have far-reaching consequences. TorrentFreak reports: The Hamburg court found that the DNS service is not eligible for the liability protections that other third-party intermediaries such as ISPs and domain registrars typically enjoy. And if Quad9 fails to comply with the injunction, it will have to pay a fine of 250,000 euros per 'infringing' DNS query plus potentially two years in prison. One of the arguments that Sony brought up in court was that Quad9 already blocks various problematic sites voluntarily. In fact, the DNS-resolver promotes threat blocking as a feature. "Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting to malware or phishing sites," the company's website reads.

Bill Woodcock, chairman of the Quad9 foundation, doesn't believe that the company's malware and phishing filters, which help to protect users, are on par with blocking a pirate site. He informed the German news site Heise that Quad9 will appeal the injunction. Speaking with TorrentFreak, Quad9's General Manager, John Todd, says that the company is still reviewing the order, which it received last Friday. The non-profit foundation doesn't believe its resources should be used to benefit for-profit companies such as Sony.

Apple

German Watchdog Probes Apple's Market Dominance (bbc.com) 16

An anonymous reader quotes a report from the BBC: Apple is under investigation by the German competition watchdog. The Federal Cartel Office (FCO) said the initial investigation will look at whether the company is of "paramount significance across markets." Apple said it looked forward to "having an open dialogue" with the FCO about any of its concerns. In a statement, Andreas Mundt, President of the FCO, said it would examine whether with iOS Apple had created "a digital ecosystem around its iPhone that extends across several markets." He added that a focus of the investigation would be the App Store, "as it enables Apple in many ways to influence the business activities of third parties."

Depending on the outcome of its investigation, the FCO said it would look in more detail at specific practices of Apple, in a possible further proceeding. The FCO said it had received various complaints alleging anti-competitive practices, which a further probe could consider. The watchdog noted that App developers had criticized "the mandatory use of Apple's own in-app purchase system and the 30% commission rate associated with this." It had also received a complaint from the advertising and media industry about restrictions on user tracking in iOS 14.5, the watchdog said. The FCO said it would establish contact, where necessary, with the European Commission, which is currently investigating how App Store policies affect music streaming.
In response, Apple said the "iOS app economy" supported more than 250,000 jobs in Germany. It added that the App Store had given "German developers of all sizes the same opportunity to share their passion and creativity with users around the world, while creating a secure and trusted place for customers to download the apps they love with the privacy protections they expect."
Youtube

Why the Music Industry Doesn't Hate YouTube Any More (nytimes.com) 44

Today is Record Store Day, an annual event celebrating the culture of independently-owned record stores. And music industry players have said they actually got more money from the sale of vinyl records than they do from YouTube.

But is that changing? The New York Times reports those figures are from a time when YouTube was only selling ads on (or beside) music videos and then sharing that cash with the record labels and performers: Fast forward to last week, when YouTube disclosed that it paid music companies, musicians and songwriters more than $4 billion in the prior year. That came from advertising money and something that the industry has wanted forever and is now getting — a cut of YouTube's surprisingly large subscription business. (YouTube subscriptions include an ad-free version of the site and a Spotify-like service to watch music videos without any ads.) The significance of YouTube's dollar figure is that it's not far from the $5 billion that the streaming king Spotify pays to music industry participants from a portion of its subscriptions. (A reminder: The industry mostly loves Spotify's money, but some musicians say that they're shortchanged by the payouts.)

Subscriptions will always be a hobby for YouTube, but the numbers show that even a side gig for the company can be huge. And it has bought peace by raining some of those riches on those behind the music. Record labels and other industry powers "still don't looooove YouTube," Lucas Shaw, a Bloomberg News reporter, wrote this week. "But they don't hate it anymore."

The YouTube turnabout may also show that complaining works. The music industry has a fairly successful track record of picking a public enemy No. 1 — Pandora for a while, Spotify, YouTube, and more recently apps like TikTok and Twitch — and publicly browbeating it or playing one rich company against another to get more money or something else they wanted.

While the article cites concerns that YouTube is still paying too little (and failing to stop piracy), "just maybe, YouTube has shown that it's possible for digital companies to both upend an industry and make it stronger."
