Home Tags Routing Information Protocol (RIP)

Tag: Routing Information Protocol (RIP)

RIP: Antivirus veteran Raimund Genes, 54

Trend Micro CTO suffered fatal heart attack Colleagues and friends are mourning the sudden death of distinguished antivirus industry veteran Raimund Genes last Friday.…

The Collapsing Empire is rip-roaring space opera with a conscience

John Scalzi’s latest novel is a thought experiment about the fall of civilization

New(ish) Mirai Spreader Poses New Risks

A cross-platform win32-based Mirai spreader and botnet is in the wild and previously discussed publicly. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices.

This is not the case.
Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant.

99.6% of new smartphones run iOS or Android; RIP Windows and...

Apple retakes sales crown from Samsung, but biggest gains are from the Chinese.

RIP, “Six Strikes” Copyright Alert System

The anti-piracy accord between ISPs and entertainment industry meets its demise.

Western Union coughs up $586m for turning a blind eye to...

Helping internet scammers proved profitable, for a while Western Union will forfeit more than half a billion dollars after admitting it broke money laundering laws. The admission comes after America's trade watchdog, the FTC, looked into why so many fraudsters use the company's services to launder ill-gotten gains. Under the terms of the settlement, Western Union pled guilty to willfully failing to maintain an effective anti-money laundering program and aiding and abetting wire fraud.
It agreed to pay back $586m, retrain its staff, and submit to three years of independent oversight. "Western Union owes a responsibility to American consumers to guard against fraud, but instead the company looked the other way, and its system facilitated scammers and rip-offs," said FTC Chairwoman Edith Ramirez. "The agreements we are announcing today will ensure Western Union changes the way it conducts its business and provides more than a half billion dollars for refunds to consumers who were harmed by the company's unlawful behavior." The amount of the, effectively, nine-figure fine is certainly larger than the usual slap on the wrist that US regulators hand out. Last year, Western Union banked a net income of $837.8m, so the forfeit accounts for over eight months of profits – although considering that the complaint [PDF] states that the company has been carrying on in this way for at least eight years, Western Union is still in black from its activities. The FTC complaint states that Western Union must have been aware that they were carrying fraudulent transfers on their network and did nothing to stop them, or to rein in rogue agents in its employ.
In doing so, it violated banking secrecy laws and FTC reporting requirements. The government stated that Western Union agents were used in a number of scams, including internet fraud and online gambling.
It says that some of the funds identified came from scammers who took over social media accounts to declare they have been mugged and asking friends to send funds via Western Union to help. It also highlighted large numbers of transactions designed to send just under $10,000 overseas.
If someone sends more than that abroad it must be reported, so scammers do multiple smaller transactions that Western Union must have known were dodgy, the complaint claims. "As a major player in the money transmittal business, Western Union had an obligation to its customers to ensure they offered honest services, which include upholding the Bank Secrecy Act, as well as other US laws," said Chief Richard Weber of Internal Revenue Service–Criminal Investigation (IRS-CI). "Western Union's blatant disregard of their anti-money laundering compliance responsibilities was criminal and significant.
IRS-CI special agents – working with their investigative agency partners – uncovered the massive financial fraud and is proud to be part of this historic criminal resolution." ® Sponsored: Customer Identity and Access Management

JSA10772 – 2017-01 Security Bulletin: Junos: RPD crash while processing RIP...

2017-01 Security Bulletin: Junos: RPD crash while processing RIP advertisements (CVE-2017-2303)Product Affected:This issue can affect any product or platform running Junos OS where RIP is enabled. Problem: Certain RIP advertisements received by the rou...

A Look Inside Responsible Vulnerability Disclosure

It's time for security researchers and vendors to agree on a standard responsible disclosure timeline. Animal Man, Dolphin, Rip Hunter, Dane Dorrance, the Ray. Ring any bells? Probably not, but these characters fought fictitious battles on the pages of DC Comics in the 1940s, '50s, and '60s. As part of the Forgotten Heroes series, they were opposed by the likes of Atom-Master, Enchantress, Ultivac, and other Forgotten Villains. Cool names aside, the idea of forgotten heroes seems apropos at a time when high-profile cybersecurity incidents continue to rock the headlines and black hats bask in veiled glory. But what about the good guys? What about the white hats, these forgotten heroes? For every cybercriminal looking to make a quick buck exploiting or selling a zero-day vulnerability, there's a white hat reporting the same vulnerabilities directly to the manufacturers. Their goal is to expose dangerous exploits, keep users protected, and perhaps receive a little well-earned glory for themselves along the way. This process is called "responsible disclosure." Although responsible disclosure has been going on for years, there's no formal industry standard for reporting vulnerabilities. However, most responsible disclosures follow the same basic steps. First, the researcher identifies a security vulnerability and its potential impact. During this step, the researcher documents the location of the vulnerability using screenshots or pieces of code. They may also create a repeatable proof-of-concept attack to help the vendor find and test a resolution. Next, the researcher creates a vulnerability advisory report including a detailed description of the vulnerability, supporting evidence, and a full disclosure timeline. The researcher submits this report to the vendor using the most secure means possible, usually as an email encrypted with the vendor's public PGP key. Most vendors reserve the [email protected] email alias for security advisory submissions, but it could differ depending on the organization. After submitting the advisory to the vendor, the researcher typically allows the vendor a reasonable amount of time to investigate and fix the exploit, per the advisory full disclosure timeline. Finally, once a patch is available or the disclosure timeline (including any extensions) has elapsed, the researcher publishes a full disclosure analysis of the vulnerability. This full disclosure analysis includes a detailed explanation of the vulnerability, its impact, and the resolution or mitigation steps. For example, see this full disclosure analysis of a cross-site scripting vulnerability in Yahoo Mail by researcher Jouko Pynnönen. How Much Time?Security researchers haven't reached a consensus on exactly what "a reasonable amount of time" means to allow a vendor to fix a vulnerability before full public disclosure. Google recommends 60 days for a fix or public disclosure of critical security vulnerabilities, and an even shorter seven days for critical vulnerabilities under active exploitation. HackerOne, a platform for vulnerability and bug bounty programs, defaults to a 30-day disclosure period, which can be extended to 180 days as a last resort. Other security researchers, such as myself, opt for 60 days with the possibility of extensions if a good-faith effort is being made to patch the issue. I believe that full disclosure of security vulnerabilities benefits the industry as a whole and ultimately serves to protect consumers. In the early 2000s, before full disclosure and responsible disclosure were the norm, vendors had incentives to hide and downplay security issues to avoid PR problems instead of working to fix the issues immediately. While vendors attempted to hide the issues, bad guys were exploiting these same vulnerabilities against unprotected consumers and businesses. With full disclosure, even if a patch for the issue is unavailable, consumers have the same knowledge as the attackers and can defend themselves with workarounds and other mitigation techniques. As security expert Bruce Schneier puts it, full disclosure of security vulnerabilities is "a damned good idea." I've been on both ends of the responsible disclosure process, as a security researcher reporting issues to third-party vendors and as an employee receiving vulnerability reports for my employer's own products. I can comfortably say responsible disclosure is mutually beneficial to all parties involved. Vendors get a chance to resolve security issues they may otherwise have been unaware of, and security researchers can increase public awareness of different attack methods and make a name for themselves by publishing their findings. My one frustration as a security researcher is that the industry lacks a standard responsible disclosure timeline. We already have a widely accepted system for ranking the severity of vulnerabilities in the form of the Common Vulnerability Scoring System (CVSS). Perhaps it's time to agree on responsible disclosure time periods based on CVSS scores? Even without an industry standard for responsible disclosure timelines, I would call for all technology vendors to fully cooperate with security researchers. While working together, vendors should be allowed a reasonable amount of time to resolve security issues and white-hat hackers should be supported and recognized for their continued efforts to improve security for consumers. If you're a comic book fan, then you'll know even a vigilante can be a forgotten hero.  Related Content: Marc Laliberte is an information security threat analyst at WatchGuard Technologies. Specializing in network security technologies, Marc's industry experience allows him to conduct meaningful information security research and educate audiences on the latest cybersecurity ... View Full Bio More Insights

Sony Music Apologizes for Britney Spears RIP Tweets

Oops, Sony did it again.

Got hacked that is. Sony is well aware of the damage a hacked account can cause, especially when it impacts an entire service such as the PlayStation Network.

The latest Sony hack is on a much smaller scale, though, with the ...

The state(s) of texting and driving in the US

EnlargeJustin Sullivan/Getty Images reader comments 67 Share this story We plow through five mile markers then slide 60 feet along the edge of the shoulder before enough snow piles up to scrape our ride to a halt.

This is the good outcome.

The three tons of steel traveling 55 miles an hour could have flipped and rolled in a second, killing everyone inside.

But after disentangling my heart from my esophagus, we determine that everyone's fine.

Dad pulls himself out of the car to catch his breath on the side of the road, and he looks to his smartphone GPS to figure out how far we are from West Yellowstone, Montana.
It’s below freezing, and my phone doesn’t have anything remotely resembling service.

This is the second time he’s glanced at his phone for the GPS; the first is what landed us here. How’d this happen? My guess is it has something to do with the dopamine.
I’m going to play fast and loose and speculate that a major component of cellphone interaction comes from “wanting” that dopamine response.

Dopamine is a neurotransmitter that gives us little jolts of pleasure to motivate us to go and seek out more pleasurable experiences.
It would seem to me that smartphones facilitate this process—every time you punch a button, you get a little jolt of dopamine, as that button push has the potential to take you somewhere pleasurable.

Thanks to the device’s ability to easily access the Internet, we have at our fingertips an unlimited amount of available seeking.

The satisfaction of clicking on a new thing keeps dopamine flowing along at a healthy thrum.

Today, we also have all sorts of connectivity to apps that offer validation—a double-tap on Instagram gives us the jolt that we love. This is one of the core principles of design—draw the gaze without making it seem like you're trying.
It can be a really lovely thing depending on your perspective, and we see all different manifestations of it on our smartphones. When we’re talking about driving though, ultimately design has little to do with why we crash into snowbanks while driving our vehicles.

Driving is boring, or at least we’ve been acculturated to believe so—the lone reward for most is getting where we need to go.
So as we travel along this dull journey from point A to point B, many instead pepper themselves with mini dopamine hits—snacks, music, or by mainlining digital dopamine like text messages, Snapchats, Vines (RIP), or whatever.
If we can get these mini seeking hits from dopamine while driving, the experience is far more pleasurable. In the case of my accident, my dad distracted himself from act of driving by engaging with something that helped us anticipate getting there—his GPS.
It’s a strange sort of paradox, and the more you think about it, the weirder it gets. In 2014, distracted driving was responsible for 3,179 deaths and 431,000 motor vehicle injuries according to the federal government.

That’s the latest data, but more is likely forthcoming as we become more and more attached to smartphones.
It's been pretty well established that using a smartphone or any other distracting device while on the road has at the very least a detrimental effect on one's ability to drive, and at the worst it’s incredibly dangerous.

The CDC classifies three main types of distraction: Visual (looking at the road), Manual (removing your hands from the wheel), and Cognitive (not thinking about driving).
Interacting with a cell phone engages all three of these.

To be fair though, chowing down on a double cheeseburger would hit me on all three fronts as well. But if we hold for a moment that it's bad to be twiddling a cell phone while you're behind the wheel of a two-ton death machine, what is the US doing about it on a federal and state level? President Obama has been a supporter of anti-texting and driving measures. Pictured: In 2010, he invited students to a White House science fair and honored the kids behind a device that sends out an alarm when you take a hand off the steering wheel for more then three seconds. Jim Watson/AFP/Getty Images) The state of texting and driving Turns out, the response to the issue isn’t that mixed.
In 2009, President Obama issued an order that prohibits federal employees from texting while driving on government business. Railway operators and commercial vehicle drivers have rules governing their use as well. State response has been more sporadic.

As of this summer, 14 states (including DC) prohibit the use of hand-held cellphones while driving a car.

Those laws are what are referred to as primary enforcement laws—i.e. an officer can pull you over and cite you if he/she sees you using a phone. No states have bans on using hands-free devices totally, but 38 prohibit novice drivers from using cell phones in any capacity. Now, what I’ve been rambling about: 46 states and DC have bans on texting while driving.

Four states do not—Missouri, Arizona, Montana, and Texas—though a few of these have bans on novice drivers utilizing devices to text.
I don’t want to ride the personal fallacy all the way to the bank, but my 60-year-old pop’s little smasheroo with a snowbank makes me suspicious of the assumption that errors only happen to novices. Seeing this landscape and its sporadic enforcement, I was confused.

Even with this many legal measures in place, there's still more than a few distracted driving deaths and injuries every year.
I wanted to know how effective these state measures are at preventing accidents.

Are these laws enforced? How effective are they? How many of these distracted driving deaths are caused by interactions with smartphones? Turns out, these are not really easy questions to answer. Enlarge / The wide-open roads of Montana aren't immune to the dangers of texting and drive.

This is in Pondera County near Highway 89. Education Images/UIG via Getty Images) Crashes in Big Sky Country and beyond I decided to follow a trail in Montana, where, coincidentally, my accident took place.

There were 192 crash fatalities in Montana in 2015. Unfortunately, I couldn’t find any data on distracted driving, though impaired driving (alcohol/drugs) accounted for 10 of those fatalities.
It’s dangerous to generalize with data, so we’ll just leave those numbers there. With stats not helping much, I chatted with Audrey Allums, a Grants Bureau Chief for the Montana Department of Transportation.
She's responsible for approving grant funding for tons of different safety projects throughout the state.

For example, if a police department wants overtime pay to run a DUI training workshop, they send those requests to Allums.

Any sort of political action is not really within her purview, but she did tell me that many different cities in Montana have their own laws prohibiting the use of a cell phone while driving within city limits.

Allums noted the state has national data on distracted driving, and it's a terrible thing that continues to cause loss of life. However, she wasn't sure why Montana doesn't have a primary enforcement law.

All Allums could add was that it's really difficult to track if someone was using a phone or not when a crash took place. This, of course, totally makes sense. When someone's involved in an accident, first responders aren’t prioritizing the discovery out what caused the crash—their primary concern is saving lives. People involved in such accidents aren't necessarily going to fess up either. Who's going to admit to liking dog posts on Facebook when they crashed and killed someone? Allums pointed me toward a recently proposed bill in the Montana state legislature: HB 297.
It was a primary enforcement law similar to what exists in many others states, and it passed in the House before ultimately failing to get a second reading in the Senate before the legislature adjourned.

The state’s website lists the bill as "probably dead." Other states are trying to minimize potential injuries due to texting in other ways.

At Utah Valley University, administrators have divided staircases into three lanes, one for walking, one for running, and one for texting.

Antwerp, Belgium has similar lanes for walking texters, but as a whole, this sort of solution doesn’t seem particularly widespread or effective. Police have tried unconventional methods, like going undercover to catch and cite distracted drivers. New York might be working towards allowing police officers to use a device called a Textalyzer, which functions like a breathalyzer, except that it detects whether or not a touch screen has been used and text has been typed. Laws that enable strong penalization for distracted driving are becoming more common as well (for example, the recently passed Daniel’s Law in PA). And, of course, all aspects of the auto industry are simultaneously pushing steadily towards autonomous driving mechanisms.

Tesla's efforts may be the most high-profile, but tech companies like Google, traditional auto-powers like Ford, and new transportation companies like Uber are all scrambling towards similar goals.
In theory, removing the traditional role of a driver from all vehicles would free up individuals to toy with their phones as desired, but theory and practice are not one in the same.

A piece of technology can fail, and results could be tragic.

This reality is a long ways away anyway, as both the tech needs to improve and the regulations have to catch up. Currently, these measures are by no means common and standard across all states, nor is there likely to be pressure federally for everyone to adopt unusual measures.

The sad reality, for now, is that we may just resign ourselves to more auto deaths until self-driving cars come to fruition and save the day (if ever). Among other alternative anti-texting and driving initiatives: Simulations have been created to dramatize the experience for drivers.

This is one from AT&T's 2014 "It Can Wait" campaign in New York City. Spencer Platt/Getty Images) In Maine, New Gloucester High School goes beyond the standard scared-straight, crashed car display.

The school held an entire live mock crash demonstration instead. John Patriquin/Portland Press Herald via Getty Images No sign of stopping Will these laws and measures make a difference? There’s been research into that question.

The Texas A&M Transportation Institute has looked into it and found that texting and driving roughly doubles the reaction time of a driver when doing several different roadway activities.

They also found that voice-to-text services don’t do much in the way of alleviating the danger.

According to a CBS news report on a separate study done in 2015, researchers found that there was a seven percent reduction in car crash hospitalizations in states that issued bans between 2003 and 2010.

Though the researchers attempted to account for other laws that might have influenced that reduction, the researchers stand by their data. Much of this research suggests creating stricter enforcement laws surrounding the use of devices on the road is a net good.

But let’s engage in a bit of wild speculation here: I’m not sure we can totally believe that people are going to use cell phones less in their vehicles.
Sure, many of the measures police are employing or mining data from cell phones post-crash might significantly improve our abilities to identify what caused those crashes, but so far, people seem to be using their phones in their cars more than ever before. Personally, I use my phone all the time as a navigational device, propped up right on my dashboard to give me directions wherever I’m headed. This is the difficulty that safety officials face.

As cars become better designed, the fact that you’re driving a physics nightmare waiting to happen becomes more and more unreal.

Think about it. When was the last time you became fully aware of the fact that you were driving your metal bullet to the grocery store? That experience has an impossibly difficult time competing with our slick smartphones. After the crash, my dad used his phone to locate an affordably-priced tow truck company with his data connection.

A few minutes later, the truck was there to pull the car from the bank.

Dad nestles the phone back into the front pocket of his vest, ready for its next use. For more info on texting bans: http://www.ghsa.org/html/stateinfo/laws/cellphone_laws.html Thomas Wells is a writer and a teacher who lives in Bozeman, Montana. You can read the occasional tweet at @thomastalketh or check out his website at therealthomaswells.com.

Microsoft Patches Skype for Mac Backdoor Open for Up to 10...

In October Microsoft patched a local backdoor in the code of Skype for macOS that appears that may have existing since 2005, according to security firm Trustwave. Microsoft quietly patched the Mac OS X client for Skype in October, closing a backdoor that could have existed for as long as a decade and would have allowed attackers to control many aspects of the software, security-services firm Trustwave said on Dec. 14.The backdoor, which bypasses a permissions check by the Skype client whenever a dashboard widget requests access, could allow an attacker that already had local access on a system to control the Skype client.Someone using the dashboard widget application programming interface (API) could, for example, get notifications of incoming messages; read, modify and create messages; retrieve information on any contact; and record the audio—but not the video—of any Skype call to disk.“You can do pretty much everything that Skype can do,” the researcher who discovered the issue told eWEEK.

The researcher requested anonymity because of concerns that publicity could hinder future research. “You can rip off the contact lists. You can start new conversations. You can make calls.” The researcher found the backdoor during a penetration test and audit of the software.

Any Skype Dashboard widget for Mac OS X that identified itself as “Skype Dashbd Wdgt Plugin” would have access through the program’s application programming interface (API) without any notification or permission of the user, according to an advisory published by Trustwave. Normally the Skype program will notify the user each time a new dashboard widget attempts to connect to Skype through its API.“In the case of the backdoor, no such notification attempt is made and as such the user is not given the opportunity to deny access,” Trustwave said in its statement on the issue.Trustwave does not believe that the backdoor was put in for nefarious purposes, but was more likely the result of quick-and-dirty development practices.“An interesting possibility is that this bug is the result of a backdoor entered into the Desktop API to permit a particular program written by the vendor to access the Desktop API without user interaction,” the company said in a statement. “Indeed, this possibility seems even more likely when you consider that the Desktop API provides for an undocumented client name identifier.”Ironically, the actual Skype Dashboard widget does not use the backdoor, despite using the name that would give it access without notification.“This raises the possibility that the backdoor is the result of a development accident which left the code behind accidentally during the process of implementing the Dashboard plugin,” the company said.While the security issue allowed an attacker to gain access to Skype’s functionality without notifying the user, the severity of the vulnerability is limited by the fact that the attackers must be able to get a dashboard widget or program onto the victim’s computer.Trustwave did not know how long the backdoor had been present in the software, but the Skype Dashboard plugin for Mac OS X was released in September 2005 as version 1.0.2.

The company confirmed that the backdoor string was present in the program for at least five years.“I couldn’t get a copy of Skype for OS-X dating back that far with which to verify, but it is certainly a logical assumption and a strong possibility that it does indeed date back that far,” the researcher said.The issue was patched in October 2016 with the release of Skype for Mac version 7.37(178).“We don’t build backdoors into our products, but we do continuously improve the product experience as well as product security, and encourage customers to always upgrade to the latest version,” Microsoft said in a statement sent to eWEEK.

Arista beats Cisco’s $335M copyright claim with an unusual defense

Scott Jonesreader comments 23 Share this story After a two-week trial, a San Jose jury has cleared Arista Networks of allegations that it infringed copyrights and patents belonging to Cisco Systems. In a lawsuit filed in 2014, Cisco accused Arista of violating copyright because Arista's high-end switching equipment used some of the same commands from Cisco's Command Line Interface, or CLI.

Arista lawyers claimed that the CLI was an industry standard, promoted by Cisco, and that now Cisco was trying to change the rules because of Arista's success. This morning, the eight-person jury cleared Arista of both patent and copyright infringement.

The copyright claim, which was the bulk of Cisco's case, was rejected by the jury based on a legal doctrine known as "scènes à faire." A French term that means "scene that must be done," the phrase refers to a situation in which the creation of a certain work can only be accomplished in a limited number of ways, thus producing a more limited copyright. During closing arguments, Arista's lawyer Robert Van Nest described Cisco's CLI as using simple, uncreative phrases, according to a report in Law360. He called the commands unoriginal and noted that they were based on 40-year-old technology from older systems.

By finding in favor of a "scènes à faire" defense, the jury has shown that those arguments, questioning the creativity behind CLI, had a strong effect. Van Nest, whose firm defended Google earlier this year in its second trial against Oracle, presented three possible copyright defenses under which jurors might find in his favor: fair use, merger, and scènes à faire.

The jury said that only scènes à faire weighed in Arista's favor. The case will likely be appealed, and because of the inclusion of a patent claim, it will head to the US Court of Appeals for the Federal Circuit, which hears all patent appeals.

That's one of several similarities between this case and Oracle v.

Google
, which also headed to the Federal Circuit despite the patent claim being a minor part of the case that was ultimately dropped. "We thank the jury for their diligence in reviewing the evidence, though we respectfully disagree with the verdict," said a Cisco spokesperson in an e-mailed statement to Ars. "The jury found that Arista infringes Cisco’s user interface and that it was not fair use.

But the jury found on the narrow legal issue of 'scènes à faire.' We are reviewing the details of the ruling and determining Cisco’s options for post-trial motions and appeal given the clear testimony that other suppliers use very different commands." The statement also notes that Cisco recently won a patent infringement case against Arista at the International Trade Commission. Scènes and switches As a legal doctrine, "scènes a faire" developed from copyright disputes over movies, as a way to describe scenes that were so stock, obvious, or cliched, they didn't warrant copyright protection.

A well-known 1990 paper by Prof. Jessica Litman, entitled "The Public Domain," traces the history of the doctrine. In the 1940s,  Judge Leon Yankvich described scènes a faire as "the common stock of literary composition—'cliches'—to which no one can claim literary ownership." In a 2003 case, a photographer who'd been hired to do a marketing shoot for Skyy Vodka sued the liquor company when it hired someone else to produce similar product photographs.

Both the district court judge and the appeals court held that Skyy was protected by the doctrines of scenes a faire and merger. "This long-running litigation is fundamentally about how many ways one can create an advertising photograph, called a 'product shot,' of a blue vodka bottle," wrote the 9th Circuit judges who decided Ets-Hokin v.
Skyy Spirits
. "We conclude there are not very many." While the original photographer did indeed own a copyright to photograph of a blue vodka bottle, courts limited the ways in which he could stop others from "copying" him.

There are only so many ways to get that product shot. In Atari, Inc. v. North American Phillips Consumer Elecs Corp., a 1982 case at the 7th Circuit, a panel of judges used the concept in a copyright case regarding Atari's Pac-Man game.

They held that a competing game couldn't be infringing just because it used a maze, scoring table, and wrap-around tunnels—those concepts were the video-game equivalent of "scènes a faire." (The competing game was found to infringe for borrowing other elements, however.) Another use of "scenes a faire" came up in a 1988 video game decision, Data East USA v.

Epyx
.

Data East claimed that the Epyx video game International Karate was a rip-off of the Data East game, Karate Champ. Judges for the 9th Circuit held that "the visual depiction of karate matches is subject to the constraints inherent in the sport of karate itself," and certain game elements amount to scènes à faire, since they were "indispensable, or at least standard."