Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Another Fairplay Threat?
- Thread starter MacRumors
- Start date
- Sort by reaction score
milo said:
And since when can you get a criminal record from a civil lawsuit? Since never, that's when.
balamw said:
I guess it depends how much of FairPlay they end up replicating. If they replicate the server too, then it'll probably be simple to tell iTunes to look at the third-party server (just capture the data going to Apple's IP address and send it off to DoubleTwist).
If they do that it probably wouldn't work with iTMS purchased tracks. This leads to the same kind of issue as Real faed, sure you can use the Real Store, but not at the same time as ITMS. ick.Nermal said:
(FWIW. They could probable accomplish a simple redirection just by adding an entry to the local hosts table, since Apple most likely addresses their servers by name not IP.)
We'll see if anything comes out of this, good or bad.
B
tveric said:
Doenertier said:
CaptainHaddock said:
milo said:
Okay, you've got me. Pirating stuff is fun and nobody will ever get to you. And if they do it's still fun since you don't get a criminal record. And if you got one then it would be totally unfair. Man, I am a total idiot for even considering to buy stuff. You know, pay money for it.
Let me just say the following: I do not like being restricted in what I do with the stuff I pay for. But I know what I am allowed to do in advance (that is before I pay money for it). Therefore I can DECIDE to pay or not. And to use it or not. And if I am not willing to pay for the package I get, I don't pay. AND DON'T USE IT. That is even if I do not like being restricted.
But nevermind, that is just me. (I thought like you on this matter a few years ago)
Doenertier said:
Don't put words in our mouths. If you're going to make the moral argument against piracy, make it. I just don't agree with trying to fearmonger by saying that the feds are going to bust your door down and impound your hard drives.
Don't confuse condoning piracy with pointing out incorrect statements.
balamw said:
Indeed, there would need to be a "helper" that checks to see where the track came from, and redirects it to DoubleTwist if necessary.
I'm interested in seeing where this all goes, it'll hopefully silence the complaints of the lack of an NZ iTMS.
Legality of Reverse Engineering
I actually work as a programmer for a DRM provider. Here's what our legal wonks have told us with regards to the DCMA:
1) If we want our player to be able to read files protected by a competitor's DRM, we are entitled to do so. This means that if we had a new iPod-killing mp3 player, we would be legally within our rights to reverse engineer iTunes to crack the DRM, and then re-implement the same algorithm in our own player (it would have to be cleanroom reverse engineering of course, but that's for IP reasons, not the DCMA)
2) However, our player must not give the user more rights than the original player. So, we can't provide an option to rip to mp3 for example. All we can really offer is another player, or, at the absolute limit, a convertor that removes FairPlay DRM, and replaces it with ours (or another provider's). The new DRM should provide exactly the same restrictions on copying/transferring of files as the original. The legal eagles tell us that this last bit is really a bit too grey at the moment to be safe, so we would be better off restricting ourselves to just a player.
This of course makes liars of all those people that spread FUD about the DCMA and DRM in general. All DRM is crackable, and the provisions in the DCMA make it legal to do so, if the reason for doing so does not infringe fair-use....
I actually work as a programmer for a DRM provider. Here's what our legal wonks have told us with regards to the DCMA:
1) If we want our player to be able to read files protected by a competitor's DRM, we are entitled to do so. This means that if we had a new iPod-killing mp3 player, we would be legally within our rights to reverse engineer iTunes to crack the DRM, and then re-implement the same algorithm in our own player (it would have to be cleanroom reverse engineering of course, but that's for IP reasons, not the DCMA)
2) However, our player must not give the user more rights than the original player. So, we can't provide an option to rip to mp3 for example. All we can really offer is another player, or, at the absolute limit, a convertor that removes FairPlay DRM, and replaces it with ours (or another provider's). The new DRM should provide exactly the same restrictions on copying/transferring of files as the original. The legal eagles tell us that this last bit is really a bit too grey at the moment to be safe, so we would be better off restricting ourselves to just a player.
This of course makes liars of all those people that spread FUD about the DCMA and DRM in general. All DRM is crackable, and the provisions in the DCMA make it legal to do so, if the reason for doing so does not infringe fair-use....
Nermal said:
Not necessarily. We don't know exactly how FairPlay works. Lets say I download my favorite song from iTMS. iTMS encrypts the song and adds my AppleID to it. When iTunes wants to play the song, it calls iTMS, gives it my AppleID, the iTMS returns a key to decrypt the song, iTunes decrypts it and plays it. Most likely iTunes will actually send both my AppleID + some ID for the song, so that if I crack the key for one song I cannot copy _all_ my songs.
Now the question is: Does iTMS keep track of all the songs that I bought or not? If it doesn't keep track of all the songs then the following would be possible: DoubleTwist adds a a random song id to the song. Then it adds _my_ AppleID and encrypts the file. When iTunes wants to play the song, it notices that it is encrypted, and takes my AppleID plus the song ID and sends it to iTMS. If iTMS doesn't keep track of songs then it will calculate which key would decrypt the file (if Apple had sold me a song with that song ID). And that key could be used to decrypt the song.
Another possibility: DoubleTwist could take the song ID and my AppleID from _any_ one song ABC that I bought from iTMS. It could be possible to find which key was used to encrypt that song from that information; nobody would have tried to make it difficult to find out. The decryption key is top secret, not the encryption key. So with this information, DoubleTwist could encrypt any song XYZ with exactly the same key as the one song ABC that I bought from iTMS. When I try to play any of those songs, iTunes will find the my Apple ID and the song ID of ABC attached to the song, sends it to iTMS, which returns the key to decrypt ABC, and uses it to decrypt XYZ. And since XYZ was encrypted with the same key as ABC, it will decrypt and play.
Methinks you don't have a good grasp of public key encryption. (Or at least how it's supposed to work).gnasher729 said:
The encryption key is the one that is top secret because it's the one you keep private, and is the one which would allow DoubleTwist (or anyone else) to masquerade as iTS. The decryption key, by it's very nature, is vulnerable and in effect "public" (since it must be on the client machine, so it can be discovered). There is a flaw in the FairPlay system that Jon has exploited before (as I mentioned earlier in the thread) which has to do with the fact that the files are personalized locally on the client machine, so if they can fool iTunes into personalizing third party files, they're in like Flynn. (This also has the effect of making a private key or equivalent available on the system which may be the chink in FairPlay's armor).
Essentially, the FairPlay system is one that implies a certain amount of trust. Once you authorize a machine all of the purchased tracks from that account on the machines can be decrypted. Even if they are not on the machine at the time of the authorization and the machine is not on the network at the time (I have played back encrypted videos on DVD-R on my iBook while it was not on the 'net.)
I don't know how often it needs to "phone home" so you can't just load up 5 machines with protected content, detach them from the network and deactivate all of your machines at iTMS... Then spend the next year working on 5 more systems...
B
Apple needs to start working on a new business model while the studios are still suing their customers and the TV boom is still on. If they dont they're going to be beaten overseas. Enough with the legal rhetoric damn it, evolve your business model or you'll lose.
balamw said:
good lord, if anyone actually got through reading all this, can there be any doubt left that all consumers want is DRM-free content??? There's a simple rule that exists - the more complicated the DRM you put on your content, the less likely that people are going to buy it. Hence, people are downloading music and movies for free, and ripping Netflix DVDs to their hard drives to burn their own copies.
You can't put the genie back in the bottle. Until there's DRM-free movies and music for sale online, so-called pirated downloads will continue to dwarf legal downloads. End of story.
Actually what many consumers want is DRM transparent downloads. They don't want to constantly be reminded of their restrictions and they don't want the restrictions to get in the way or have to know any of the technical details.tveric said:
Fairplay does a fairly good job at that, which is why it has been successful.
OTOH Amazon unbox seems overly restrictive with its two machine and 48 hour limitations. Zune's 3x3 DRM also seems to miss the boat as it'll probably annoy more users than get them to buy tracks...
B
balamw said:
I'm pretty sure that that's not how FairPlay works. I think it goes something like this...
When iTunes tries to play a protected media file, it asks for an ID of the device that it is trying to play on (serial number, or something like that). Each media file contains a list of devices for which it has been authorised. If the current device is not in this list, iTunes offers the possibility to add the device to the list of devices authorised for this media file. There is a limit of five devices for any given media file.
In principle, you could put an encrypted file onto a service like [website name removed], and it could be used by millions of people. Of course, you would have to be an idiot to do so, because your ID is embedded in the file, allowing the legal eagles to nab you. And of course, anyone USING the file runs the risk of iTunes calling home to notify Apple if it detects a known pirated file...
Apple gives you the option to clear the list of authorised devices for all files in an iTunes library once a year.
balamw said:
Whom are you kidding? Nobody cares that Fairplay's DRM is better than other DRM. Do you think it being "successful" (and that word ONLY applies comparing it to other pay services, not overall downloads) has anything to do with the fact that 70% of all mp3 players are ipods, and only work with the itms? Gee, I wonder.
And even if there's a causal relationship here (which is ridiculous), extend that out to all downloads. 5% of all music on ipods is from the itms. Sounds like the "successful" formats are the non-DRM ones, whether they be so-called illegal downloads or music obtained from CDs, or just copied from a friend's library of DRM-free music.
Your average ipod owner could not possibly give a flying %^@$ about how Fairplay's DRM compares to other mp3 players' DRM. Talking about "DRM transparent" like its something that Joe Consumer has any clue about is delusional at best.
That's the point, if they don't "see" the DRM, hence the transparency, it doesn't bother them one bit. I haven't seen the need for things like hymn since the DRM doesn't stop me from doing anything I want to do with the files, such as burn a CD or move it to another machine.tveric said:
Definitely not per file, Wikipedia has a pretty good summary of how it actually works here: http://en.wikipedia.org/wiki/FairPlay#How_it_works . More that a database of all files the device can play is downloaded from the store...demallien said:
B
I can certainly vouch for the sentiment expressed that people out there like the iTunes application without regard to how they have obtained their music. I have lots of music on my computers that I have accumulated over many years; and of all the media players I've used over the years, iTunes is without a doubt the nicest and best of the lot.
However, when it comes to the task of extracting audio from CDs and then encoding them as MP3s, I still prefer Audion. I like the specific controls it gives me. Also, the cost of the user interface experience in Audion for that particular set of tasks does not exceed the benefits of having used the program.
I fully understand someone's desire to protect the means of their own financial income. Clearly, the general public's acquisition of music or movies "for free" does not contribute to the artist's income from his/her creative efforts. However, I have two basic issues with present models (both the traditional "brick-n-mortar" as well as the digital DRM'd ones):
1. I feel the labels are by-and-large ripping off artists. Yes, I fully understand that label companies have much more invested in the business of making music than any single band or artist does; however that doesn't entitle them to make a king's randsom from each CD or DVD and pay the tiniest fraction of those monies to the artist. Due to my personal objections to this, I refuse to be party to this practice.
2. I object to having my usage rights in any way restricted. I do not like to be hemmed in (even in principle). I have not and never will sign any kind of license agreement (figuratively or literally) just for the benefit of possessing entertainment content.
A separate issue I have (which only applies to having to buy an entire CD at once instead of individual tracks) is that it's well known that most CDs have only a few good tracks on them; the remaining ones being largely "filler". I'm not saying there aren't ANY CDs out there where all the tracks are good. However most of the ones I've heard over the years have maybe 2-4 good tracks, and the rest are garbage.
The following is, admittedly, a bit off-topic, but it is pertinant to the subject at hand (that is, the licensing issue). It really gets me that you have the RIAA and ASCAP/BMI going after businesses which have music playing in their shop environment, especially when the music in question is NOT a live performance nor intented as a means of deriving additional income. And the crux of that issue, for me, is that the restaurants (and offices in many cases) have never signed any kind of licensing agreement with anyone (and moreover ASCAP/BMI and the RIAA try to turn this into a criminal issue when clearly it should more properly be tried as a civil issue -- on which I feel is baseless and that they should be laughed out of court over).
</rant>
However, when it comes to the task of extracting audio from CDs and then encoding them as MP3s, I still prefer Audion. I like the specific controls it gives me. Also, the cost of the user interface experience in Audion for that particular set of tasks does not exceed the benefits of having used the program.
I fully understand someone's desire to protect the means of their own financial income. Clearly, the general public's acquisition of music or movies "for free" does not contribute to the artist's income from his/her creative efforts. However, I have two basic issues with present models (both the traditional "brick-n-mortar" as well as the digital DRM'd ones):
1. I feel the labels are by-and-large ripping off artists. Yes, I fully understand that label companies have much more invested in the business of making music than any single band or artist does; however that doesn't entitle them to make a king's randsom from each CD or DVD and pay the tiniest fraction of those monies to the artist. Due to my personal objections to this, I refuse to be party to this practice.
2. I object to having my usage rights in any way restricted. I do not like to be hemmed in (even in principle). I have not and never will sign any kind of license agreement (figuratively or literally) just for the benefit of possessing entertainment content.
A separate issue I have (which only applies to having to buy an entire CD at once instead of individual tracks) is that it's well known that most CDs have only a few good tracks on them; the remaining ones being largely "filler". I'm not saying there aren't ANY CDs out there where all the tracks are good. However most of the ones I've heard over the years have maybe 2-4 good tracks, and the rest are garbage.
The following is, admittedly, a bit off-topic, but it is pertinant to the subject at hand (that is, the licensing issue). It really gets me that you have the RIAA and ASCAP/BMI going after businesses which have music playing in their shop environment, especially when the music in question is NOT a live performance nor intented as a means of deriving additional income. And the crux of that issue, for me, is that the restaurants (and offices in many cases) have never signed any kind of licensing agreement with anyone (and moreover ASCAP/BMI and the RIAA try to turn this into a criminal issue when clearly it should more properly be tried as a civil issue -- on which I feel is baseless and that they should be laughed out of court over).
</rant>
How so. Please elaborate?gnasher729 said:
The decryption keys are everywhere and not top secret. Each iPod and iTunes has access to them. If you can get your hands on them you have something like hymn or FairKeys. Where does one get the encryption key?
EDIT: BTW I'm quite serious, if I got it wrong please help me understand where you're coming from.
B
balamw said:
Ok. Explain how Jon from Norway has now for the second time managed to crack Apple's _encryption_ and nobody has yet found any way to crack the _decryption_? (For those who don't remember, the encryption between Mac and Airtunes has been cracked, and now the encryption method of iTunes songs has apparently been cracked).
In case you've missed it, decryption is (once again) hacked QTFairUse6gnasher729 said:
I don't know how or even if Jon has cracked FairPlay 2.0 encryption. You tell me. How?
Here's what I believe:
In the case of AirTunes/JustePort, it's actually quite simple (for Jon and those of his talents), because the iTunes client software was the one encrypting the content for the AirPort, so the private key for that encryption was on the PC or Mac that was sending the content to the AirPort Express. Once you have the private key, you can portray yourself as the iTunes client and away you go.
These kind of hacks involve on of two things. 1) gaining access to the keys (DeCSS, playfair/hymn, JustePort) 2) Finding places in the software where the encryption is "off" or at least weaker than before (QTFairUse, and PyMusique).
B
balamw said:
No, you are WAAAAY off base.
The encryption key is public, the decryption key is private. The decryption key used in iTunes is hidden away to the very best of Apple's ability from the eyes of prying hackers. (at least, one assumes so - it's illegal for me to even try and confirm that.... thanks DCMA)
If I want to exchange confidential information with someone, I am going to need their public key. They can send this to me unencrypted (normally as part of a "certificate" to prove who they are at the same time...). I then use this key to encrypt the secret message, and send the encrypted message to them. They in turn can decrypt this message by using their private key....
Normally, the messages exchanged in this manner are actually symmetric keys (keys that can be used for encrypting and decypting a message). This is certainly the case for iTunes, which uses AES, a symmetric encryption system to encode it's media files.
Contrary to what you seem to think, the keys in iTunes are not freely available. Both the private assymetric key, used to communicate with the server (to obtain the symmetric keys) and all of the symmetric keys, used to decrypt the actual media files, are hidden inside iTunes. Try looking for them on your harddrive, I promise you that you won't find them (unless you are an expert pirate with a few months of your time where you have nothing better to do....)
BTW, that article that you linked earlier about FairPlay has internal consistency problems. If what it says about retrieving keys from the Apple Store is correct, then what it says about VLC can NOT be correct. one or the other is wrong. My money is on the info about retreiving keys is wrong. I do this stuff for a living, and it's certainly NOT how I would do it....
Choppaface said:
Beaten overseas by who? Who is making it big selling TV shows overseas?
tveric said:
Wow, that's incredibly naive. People don't get free content because the free content is "simpler". It's because they're too cheap to pay. If people want no drm, they can just buy cd's and dvd's and rip them. People who download free content, or rip rented discs are just cheapskates who are stealing.
There IS DRM free music for sale online. And in contrast to your theory, people are still stealing it.
tveric said:
But if iTunes' DRM was annoying to users, it never would have made it to 70%. Users absolutely care about DRM. But they're not aware of it unless it's too restrictive or inconvenient - if you give them *bad* DRM they will totally notice it and hate it.
I noticed some of the same issues you did with the Wiki article, but didn't find a better general one. You? Cody Brocious had a blog post on the iTunes 6 process a while back but it doesn't seem to be available anymore...
It's the keys used to encrypt the actual media files, which are more closely guarded at Apple. It's much easier to pick the locks on the local system you have under your control than a remote server somewhere... The decryption keys are definitely stored locally since you can play protected files while offline. The one chink in the armor that I see that Jon may be using is that the personalization of the files is done locally, so this step may be exploitable.
Finding where the keys are on your HDD is the easy part, accessing and using them is the task that takes months... [Simple way to find the location of the keys. Image your HDD. Purchase file from iTunes. Image your HDD compare the two images. The new key(s) (and the file itself) must be in the bits that changed.]
As someone who does this for a living, can you comment on my read of the hacks that have been released in the later post https://forums.macrumors.com/posts/2917258/. It still seems to me that where DRM has been hacked has relied on key retrieval or finding the weak spot in the chain.
B
My point was exactly that. All the keys for decryption have to be on your PC/Mac/iPod.demallien said:
It's the keys used to encrypt the actual media files, which are more closely guarded at Apple. It's much easier to pick the locks on the local system you have under your control than a remote server somewhere... The decryption keys are definitely stored locally since you can play protected files while offline. The one chink in the armor that I see that Jon may be using is that the personalization of the files is done locally, so this step may be exploitable.
Finding where the keys are on your HDD is the easy part, accessing and using them is the task that takes months... [Simple way to find the location of the keys. Image your HDD. Purchase file from iTunes. Image your HDD compare the two images. The new key(s) (and the file itself) must be in the bits that changed.]
As someone who does this for a living, can you comment on my read of the hacks that have been released in the later post https://forums.macrumors.com/posts/2917258/. It still seems to me that where DRM has been hacked has relied on key retrieval or finding the weak spot in the chain.
Exactly my point about DRM "transparency". If the DRM is simple enough that it doesn't get in the way, it's as if it didn't exist. That doesn't mean people want DRM, just that they can live with it if it stays out of the way.milo said:
B