Apple Disables PyMusique Hack

[dvdh]

How long until PyMusique identifies itself as iTunes 4.7?

That would provide ground for more than just a lawsuit . . . I could see the courts interpreting that as fraud.

 

[kodiak]

not hard for apple to do... open source after all.
i wonder if they had anticipated this (4.7 fixing), or if its a temp measure that pymusique will find easy to work around...

if so we can be sure of a 'security update for itunes' which will be mandatory, that will properly 'fix' it.

also interesting that they call it a security loophole - thats usually a rather negative terminology (for apple/microsoft) as it shows flaw in thier own software.
sounds like they want to be able to paint pymusique as hackers, or was it just so they could close it quickly, with whatever fix necessary?

 

[Chaszmyr]

The real question is what was DVD Jon thinking, did he not think they would close the door on him.

Perhaps he just wanted to know that he could do it, and boost his reputation in the process.

 

[nagromme]

The "arms race" will go on, and someone will spoof 4.7--agreed.

But Apple won't have to change the DRM scheme to close this hole tighter in iTunes 4.8 (or whatever).

All Apple has to do is pre-encrypt the music BEFORE transmission. NOT with your account's DRM--that would lose the benefits of Akamai--but rather with tough 128-bit encryption that's not account specific. Only iTunes would have the key to decrypt it, at which point your DRM is added in the same step. No changes to the DRM itself, only to the transmission process.

That's my guess about the future.

PS has Napster closed their gaping hole yet? Because you don't even have to PAY to exploit that one...

 

[DavidLeblond]

The real question is what was DVD Jon thinking, did he not think they would close the door on him. Gee, i am doing something that Apple my not like, so lets tell the world about it and see if Apple rolls over and plays dead.

He was thinking "Wow I haven't been in the news in a while. What can I do to get headlines?"

 

[rikers_mailbox]

Who saw THAT coming a mile away?

So far away that Apple had ALREADY fixed it. It was just a matter of forcing people to use the latest version iTunes.

I'm impressed.

 

[Maestro64]

also interesting that they call it a security loophole - thats usually a rather negative terminology (for apple/microsoft) as it shows flaw in thier own software.
sounds like they want to be able to paint pymusique as hackers, or was it just so they could close it quickly, with whatever fix necessary?

No, Apple has always been willing to call it a security issue, it opposite of what MS says, MS tend to say there are no security issue which has made bad press for them. Apple has shown to be proactive as possible and show they fix things as so as they find out.

I guess some people at Apple did not get to see their families this weekend. They were busy fixing the hole.

 

[limulus]

That would provide ground for more than just a lawsuit . . . I could see the courts interpreting that as fraud.

No. The legal definition of fraud: "Any act, expression, omission, or concealment calculated to deceive another to his or her disadvantage;"

Note that a human being has to be on the receiving end, not a server.

 

[RHutch]

No. The legal definition of fraud: "Any act, expression, omission, or concealment calculated to deceive another to his or her disadvantage;"

Note that a human being has to be on the receiving end, not a server.

Not necessarily a "human being"; it could be a company. This would be fraud directed toward Apple, not the server.

 

[Tulse]

No. The legal definition of fraud: "Any act, expression, omission, or concealment calculated to deceive another to his or her disadvantage;"

Note that a human being has to be on the receiving end, not a server.

Interesting. I'd be surprised if the definition didn't cover computer communications (wouldn't that be "wire fraud"?), but I am not a lawyer.

 

[limulus]

Not necessarily a "human being"; it could be a company. This would be fraud directed toward Apple, not the server.

Yes, good point. But then how is someone using this software to deceive Apple to Apple's disadvantage? The copy of the music is still paid for.

Interesting. I'd be surprised if the definition didn't cover computer communications (wouldn't that be "wire fraud"?), but I am not a lawyer.

IANAL either, but answers.com definition of wire fraud uses fraud as the basis, meaning that a person (or company) still must be on the receiving end.

 

[JGowan]

Well, obviously you couldn't write a program such as "PyMusique" without having a copy of iTunes to begin with. Once again, the "CLICK THROUGH" demands that you agree to TERMS OF USE of the software or you can't have access. Certainly, these terms were broken.

DVD Jon, you bad bad man.

 

[Stella]

I'm a little upset, though, that Apple blocked out older versions of iTunes. That means that people who may have agreed to the old terms but didn't like the newer iTunes terms (7 cds but 5 computers), can now no longer buy music. It also forces an upgrade. It's fairly acceptable since the new terms really are better and the upgrade is free, but it still makes me sad since I would have ended up with no recourse if I accepted the old license but not the new one.

Well, if this is an effective fix for the problem, then so be it.. You know who to blame - no, not apple - DVD John.

He should do more useful things like hack WMA.

 

[sjl]

All Apple has to do is pre-encrypt the music BEFORE transmission. NOT with your account's DRM--that would lose the benefits of Akamai--but rather with tough 128-bit encryption that's not account specific. Only iTunes would have the key to decrypt it, at which point your DRM is added in the same step. No changes to the DRM itself, only to the transmission process.

At which point, you pull out the debugger, trace through the iTunes code to find out where the 128 bit encryption key is kept, and then make use of that 128 bit key to decrypt the music as it downloads using the existing PyTunes code.

Short of keeping the keys -- and the DRM-adding-code -- in hardware where it's at least theoretically secure from software, there's nothing Apple can do, fundamentally, to prevent such hacks from taking place. Even if the keys are kept in hardware, careful use of microscopes and so on could well crack the code.

There's a limit to how much money Apple can spend on keeping things secure; in the end, if there is just one determined hacker out there, Apple's best efforts are futile. All they can do is try to keep one step ahead for a few minutes at a time.

And don't go waving the DMCA at me. There are still countries out there where the above is perfectly legal. Plus I'm coming at this from a technical point of view, not a legal one.

 

[wnurse]

hello, arm chair lawyers.

Interesting. I'd be surprised if the definition didn't cover computer communications (wouldn't that be "wire fraud"?), but I am not a lawyer.

There are many browsers that identify themselves as internet explorer for compatibility purposes. Should the makers of these browesers alll be sued?. Hey people, why don't we let the real lawyers be lawyers and we all go back to our day jobs. Interesting, almost every week, someone in a forum predict an apple lawsuit and it rarely comes about. Lawsuits are expensive. Lawyers get paid. Dvd Jon is not a multimillionaire. Why would apple pay a lawyer millions to sue someone with Jon net's worth? What exactly would they hope to do?. Scare him? (hollywood couldn't, why would they succeed).

My guess is that you have seen Apple's full response. If he gets around it with having pymusique identify itself as itunes 4.7, i am sure apple would do another work around.

 

[jragosta]

I don't care what Apple says... you can't sell, what is it now, 3 million songs and just break even.
They have to be making money from it.
(this is my opinion, I know you are not going to agree, but don't try to convince me otherwise)

Matthew

Why would you reach that conclusion? The number sold has absolutely nothing to do with it.

If your total costs are equal to your total revenue, you don't make money. Simple.

Look at the airlines. How could they be flying millions of passengers billions of miles and not making money?

 

[yg17]

That would provide ground for more than just a lawsuit . . . I could see the courts interpreting that as fraud.

how so? browsers use different user agents all the time, I can make Mac Firefox identify itself as Windows IE6 with 2 mouse clicks.

If iTunes 4.7 uses some sort of secret packet to communicate with the iTMS, it will take DVD Jon a packet sniffer and 5 minutes to fix the problem

 

[Dippo]

He should do more useful things like hack WMA.

He would but he enjoys the open AAC codec instead of the closed WMA codec.
And no one cares about whether WMA is hacked but an iTunes hack, now that is news.

At least Apple had the foresight to add multiple layers of security, but I am sure it will be broken again and Apple will fix, and it will go on and on....

 

[bdkennedy1]

IDIOTS

I love the legal notice "iTunes is a registered trademark of Apple Computer, Inc." at the bottom of their web page to prevent from getting sued. GOD some people are just so blatently outright stupid I just want to slap and shake them. Why would someone create a program knowing they're going to get sued by Apple and spend all of their money defending themselves?

 

[wnurse]

Well, obviously you couldn't write a program such as "PyMusique" without having a copy of iTunes to begin with. Once again, the "CLICK THROUGH" demands that you agree to TERMS OF USE of the software or you can't have access. Certainly, these terms were broken.

DVD Jon, you bad bad man.

I suspect that apple TOS is not infinetly binding. It's only binding if i use it. Example, suppose i remove itunes from my computer and forever use Windows media player (god forbid!!), am i still bound by apple TOS. TOS are extremely weak. I'm surprised companies even bother to still write one. People violate TOS all the time. I know i do. I'm not even worried about getting sued. Please!!.. TOS is just a way for companies to feel good about themselves. Also, suppose he develops on a friend machine. His friend agrees to the TOS, he doesn't. There are so many possibilities, it's endless.. allow me a few.
One of these days, i will send a TOS to a company myself.

Example of my TOS.

By reading this email, you hearin agree that i am no longer bound by your stupid TOS. I shall do whatever i want with your software without liability. You further agree that i may reverse engineer your software and sell it to whoomever I want. To decline this TOS, please reply with decline in subject line. Furthermore, you shall have to make your software unavailable to me. If for whatever reason I can obtain your software (either via third party site or through you), the terms in this TOS shall go into effect.



See what i mean when i said TOS are weak? anyone can have a TOS, even your dog.

 

[GFLPraxis]

That would provide ground for more than just a lawsuit . . . I could see the courts interpreting that as fraud.

Why? Safari can identify itself as Internet Explorer. FireFox can identify itself as ANY browser.

 

[~loserman~]

I love the legal notice "iTunes is a registered trademark of Apple Computer, Inc." at the bottom of their web page to prevent from getting sued. GOD some people are just so blatently outright stupid I just want to slap and shake them. Why would someone create a program knowing they're going to get sued by Apple and spend all of their money defending themselves?

Maybe they are trying to turn Apple into the next SCO

 

[lom8104]

how so? browsers use different user agents all the time, I can make Mac Firefox identify itself as Windows IE6 with 2 mouse clicks.

If iTunes 4.7 uses some sort of secret packet to communicate with the iTMS, it will take DVD Jon a packet sniffer and 5 minutes to fix the problem

Off topic, but how do you make firefox ID itself at IE6? I hate having to use IE for some webpages.

 

[J-Squire]

Keep Up

Why would you reach that conclusion? The number sold has absolutely nothing to do with it.

If your total costs are equal to your total revenue, you don't make money. Simple.

Look at the airlines. How could they be flying millions of passengers billions of miles and not making money?

But Apple ARE making money off iTunes. Keep up people. Jobs stated that iTunes was a loss-leader for selling more iPods about 6 months after they opened the store. We are now 18 months down the track from that, and Apple have stated at TWO previous quarterly financial disclosures that they ARE making a profit on iTunes song sales.

People keep quoting apple on the "loss-leader" statement saying that iTunes is only around to sell iPods, so how is napster going to stay in business, blah blah blah. But Apple also stated that they thought they would only sell 1 million songs in their first year of the store. They sold it in a week. They now sell 3million a day. They are turning profits - substantial ones - and it is only going to grow

 

[syoung6164]

Why would you reach that conclusion? The number sold has absolutely nothing to do with it.

If your total costs are equal to your total revenue, you don't make money. Simple.

Look at the airlines. How could they be flying millions of passengers billions of miles and not making money?

Might I add his numbers are a little off...It's 300 million. Big difference