Slashdot Mirror
DVD-Jon Breaks iTunes Encryption For Linux Users
McGruff writes "The Register has a story regarding DVD-Jon's new hobby, iTunes DRM. According to the story DRMed iTunes AAC files can now be played under Linux via VidioLAN Client thanks to some handywork by Jon.
'"When you run the VideoLAN Client under Windows it will write the user key to a file. The user key is system independent and can thus be used by the GNU/Linux version of VLC," he explains.' Personally, this just means I will buy even more iTunes." (We mentioned in November Johansen's efforts to negate the iTunes restrictions on Windows.)
How long before people start exchanging their keys ? Now that the key can be had and used under virtually any platform, in an easily copied or transmitted file format, the copy-protection is effectively cracked.
Maybe we deserve this world ?
Awesome, I was waiting for this. Definitely a reason to consider iTunes now.
How long until someone writes a command-line AAC2mp3 converter?
-3Suns
~~~~
The Revolution will be Slashdotted
I am quite excited about this. VLC has always been my media player of choice, now the ability to play AAC DRM files in it just ups its ante.
While booting to Windows is a slight disappointment, I am sure DVD-Jon will remove that step ASAP.
I read Slashdot in Lynx, I am a real geek.
Does anybody else see something wrong with Apple having a program that only works on Windows and Macs? You would think they would be a little bit more understanding of those of us running "alternative" OSes.
Chaos will always win out over order because chaos is more organized
Norwegian programmer Jon Lech Johansen, who broke the DVD encryption scheme...
It was my understanding that DVD-Jon (as we're calling him now) did *not* actually break the DVD encryption scheme, but collaborated with some anonymous hackers who did. I think his involvement was more on the order of making it more accessible to the tyro. Could someone clear this up once and for all?
What do any of these people do with free time to break encryption schemes, contribute to oss, and build robotic girlfriends? I'm serious, how do you earn a living and still have time to do things like this?
Somehow I think that this is an example of the way software restrictions will continue.
Programmers will code the security so that the app only works one way, and some user will break it s it works elsewhere as well.
We need to have more thought put into coding so that apps will work more platforms, and also be aware that it is envitable (sp?) that somebody will crack it.
I broke a lot of digital clocks as a kid because I wanted to know what made them tick! I still got new ones, and broke them as well.
Here I come to save the da... *thud*
I gotta get me a shorter cape.
Seems like this crack can be patched.
I doubt Apple will call DVDJohn but I bet the RIAA will.
When will the this commie bastard be stopped from stealing money from corporations?????
No, you need the iTunes client to play any files you buy from the iTunes store. And No, it doesn't (yet) work under Wine or CrossoverOffice.
What is the point here?
Ok, so you can play iTunes AAC files on *Nix PCs, provided you have the key. Wouldn't it just be easier to download it off of Kazaa? You can find cover art with google, and you can use SoulSeek to find high quality rips. That gets rid of two arguements right there.
iTunes DRM is WEAK, man. Burn it to CDRW and rip the sucker again, it's as easy as jumping over a subway turnstile. Why are we wasting time with a pointless thing like this, why not crack WMP or something harder with a better payoff?
That would be the way for apple to go if they were in it to make everyone feel good. But actually, they are in it to make money. And as you may have noticed, a lot of linux users don't like to pay for stuff. This is smart for Linux users, not so good for people trying to make money off of Linux users.
And of course, it could never be enough. port itunes to linux? Where is the Ogg Vorbis support? Got Ogg? Why doesn't it work with *insert random peice of sourceforge developed software here*
I know, nobody wants to hear that they are the prima donnas of the IT world. But I've got Karma to burn.
At least Apple's version of DRM would go virtually unnoticed by casual listeners of music. iTunes DRM was designed to deter heavy pirates, but in all fairness, their DRM scheme is the best of the bunch. There are several ways to circumvent iTunes DRM, but at least DVD Jon's implementation just means it's less of a hassle for the said casual user.
So if this guy is so great, has he broken Windows Media yet?
So can we change his name to iTunes-Jon. Or better yet how about iDVD-Jon. Kinda catchy, actually.
Not that I would advocate such use. But this requires the key to be distributed with each file. Keep in mind that said key is *known* by apple, and directly tied to your account, it isn't something I would recommend sending out into the wild. On the other hand, using it on your own equipment to get around that creepy three machine registration limit seems like a good thing. If anything ever happened to Apple and your registered machine bit the dust, being able to back up a valid copy of your key seems like a good thing.
:-)
The thing is that AFAIK VLC isn't set up to manage multiple key+file pairs. So it is useful for *your* library, but not various files downloaded off the net. For that reason, I doubt they will go after him.
My question is, how does the iPod decrypt the file without a key? Or is it simply using the parent boxes key? It seems to me that if that's the case it should be trivial to recover the key from an iPod directly, no PC required (Just a Mac
- Dubya
unless you really think you are innocent
On one side of the coin, this is definately great news for everyone not running Windows or OS X who still want to listen to their DRM'd AAC files. Now, there is some portability to these files, and the ability to cue them up in VLC.
On the flipside, when some music industry execs look at this and wonder why they can't control their content, there are a number fingers going to be point at the OSS community because of it.
Where do we draw the line at control? The **AA industries wants to control their content, and we (I use "we" very loosely) want to have control over that which we've purchased. But who truly owns the bits? A series of 1s and 0s? Who's allowed to make the rules?
I know who I WANT to make the rules, me, of course. But I also know who legally gets to make the rules at this point. Them. I don't want the music industry to get pissed off and take my iTunes away. I've found a legal, beneficial means to aquire my music. I want MORE options, not less because of wary industry execs who don't want to have their content cracked.
And let's not even bring the DMCA into the picture here...
Can you ping me now? Gooood! | Manhappenin.Net - Things to do
He's trying to play media that he legally purchased on Linux. This is exactly the argument that he used in his DeCSS defense. Until Norway passes a law making that illegal, he's perfectly safe.
I can't wait until all Slashdot comments are nothing but long strings of esoteric acronyms.
>Kid, seriously, grow up.
What is wrong with him doing this and staying like this forever?
I mean, he should stop doing something just because "other people who know better" say that he should stop?
Should he stop becuase he could get into civil legal problems? That doesn't stop lots of "adults".
Should he stop because its "wrong"? Maybe some one could tell me where this is ethically wrong becuase I don't see it.
I say that he should keep doing what he likes to do and accept the consequences until he feels he shoudn't anymore and not what other people say.
Because in the end its his life.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Troll or clueless, I can't tell because as AC there's no post history.
Consumers, at least in Norway, do have more rights. They have the right to use DeCSS to decrypt DVD video to video on the player of their choice. They also, presumably, have the right to publish and obtain the DeCSS program.
Now, back in the land of the free, we have no such rights...why? Because we pussed out. We decided not to pursue our DeCSS case and let stand a lower court ruling that banned it. Oh yeah, this was much better than what Jon did, namely stand up for himself in court.
I'm not so naive to believe that Jon was selfless in his act (he was part of or closely associated with warez groups who were keen on cracking DVD encryption to allow for perfect all-digital rips rather than having to use analog loopback to capture card). But even if DeCSS has a seedy or sordid history no one wants to talk about, the point stands that DeCSS does have legitamate uses and that is where Jon's defense was founded.
When you have precedent set, you don't hide it in your desk and call it a day. You use that precedent to try and set new precedent that is even broader in scope. Jon has stood up to the might of Norway's MPAA/Attorney General equivalents, who now have major egg on their face. How likely do you think they will be to pursue another half-baked case against Jon? Jon is probably bulletproof against anything but real criminal behavior. As soon as the words "fair use" are uttered, I can't imagine there would be a government attorney crazy enough to get struck by lightning twice.
Releasing it anonymously would have only started a witchhunt that could have harmed a lot of other people, people who shouldn't have to be lightning rods for this same kind of treatment. But putting his name on it, yes, he is risked another trial but as I said, it is rather unlikely.
In this world full of people who puss out and settle for lesser charges (cough)Mitnick(cough) I think it's incredible that someone has the guts to put himself at risk to stand up for something. I only wish someone were that brave here in US courts.
-JoeShmoe
.
-- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
Is this guy an idiot?
Jon is a noble-hearted man who is standing up to tremedous odds and tremendous risk to fight for somthing that is good.
'round here, we call people like that heros
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
On the other hand, a frail man deliberately picked up a handful of salt, which was at the time a monopoly product of the British Empire. He was arrested for it, but this and other actions that fly in the face of "common sense" eventually freed India from British colonization.
How about that woman who was arrested for sitting in the front of the bus, when everybody knows that black people need to sit in the back?
I'm not saying DVD-Jon is anybody resembling Gandhi or Parks, or that his cause is nearly as important. What I'm saying is that many changes come from a small number of people noisily breaking unjust laws, rather than a thousand people quietly breaking it.
I'd bet he started working on the iTMS project a long while ago. He's just been acquitted twice for doing the same thing with DVD encryption. Now that he has rock solid precedent, he can practically walk into court without a lawyer if the recording industry sues him. He's got a great big whoop-ass stick, and it's time to use it.
In Norway, that is... Americans are still screwed.
making it more accessible to the tyro
I had nothing to do with it... I wasn't there... you can't prove anything.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
"this guy got balls the size of dorian fruit" - some guy in Freedom Downtime
Maybe I'm behind the times. I thought iTunes was still a U.S.-only service?
So how is Jon trying to play media on Linux that he's legally purchased when it can't be purchased in Norway? I'm just wondering.
The claim is because Apple doesn't make money off of iTuness it won't hurt... but it will.
Steve Jobs clearly stated on more than one occasion that iTunes has done wonders for moving iPods (a big business, and growing).
iTunes got the Music industries backing because it was secure... if that trust is lost, after the contracts end, iTunes has no more content.
That means no more iTunes, and that lowers the sale of iPods.
All that can be good, can be used for evil.
Radiation can kill, and it can save lives. Without water we die. With to much, we drown.
iTunes is the same way.
You know you can choke to death on an Apple? If that NT computer that controls the Machines in the hospital goes down... you could die too.
It's all subject to success, and failure. Perhaps that's life.
My only beef is that DVDJohn is intentionally ruining the first digital success of legal Music, what could have been quite an industry. Apple already went to Windows... I would have bet, Linux was in the works. Apple needs the Open Source community, and knows that.
He is? The iTunes Music Store is available only in the United States, and I believe he's in Norway.
(Apple uses the credit card mailing address to ensure you are in the US, but don't confuse your ability to get a US credit card with Apple having a legal right to sell you that song if you really aren't a US resident.)
I do sympathize, but I have to disagree with your logic.
It's a Slashdot axiom, but I'll repeat it here: If your business plan relies upon unbreakable encryption, it's a bad business plan.
That being said, I don't see how this is going to destroy iTunes. Yes, copyright violations are possible using these ideas. But I think you'll find that anyone who is using iTunes in the first place (rather than just nabbing whatever they want from P2P) is going to be the kind of person who wouldn't commit a copyright violation through iTunes, either.
Weaselmancer
Weaselmancer
rediculous.
Depends on how he actually did it.
If all he did was point his browser at itunes.com and buy the song using his own credit card, then the norwegian courts would not give a rat's ass about Apple really not wanting to sell it to him.
Same thing goes if he bought it while actually beeing in USA (vacation or something).
After examining the code, here's basically how the iTunes encryption works:
Every user account for iTunes gets a "user key". This gets sent to the computer at the the time of "Authorization" and gets written to a file on the hard drive. But it's not written out plainly, oh no. Instead, it creates a "system key" using several bits of data from Windows and the hardware and such. This system key is what's stored in the file.
To playback a song, the system key is derived from the machine and used to decrypt the file on the drive. This gives the list of user keys that machine is authorized to play, and these will decrypt songs using the same account (yes, each song is encrypted at the time of download, with the user key for that account).
This crack essentially works out how the system key is derived. Using that, it gets the user key, writes it off to a file, and can then decrypt any of that users songs.
Note that when you transfer a song from iTunes to the iPod, it does the same basic thing. Decrypts the file using the system key and reencrypts it using iPod specific information, then sticks it on the iPod. The iPod then does the same process as iTunes to play the file, more or less, it's just using a different system key.
This crack could be patched by changing the method to derive the system key from the machine, but not once the user key has been derived and written to a file somewhere. Once you have the user key, that can be used to decrypt the songs, and you're essentially done. Since you have the song files, and the key to decrypt them, no patch in the world could possibly fix it. They could fix it for newly purchased songs, but to do that they'd have to change every users key and reauthorize them. And that potentially breaks the authorization for songs that have already been purchased. They could start a new key without removing the old ones, in order to maintain backward compatibility and not piss off everyone who has used iTMS up until now, and then release new songs using only the new encryption, but it's essentially a dead end. The whole concept behind iTunes encryption is that once a machine is authorized, it can play songs without any outside intervention. Meaning that it has everything it needs to decrypt the songs right there on that machine. Meaning that as long as this is true, it can be cracked again.
I knew it was only a matter of time. I give it another 2 weeks before someone takes the code out of the drms.c, drms.h, and drmtables.h files and produces an M4P->M4A converter. Everything really needed to do it is in there. You read in the file, call this code to get the system key, call the code to get the user key, call the code to decrypt the DRMS section, then rewrite the file with a normal AAC data section instead. Not too difficult, although interpreting Jon's code is a PITA to say the least. The guy writes C code that reads more like ASM. Frankly, looking at the code, I think he simply found the relevant part of iTunes/Quicktime with a debugger and converted the relevant machine language straight into C with no major adjustments.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Yeah, I think this almost certainly is. Huge amounts of bit manipulation, lots of magic numbers, meaningless variable names. No type safety? No comments?
I've seen code like this before, when people have disassembled Windows DLLs back into C then tried to submit it to Wine.
I'd say Jon is treading on very slippery slopes indeed with this code. It might be possible to show that it's been simply generated from the original code which is almost certainly copyright violation - laws against that certainly exist in Norway.