Slashdot Mirror


Johansen Cracks AirPort Express Encryption

womby writes "DVD Jon has just announced that he cracked the encryption in Apple's AirPort Express. 'I've released JustePort, a tool which lets you stream MPEG4 Apple Lossless files to your AirPort Express. The stream is encrypted with AES and the AES key is encrypted with RSA.' No real details of the process employed in cracking the unit but newsworthy none the less."


  1. Lawyers, start your engines. by flamingnight · · Score: 3, Interesting

    I wonder if Apple Legal will have a DMCA fit about this. And how good their case would be.

    1. Re:Lawyers, start your engines. by garcia · · Score: 4, Insightful

      Of course they will, I don't even know why you bothered to mention it. The real question is will it fit under the provisions allowing for reverse engineering or will it fall under the category of malicious code breaking?

      We all know what it should fall under. What category Apple's lawyers make it fall under is a different story.

    2. Re:Lawyers, start your engines. by Anonymous Coward · · Score: 3, Informative

      Why would they? Jon is from Norway, where US laws and ideals do not apply.

      Welcome to the rest of the world, where there are more of them than you.

    3. Re:Lawyers, start your engines. by chromaphobic · · Score: 4, Insightful

      Or, they'll just use their usual methodology and release a Software Update with some non-descript "bug-fixes" that happens to also break JustePort. :-)

    4. Re:Lawyers, start your engines. by BobTheLawyer · · Score: 2, Informative

      Their case might be good, but it would also be irrelevant - as the chap concerned (and presumably his internet server) aren't in the US.

      (Extradition for a DMCA offence is pretty much out of the question.)

    5. Re:Lawyers, start your engines. by dasmegabyte · · Score: 3, Funny

      You forgot parent 4:

      "Sigh. Everybody so far has said X, Y and Z. Everybody always says X, Y and Z. I'm so sick of it. Moderators, I hate you and your children."

      --
      Hey freaks: now you're ju
  2. huh, sounds solid... by kippy · · Score: 3, Interesting

    Well it sounds like Apple did the right thing by using AES and RSA which are both industry standard and not some crazy "applecrypt" or something. Must be a really weak key or poor implementation or the protocol.

    1. Re:huh, sounds solid... by interiot · · Score: 5, Insightful

      What's NOT solid is the whole concept of selling products which contain the encrypt and decrypt keys to customers, and thinking that they're never going to be able to recover those keys from the product you just put in their hands.

    2. Re:huh, sounds solid... by Anonymous Coward · · Score: 2, Interesting

      > thinking that they're never going to be able to recover those keys from the product you just put in their hand

      I'm not sure, but when someone buys something it's theirs, all of it.
      What's more, the question is why is Apple encrypting in the first place, and why can't I disable it?

    3. Re:huh, sounds solid... by k98sven · · Score: 4, Insightful

      > What's more, the question is why is Apple encrypting in the first place, and why can't I disable it?

      Because Apple needs to stay friendly with the music industry, and that means the RIAA. They probably wouldn't mind skipping encryption altogether and saving a buck, but I doubt very many labels would support that scheme.

    4. Re:huh, sounds solid... by pedestrian+crossing · · Score: 2, Funny

      Geez, I had heard that emacs was the be-all do-all, but I didn't know you could listen to music over it! Damn, I'll be switching from vi right away!!

      --
      A house divided against itself cannot stand.
    5. Re:huh, sounds solid... by Stackster · · Score: 3, Insightful

      That would also mean that Apple really wouldn't care too much about someone breaking the encryption, although RIAA might force them to.

      I just ordered an Airport Express, just to stream audio from my laptop (sucky speakers, can't stand a cable). If I can stream from other sources, great. Even better would be to have other units (any computer) act as "iTunes speakers".

      --

      There are 010 kinds of people. Those who understand octal, those who don't, and 06 other kinds of morons.
    6. Re:huh, sounds solid... by squiggleslash · · Score: 2, Informative

      Which Mac doesn't have speakers in it? I've used a variety of Macs, three different models of PowerMac, and a Titanium PowerBook included, and all of them had speakers.

      --
      You are not alone. This is not normal. None of this is normal.
    7. Re:huh, sounds solid... by byolinux · · Score: 2, Informative

      No speakers? Apart from the iMac, the eMac, and all their laptops, right? ;)

    8. Re:huh, sounds solid... by Decius6i5 · · Score: 2, Insightful
      > They probably wouldn't mind skipping encryption altogether and saving a buck, but I doubt very many labels would support that scheme.

      Um, no, the encryption in this context doesn't just protect the music industry. It also prevents competitors from interoperating with Apple's products. Apple likes it that way.
    9. Re:huh, sounds solid... by JohnsonWax · · Score: 3, Funny

      You could come visit my Xserve. But yeah, that's pretty much the list.

  3. Great News by Rura+Penthe · · Score: 5, Interesting

    This is great news. I want any application I own on any platform (OS X/Windows/Linux/Zeta!) to be capable of streaming to an Airport Express. I can't imagine that this would really upset Apple since you're still buying their hardware. It just lets you use the hardware with more applications. If iTunes is still the best and most elegant way, people will use that.

    Of course...Apple isn't always logical like that, and there may be some precedent set that would injure them in court some time later.

    1. Re:Great News by foidulus · · Score: 4, Insightful

      Well, a potential abuse of this system could be wardriving with Cannibal Corpse. If crackers can figure out how to encrypt the songs, they can wardrive around till they find an AE and play "Entrails Ripped From a Virgin's Cunt" instead of the Sesame Street songs the family wanted to play. There are valid reasons for having this encrypted.
      Also, the RIAA probably put some pressure on Apple to encrypt the songs. While I don't like piracy, the thought of someone driving around so they can download music that other people they don't know are listening to is very bizarre.

    2. Re:Great News by Rude+Turnip · · Score: 5, Interesting

      You can use an Airport Express and never buy anything from iTMS or purchase an iPod...just use your own MP3 collection. All three hardware products depend upon iTunes, but neither hardware item requires the other to use.

      To be honest, Apple's products become much more useful (and more desirable to purchase) when people come out with neat hacks like this. The only reason I spend big bucks in their music store is because the DRM has been broken through the Hymn project.

    3. Re:Great News by garcia · · Score: 4, Insightful

      > To be honest, Apple's products become much more useful (and more desirable to purchase) when people come out with neat hacks like this.

      The only thing that makes it more attractive is that Apple finds a way to close the hole exposed by Jon's (or his friends') hack and the RIAA continues to let Apple distribute their wares for a reduced price.

      Once Apple cannot guarantee that the music is protected from "theft" then the RIAA will pull the plug on our "cheap" downloading.

    4. Re:Great News by Kristoph · · Score: 5, Informative

      The hack in question does not permit you to stream to the AE unless you have access to the network on which the AE resides. If you did gain access to that network in some way you could still engage in the "abuse" you mention through iTunes without this hack.

      The point of the hack is to permit you to stream music from programs other than iTunes to an AE you have access to and not to hijack AE's.

      ]{

    5. Re:Great News by Anonymous Coward · · Score: 2, Insightful

      Then we just go back to "free" downloading.

    6. Re:Great News by MacGod · · Score: 2, Insightful

      The only concern I would have if I were in Apple's legal department, would be that if something like the INDUCE act passes, making it illegal to enable people to commit copyright infringement, then they might be liable, since now you are streaming perfect, digital music to all your neighbours.

      --
      "Reality is merely an illusion, albeit a very persistent one " -Albert Einstein
    7. Re:Great News by lysander · · Score: 3, Informative
      I can't reach the website, but presumably this only works if you have access to the wireless network, so you'd have to break WPA/WEP as well (or find a sucker with an open network).
      It's possible to password protect the audio aspect of the airport express separate from WPA/WEP. You can even leave the access point entirely open and still password protect access to the audio. The article's still unavailable, so it's unclear what exactly Jon cracked.
      --
      GET YOUR WEAPONS READY! --DR.LIGHT
    8. Re:Great News by Bingo+Foo · · Score: 2, Funny
      (notice the difference in my *free* and your "free")

      Free as in "asterisk sandwich."

      --
      taken! (by Davidleeroth) Thanks Bingo Foo!
    9. Re:Great News by sammy+baby · · Score: 2, Interesting
      > Of course...Apple isn't always logical like that, and there may be some precedent set that would injure them in court some time later.

      In fact, Apple recently suggested they may be pursuing legal action against Real for making the iPod compatible with songs from Real's store. You're still buying an iPod, but Apple is still bent out of shape about it.

      Of course, the profit motivation isn't as clear-cut here, but I wouldn't put it past Apple to throw a major hissy here.
    10. Re:Great News by raytracer · · Score: 2, Insightful
      > Once Apple cannot guarantee that the music is protected from "theft" then the RIAA will pull the plug on our "cheap" downloading.

      This is absurd. Apple can't make any such guarantee, since it is obviously false. Pretending otherwise is just silly. If copy protection worked, we would not need laws to make breaking it illegal.

      But beyond that, this hack has nothing to do with copy protection. Using this hack you can only encode streams for playback on the Airport Express, not decrypt them. It doesn't give you any power to remove copy protection from music which has been encrypted. It would seem that any DMCA challenge to its legality would be expensive to fight, but ultimately doomed.

    11. Re:Great News by BobTheLawyer · · Score: 3, Funny

      security through unavailability?

    12. Re:Great News by An+ominous+Cow+art · · Score: 3, Funny

      I used to enjoy sadonecrobestiality, until I realized I was just beating a dead horse.

  4. Why oh why? by CountBrass · · Score: 2, Insightful

    Well I'm still waiting for my dealer to get some in stock so I can buy a couple (I have a single storey home that wanders, uhm, well you know what I mean).

    Anyway, back on topic, I never really understood why Apple felt the need to encrypt it in the first place. I mean, what next, B&O encrypting the output to speakers? Sony insisting their systems will only work with encrypted mains voltage that you certify has not been used to power any unauthorised (by the RIAA and MPAA) devices?

    --
    Bad analogies are like waxing a monkey with a rainbow.
    1. Re:Why oh why? by drinkypoo · · Score: 3, Interesting

      > I mean, what next, B&O encrypting the output to speakers?

      IIRC, Creative has considered doing just that. Creative had considered opening an online music store which was to be called MuVo - that name sound familiar? It would initially sell CDs ala CDNOW (the site was pretty similar, really, with some significant upgrades from that feature set of course) and then later move to digital downloads.

      Naturally, Creative being what they are - a bunch of right bastards, if you want a driver or utility file especially - they were concerned about DRM. From what I understand, one idea that was seriously kicked around was a hardware device, probably USB speakers, being required to listen to the music. It is likely that the device would have had analog audio output, so you could put the music on a tape or something. It's the digital hole that labels want to close, they know they can't do anything about analog copying.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Why oh why? by drinkypoo · · Score: 4, Insightful

      Try reading my comment again, more slowly. The analog hole is not closable. It quite simply cannot be done. For instance you could take an encrypted digital speaker set, and attenuate the signal going to the speakers down to a 0-1.5V P-P signal, aka "Line Level".

      The digital hole is where you make a digital copy without degradation. The former motivation (besides ethics) for consumers to purchase commercial copies of media was quality. Now, with the ability to make a perfect digital copy, that motivation has gone away. Now it basically comes down to convenience and ethics. It's hard to feel too bad about taking some money away from a record label, and it's awfully convenient to just download music without paying for it. Hence the reason the record labels are pissing their corduroys.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Why oh why? by addaon · · Score: 2, Interesting

      Yep, that's the analog hole all right. It's just not what was being discussed.

      --

      I've had this sig for three days.
    4. Re:Why oh why? by ideonode · · Score: 4, Funny

      > they can't do anything about analog copying

      Couldn't they encrypt the analog sound as it leaves the speakers, and give the user a DRM-enabled BabelFish?

  5. Does anyone know Jon's doctor? by Anonymous Coward · · Score: 5, Funny

    I want to know if he really does have testicles made of brass.

    1. Re:Does anyone know Jon's doctor? by ThatsNotFunny · · Score: 2, Funny

      Not only are they made of brass, but he's got five of them.

      --
      "Was it a millionaire who said 'Imagine No Posessions?'" -- Elvis Costello
    2. Re:Does anyone know Jon's doctor? by WolfWithoutAClause · · Score: 2, Funny

      Unlikely at the moment, but he'll probably need replacements after Apple's lawyers are through with him.

      --

      -WolfWithoutAClause

      "Gravity is only a theory, not a fact!"
    3. Re:Does anyone know Jon's doctor? by Tackhead · · Score: 4, Funny
      > > I want to know if he really does have testicles made of brass.
      >
      > Not only are they made of brass, but he's got five of them.

      I want to meet Jon's tailor. I hear he makes pants that fit like a glove.

    4. Re:Does anyone know Jon's doctor? by Xibby · · Score: 2, Informative

      Balls on a Brass Monkey have nothing to do with testicles.

      ---
      Origins of the saying "Cold enough to freeze the balls off a brass monkey!"

      In the heyday of sailing ships, all war ships and many freighters carried iron cannons. Those cannons fired round iron cannon balls. It was necessary to keep a good supply near the cannon, but prevent them from rolling about the deck. The best storage method devised was a square based pyramid with one ball on top, resting on four resting on nine which rested on sixteen.

      Thus, a supply of thirty cannon balls could be stacked in a small area right next to the cannon. There was only one problem - how to prevent the bottom layer from sliding/rolling from under the others? The solution was a metal plate called a "Monkey," with sixteen round indentations. If this plate was made of iron, the iron balls would quickly rust to it. The solution to the rusting problem was to make "Brass Monkeys."

      Few landlubbers realize that brass contracts much more and much faster than iron when chilled. Consequently, when the temperature dropped too far, the brass indentations would shrink so much that the cannon balls would roll right off the monkey. Thus, it was quite literally, "Cold enough to freeze the balls off a brass monkey!"

      --
      I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
    5. Re:Does anyone know Jon's doctor? by jandrese · · Score: 3, Informative

      Nice try, but Bzzzzt! Wrong answer. That expression was probably just as vulgar as it sounds.

      --

      I read the internet for the articles.
  6. Re:What? by Carewolf · · Score: 3, Interesting

    He is just a front figure of a large international cracking group. He has already been to court once, and is protected by a largely fair Norwegian legal system, so each time the group has something controversial (whenever they have something) they have him release it.

  7. This should be pretty cool by sith · · Score: 5, Interesting

    Since all he got was the public key, you can't actually decrypt streams that are being sent. What it means is that programs can now stream music to the AEx. This should be really cool, especially once something like AudioHiJack or Wiretap comes along that lets you redirect all your system audio to it. I'd love to be able to stream non-iTunes audio formats that way (real player radio stations and whatnot). Anyways, can't see how this hurts apple - more people have incentive to use the AEx, Apple doesn't have to support their use of it that way, and the protected music is still protected. Hizzah?

    1. Re:This should be pretty cool by sacrilicious · · Score: 2, Insightful
      > can't see how this hurts apple - more people have incentive to use the AEx, Apple doesn't have to support their use of it that way, and the protected music is still protected. Hizzah?

      I'm glad this has been cracked and fully support it, but if the question is "why would Apple be opposed" then I'd point out the similarity of the relationships between iTunes/AirportExpress and InternetExplorer/IIS. Why would Microsoft oppose Apache or Mozilla? Because their existence takes away Microsoft's ownership of the end-to-end web browsing experience, thereby depriving them of the ability to lock in people and direct their experience to the greatest benefit of the corporation. Ditto Apple; this crack means they no longer own the end-to-end experience from iTunes to AirportExpress.

      --
      - First they ignore you, then they laugh at you, then ???, then profit.
    2. Re:This should be pretty cool by RadioheadKid · · Score: 4, Informative

      RSA encrypted AES key

      You answered your own question. RSA here means the RSA Public Key Cryptography Standard. The AES key (which is a symmetrical cipher key) was encrypted using RSA PKCS.

      --
      "Karma can only be portioned out by the cosmos." -Homer Simpson
  8. Re:Stupid stupid stupid by garcia · · Score: 4, Insightful

    He just doesn't give a shit for petty politics (DMCA crap).

    Of course he doesn't care about the DMCA. He lives in another country.

  9. WTF? by Philosinfinity · · Score: 4, Interesting

    Maybe I missed something, and I haven't been able to RTFA for obvious reasons. But doesn't the Airport Express take any stream sent to it from iTunes 4.6 or greater? What I am getting at is, on my iBook, I should be able to stream any file that plays from iTunes to the Airport Express. So what did I miss? Is this the ability to do that from other programs on other platforms? If so, why does the poster pick out the ability to transfer Apple Lossless files?

    1. Re:WTF? by PsychoSpunk · · Score: 5, Interesting

      This is a proverbial "last mile" problem: How do I get any sound to the Airport Express? The known elements are that the Airport Express plays Apple Lossless streamed from the client computer running iTunes. So the solution to the "last mile" is to figure out how to stream any Apple Lossless file to the Airport Express and not rely on a specific program. The conversion to Apple Lossless is left as an exercise for the reader, as they say.

      --
      ALL HAIL BRAK!!!
    2. Re:WTF? by xconslash · · Score: 2, Informative

      iTunes 4.6 converts the streams to Apple Lossless first, the AEx only accepts Apple Lossless.

      --


      .sig error: carrier signal lost.
    3. Re:WTF? by IntergalacticWalrus · · Score: 3, Informative

      > But doesn't the Airport Express take any stream sent to it from iTunes 4.6 or greater?

      Not really, iTunes always converts streams to Apple Lossless format prior to sending it to an AE (which is most likely the only format the AE understands, obviously).

      > So what did I miss? Is this the ability to do that from other programs on other platforms?

      Yes, but of course this is going to be the dvdcss case all over again, where the industry will accuse Jon of having made this purely for pirating purposes.

    4. Re:WTF? by the+hopthrisC · · Score: 3, Informative

      > Is this the ability to do that from other programs on other platforms?

      Exactly.

      > If so, why does the poster pick out the ability to transfer Apple Lossless files?

      He hasn't picked it out, it is the only option! Airport Express understands Apple Lossless only. Every other format is recoded by iTunes before it is streamed.

    5. Re:WTF? by bocee · · Score: 2, Insightful

      Hi, you're absolutely right. This has nothing to do with pirating/DRM at all. How AirTunes works is that iTunes decrypts the AAC file (if necessary) to WAV, then compresses it to Apple Lossless, then encrypts it again, then sends it off to the Airport Express. So, as you can see here, hijacking the AirTunes broadcast would give you exactly the same results as burning your DRM'ed AAC files to a CD and then ripping them to Apple Lossless.

      However, this program from Jon doesn't even let you do this. It only lets you *encrypt* files so you can send them to the Airport Express to be played. (He has given us the public key, not the private.)

      Along these lines, the RIAA shouldn't have any issues with this "hack" because it doesn't open up any new avenues for pirating. (And it certainly doesn't do the same thing that PlayFair does.)

      The only reason that Apple could be angry about this is because they now have lost control over the source of the AirTunes stream. IMHO, however, this isn't really important, and Apple probably should have/will introduce some public API for third-party apps to play to the Airport Express, or just build it into the OS. (Some have mentioned that the latency involved makes it impossible to watch DVDs, for example, which is why I think they haven't done this yet.)

      --john

  10. Driver! by nuxx · · Score: 4, Interesting

    Now all we need is some sort of software-based audio out driver for OS X (like Cycling 74's Soundflower) which allows you to reroute OS X audio output to the Airport Express. This would be *ideal*, as then it'd be possible to stream audio from practically anything to your stereo. Digitally!

  11. From the Site... by Anonymous Coward · · Score: 5, Informative

    So sue me
    Jon Lech Johansen's blog
    Wed, 11 Aug 2004
    Reversing AirTunes

    I've released JustePort, a tool which lets you stream MPEG4 Apple Lossless files to your AirPort Express.

    The stream is encrypted with AES and the AES key is encrypted with RSA.

    AirPort Express RSA Public Key, Modulus:
    Exponent: AQAB

    MD5(JustePort-0.1.tar.gz) = fe13e96751958c6e9d57cce0caa7b17b

    1. Re:From the Site... by SiliconEntity · · Score: 5, Interesting
      This RSA public key can also be expressed in hex as:
      a 2048 bit RSA public key. The exponent is hex 0x10001, which is decimal 65537, a very commonly used exponent for RSA encryption.

      The fact that he just published the public but not private parts of the key suggests that Apple's product merely wants to see its input data encrypted with this key. I.e. anything encrypted with this key, it will play.

      Normally a public key is just that, public, and available to anyone. It sounds like in this case Apple kept the key somewhat secret, and used knowledge of that public key as a form of authorization. Only Apple products knew the public key, so it would only play music from those products.

      Now that the public key is published, anyone could encrypt data using it and get Apple's device to play the music.

      Jon hasn't broken any encryption here. He has merely learned how to encrypt just like Apple does. It looks to me like the DMCA does not apply to this case.
    2. Re:From the Site... by codework · · Score: 5, Informative

      As someone else who has recovered the public key from iTunes, I can say he did break a form of encryption. The public keys are encrypted in iTunes, albeit with a very simple rolling XOR algo.

      There is actually a table of 255 public keys encoded in iTunes. This is just one of them.
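
The point made in the two replies above, that a receiver which plays anything encrypted to its public key authenticates nobody once that key is known, shown as an added example (not code from the thread or from JustePort). It assumes toy textbook RSA with constructed Mersenne-prime keys, a SHA-256 keystream standing in for AES, and a hypothetical `ALAC` frame marker; `receive_v2` shows the alternative of also requiring a signature from an enrolled sender key.

```python
import hashlib
import secrets

E = 65537  # public exponent reported in the thread (AQAB, 0x10001)


def make_keypair(p, q):
    """Textbook RSA key from two primes; returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys built from Mersenne primes: no padding, far too small for real use.
DEVICE_N, DEVICE_D = make_keypair(2**107 - 1, 2**127 - 1)  # receiver (holds the private key)
SENDER_N, SENDER_D = make_keypair(2**61 - 1, 2**89 - 1)    # sender enrolled with the receiver
OTHER_N, OTHER_D = make_keypair(2**19 - 1, 2**31 - 1)      # third party, not enrolled

MAGIC = b"ALAC"  # hypothetical frame marker: lets the receiver tell a good decrypt from garbage


def keystream_xor(key, data):
    """Stand-in for AES (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def send(audio):
    """Everything a sender needs is public: pick a session key, wrap it with (n, E)."""
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), E, DEVICE_N)
    return wrapped, keystream_xor(session_key, MAGIC + audio)


def receive_v1(wrapped, ciphertext):
    """Receiver as described in the thread: plays whatever decrypts cleanly."""
    if not 0 <= wrapped < DEVICE_N:
        return None
    m = pow(wrapped, DEVICE_D, DEVICE_N)
    if m >> 128:  # not a 16-byte session key
        return None
    plain = keystream_xor(m.to_bytes(16, "big"), ciphertext)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None


def digest_int(wrapped, ciphertext, n):
    """Hash of the whole message, reduced into the signer's modulus."""
    h = hashlib.sha256(wrapped.to_bytes(32, "big") + ciphertext).digest()
    return int.from_bytes(h, "big") % n


def sign(wrapped, ciphertext, n=SENDER_N, d=SENDER_D):
    """Toy RSA signature over the wrapped key and ciphertext."""
    return pow(digest_int(wrapped, ciphertext, n), d, n)


def receive_v2(wrapped, ciphertext, signature, enrolled=(SENDER_N,)):
    """Receiver that additionally requires a signature from an enrolled sender key."""
    if not 0 <= wrapped < DEVICE_N:
        return None
    ok = any(pow(signature, E, n) == digest_int(wrapped, ciphertext, n) for n in enrolled)
    return receive_v1(wrapped, ciphertext) if ok else None


def demo():
    audio = b"constructed sample frames"
    wrapped, ct = send(audio)
    return {
        "v1 accepts any sender holding the public key": receive_v1(wrapped, ct) == audio,
        "v2 accepts the enrolled sender": receive_v2(wrapped, ct, sign(wrapped, ct)) == audio,
        "v2 rejects an unenrolled signer":
            receive_v2(wrapped, ct, sign(wrapped, ct, OTHER_N, OTHER_D)) is None,
    }


if __name__ == "__main__":
    for claim, held in demo().items():
        print(f"{claim}: {held}")
```

In `receive_v2` the sender's private key has to be provisioned per sender; a signing key shipped inside the player software would be as recoverable as the embedded public key discussed in the thread.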

  12. Re:What? by Anonymous Coward · · Score: 5, Informative

    DeCSS was indeed released by the group, MoRE, 4 years ago (MoRE had 3 members, you call that "large"?).

    However, as far as I can tell Johansen no longer has any connections with MoRE. All the software on his site is GPL'ed and copyrighted by himself. MoRE is not mentioned anywhere.

  13. Re:What does it means? by Kristoph · · Score: 5, Informative

    The point of the hack is to permit you to stream audio to an AE from a program other than iTunes.

    ]{

  14. Yay! by Luckboy · · Score: 3, Funny

    Now I can divert all my system sounds to the Airport Express so I can get beeps in the living room in glorious 5.1 Surround Sound while I use the computer in the bedroom!

    Come to think of it, I'm ONLY going to do this when other people are watching TV! This is gonna be fun!

  15. Frightened by iamdrscience · · Score: 2, Insightful

    I read this headline as "Johansen Cracks Airborne Express Encryption". I was a little uneasy in that second or so before I read the blurb about the article.

  16. Re:Oh good by nefele · · Score: 4, Insightful

    and they invest millions to make inexpensive music downloads available (at almost no profit)

    No, they invest millions so they will get tens of millions in revenue from selling iPods. Don't get me wrong, I like Apple and I'm impressed by Steve Jobs's ability to resurrect the company, but it's still a company, not a charity.

    iTMS is selling songs cheaply to gain market share and get people to buy iPods, not to make inexpensive music downloads available.

  17. Re:Stupid stupid stupid by yamla · · Score: 3, Insightful

    Your country has a rather annoying tendency of assuming they have legal jurisdiction over the entire world. See Dmitri Sklyarov, for example. Jon Johansen should be safe provided he never sets foot on U.S. soil any point in his life (the major mistake that Sklyarov made). They probably don't care enough to extradite him (and would likely fail in any case), like they are attempting with Bobby Fischer (admittedly, a U.S. citizen at the time).

    --

    Oceania has always been at war with Eastasia.
  18. Too bad... by Kjella · · Score: 3, Interesting

    ...there is no DMCA here :D Of course, once the EUCD is passed into law (sooner or later), it may be a problem.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:Too bad... by Trurl's+Machine · · Score: 2, Informative

      > ...there is no DMCA here :D Of course, once the EUCD is passed into law (sooner or later), it may be a problem.

      Norway is not in EU.

    2. Re:Too bad... by Ost99 · · Score: 2, Informative

      Doesn't matter. Norway still has to implement EUCD.

      --
      ---- Sig. gone.
    3. Re:Too bad... by zokum · · Score: 5, Informative

      Yes, Norway is in fact the country implementing the EU regulations the most (EU countries included). We have trade agreements etc. with the EU, and we implement all the EU directives.

      We really should have joined the EU a long time ago, and I find it absurd to not be in it. One can only hope. :-)

      If you want me to elaborate more, just reply, I can cite numerous examples, but I'd rather be on-topic to the post. But all in all, I agree with the grandparent's post, it could smell trouble when the EU-DMCA comes into play....

      --
      Rest in peace Malin "looxn" Kristiansen. We miss you...
    4. Re:Too bad... by arcade · · Score: 3, Informative

      Last time I spoke to Per (Jon's father), he told me that Jon has moved to France. Still no DMCA, but maybe the EUCD will come in play quite a bit faster down there than here in Norway.

      --
      "Rune Kristian Viken" - http://www.nwo.no - arca
  19. AirTunes == Apple Lossless by frankie · · Score: 2, Informative
    To quote from MacFixit: AirTunes decodes your music on the local computer and then re-encodes it using Apple Lossless format before broadcasting it to the AirPort Extreme.

    Then AP Extreme converts from Lossless to standard audio. Makes sense now?

  20. Re:Lossless? by nlawalker · · Score: 2, Insightful

    I believe he's talking about Apple's Lossless codec, which lets you rip lossless, but still compressed (just not as compressed as mpeg or AAC) audio into iTunes.

  21. Re:What exactly does this guy have against Apple? by Anonymous Coward · · Score: 3, Interesting

    First he cracks Fairplay, now this. What's his beef?

    What makes you think he has any?

    While spite may be one of the things that motivates 'crackers', the main reason isn't usually any kind of revenge.

    I have some personal experience, (having cracked some copy-protection schemes on games about 10 years ago), and my motivation wasn't any kind of personal vendetta.

    I just didn't like copy protection schemes that much; It felt like a withdrawal of trust. The main part of my motivation was simply the challenge.
    (And the reward of people thinking you were some kind of genius)

    Many people like to solve crossword puzzles, Richard Feynman liked to pick locks. Some of us like to reverse-engineer.

  22. Apple Responds Quickly... by PetoskeyGuy · · Score: 4, Funny

    ...by posting a story to slashdot his website while their lawyers and henchmen race towards DVD Jon in a black supersonic jet straight out of X-Men. (yes I verbed slashdot, but I googled and it seems to be ok to do now)

    Seriously though, just hire the kid. Give him an 80 hour a week job and enough money he'll stick it out. No more spare time, no more cracks.

  23. Re:Lossless? by matthew.thompson · · Score: 4, Informative

    MPEG4 is not a single standard - but a collection.

    Among these there is a Lossless compression codec that Apple have put forward for inclusion into the MPEG4 collection.

    --
    Matt Thompson - Actuality - Insert product here.
  24. Assuming he's right... by Kjella · · Score: 3, Informative

    ...I suppose he's talking about the Apple lossless codec in a MPEG4 container format (it is more than just a video codec, you know...)

    Kjella

    --
    Live today, because you never know what tomorrow brings
  25. He's not a big genius. by Anonymous Coward · · Score: 5, Interesting

    Maybe it appears that way to the layman, but to other programmers and computer scientists, he's just doing what comes naturally.

    Almost any good programmer can crack software. They just choose not to, or to keep quiet if they do. Jon is a skilled showman as well as a software cracker. Hey, he got his ass saved from jail by the EFF when all he was doing is fronting others' code. Now he's pretty much bulletproof (he doesn't release compiled executables as that was the main DeCSS sticking point), it's only right that he should continue to champion fair use and stand against lazy attempts to be "DMCA compliant", by cracking pointless encryption schemes which only require a little reverse engineering to find the barely hidden key, not cryptanalysis.

    I think Jon's doing us a real service, which I appreciate. I don't worship his genius, as he's only doing something I've done myself, albeit on much more media-friendly targets. He could just be cracking Safedisc games in relative anonymity for the same amount of intellectual effort, but instead he's hounding high-profile DRM schemes, starting with the weakest (Apple). Worship him if you want.

    1. Re:He's not a big genius. by aristotle-dude · · Score: 4, Insightful
      I don't think he is doing anyone a service. This is merely a way to inflate his ego. His actions could potentially ruin things for everyone. The Fairplay DRM is one of the fairest rights management systems out there as you can do anything you want with the music you buy except directly convert to a different format. Burning to CD is unlimited. What if his actions cause the music industry to lose confidence in that DRM?

      What is the alternative? WMA? Do you have unlimited burns? No? Do you have uniform rights across all songs? No. Can you play WMA in all players including the iPod? No. Ok this last point is equally bad for iTMS and WMA stores but I don't like WMA. iTMS does have one advantage however, it is compatible with both the mac and windows.

      If Jon really was a genius and was trying to do the public a service, he would have cracked the WMA DRM. If he could come up with a way for me to be able to purchase songs on Napster (no iTMS in Canada yet) and being able to convert them to AAC format with EasyWMA to play on my mac and iPod, that would be useful to me.

      Destroying iTMS is not useful to anyone. Apple's DRM is the lesser of the two evils and it's free enough for me since I don't run Linux. Jon is a man with raw intellect but no common sense.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
    2. Re:He's not a big genius. by snackeyes · · Score: 4, Insightful
      The Fairplay DRM is one of the fairest rights management systems out there
      Doesn't change the fact that it's a DRM system and restricts Fair Use.
      you can do anything you want with the music you buy except directly convert to a different format
      Can I play the music on a set top box which supports MPEG4 AAC files? No, I can't. The DRM prevents me from playing my legally bought files. Unless I use iTunes that is. "Thou shall have no other players".
    3. Re:He's not a big genius. by ratsnapple+tea · · Score: 2, Insightful

      Well, but that's what you agreed to when you forked over your 99c. Them's the breaks.

    4. Re:He's not a big genius. by prockcore · · Score: 3, Insightful

      Apple's DRM is the lesser of the two evils

      The lesser of two evils is still evil.

    5. Re:He's not a big genius. by PriceIke · · Score: 2

      So burn it to a CD and play that on your set-top CD player. Or burn it and then rip it back off the CD. Apple's "DRM" isn't. It's to keep the music labels happy while wink-winking to users who know that, with the merest of applied efforts, the music can be freed from its ersatz "DRM" constraints.

      --
      It's not a lie. It's the truth with lossy compression.
    6. Re:He's not a big genius. by dasmegabyte · · Score: 2, Interesting

      True. But evil is subjective. I consider Apple's DRM to be a good thing -- because it gives the labels the peace of mind they apparently need to open up their music sphincters and let me get cheaply priced tunes while giving me enough leeway to do whatever I want with it.

      Sure, I'd prefer unencrypted 320 kbit AAC files...but this is not Mars, it's Earth and big corporations are still scared that digital media will kill them off. Give it another three years and maybe we'll see that sphincter open a little wider.

      --
      Hey freaks: now you're ju
    7. Re:He's not a big genius. by geniusj · · Score: 2, Insightful

      I have talked with Jon on a few occasions. His ego is not an issue. He is a very modest and friendly human being. You'd be surprised.

      Regards,
      -JD-

  26. Re:What exactly does this guy have against Apple? by Meostro · · Score: 3, Insightful

    Don't know for sure, but maybe he's just a Mac guy. Wants to crack CSS so he can stream under Darwin, Fairplay so he can use his music as he sees fit, and AEx so he can use his hardware as he sees fit.

    On the other end of the spectrum, maybe he's a hardcore PC guy that wants to use the brilliant systems (hardware and software) that Apple has created. iPods are lauded as the greatest thing since sliced bread, QuickTime, while a little bulky of late, has been an industry standard for years (vs. the bastard child WMV), and Mac software generally just works, and looks good doing it. Read the Apple Interface Guidelines sometime, just the bullet points on the main screen sum up their philosophy.

    I'd try to crack any product if I thought it was useful enough, I'm just not as demanding of compatibility as this fella. Of course I use Wintel (sorry tuxies), so 99% of what I want/need is either already made for my platform, or there is a decent-but-incompatible alternative.

  27. songs stripped of DRM transmitted through the air? by SuperBanana · · Score: 3, Insightful
    Anyway, back on topic, I never really understood why Apple felt the need to encrypt it in the first place.

    It is encrypted because otherwise you're transmitting copyrighted works over a medium easily sniffed. The AAC file you bought from iTunes, which can't be played on anything but the system you authorized it for (simplifying here, calm down nitpickers) would be transmitted unencrypted to the Airport Express. It would be an excellent way to decrypt your files and do whatever you want with them- all you would need would be a second machine with a wireless card, or probably even just running a sniffer locally on the system doing the transmitting.

    This is blatantly obvious and I'm not sure why the poster was modded up 5, Insightful- time to start meta-moderating again as it seems mods are getting lazy. Folks, if you've got mod points, check out some of the non-front page stories- they NEED the mod attention. I'm so sick of people just knee-jerk moderating, especially to posts which have ALREADY been modded up- and then people like me who eventually get mod points have to come along and mod something "overrated" to knock it down (only to be undone by some moron 5 seconds later who doesn't look at the comment's previous moderations).

  28. Re:What? by Anonymous Coward · · Score: 5, Informative

    It's worth mentioning that Johansen is a member of the open source VideoLAN project, which develops the libdvdcss library and VLC multimedia player.

    He reverse engineered FairPlay and added FairPlay support to VLC.

    Together with the fact that all his recent software has been licensed under the GPL this indicates that he no longer has anything to do with any "cracking" groups.

  29. Re:About DVD Jon... by mr_z_beeblebrox · · Score: 4, Funny

    He seems to be one of a handful of people who knows what the hell is going on.

    Why would the US Government want someone who "knows what the hell is going on"? Hell, who would manage him? What department would he report to? Come on, your country is run by a man who probably uses "12345" as the combination on his luggage (encrypted of course, with his Cap'n Crunch decoder ring)

  30. Re:What does it means? by Anonymous Coward · · Score: 3, Insightful

    Then Apple should thank him. He just opened up the market for a hardware device Apple is no question making profit on.

  31. Re:Oh good by Jeremy+Erwin · · Score: 3, Informative

    they didn't "invent" OS X, they stole it from BSD and overcharged for it. keep shelling out your $130 every year for a "secure" OS.

    Darwin is free. Cocoa, Quartz, Carbon, and a number of other technologies that have nothing to do with BSD are not.

  32. Re:What? by snackeyes · · Score: 2, Informative
    Here's what the parent said:
    He is just a front figure of a large international cracking group.
  33. I don't see the threat to DRM media here... by Lurch00 · · Score: 5, Interesting

    Can somebody explain to me how _this_ hack threatens the DRM protected content? AFAICT, iTunes decrypts the content, converts it to this lossless stream, reencrypts it to protect it in transit, and streams it to the AE. There's no threat to the DRM media here at all, since you have to have an unprotected source to start with.

    The real threat is that somebody will take this and figure out how to fake being an AE, then you essentially have iTunes doing the work of defeating its own DRM for you. This would have the advantage (from a piracy standpoint) of being fairly hard for Apple to fix via "bug fix updates", unless they built a way to upgrade the AE firmware the same way. That's something I can see people getting into a tizzy about, but for this particular hack I think the useful purposes far outweigh the piracy ones.

    Just a thought.

  34. Re:About DVD Jon... by Beaker74 · · Score: 3, Insightful

    That reminds me... I need to change the combination on my luggage.

  35. Must be a new definition of "cracked" by DavyByrne · · Score: 5, Insightful

    Since when is using a publicly available public key to encrypt a stream of data from an application and send it to a device considered "cracking?" It seems to me that this is a good ol' hack (read: clever piece of software), just like DeCSS or the other thing he did with protected iTunes tracks.

    I wasn't surprised that the first source I saw report this called it a "crack," but had hoped by the time the story made it to /. the error would be corrected.

    By the way, you do a real disservice to people trying to fight the DMCA by calling things like this "cracks." Lawyers for the bad guys already think these sorts of hacks are actually illegal cracks. You're bolstering their opinion by conflating the two.

    1. Re:Must be a new definition of "cracked" by jimmcq · · Score: 2, Informative

      Since when is using a publicly available public key to encrypt a stream of data from an application and send it to a device considered "cracking?"

      It may be a "public key", but the key was never publicly available before now. The public key was RSA encrypted... it was that encryption that was "cracked".

  36. Re:name by bloggins02 · · Score: 2, Funny

    Ummm, because "FlibDarg" was already taken?

  37. Re:Maybe I am not understanding, but by blackchiney · · Score: 2, Interesting

    IIRC, ALE is integrated into the QuickTime codec. If you have an application that can use the QuickTime codec (iTunes, QuickTime player, IE, Safari, etc) then it can also encode/decode ALE streams.

  38. Re:songs stripped of DRM transmitted through the a by seanadams.com · · Score: 2, Insightful

    This is blatantly obvious and I'm not sure why the poster was modded up 5

    Somebody please mod SuperBanana down to -1 for this pinheaded comment.

    What he doesn't understand is that the Airport *does not even play the original AAC file*. It is converted to Apple Lossless in iTunes before the stream is sent down.

    So what's going over the air is simply a losslessly compressed representation of what's coming right out the s/pdif port IN THE CLEAR. And there's no way to get at the original AAC data from either stream, even if you could decrypt it, because it's already been decompressed in iTunes!!!

    The grandparent's point is perfectly valid. The encryption over the air accomplishes nothing. It is just a placebo that Apple gives the music companies.

  39. Re:songs stripped of DRM transmitted through the a by Anonymous Coward · · Score: 2, Interesting


    It is encrypted because otherwise you're transmitting copyrighted works over a medium easily sniffed.

    Oh My GOD! Let's shut down commercial radio! (talk about easy to sniff) and those cars that drive by with the tunes cranked up and the windows down -- We need to send the RIAA weasel-boy after them. Someone nearby could have a tape recorder.

    Don't bother arguing about "pristine" digital copies. Yes, I know that over the air the format is lossless, but the fact that it was transcoded from a crappy MP3 makes the whole "Digital is different from analog" argument stupid.

    You want a gaping digital hole? Look at CD sales. If the RIAA cared about protecting high quality digital content from trivial "sniffing" they would outlaw the CD tomorrow. Of course this is never going to happen. It is much easier to make a huge stink about a theoretical hole that may allow a trickle of dubious content to get in the hands of folks who didn't pay for it than address the hemorrhage of pristine unprotected content direct from the industry.

    Why are unprotected CDs OK, but unprotected airports somehow a threat to the industry?

  40. Re:Why is Apple's encryption so weak? by aristotle-dude · · Score: 2, Insightful
    Yes, because it is a "consumer electronics" device and they wanted to maintain performance. Stronger encryption could cause performance issues and increased costs of components. The encryption was to give the music industry some sense of security.

    Jon really is an asshole with too much time on his hands. What is he going to hack next? Satellite receivers? Computer controlled fridges? Microwaves? Leave our consumer electronics alone Jon.

    --
    Jesus was a compassionate social conservative who called individuals to sin no more.
  41. Re:What? by gtall · · Score: 2, Insightful

    Maybe you "elicit" requirements?

  42. Legitimate uses for this by Sturm · · Score: 3, Interesting

    One of the things that disappointed me about the AEx was the inability to stream to it from other audio sources. For instance... Living in Kentucky, I don't have a clear view of the southern sky so I can't get Direct TV, so I can't get NHL Center Ice, so I can't watch my beloved Colorado Avalanche. Luckily for me, nhl.com streams the radio broadcasts of all the games via Windows Media Player. That works great since I can listen to them on my Mac or my Windows box. We had an old laptop connected to the stereo and via wireless connection could listen to the games. After last season, the laptop died and after I heard about the AEx I thought that might be cheaper than buying a used laptop to replace the broken one. But obviously, you can't stream to the AEx from WMP, so I was out of luck. I know I can buy some other device to stream audio to the stereo but we do use iTunes on both our Macs and PCs so the AEx would fit well into our setup.
    The point to this long, boring post is that *if* we could stream any audio source from any Mac/PC to our stereos, we would probably buy two or three AEx's. Apple gets my money for the hardware and I get my NHL fix and we are all happy (well, maybe not the Apple lawyers but I'm sure they won't go hungry :)

  43. Re:Mirrors? by BestNicksRTaken · · Score: 3, Insightful

    Yeah, no sh1t!

    I think we need to implement something about Slashdotting, like you cannot post an article unless you're prepared to mirror the site/software you're talking about.

    Or maybe Slashdot should offer a small amount of space to mirror sites, then /. can /. themselves!

    How about a list of open Windows boxes we can use as FTP servers? ;)

    --
    #include <sig.h>
  44. Re:Why is Apple's encryption so weak? by mmusson · · Score: 5, Informative

    The strong encryption was not cracked. The implementation was cracked. No software-only based encryption is secure, period. The audio stream is encrypted with AES. AES is a symmetric key encryption scheme which means that both sides need the same key. The key needs to change over time or the encryption scheme can be cracked.

    This leaves the problem of how iTunes can tell the Airport the new key without everyone else listening and knowing the key also. Apple uses RSA to secure the key transfer. RSA is a public key encryption system. This means there are two keys, one public and one private. The private key is only known by the Airport. The public key is embedded in the iTunes software.

    When iTunes wants to send a new AES key to the Airport it uses the RSA public key to encrypt the AES key. This encrypted message can only be decrypted with the private key that the Airport has which means the system is secure even though everyone hears the new key in encrypted form.

    The problem is that the RSA public key is embedded in the iTunes code. But that code needs to read in the key in order to use it and someone can reverse engineer this process to read the key themselves. This isn't necessarily an easy thing to do but in a software-only solution there is no way to stop it.

    --
    SYS 49152
  45. Re:What? by snackeyes · · Score: 3, Insightful

    Strawman argument. The parent didn't say prove, he said indicates.

    How many cracking groups release their source code under one of the member's full name and licensed under the GPL? The answer doesn't prove anything, but it does indicate something.

  46. Re:About DVD Jon... by Anonymous Coward · · Score: 3, Interesting

    If Bush's playing at being stupid has actually convinced anyone that he is a dull man, then he's become more dangerous already. Play stupid so people think you are harmless and at worst a target of caricatures, check.
    Have a war so you have a good reason to pass fascist shit (cops can now wiretap you without a warrant, much easier to seize assets without a trial or an arrest, etc etc) PATRIOT act, check.
    By the way Cheney how's Halliburton doing? Osama's brother is glad you and he could work out so many deals together.

  47. Is this really a crack? by mpaque · · Score: 4, Informative

    It appears that he's just published the public key. That may allow him to ENCRYPT music for play over Airport Express, but it doesn't let him decrypt the stream.

    Heck, I put a public key for mail in my .plan and sigs. I don't think that enables anyone to crack my mail. They can SEND me mail, but that's sort of the whole idea, isn't it?

  48. Re:What? by alatesystems · · Score: 2, Interesting

    "I have people skills! I'm good with people, damn it! Why can't you people see that?!" -- Office Space

    Also, you had a brainfart on illicit vs. elicit. Illicit is illegal. Elicit is to extract information. You should concentrate on bettering yourself and your language skills before you claim to know Johansen. For all you know, he could be a well-adjusted nerd.

    DRM is bad for consumers. Consumers who purchase DRMed items should be ashamed for perpetuating this travesty against our society.

    I wholeheartedly support Jon and I hope he continues to crack these DRMs. After he cracked FairPlay, I actually bought a few iTMS songs (which I wouldn't before) and then transcoded them into MP3 to play in my car deck. Then I realized I was helping Apple DRM so I stopped buying them again. Until companies trust their customers, the world of digital media is going to suck, BADLY.

    Chris

  49. AE Streaming Protocol by derubergeek · · Score: 2, Interesting
    Since the link is still being hammered, and I'm the impatient type, I ran tcpdump on an iTunes to AE stream.

    From what I see in the dump, it looks like iTunes queries the AE via RTSP, configures it with a password if need be, and then sets up an RTSP record stream to the AE. After that, it just pumps RTSP packets to it.

    Part of the RTSP ANNOUNCE request is an RSA AES key.

    --
    Trust me. This is an inactive account. Regardless of what the /. bean counters might report.
  50. Apple doesn't care about the RIAA because... by Enthrash · · Score: 2, Interesting

    I think we can all agree that in our profit obsessed society most electronic gadget manufacturing companies care about one thing: profit.

    That said, consider the following:

    Current Revenue Figures for Major Record Companies:

    2002 Warner Music Group (sold in 2003): $4.2B USD
    2003 Sony Music: $5.3B USD
    2003 Universal Music: $5.0B USD

    2003 Sony Electronics Revenue: $41.1B

    SOURCE: Respective 2002, & 2003 corporate annual reports.

    As you can see, the COMBINED revenue for the top 3 music companies can't come close to Sony's electronic arm ALONE. Pick some other electronic companies and you'll arrive at exactly the same answer.

    This is exactly the reason Sony manufactures MP3 players today. Companies can make far more money from electronics than they ever will from music, and this simple economic fact does not bode well for the music companies.

    They can pay lobbyists, the electronics companies can pay MORE lobbyists. They can pay off politicians, the electronics companies can pay off MORE politicians and on and on.

    Rich...

  51. Not really a threat... by Otto · · Score: 2, Informative

    The real threat is that somebody will take this and figure out how to fake being an AE, then you essentially have iTunes doing the work of defeating its own DRM for you.

    I investigated this JustePort program yesterday, to see what it would take to do exactly that. My goal was not actually to defeat DRM, but to possibly create an emulator for being an AE, so that I could use iTunes to play songs on other computer's speakers. The thought of piping the music to a file did cross my mind, but that was not the goal.

    But the short answer is that there's not enough in here to do it.

    The way it works is that you generate an AES key. You encrypt that key using the RSA Public Key. You send that to the AE, which decrypts it with its private key. Then you use the AES key to stream the music over.

    To pretend to be an AE, you need to know the private key inside the AE. Without it, you can't decrypt the AES key iTunes sends you, and you can't decrypt the stream of music.

    Faking the protocol is pretty easy, since it's mainly RTSP with some extra headers. Faking iTunes into seeing you as an AE device is also pretty easy. Just use various Rendezvous utilities to broadcast yourself as an available RAOP service. But you can't decrypt the stream without that private key.

    In theory, you could modify a copy of iTunes by changing the public key in there. Then you could make it work with your AE emulator program, but it wouldn't work with real AE devices anymore. Still, could be useful if you want a wacky way to bypass the DRM. ;)

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
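The exchange described in the comments by mmusson and Otto above (a symmetric session key wrapped with the receiver's RSA public key), as an added example that is not JustePort's, iTunes' or Apple's code. Assumptions: toy textbook RSA without padding over two Mersenne primes, a SHA-256 counter keystream standing in for AES, and constructed names and sample data throughout.

```python
"""Added illustration of the key exchange described in the thread.

Toy parameters only: textbook RSA without padding over two Mersenne primes,
and a SHA-256 counter keystream standing in for AES. All values constructed.
"""
import hashlib
import secrets

# Receiver's key pair (constructed). N and E are public; D never leaves the receiver.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES: the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + iv + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def sender_build(n: int, e: int, audio: bytes) -> dict:
    """Any program that knows (n, e) can do this; no secret is needed to send."""
    session_key = secrets.token_bytes(16)   # fresh symmetric key per stream
    iv = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return {"wrapped_key": wrapped, "iv": iv,
            "payload": keystream_xor(session_key, iv, audio)}


def receiver_play(message: dict, d: int, n: int) -> bytes:
    """Only the holder of d can unwrap the session key and read the stream."""
    key_int = pow(message["wrapped_key"], d, n)
    if key_int >= 2**128:
        raise ValueError("wrapped key did not decrypt to a 128-bit value")
    session_key = key_int.to_bytes(16, "big")
    return keystream_xor(session_key, message["iv"], message["payload"])


def observer_attempt(message: dict, n: int, e: int) -> bytes:
    """A party with only (n, e) applies the one exponent it has; the result is not the key."""
    guess = pow(message["wrapped_key"], e, n) % 2**128
    return keystream_xor(guess.to_bytes(16, "big"), message["iv"], message["payload"])


if __name__ == "__main__":
    audio = b"constructed audio frame " * 4
    msg = sender_build(N, E, audio)
    print("receiver recovers stream:", receiver_play(msg, D, N) == audio)
    print("public key alone recovers stream:", observer_attempt(msg, N, E) == audio)
```

The public key gives confidentiality toward the receiver but says nothing about who the sender is, which is why extracting it lets a third-party program send but not listen.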
  52. OT: Saddam by wolrahnaes · · Score: 2, Insightful

    US laws can apply wherever they please. Ask Saddam.

    Umm...Saddam violated many UN resolutions. Those are international law. The UN was just a bunch of pussies and wouldn't enforce their own laws (partly because of those fucktard French holding up the UNSC), so we did it for them.

    aah....feel that karma burn...

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
    1. Re:OT: Saddam by david.gilbert · · Score: 3, Insightful
      so we did it for them.

      And we all bow down before you in gratitude, because now we are all safe from Iraq's weapons of mass destruction.

      You throw names at the French, but in fact Germany and Russia joined them in insisting that the weapons inspectors should have more time before resorting to an invasion. With hindsight (or even a little foresight, many would argue), it seems they were correct.

      But let's just continue calling the French horrible names, shall we? In the name of freedom, of course, because that's what this is all about, right?

  53. Have to update the AE devices.. by Otto · · Score: 2, Interesting

    In order for such an update to work, it'd have to be an update to the AE devices themselves. And they'd have to update iTunes at the same time. And then it'd be probably just as easy to break open iTunes to get the public key again, and there you go.

    What they really are worried about is somebody hacking apart the AE device and finding the private key. With that, I could write an AE emulator that would receive transmissions from iTunes... And totally bypass their DRM as well. Not that their DRM is effective anyway, but it's just one more way to do it, you know?

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  54. Music Industry? by Otto · · Score: 4, Insightful

    What if his actions cause the music industry to lose confidence in that DRM?

    LOL!

    Understand this... The "music industry" is royally screwed seven ways from Sunday. They know it too, don't kid yourself otherwise.

    See, they need *customers*.

    In order to exist, the music industry has to convince people to buy what they are pushing. They're between a rock and a hard place here, because if they make that DRM too obnoxious, if they go beyond the line too much, then their own customers will flip them the bird and jump right back onto P2P networks. It's already happened once, in their eyes. Does the P2P scare back around 1998 ring a bell? Napster? Back when it didn't quite suck, I mean.

    See, Napster opened a new world for the music industry, because it showed them that the world had changed and now they had to compete with "free". How in the hell does one compete with free products?

    DRM is a reaction to this, by trying to make it difficult for people to convert their products into a format that can easily become "free". Unfortunately, this is an impossible task. It's *proven* to be impossible, no less. So they now have to not only compete with "free", but to do it, they have to do something that's absolutely and totally impossible to do. What a bind that puts them in, huh? :-)

    The music industry is scared shitless, and with reason. This new medium takes their products and puts it into a form that:
    a) damn near eliminates distribution costs,
    b) makes low cost viral marketing into one of the most powerful forms of marketing there is through the rapid dissemination of the meme in question,
    and c) eliminates all ability to control distribution of their product and thus be able to charge for it.

    A and B they love, but C is included in the bargain and they cannot escape it. Furthermore, they're starting to figure out that the combination of A and B on a large enough scale eliminates the need for the middlemen in their business. Artist and customer can directly interact just as easily as middlemen and customers can. Since most of them are middlemen, this naturally makes them nervous. Right now, they're engaging in heavy media spending to combat this knowledge, leading to the current meme of "taking music without paying is stealing" and so on. They're engaging it on both the artist side and the customer side, and if both sides would just wake the hell up, the middlemen would be out of jobs.

    So what I'm saying is that the idea that they can NOT offer their product on the internet is an unrealistic notion. They don't have that choice, not really.

    If they don't offer something out there, in a light enough restriction no less, then what will happen is that they eventually die off. People will go back to passing around music for free, legislation and lawsuits be damned, they will find a way to do it safely if it comes down to it. Many very bright people are already looking for that way.

    And if the artists see that the music companies aren't actively trying to make them some cash by selling their music online, the artists might start waking up en masse and seeing that the old system is unnecessary with the new technological capabilities to directly reach the customers.

    So the music industry *will* sell online. They don't have a real choice not to do so anymore. They can no longer pack up their toys and go home, because that would be a losing move.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  55. We're winning against DRM by KjetilK · · Score: 2, Insightful
    I don't think it will. We're winning this, DRM won't have the protection it has under the DMCA, I'm pretty sure.

    The DeCSS case raised a lot of awareness, and if you compare the reaction in the mainstream towards DeCSS with stories they print now, they are very different. About DeCSS, they were decidedly hostile, now it ranges from neutral to printing HOWTOs on cracking crippled CDs. Several commentators have started to understand why DRM is bad, and so we've got the big mainstream media's attention. In fact, it looks like they are grabbing headlines from /. :-)

    Recently, a parliament member from the liberal party (Venstre, a small member of the ruling coalition) expressed support for Electronic Frontier Norway's amendment to EUCD, which will allow people to access legally obtained content with any means necessary and allow creating of tools to do it. I'm also very certain Socialist Left (SV, a medium sized opposition party) will support this too. Two major parties, the conservatives (Høyre, which is in government with the liberals, go figure), and the Labour party say they await a report from the Consumer Ombudsman's office. They haven't held a very clear position on DRM, but I expect it to come out in opposition to DRM.

    With all this, I think EFN's proposed EUCD amendments have a very good chance of being included, and in that case, we'll still have a pretty well balanced copyright regime. It will still be possible to develop stuff that is not under the absolute control of the entertainment industry, and that may just save freedom of expression and technological progress for everyone.

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  56. Re:Why is Apple's encryption so weak? by mmusson · · Score: 2, Informative
    So does this mean that it IS possible to hijack the airtunes stream?

    No. The key thing (pardon the pun) is that there are separate public and private keys. What he has done is isolate the public key (the one iTunes has) which would allow a separate program to send a stream to the AE just as iTunes does. But to decrypt the stream coming from iTunes you would need to know the private key that is embedded in the AE.

    An important part of public key encryption is that knowing the public key does not allow you to determine the private key easily. This is a one-way hack.

    --
    SYS 49152
  57. Re:songs stripped of DRM transmitted through the a by Raptor+CK · · Score: 2, Insightful

    It's there to protect Apple from the Idiot Problem.

    That's the problem in which some idiot sets up an open WLAN and starts sending songs to the AirPort Express.

    While the idiot does this, his neighbor, the resourceful hacker, sniffs out the Ethernet frames, pulls down a stream of Apple Lossless Format audio, and saves it to his disk. Now he, and anyone else with technical expertise in range, will have any audio sent to the unit, including music purchased at the iTunes Music Store.

    No loss, no fuss, and as long as you don't re-encode it, you've got audio just as good as what Apple's selling, although it's a bit larger.

    The encryption isn't to protect the owner of the music or the hardware. It's there to keep you from inadvertently broadcasting music to anyone else. If you want to make a CD of iTunes Music Store tracks and copy that CD a few million times, they can't stop you. That's your choice. They're just limiting the distribution of this content in a way that only shares your music with the parties and devices of *your* choosing.

    Yes, it's mostly to placate the music companies. What really throws me off is that people on Slashdot, a fairly security-savvy site, are complaining about *more* encryption. I certainly don't want some bozo capturing the audio I'm supposedly only broadcasting to my AirPort Express. If this makes it tougher for him to do so even after somehow cracking my WPA setup, then Apple's doing something *right.*

    --
    Raptor
    "Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
  58. A simple criterion to know if you are the sucker by file-exists-p · · Score: 2, Insightful

    There is a simple criterion: if you, the user, have a way to read your private keys, it is fine. Encryption is here to help you. When your stuff is encrypted and you cannot read your own private keys, the encryption is not here to help you. And you are, definitely, a sucker.

  59. Re:nitpicking by steve_bryan · · Score: 2, Insightful

    "Hey, can your neighbor snoop your S/PDIF port and record off it? No? Thought so. Can some guy with a cantenna a mile away sniff your S/PDIF port?"

    I think you are missing a significant point in this story. Jon's hack does NOT crack Apple's encryption. If he had managed to crack AES/RSA this would be a much bigger story. The losslessly compressed stream being sent to Apple Express whether from iTunes or a JustePort equivalent is still an encrypted stream. Without Apple's private key you cannot read the stream. Jon found Apple's corresponding public key and followed the details of how iTunes sets up the stream and emulates them in his product.

    Nobody's encryption has been cracked. The reason it is called a public key is because it can and usually has to be made public in order to be useful. But being public in no way compromises the security of the encryption as long as the corresponding private key is not revealed.
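
The asymmetry that comments 56 and 59 describe, as an added example that is not part of the thread and is not JustePort or Apple code: a sender holding only the public key can wrap a session key and produce a stream the receiver accepts, while the same public key does not unwrap it. Assumptions: toy RSA primes with no padding (illustrative sizes only), a SHA-256 counter keystream standing in for AES, and all names and the sample data are constructed.

```python
import hashlib
import secrets

# Constructed toy RSA key pair. Both primes are Mersenne primes picked for
# readability; a real deployment uses 2048+ bit keys with OAEP padding.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key: what the sending software ships with
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: stays inside the receiver

AUDIO = b"constructed sample audio frame " * 4   # constructed sample input


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode, a stand-in for AES (AES is not in the stdlib)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def sender_encrypt(audio: bytes, n: int, e: int):
    """Sender side: needs only the public key (n, e)."""
    session_key = secrets.token_bytes(16)                     # fresh key per stream
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # RSA-wrap the session key
    return wrapped, keystream_xor(session_key, audio)


def receiver_decrypt(wrapped: int, body: bytes, n: int, d: int) -> bytes:
    """Receiver side: unwrapping the session key requires the private exponent d."""
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, body)


def public_key_only_attempt(wrapped: int, body: bytes, n: int, e: int) -> bytes:
    """A listener holding only (n, e) can apply just the public operation,
    which does not invert the wrap, so the derived key is wrong."""
    guess = pow(wrapped, e, n) % 2**128
    return keystream_xor(guess.to_bytes(16, "big"), body)


if __name__ == "__main__":
    wrapped, body = sender_encrypt(AUDIO, N, E)
    print("receiver recovers audio:", receiver_decrypt(wrapped, body, N, D) == AUDIO)
    print("public key alone recovers audio:",
          public_key_only_attempt(wrapped, body, N, E) == AUDIO)
```
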