Schneier on Security
A blog covering security and security technology.
« The Doghouse: Privacy.li |
| Surveillance Cameras and Terrorism »
July 11, 2005
The Hymn Project exists to break the iTunes mp4 copy-protection scheme, so you can hear the music you bought on any machine you want.
The purpose of the Hymn Project is to allow you to exercise your fair-use rights under copyright law. The various software provided on this web site allows you to free your iTunes Music Store purchases (protected AAC / .m4p) from their DRM restrictions with no loss of sound quality. These songs can then be played outside of the iTunes environment, even on operating systems not supported by iTunes and on hardware not supported by Apple.
Initially, the software recovered your iTunes password (your key, basically) from your hard drive. In response, Apple obfuscated the format and no one has yet figured out how to recover the keys cleanly. To get around this, they developed a program called FairKeys that impersonates iTunes and contacts the server. Since the iTunes client can still get your password, this works.
FairKeys ... pretends to be a copy of iTunes running on an imaginary computer, one of the five computers that you're currently allowed to authorize for playing your iTMS purchases. FairKeys logs into Apple's web servers to get your keys the same way iTunes does when it needs to get new keys. At least for now, at this stage of the cat-and-mouse game, FairKeys knows how to request your keys and how to decode the response which contains your keys, and once it has those keys it can store them for immediate or future use by JHymn.
More security by inconvenience, and yet another illustration of the neverending arms race between attacker and defender.
Posted on July 11, 2005 at 8:09 AM
• 41 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"The Hymn Project exists to break the iTunes mp4 copy-protection scheme, so you can hear the music you bought on any machine you want"
The problem with this kind of thing is they seem to forget you can't even use iTunes without Apple's software.
So under what circumstances would you want to play the purchased music on any machine you want? Obviously there has to be some level of DRM, else none of the record companies would have got involved with Apple in the first place, and the fact that I can burn purchased music onto CD kind of invalidates the point of the Hymn Project.
@Alex - Many people (myself included) own MP3 players that will not play AAC files. In short, anything not made by Apple.
I could burn the music to a CD and then rip the CD in MP3 format. The Hymn Project allows me to do this entirely in software.
You may also like to see the SharpMusique product. Amazingly enough the Itunes music store delivers content to the end user _without DRM_, trusting iTunes to DRM it on arrival.
So if a program, i.e. SharpMusique, masquerades as iTunes then the user can get their content DRM free.
I wouldn't buy music from the Itunes Music Store, but I've certainly purchased a fair amount via SharpMusique.
@Alex - iTunes music is encoded in AAC. When you strip the DRM, you can play the resulting files on other portables (there are a number of them, search Google), as well as many other operating systems (Linux, etc). Burning to a CD-R is not a solution if you want to retain the compactness of the encoded files. Transcoding the PCM through CDDA will result in loss of quality.
@maco: many of the newer 3G mobile phones can handle AAC. Currently, I'm taking part in a huge music download/streaming project that will be launched in November in 7 European countries, and AAC is the codec of choice. In short, this whole "AAC is an Apple-proprietary format" is a myth.
Useful though it may be, Hymn does little to discourage DRM. Through its use, Apple gets the message "I want to use your service so badly that I'm willing to jump through hoops to get the product I want out of it." It may even be communicating that the consumer will put up with even more-restrictive DRM, as the iTunes product is so desired.
Stephen: Hymn isn't so much about hitting Apple with a stick over DRM as it is giving people the ability to do what they want to do with files they have purchased.
foo: Glad your phone supports AAC. My car stereo doesn't however, so I need software like Hymn to let me listen to the music I buy.
I also much prefer SharpMusique to iTunes because it's much, much smaller and lighter. I like it's GUI a lot more too, plus I don't need to install any of the quicktime nonsense either (bless the k-lite codec people).
Alex: you're completely missing the point. It doesn't matter if there is no reason to play these files on non-Apple players. I don't have to have a reason, much less justify myself to other people, I just want to do it. That should be more than enough reason all by itself, but at some point, people have decided that all rights are in the hands of the copyright holder by default.
Remember, owning the copyright on a work only allows you to control distribution of that work which isn't covered under fair use. If I want to play my files on my Uzbekistan-made Music Player Uzbek 3000, I should be able to, or at least to try. Apple is also free to try to stop me, but there's no reason to expect them to always succeed, nor to give their success legal guarantees.
I have actually had this installed on my computer for a while, but never bothered to use it. I just tried it out, and it seems to have worked perfectly with the default settings. I'm not planning on doing anything special with my music, but it is nice to know that it will still be around long after Apple drops support for what I legally purchased.
Which one is the attacker and which the defender?
Things like this are why I refuse to buy anything that has any sort of DRM, and I've bought a good amount of music online. I only buy MP3s, though, and only from legitimate sources (They Might Be Giants, for example, has their own website selling MP3s direct from them, and there are sites such as Audio Lunchbox and others that sell MP3s as well. Hard to find the latest Britney Spears album as a legit MP3, but that's not really a big deal for me...). I also won't buy things from Drive-Thru RPG, preferring RPGnow because their PDFs are non-DRMed.
Yeah, I could buy DRMed music and eBooks, and without much hassle on my part remove the restrictions, but that would be technically breaking the law, and part of the point of actually buying the stuff is that I'm trying to be entirely legal.
Format schmormat, the big payoff for me with Hymn is I don't have to worry about this authorize/deauthorize garbage when I get a new computer. Yeah, Apple will let me de-auth the files on the old machine and then re-auth them on the new machine. However the hassle of moving files from old to new is big enough already, I don't need to pay for the privilege of even more headache.
I assume you're talking about the Coding Technolgoies project? Any status to report?
I agree with most of the anti-DRM and anti-iTunes Music Store rhetoric above.
But here's an even bigger kicker for me: the iTunes store does a lousy job of representing the full diversity of music being made today.
Have you ever tried to find music by local or obscure artists in the iTunes store? If your experience was like mine, it's just not there.
Amazon and its affiliates do a pretty good job of scouring the planet for most any music currently being distributed and a lot of old stuff that's not. Even a tiny outfit like CDBaby does a better job than iTunes (and a better job than Amazon of getting money straight to the artists -- local small-label musicians I know love CDBaby).
The great potential of the Internet is to help people form micro-communities of interest, to decrease the power of monolithic top-down culture and increase the power of bottom-up culture and the "long tail". So far iTunes isn't living up to that potential.
Screw iTunes, screw Napster, and all the rest. Can't play it on this computer, can't burn it, can only listen to it AT ALL as long as you maintain your subscription... How much crap will people put up with?
DRM-defeating technology won't change anything except the magnitude of the drastic measures the scumbags take to shove DRM down our throats. The only answer is a boycott.
But that takes discipline. And you can't download discipline.
I observed a similar issue recently.
Real Player converted files to a proprietary format without warning the user. When the user upgraded the computer, the keys (unexplicably) wouldn't transfer to the new system. (Note to Real: a critical app such as a key management program probably should not require an "A:" drive). The faceless/nameless customer support from Real failed miserably to help resolve the issue. They just kept reiterating the same "follow the instructions or re-rip the files" message. This simply left the files in an unusable format and the user in an unfriendly state.
Naturally, because of this, the user vowed to never allow anyone to use another Real product.
I found it interesting that (perhaps due to the principle of the situation) the user was more intent to find a way to "get access" to their own files than to call the mess a complete loss and create the files again. Eventually they did find a way to defeat the Real DRM and get their files converted to mp3. And who, really, can blame them?
The right for fair use (of what you buy) is just as important as other basic rights such as freedom of speech. If it ever gets to the point you own nothing you buy there's actually a word for it, it's called communism. The only difference is it's big corporations that own your stuff and tell you what to do with it.
For example, would it make any sense to buy a lawn mower which you couldn't lend to your friend unless you paid a fee to the manufacturer?
Ofcourse the music industry will claim most people use these tools to pirate music. That's as absurd as claiming most people use cars to get away from crime scenes or claiming most people use chain saws to steal christmas trees.
what I don't get in this discussion is this: if you use iTunes you likely use an iPod. If you use anything but an iPod why would you use iTunes for music download? Now if you use iTunes and an iPod then one of the example about not being able to listen to the music in the car is strange, since you can just connect your iPod to your car radio.
the other thing is: DRM is not great, I don't like it, but to be honest so far I haven't had a point where I was hindered by it. the other thing to remember is that Apple didn't add DRM to ACC just to piss of end-users, but in order to be able to sell music online. I bet the music industry would have never allowed music downloads without some form of DRM.
if you want to own music either buy a CD or burn the music on CD. It's not like people who use iTunes don't know about DRM. So yes DRM is like the lawn mower that can't be lend to your friend, but you know that when you buy it.
Not to be a nit-picker, but "communism" is actually the collective ownership of property (and organization of labor). So in theory the music probably would not be as interesting, but you'd have all the access you could stand.
On the other hand, a company selling you the perpetual rights to own something and then suddenly expiring your access or taking it away is more aptly accused of "fraud" or breach of contract.
So what ever happened to the Digital Choice and Freedom Act of 2002?
Davi: well, in practice it's more or less state ownership of properly anyway.
The question of DRM vs Fair Use boils down to a larger issue -> society has reached a point where there is a technologically-driven break between the old concept of "Intellectual Property" and a new one. Fair Use and DRM are both "old concept". Society needs to stop trying to implement the old rules and write new ones that are sensible.
When the printing press came on to the scene, it enabled popular distribution of written material (a good thing), but also put scribes out of work (a bad thing for the scribes, at least). When the phonograph became popular, in enabled popular distribution of audio recordings (another good thing), and enabled musicians to acquire a new method of generating revenue (sales of recordings in addition to pay-for-performance). Since there was a barrier-to-entry for creating recordings (buying the equipment), an entire new industry was born.
One problem faced now is that the recording industry was based entirely upon a technological advancement, and that technological advancement has been surpassed by new technology. Unlike the scribes, however, the RIAA has enough money (and incentive) to fight the technological advancements tooth and nail for as long as possible to protect their revenue streams.
"Fair Use" is a concept that only exists because of technology. The entire concept of "Intellectual Property" is likewise based on technology. Without recording technologies (from digital all the way back to the basics of written language), there is no IP.
Copyright and Patent law (in the US at least) are designed supposedly to do really only two things -> to stimulate innovation by giving an economic incentive to be the first to come up with new technologies, and to protect the artistic community's right to make a living by the act of creative expression. "Fair Use" only exists to keep the playing field level -> to ensure that those who purchase copyrighted works have protected rights that cannot be usurped by the original copyright holder.
Both copyright and patent law, however, are stuck in "old concept" groundings. They're essentially built entirely around axioms that no longer apply -> the printing press and the phonograph aren't the end-all-beat-all of recording technologies.
We don't need to talk about "Fair Use", we need to talk about what is the proper way to protect IP while keeping the original reasons for copyright/patent intact.
How can we continue to stimulate innovation and creative expression (both assumed to be qualitative "good" things) while still letting the public have an acceptable level of access to legally protected IP?
I buy from iTMS when JHymn is working, I stop when it breaks.
I don't believe Apple will be in the music business for the rest of my life, and if they aren't, the music I'm buying will stop working when my computer wears out.
But I understand Apple needs to dazzle the RIAA. If you think there's noone at Apple who could make a damn-near unbreakable system you're kidding yourself.
Currently a pragmatic balance is achieved.
I agree that it is only the concept of a "live" experience that (so far) can't be reproduced and that retains its value in spite of file sharing and other new technology.
I thought these writers put the situation nicely:
"Ninety-nine years ago, John Philip Sousa predicted that recordings would lead to the demise of music. [dot dot dot] 'The time is coming when [dot dot dot] everyone will have their ready made or ready pirated music in their cupboards.'"
"Since 1998, annual concert-tour revenue has more than doubled, while CD sales have remained essentially flat. Last year, thirteen different artists grossed more than forty million dollars each at the box office. (Prince made eighty-seven million.) Consumers who seem reluctant to spend nineteen dollars for a CD apparently have few qualms about spending a hundred bucks or more to see a show."
Comment submission errors should be fixed now. I accidentally used MT-Blacklist to ban ellipses....
It's plain depressing that a respected security analyst would give publicity to something that's clearly illegal. Bruce, which side of the fence are you on? Are you with the theives or are you with a lawful society?
"It's plain depressing that a respected security analyst would give publicity to something that's clearly illegal. Bruce, which side of the fence are you on? Are you with the theives or are you with a lawful society?"
You're kidding, right? This is a security blog. Much of security deals with illegal things, and it's pretty much impossible to talk about security without talking about illegal things.
It's also pretty much impossible to do research in security without talking about illegal things. All good DRM research -- yes, there actually is some -- learns from failures of previous systems. Not talking about those failures is a foolproof way of designing bad security systems.
Have you written to the major newspapers and television stations complianing that they're writing about the recent terrorist attack in London? That was clearly illegal, and you're opposed to giving that kind of thing publicity.
And as to which side I am on: I'm on the side of common sense.
"It's plain depressing that a respected security analyst would give publicity to something that's clearly illegal. Bruce, which side of the fence are you on? Are you with the theives or are you with a lawful society?"
Someone needs to grow up.
Obviously what we need is a language that makes discussion of illegal things impossible.
What a doubleplusgood world that would be!
BTW, "copyright violation" and "illegal distrubution" are not theft, no matter how much some would like you to think so.
> or claiming most people use chain saws to steal christmas trees.
Yeah. Last Christmas when my Dad and I stole a tree, we just used a tenon saw.
"It doesn't matter if there is no reason to play these files on non-Apple players. I don't have to have a reason, much less justify myself to other people, I just want to do it."
Apple does not support non-AAC devices, so your line goes a bit like
"I have a cassette player, but I want to be able to listen to CD's!" (wine-wine)...
"Are you with the theives or are you with a lawful society?"
Hmmmm. So, as Ari suggested, perhaps listeners are the lawful society protecting their rights while the music industry acts as (your word) thieves? Perhaps if you tried to clarify your point you would see the security practitioner's dilemma?
This brings to mind a recent flight where I was fortunate enough to sit next to a Hollywood producer. I first asked how he felt about the virtually unstoppable DVD ripping and distribution networks. "Outrageous!" he exclaimed. "It should be outlawed and stopped before we can no longer sell movies!" We talked about the re-emerging "full theater experience" for a little bit (will there be opportunities for growth, like live concerts). I then asked where he found all the music for his MP3-player (sitting in his lap) and why he did not just plug into the plane's "free" music channels. "Oh, um, well, I see..." he said softly.
re: MP3 player-carrying Hollywood producer
That's hilarious. You made my day, and I haven't even gotten into the office yet.
Why would someone use iTunes without an iPod? Because it is a very good music player in it's own right. I used it for a while before I got an iPod and liked it better than other players I had used. I didn't have a problem with the DRM used either until I bought a Roku Soundbridge to stream music to my bedroom from my computer and found that it couldn't handle locked ACC files because Apple hasn't licensed that to anyone. This is how it is always going to be, the majority of people will obey DRM restrictions up to and until it becomes a PITA, then they will either get around them or choose a different product.
Another thing that's surrounded by outstanding stupidity is licensing. I'm always amused when I buy something and there's a sticker on the package that reads "by breaking this seal you agree to [insert whatever stupidity here]", when infact, no one can enforce any contractual oblications on you unless you actually sign a contract.
Unfortunatly the patent system (an Elizabethan English invention) was supposed to protect the inventor etc against unfair competition and reward him for his endevors. Unfortunatly it does the exact oposit these days.
(On a side note the first patent applied for was a machine to knit stockings. It was rejected by QE1 supposedly because it would not work with silk...)
The current state of patents is that an inventor comes up with a "primary patent" for which they are unlikley to ever receive any money (it's just to new and the market is not ready).
Other organisations look at the primary patents and then try to work out how to apply it to existing technology, they then apply for "secondary patents" these effectivly earn them money not the primary patent holder.
A patent can earn an organisation money in one of two ways,
1, By producing new inovative product that is better than other existing products.
2, By stopping people producing new and inovative products that compeate with your existing product line.
Now the "Commons" would prefere companies to take option 1, however nearly all large organisations take option 2, which was not what was originally intended.
The reason for this is fairly simple, the cost of getting a patant is quite low (as little as 5000USD) the cost of starting a new product can easily be well above a million USD.
So it is cheaper by far to take out lots of patents and use those to stifle competition. Also patents can be traded, say organisation X has a patent on an area you would/need to develope, if you have a patent that effects them you can horse trade so you both benifit. Obviously if you are a little organisation with few patents you are not allowed to play as the organisations can demand just about any sum of money out of you in licencing fees.
Oh one other little idea that applies in the US is the so called "Submarine Patent" whereby an organisation can quite leagaly steal your invention away from you (Bruce has made some interesting comments on this in the apendex of one of his books).
This might sound like I am against patents I am not (apart from the submarine aspect), what I would like is a change in the rules, whereby all patents go into a colective organisation and you licence from the colective at a reasonable rate.
The colective then pays the patent holder the royalties (less a small commision). This is sort of like a licence to play music in a club or on a radio station, you pay a fixed amount per year based on your perceived ability to pay (ie a percentage of the turnover).
This would level the field somewhat, and would also reduce the incidence of patent infringment, which might make a lot of legal types unemployed (do I here chearing of stage ;)
"Have you written to the major newspapers and television stations complianing that they're writing about the recent terrorist attack in London? That was clearly illegal, and you're opposed to giving that kind of thing publicity."
The difference is that the major newspapers are not lending aid to the terrorists through their writing. They are are not printing contact information of terrorist recruiters. The URL of the site with the claim of responsibility was not given out. By linking to the Hymn project site you are actively supporting their activities. More people will download the software as a result and more right violations will happen.
A software that breaks copyright protection is in clear violation of the DMCA. And as established by Universal v. Reimerdes, linking to illegal materials itself is illegal.
From the ruling:
"There is little question that the application of the DMCA to the linking at issue in this case would serve, at least to some extent, the same substantial governmental interest as its application to defendants' posting of the DeCSS code. Defendants' posting and their linking amount to very much the same thing. [...]"
While I'm well aware of your views on the DMCA, I hardly think that the critics of the Law are above the law.
"The difference is that the major newspapers are not lending aid to the terrorists through their writing. "
Wrong. Terrorists thrive on attention, since their cause depends on it. After all, where would a sense of anticipatory "terror" come from if attacks were never revealed (reported)? I'm not advocating for/against restricting the information, just pointing out the obvious connection for you (again).
Another twist to the DRM debate:
HDCP (High-bandwidth Digital Content Protection) will be a required component of computer monitors that Microsoft will use to regulate video playback.
"Who determines when you get the restrictor and when you get the black screen? You guessed it: the content owner does."
You're probably already aware of this but I thought I'd mention that CDBaby actually provides digital distribution for their artists to online music stores including iTunes. I'm with a band on a small label with material for sale online and we wouldn't be in the iTunes store if it weren't for CDBaby. In fact, the majority of our sales through CDBaby are digital through iTunes rather than shipped CDs. If someone were to purchase a hard copy of our CD they would rip an unprotected mp3 for use on their computers or mp3 players.
Alex Krupp: "I'm not planning on doing anything special with my music, but it is nice to know that it will still be around long after Apple drops support for what I legally purchased."
I purchase music from iTunes using my laptop that runs Mac OSX but if I want to listen to that music on my main computer at home I have to re-rip the protected file because my 7 year old desktop running Mac OS 9 isn't supported by any version of the iTunes software that plays the newer protected files. I have to convert my music to older technology because I can't afford to buy the new hardware yet.
shame that Apple issues a cease/desist order and hymn's downloads have disappeared.
the lesson here that is that people should download every DRM cracking tool they come across in order to protection their future freedom!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.