June 20, 2018

Apple Closes iTunes Store "Security Hole"

Last week, DVD-Jon and two colleagues released PyMusique, a tool for buying songs from Apple’s iTunes Music Store (iTMS) site. This got some people upset, because songs bought with PyMusique were not encumbered by any copy protection. Now Apple, predictably, has updated iTMS to make it incompatible with PyMusique.

The standard narrative about this goes as follows: (1) DVD-Jon and friends discover a security hole in iTMS. (2) The write PyMusique, which exploits the hole to get unprotected music. (3) Apple fixes the hole and iTMS is secure once again. The standard narrative misses the point entirely.

For starters, the security mechanisms of iTMS were, and are, well designed. A system that does what iTMS does will necessarily be unable to prevent unauthorized copying of music. That’s just a fact. Apple, to its credit, didn’t overinvest in fancy anti-copying technology that would be defeated anyway. Instead, Apple built a more modest and – here’s the key point – user-friendly system that gave users freedom to make legal use of music and provided speed bumps to steer consumer behavior, but didn’t pretend to stop determined infringers. There was no point in trying to stop determined infringers, because (a) there was nothing Apple could do to stop them from ripping iTMS content, and (b) all of the songs that might be ripped from iTMS were already available on the darknet anyway.

iTMS security is a bit like the lock on your screen door: it’s not very strong, but it doesn’t have to be, because the screen door around it is inherently vulnerable anyway. Putting an expensive lock on your screen door is a waste of money because it doesn’t make you any safer. Similarly with iTMS: spending more on copy protection would have been a waste, because it wouldn’t have reduced infringement.

Rather than owning up to its savvy engineering decision not to overinvest in fruitless copy protection, Apple apparently feels compelled to pretend publicly that iTMS is “secure” in the sense that heroic effort is required to illegally redistribute content bought from iTMS. That’s obviously untrue, but Apple is unwilling to admit that in public. (The famous reality distortion field plays a role here.)

So DVD-Jon and friends came along and released software that let people buy music that wasn’t wrapped in the usual weak iTMS copy-protection mechanisms. It was always possible to get such music, by buying it via the normal methods and then stripping off the copy-protection in one of several well-known ways. So PyMusique didn’t prove anything that we didn’t already know; but it didn’t really harm Apple or anybody else either.

Still, Apple apparently wanted to maintain the pretext of iTMS security, so it updated iTMS to make it incompatible with PyMusique. It’s still possible to make a new version of PyMusique that lets people buy music from iTMS and end up with that music in uncopyprotected form; but at least Apple can give the impression of policing its security perimeter.

We haven’t seen the end of this charade. Expect more iTMS “bugs” and more “fixes” from Apple.

UPDATE (7:50 PM): As predicted, DVD-Jon has reverse-engineered Apple’s fix and says he can now reenable PyMusique. That was quick!

Comments

  1. Two words: “Security Theater”. Sigh. (It’s still sent to the (untrusted) client machine unencrypted?)

  2. Anonymous says:
  3. What article from the register? That “link” of yours looks like a link, highlights like a link on mouseover, but doesn’t actually do anything when clicked on.

    As for its not being secure again, they never did secure it — they are still sending the file to the client unencrypted, rather than sending the machine hash to the server and applying the DRM (retch!) there and then sending the DRM’d file back to the client.

  4. ah. poop. I hate my lack of html skills. like quotations and stuff. the article is here.

  5. That one works; thanks.

  6. Steve Purpura says:

    If you substituted “A future Apple legal defense requires that they claim publically that iTunes DRM is secure” for all of the stuff about reality distortion field, then this discussion makes a lot more sense.

    This game has been going on since the Atari video game cartridge pirating in the 70s. The only improvement in the game between developers and hackers is that it happens in nearly real-time now. And we all expect it to happen in real-time.

  7. peter honeyman says:

    We have Ph.D.s here who know the stuff cold, and we don’t believe it’s possible to protect digital content.
    Steve Jobs, Rolling Stone interview, December 3, 2003

  8. I wouldn’t be so quick to dismiss Apple’s action. Apple has struck a balance for personal use and making its site a locus for illegal activity. But DVD-Jon poses a real threat: why should consumers accept a product that cripples their legal use of it? The presence of an alternative undermines the pragmatic solution that Apple wants.

  9. Well, PyMusique doesn’t even give you music in all the freedom that CDs do. CDs are a backup, rip to any format, in VBR if you wish, in a high bitrate (160k+) if you desire, come with a booklet, play in your car stereo (well, if it’s a real CD).

    There is NOTHING to worry about for the music industry. When consumers can actually buy MUSIC instead of crippleware for their money, they just might.

    1. Offer the consumer what they want
    2. Make them pay for it, with on online store.
    3. Profit!

    Or you do what the MI has been doing all along: devising new ways to rip customers off by giving them crap for their money 😉

  10. One thing to remember. The actual files that itunes and pyMusic download from the internet do not have any DRM at all. They are scrambled, but not DRM’ed. What happens is that itunes re-encodes the aac files to add DRM once it has arrived.

    pyMusique isn’t removing DRM, it is simply neglecting to add it to files that don’t have it in the first place.