
Hacking Digital Rights Management

Like it or not, DRM has become a fact of life in the 21st century. Ars takes a …


Introduction


Like a creeping fog, DRM smothers more and more media in its clammy embrace, but the sun still shines down on isolated patches of the landscape. This isn't always due to the decisions of corporate executives; often it's the work of hackers who devote considerable skill to cracking the digital locks that guard everything from DVDs to e-books. Their reasons are complicated and range from the philosophical to the criminal, but their goals are the same: no more DRM.

We're going to revisit the history of the most famous DRM cracks. While the stories themselves are fascinating, one of the merits of such an exercise is to use the lessons of the past to consider the challenges of the future. Along the way, we'll address the following important questions:

  • Will DRM someday be unbreakable? Do content companies care if it is?
  • Who or what is a "Beale Screamer"?
  • What does the history of DRM mean for new technologies such as Blu-ray discs and HDCP links?
  • Can a marker violate the DMCA?
  • What's more important: technology, Congress, or the market?
  • Will a Stalin statue make a brief cameo appearance in the conclusion of this article?

We'll start our survey with one of the most-used DRM schemes in the country, Apple Computer's FairPlay.

It's all about the music

FairPlay

The FairPlay system, despite the professional effort that went into it, turned out to be surprisingly hackable, given Apple's reputation for robustness and general platform security. When Apple decided to take a bite out of the digital music market several years ago, it marshaled its internal technical resources to develop a home-grown DRM scheme dubbed FairPlay. By the middle of 2004, the encryption scheme had been cracked more times than a toppled Humpty Dumpty. Jon Johansen, the Norwegian hacker partly responsible for cracking the encryption on DVDs (see below), released the primitive QTFairUse, which attempted to bypass (rather than break) the FairPlay encryption. QTFairUse relied on Apple's software to decrypt the protected song files and then grabbed the unencrypted music from RAM. It then wrote this data to an unencrypted AAC file that turned out not to be readable by most music players.

QTFairUse would not be the program to bring unencumbered iTunes downloads to the mainstream user, but it did represent one possible line of attack. Another approach was provided by playfair, a little program capable of stripping the DRM from iTunes files. Instead of grabbing the unencrypted data, playfair relied on grabbing the key that FairPlay uses for encryption. This key was stored on the iPod and was also easily accessible on Windows systems; once it was grabbed, songs could be decrypted and written to disk (Mac systems initially required the iPod to be attached to the computer).

This approach meant that you could only decrypt songs to which you had the rights anyway, but Apple was still unhappy about it. They modified their software to make the key much harder to grab. They also leaned on the web hosting company that playfair used; the project was also pulled from SourceForge. Showing just how hard it is to stuff the code genie back in the bottle, though, playfair development continued. The project was renamed "Hymn" and new versions are still being released, though all still have problems with certain versions of iTunes.

A third approach came from PyMusique, software originally written so that Linux users could access the iTunes Music Store. The software took advantage of the fact that iTMS transmits DRM-free songs to its customers and relies on iTunes to add that gooey layer of DRM goodness at the client end. PyMusique emulates iTunes and serves as a front end to the store, allowing users to browse and purchase music. When songs are downloaded, however, the program "neglects" to apply the FairPlay DRM. (A variant of PyMusique, called SharpMusique, has been developed and maintained by Johansen, though it has not been updated in 10 months).
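The PyMusique story comes down to where the protection is applied. The following toy model is an added example (not Apple's or PyMusique's code) that contrasts a store that ships plaintext and trusts the client to wrap it with a store that encrypts before anything leaves the server; the cipher, song bytes and per-user keys are constructed stand-ins.

```python
"""Toy model of client-side vs. server-side DRM wrapping (constructed example)."""
import hashlib
import os


def keystream_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for the real cipher: SHA-256 counter-mode keystream.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class Store:
    """Music store with two download designs for the same catalog."""

    def __init__(self) -> None:
        self.catalog = {"song-1": b"CONSTRUCTED AAC BYTES, NOT A REAL TRACK"}
        self.user_keys = {"alice": os.urandom(16)}  # per-user key, server-held

    def download_client_wraps(self, user: str, song_id: str) -> bytes:
        # Design A (the iTMS flow described above): plaintext leaves the
        # server; the official client is expected to apply DRM afterwards.
        return self.catalog[song_id]

    def download_server_wraps(self, user: str, song_id: str) -> bytes:
        # Design B: enforcement sits on the server side of the trust boundary,
        # so a client that skips its wrapping step still only holds ciphertext.
        return keystream_cipher(self.user_keys[user], self.catalog[song_id])


class ThirdPartyClient:
    """Speaks the store protocol correctly but never applies any DRM."""

    def fetch_a(self, store: Store, user: str, song_id: str) -> bytes:
        return store.download_client_wraps(user, song_id)

    def fetch_b(self, store: Store, user: str, song_id: str) -> bytes:
        return store.download_server_wraps(user, song_id)


def compare_designs() -> dict:
    """Report whether a non-wrapping client ends up with the plaintext song."""
    store, client = Store(), ThirdPartyClient()
    plain = store.catalog["song-1"]
    return {
        "design_a_leaks_plaintext": client.fetch_a(store, "alice", "song-1") == plain,
        "design_b_leaks_plaintext": client.fetch_b(store, "alice", "song-1") == plain,
    }
```

Design B only moves the enforcement point; as the playfair section above shows, a key that still has to reach the user's device remains exposed there.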

The attacks on FairPlay have been enlightening because of what they illustrate about the current state of DRM. They show, for instance, that modern DRM schemes are difficult to bypass, ignore, or strip out with a few lines of code. In contrast to older "patches" of computer software (which would generally bypass a program's authorization routine), the encryption on modern media files is pervasive. All of the software mentioned has still required Apple's decoding technology to unscramble the song files; there is no simple hack that can strip the files clean without help, and the ciphers are complex enough to make brute-force cracks difficult.

Apple's response has also been a reminder that cracking an encryption scheme once will no longer be enough in the networked era. Each time that its DRM has been bypassed, Apple has been able to push out updates to its customers that render the hacks useless (or at least make them more difficult to achieve). The resulting cat-and-mouse game between the company and its users will no doubt become a familiar feature of future DRM schemes, most of which are now built with the ability to update themselves even after deployment.

On the other side, it's also more difficult than ever to shut down a cracking project. Coders simply move their work from server to server until they find a spot where the long arm of Apple Legal cannot reach.

Windows Media

When it comes to music, Microsoft's own DRM system comes second only to Apple's FairPlay—though that's not saying much in the US, where Apple has an 80 percent market share. Still, it's a solid achievement for the Redmond, WA-based company, which beat out earlier contenders like Liquid Audio and Real. Windows Media Audio has been hacked less frequently than Apple's competing system, but as security analyst Bruce Schneier puts it, this is due to "market share, nothing more." Because relatively few music downloads are sold in the format, hackers devote less energy to cracking it.

Windows Media Audio has stood secure for several years now, but it was memorably hacked back in late 2001, when version two of the encryption was in use. A hacker using the pseudonym "Beale Screamer" posted a long message to the sci.crypt newsgroup in which he described how to circumvent the DRM protections of Windows Media Audio and provided code to do so. His program, dubbed "freeme," worked, but with limitations; users needed to have a license for the song before the decryption would work. It also was designed only for version 2 of Microsoft's DRM, the one included with Media Player 7.

Beale Screamer actually had some complimentary words for the Microsoft engineers who designed the scheme:

You guys have put together a pretty good piece of software. Really. ... My real beef is with the media publishers' use of this software, not the technology itself. However, it's easy to see where software bloat and inefficiency come from when this code is examined: every main DLL has a separate copy of the elliptic curve and other basic crypto routines, and parameters passed back and forth between modules are encrypted, giving unnecessary overhead, not to mention all the checks of the code integrity, checks for a debugger running, code encryption and decryption. Perhaps you felt this was necessary for the "security through obscurity" aspect, but I've got to tell you that this really doesn't make a bit of difference. Make lean and mean code, because the obscurity doesn't work as well as you think it does.

Mr. Screamer ("Beale" to his friends) made a point of asking users not to use freeme as a tool for violating copyrights, because such use would violate the serious point he was trying to make about DRM's dangers to fair use. Such principled messages are actually quite common among DRM crackers; whether users heed them is another story altogether.

The news created headaches for Microsoft's digital media group, but ultimately the hack was not of great concern. Microsoft was able to update its DRM, which has not been widely breached since that time.
