PyMusique: A first look at the code.
[via BB] Jon Johansen discovered that the iTunes Music Store applies DRM to your purchased tracks once they’ve been downloaded. He’s created PyMusique, an app which lets you sign up with the store, buy music, and even download music you’ve already purchased, while skipping that pesky DRM step. Note: this doesn’t allow you to steal music; you must buy it, just as you do with iTunes. However, when you buy from iTunes, what you purchase is controlled by Apple; when you buy from iTunes through PyMusique, what you purchase is controlled by you.
A cursory glance through the Python source of the program shows that it includes a Python implementation of Jon’s DeDRMS DRM-stripping logic, but that’s only used for playing 30-second track samples (a handy feature of iTunes he wanted to preserve in PyMusique). When you actually purchase a song, the store sends it to you without DRM; this is what you have purchased from Apple, and your local iTunes client further cripples it once the product has been delivered. PyMusique simply converts the raw M4A data (which appears to be AES-encrypted, but the key is handed to you at the same time [1]) to a usable M4A music file without applying further restrictions.
I’ll have to take a closer look at the source to understand more about how it works (if indeed there is more to understand).
[1] Dr. Wallach points out that the reason the music is trivially encrypted has nothing to do with security. It could have been “encrypted” with XOR, or ROT-13. The purpose of this seemingly purposeless encryption step is to provide a legal foothold for Apple: because DVDjon undertakes some trivial decryption task when receiving the music file, his activities can now be considered in violation of the DMCA or any other law prohibiting the defeat of copy-protection measures.