New code first step in breaking Apple's DRM

The man responsible for writing software that allowed people to circumvent copyright technology on DVDs has posted software on the Internet that may allow Windows-using customers of Apple Computer Inc.'s iTunes Music Store to break digital rights management (DRM) technology that protects files downloaded from that service.

A link to the file, called QTFairUse, was posted on a Web log that is maintained by Jon Lech Johansen, also known as "DVD Jon." When compiled and run, the program allows iTunes users to make raw copies of songs that use Apple's MPEG-4 Advanced Audio Coding (AAC) standard.

According to comments in a file included with the QTFairUse code, the program allows users to open and play an AAC file using Apple's free QuickTime media player, then save raw AAC data to a file on the computer.

However, the file posted by Johansen still requires significant technical knowledge to use.

The file was posted as uncompiled C language code and must be compiled before it can be run. Also, while the output file created by QTFairUse would be an identical copy of the original, the copying process does not create a file that can be immediately played by music applications on a user's computer. However, if Johansen continued to develop the code, it could lead to ripping applications that removes the DRM from iTunes files.

While the application is certainly not something the average person will be able to use in its current form, it creates a balancing act for Apple when considering what to focus on when updating iTunes in the future.

"The exploitation of iTunes vulnerabilities forces Apple to revisit their code -- this results in a challenge of how much developer time can Apple dedicate to patching security holes rather than enhancing features," Tim Deal, senior analyst with Technology Business Research, told MacCentral.

The program was posted on Friday without comment to Johansen's Web log, which is called "So sue me," and is apparently designed for use on Microsoft Corp. Windows systems.

People have looked for ways around encryption technology since it was first introduced, but in the future Deal doesn't see many people taking advantage of DRM exploits like QTFairUse. The low cost of legally purchasing music at online services like Apple's iTunes Music Store may prove more appealing than going through the hassle of illegally breaking the DRM.

"While the ease of use and relative low cost of downloading music from iTunes might be enough to halt most people from taking advantage of illicit applications, there is still a small percentage who will exploit the opportunity," said Deal. "In the not-too distant future, when record companies shift their distribution methods from the costly retail model to the streamlined Internet model, song downloads will be cheap enough to dissuade hacking by even the most stalwart cyber criminals."

Johansen rose to international prominence after he created DeCSS (De Contents Scramble System) in 1999 to crack the CSS copy protection on DVDs, and made the code available to others on the Internet. Norwegian police raided his home in January 2000 after the Motion Picture Association of America (MPAA) filed a complaint.

After a trial in Norway, Johansen was acquitted in January of charges related to his development and distribution of DeCSS. The court found that Johansen was entitled to access information on a DVD that he had purchased, and was therefore entitled to use his program to break the code.

Norwegian prosecutors have appealed that ruling.

This is at least the second time since its release on October 16 that restrictions in iTunes for Windows have been circumvented by developers. Bill Zeller's MyTunes application allows Windows users to download music from an iTunes shared playlist over a network.

Unlike QTFairUse, MyTunes doesn't break the digital rights management that Apple has placed in all of its purchased music, but it does allow users to download and play music imported from CDs. Zeller's Web site also states that he is fairly certain that MyTunes cannot be detected on a network, which means someone could be downloading shared music without the source person's knowledge.

Apple representatives were not immediately available to comment for this story.

Subscribe to the Best of Macworld Newsletter

Comments