shahine.com/omar/

Twitter

About

Me: I live in Silicon Valley with my wife, child and cat. I have worked at Microsoft since I graduated from College, both in the Macintosh Business Unit on products such as Outlook Express, Entourage, IE, and Virtual PC and in Windows Live on Hotmail, Calendar and People. I am currently a Principal Lead Program Manager on the Windows Live Social Networking team. I basically manage a team of Program Managers responsible for delivering features to support our web and client applications. I've been blogging since 2001 and like to play around with .NET in my spare time working on projects such as dasBlog (the blog that powers this site) and Send to SmugMug (an application for uploading photos to SmugMug). I blog about a number of technology and productivity related topics.

Total Posts: 1176
This Year: 0
This Month: 0
This Week: 0
Comments: 3715

Disclaimer
The posts on this weblog are provided "AS IS" with no warranties, and confer no rights. The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

E-mail

Tuesday, March 22, 2005

« Windows Media DRM to deliver Indian Movi... | Main | The Credit Card Prank II »

Apple iTunes DRM hole

It seems that Paul Thurrott is astonished that Apple would apply DRM to purchased music on the client (iTunes) rather than the server. Seems like a really bad design decision and a good way to open the door for two programmers to crack it.

The statement from their blog is precious:

"Our intent was not to circumvent copy protection, and if Apple did DRM on the server, we would leave it in place! But applying DRM in an opensource project is not worth the time it would take to code it."

If memory serves me right, when Apple first released Software Auto Update back with Mac OS X they did not cryptographically sign their updates, which of course opened them up for a man in the middle attack delivering malicious code to their customers. Nor did they use any form of HTTP authentication or certificate validation when downloading updates. I remember this because when we developed our software update for Microsoft Office X I was sort of astonished that they did not code sign their updates or use https. Well it was a matter of time before they had to fix it.

I guess hindsight is 20/20 (that goes for everyone). But personally I'm not surprised.

Apple | Software

Posted Wednesday, March 23, 2005 Permalink Comments [1] View blog reactions

Related posts:
Fringe benefits of owning an iPhone
Purchasing an iPhone 3G
On the road to paying a lot for the iPhone
Thoughts on the 3G iPhone
Apple Stuff 2008
iTunes meta data support catches up, iPod still behind
Tracked by:
"On feasibility" (Geekable.com) [Trackback]

Tuesday, March 22, 2005 11:59:57 PM (Pacific Daylight Time, UTC-07:00)

Hmmm...

At first I thought pymusique was blatently doing something illegal but now it's not so clear.

If I put a server on the public internet and someone attempts communication with the server and I grant them access then has anyone done anything wrong? It's not so clear.

I'm guessing it is illegal just because you still need to create and use a real itunes account to purchace the music. I'm sure when you create the account you agree to only use itunes or something of that sort.

Anyway, sounds like Apple needs to redesign their music store.

Monmin

Comments are closed.

homepage | contact

Twitter

Recent posts

Tags

About

Tuesday, March 22, 2005

Apple iTunes DRM hole