Via Adriana’s furl, I found a slightly hysterical-in-an-unfunny-way Boing-Boing posting which linked to an original blog post – the latter being a blog with only two postings.
The paragraphs below are from the Boing-Boing posting; my mental responses to the paragraphs are infix and bold.
The latest iPods have a cryptographic “checksum” in their song databases that prevents third-party applications from synching with the portable music players.
Hmmm, okay…
This means that iPods can no longer be used with operating systems where iTunes doesn’t exist — like Linux, where gtkpod and Amarok are common free tools used by iPod owners to load their players.
Errr… but a cryptographic checksum can’t do that without a nonce which will be en-clair in iTunes, and someone will rip that out with a debugger, so what’s the problem? Do you know the difference between a cryptographic checksum, an HMAC, and a signature?
Notice that this has nothing to do with piracy — this is about Apple limiting the choices available to people who buy their iPod hardware.
Errr… if they were embedding private certificates in players and then signing the databases with a public key, then I would agree. To me this just sounds like worrying about on-disk database corruption.
The new hardware limits the number of potential customers for Apple’s products, adding engineering cost to a device in order to reduce its functionality.
Um… Bullshit?
…and lo and behold, on the original complaining blog, is a self-congratulatory back-slapping followup dated today.
Indeed, it is posting #2:
Thanks to some inspired work by a few heroes, we’ve managed to work out how to get everything working again.
This is what we’ve found out: the hash at 0x58 is the one that matters. And we know how to generate it.
It’s a cryptographic signature combining data from the iTunesDB and a device specific identifier (called the firewireid) and some (formally) secret numbers.
Instructions for linux users on how to fix their iTunesDB files are here. Windows users are going to have to wait a little while. (For interested programmers, the code to generate the hash is here.)
The heroes in question include wtbw, nopcode, teuf, simon and many others from #gtkpod.
Let’s all hope that (if they haven’t already from the iPhone unlocking) Apple learn that fighting against us is pointless. It’s a waste of their time if the open source crowd is going to get past it in just a weekend.
…or, as I read it “we finally worked out how to use a debugger and reverse-engineered this change to the database format; next time maybe Apple will warn us when they have the temerity to change their own proprietary software like iTunes, so that we don’t have to think so hard”.
If it’s SHA-1, well for god’s sake it’s only the world’s de facto standard hash algorithm. Perhaps you can bitch at Apple for not publishing their iTunes database format as an RFC, or something like that, but you can’t blame them for modifying their own code.
And the manner in which the ipodminusitunes.blogspot.com crowd are painting this is right up there in my mind with “now you see the violence inherent in the system, help, help, i’m being repressed.”
People who don’t know how to drive crypto, shouldn’t throw PR stones.
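An added example (not from this post, the quoted blogs, or the gtkpod code): the distinction drawn above between an unkeyed checksum and a keyed hash whose key ships inside the software. The HMAC-SHA1 construction, key derivation, secret and device identifiers are constructed assumptions; only the 0x58 offset comes from the quoted post.

```python
import hashlib
import hmac

HASH_OFFSET = 0x58   # field offset named in the quoted post
HASH_LEN = 20        # SHA-1 digest size (SHA-1 is an assumption here)
EMBEDDED_SECRET = b"constructed-placeholder-secret"  # constructed, not a real value


def _zeroed(db: bytes) -> bytes:
    """Blank the hash field so the tag covers every other byte of the file."""
    return db[:HASH_OFFSET] + bytes(HASH_LEN) + db[HASH_OFFSET + HASH_LEN:]


def plain_checksum(db: bytes) -> bytes:
    """Unkeyed SHA-1: catches corruption, but any writer can recompute it."""
    return hashlib.sha1(_zeroed(db)).digest()


def device_tag(db: bytes, device_id: bytes, secret: bytes = EMBEDDED_SECRET) -> bytes:
    """Keyed tag: HMAC-SHA1 under a key derived from the device id and a
    secret that has to be present in whatever software writes the file."""
    key = hashlib.sha1(device_id + secret).digest()
    return hmac.new(key, _zeroed(db), hashlib.sha1).digest()


def stamp(db: bytes, tag: bytes) -> bytes:
    """Write a tag into the hash field."""
    return db[:HASH_OFFSET] + tag + db[HASH_OFFSET + HASH_LEN:]


def verify(db: bytes, device_id: bytes, secret: bytes = EMBEDDED_SECRET) -> bool:
    stored = db[HASH_OFFSET:HASH_OFFSET + HASH_LEN]
    return hmac.compare_digest(stored, device_tag(db, device_id, secret))


def demo() -> dict:
    dev_a = b"\x00\x0a\x27\x00\x11\x22\x33\x44"   # constructed device ids
    dev_b = b"\x00\x0a\x27\x00\x55\x66\x77\x88"
    db = bytes(0x100) + b"constructed track list"  # constructed database
    signed = stamp(db, device_tag(db, dev_a))
    edited = signed + b" plus one track"
    return {
        "valid_on_device_a": verify(signed, dev_a),
        "valid_on_device_b": verify(signed, dev_b),
        "rewritten_with_plain_sha1": verify(stamp(edited, plain_checksum(edited)), dev_a),
        "rewritten_with_embedded_key": verify(stamp(edited, device_tag(edited, dev_a)), dev_a),
    }


if __name__ == "__main__":
    print(demo())
```

A symmetric key that ships in the client gives integrity against corruption and against writers who lack the key, nothing more; only an asymmetric signature keeps the ability to write away from software that can verify.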