

Ask HN: Can't iTunes Match be used to actually "pirate" content? - ufuk

Since iTunes Match will be sending to Apple server the fingerprints of the songs on one's computer, could one not, theoretically, fake iTunes into believing that an audio file with a given fingerprint actually exists on your computer?

This attack vector was used by Dropship to transfer files across Dropbox accounts (Ref: http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/), but the implications were minor since, from a security perspective, the attack was on a fellow user. Here the attack is on the iTunes system as a whole, and enables you to download songs that you have not purchased and have not ripped or downloaded.

I can already imagine networks popping up where people share their audio fingerprints.
======
mikecane
Most likely so. But that $25 or so per year is most likely not going to Apple
but being split by the record labels. Others have pointed out this is kind of
a piracy amnesty. The average person just isn't going to go nuts pirating
music to get some sort of deal. Those aren't the kind of people buying
iDevices. Besides which, don't people have to upload the music for the scan?
Broadband upload speeds are crap, again whittling away whatever incentive
people might have to load up on stolen music.

~~~
ufuk
I realized that the $25 per year was a form of piracy amnesty the moment I
heard about it. The way I see it, people pay $25 per year to get an
all-you-can-eat music service, since they can always legitimize content they keep on
downloading from illegitimate sources.

My question, however, is whether it is even necessary to download any
illegitimate content. Nobody needs to upload any music to any servers (iTunes
Match claims not to), all they need to do is to trick iTunes to make it look
like "Song X.mp3" is actually on their hard-drive. In order to do that all
people need to find out is what data iTunes sends to mothership about a
particular song. A similar feat was achieved by Dropship.

~~~
mikecane
Maybe this helps:
http://arstechnica.com/apple/news/2011/06/what-you-need-to-know-about-itunes-match-your-questions-answered.ars

So it does scan, not require an upload unless it's not matched. Very
interesting. It's not a service I'll be using, though.
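
An added example, not part of the thread and not Apple's or Dropbox's actual protocol: a toy exact-hash deduplicating store showing why accepting a client-reported fingerprint alone grants access to content the client never held, next to a challenge-response check that requires the bytes themselves. All names (`CATALOG`, `match_trusting`, `issue_challenge`, `respond`, `match_with_proof`) and the sample track are constructed; the byte-level proof assumes the server holds the identical file, which fits hash dedup but not acoustic matching across different encodings.

```python
import hashlib
import hmac
import secrets

CATALOG = {}   # fingerprint -> bytes the server already stores
PENDING = {}   # fingerprint -> outstanding challenge (per session in a real service)
TRACK = bytes(range(256)) * 16   # constructed 4 KiB stand-in for a file

def fingerprint(data):
    return hashlib.sha256(data).hexdigest()

def add_to_catalog(data):
    fp = fingerprint(data)
    CATALOG[fp] = data
    return fp

def match_trusting(claimed_fp):
    """Weak check: the client's word is enough, no file needed."""
    return claimed_fp in CATALOG

def issue_challenge(claimed_fp, n_chunks=4, chunk_len=64):
    """Fresh nonce plus random offsets into the server's copy."""
    size = len(CATALOG[claimed_fp])
    chunk_len = min(chunk_len, size)          # tolerate very small files
    offsets = [secrets.randbelow(size - chunk_len + 1) for _ in range(n_chunks)]
    challenge = (secrets.token_bytes(16), offsets, chunk_len)
    PENDING[claimed_fp] = challenge
    return challenge

def respond(data, challenge):
    """Client side: HMAC the requested byte ranges under the nonce."""
    nonce, offsets, chunk_len = challenge
    mac = hmac.new(nonce, digestmod=hashlib.sha256)
    for off in offsets:
        mac.update(data[off:off + chunk_len])
    return mac.digest()

def match_with_proof(claimed_fp, response):
    """Hardened check: single-use challenge, constant-time comparison."""
    challenge = PENDING.pop(claimed_fp, None)
    if challenge is None or claimed_fp not in CATALOG:
        return False
    return hmac.compare_digest(respond(CATALOG[claimed_fp], challenge), response)

if __name__ == "__main__":
    fp = add_to_catalog(TRACK)
    print("fingerprint only, trusting server:", match_trusting(fp))
    issue_challenge(fp)
    print("fingerprint only, proof required:", match_with_proof(fp, b"\x00" * 32))
    print("real file, proof required:", match_with_proof(fp, respond(TRACK, issue_challenge(fp))))
```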

