
Breaking Grooveshark's encryption - lucgommans
http://lgms.nl/blog-1
======
Marcus10110
This almost feels like legal cover more than anything else. At least they
"tried" to protect the music files from easy duplication & piracy. I wonder if
circumvention of XOR is illegal under the DMCA. It feels just about as effective
as renaming the file extension from *.mp3 to *.shh

~~~
eli
IANAL, but the DMCA does not make any distinction between strong encryption
and mild obfuscation. They're both "technological measure that effectively
controls access to a work"

I'm not sure the DMCA provides any "proof" that they're going after privacy.
But it does afford them legal tools to go after people who publish Grooveshark
decryptor scripts.

~~~
sp332
I think the word "effective" might be interpreted to exclude ineffective
measures like this one.

~~~
eridal
That's subjective.

Any strong technique, once broken, is not effective anymore: is it then legal
to use such a technique, due to its ineffectiveness?

~~~
mglinski
Also IANAL but from what I know the law has not been interpreted to use (in my
opinion) a reasonable definition of the word effective. The law requires 2
things here for a covered protection to be "effective":

      #1 That the protection on the copy is "sufficient" to protect the rights of a copyright holder of the original work, and
      #2 That the copyright owner is satisfied with the protection provided by the copied work.

To me at least, this seems insane. You can theoretically claim DMCA based
relief for anything forever by taking its bitstream format and flipping every
bit once. That coupled with the knowledge of the copyright owner will be
enough to be covered under this reading of "effective".

The linked court decision states on page 28:

98. To prevail on a DMCA claim for violation of the copy-control provision,
plaintiff must show that CSS “effectively protects a right of a copyright
owner under” the DMCA. 17 U.S.C. § 1201(b)(1). Under that section, a
technological measure “effectively protects a right of a copyright owner . . .
if the measure, in the ordinary course of its operation, prevents, restricts,
or otherwise limits the exercise of a right of a copyright owner under this
title.” 17 U.S.C. § 1201(b)(2)(B). For the reasons articulated above, the
court finds that CSS technology is an effective technological measure to
prevent copying of copyrighted DVD content by the average consumer. That CSS
technology has been hacked does not disturb this conclusion.

The RealNetworks case where this was decided is linked below. The case
basically went "There is this program that uses freely available code that
technically breaks your DMCA approved protection method, CSS, but because CSS
still works to protect rights due to the breadth of its implementation, it is
not sufficiently broken by your program or the freely available knowledge you
used to make it, and the Court finds for the Plaintiff." (my interpretation
from reading page 56)

See: [https://www.eff.org/files/filenode/RealDVD/real_v_dvd-cca_pi...](https://www.eff.org/files/filenode/RealDVD/real_v_dvd-cca_pi_order_081109.pdf)

Pages #28 and #56

------
yarper
tl;dr they xor'd the files with 37 (ASCII '%')

~~~
baby
the post was more complicated to read than the encryption they used

------
rcfox
A few years ago, there was an article posted to Hacker News about some site
that sold DRMed anime shutting down and how people who bought anime from the
site would no longer have access to the things they bought. As it turned out,
the special Flash-based anime viewer they provided just did a per-byte XOR
with 0x42 on PNG files.

------
TheLoneWolfling
Slightly off topic:

Why is this site _more_ readable without the stylesheet?

------
PythonicAlpha
This "coding scheme" seems to be "unkillable" (don't know, if the wording is
correct, the spell checker does not like it).

I thought, after Microsoft made a bad name for itself by using this in its
"Access" product ten years ago or so (they "encrypted" passwords this way),
some people should have been warned. Maybe it was just too long ago ...

Within seven years or so (of operating), somebody could have come up with a
different algorithm ...

~~~
slang800
Well, there are tons of different DRM algorithms, but none of them are backed
by secure cryptography since you cannot logically restrict people from
"saving" but not from "viewing". There's no mathematical backing to the idea.
This is probably why Grooveshark didn't bother using a complex algorithm...
they already know that DRM is fragile and will be broken by someone who's
determined enough. So the performance cost of a real encryption scheme just
isn't worth it.

As for storing passwords with something like that: that's terrible. We have
great hashing / salting algorithms, and tools like bcrypt make them very easy
to use. Of course, in this case you're not letting anyone (including yourself)
_view_ the password (you're just checking for correctness against a known
hash), so the solution is very different and is theoretically secure (unlike
DRM).

~~~
vbezhenar
> Well, there are tons of different DRM algorithms, but none of them are
> backed by secure cryptography since you cannot logically restrict people
> from "saving" but not from "viewing"

Actually you can, but this requires a smart viewer. You send encrypted data
into the viewer, where the data is decrypted. Secret keys are stored inside the
viewer and retrieving them is a hard task. Of course that requires a DRM-enabled
display, participating video card, drivers, etc.

------
ionwake
Can you explain further how the key is used in the mapping? Maybe with a
doodle? Thanks & well done btw

-- mixing the file with a single byte (0x25, or ASCII 37, or a percent sign)
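
How a single-byte XOR key (such as the 0x25 and 0x42 values mentioned in this thread) falls out of known file headers, shown as an added example that is not code from the linked article or from any commenter. The signature table, function names and sample blobs are constructed for illustration; the check is useful for confirming that a stored "encrypted" blob is only XOR-masked.

```python
from collections import Counter

# Constructed table of file signatures used as known plaintext (illustrative, not exhaustive).
MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "mp3-id3": b"ID3",
    "ogg": b"OggS",
}

def xor_mask(data: bytes, key: int) -> bytes:
    """Apply (or remove) a single-byte XOR mask; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

def recover_key_from_magic(blob: bytes):
    """Return (format, key) if blob starts with a known signature XORed with one byte.

    key == 0 means the file is not masked at all. Returns None if nothing fits.
    """
    for name, magic in MAGICS.items():
        if len(blob) < len(magic):
            continue
        key = blob[0] ^ magic[0]          # the first byte alone fixes the candidate key
        if all(c ^ key == p for c, p in zip(blob, magic)):
            return name, key              # remaining signature bytes confirm it
    return None

def padding_hint(blob: bytes):
    """Most frequent byte and its share of the blob, or None for empty input.

    Zero padding in the plaintext becomes a run of the key byte, so a dominant
    byte is a strong hint at the key even when the format is unknown.
    """
    if not blob:
        return None
    value, count = Counter(blob).most_common(1)[0]
    return value, count / len(blob)

# Constructed samples: a PNG-like header masked with 0x42, an ID3-like header with 0x25.
PNG_SAMPLE = xor_mask(MAGICS["png"] + b"\x00\x00\x00\rIHDR", 0x42)
MP3_SAMPLE = xor_mask(b"ID3\x03\x00\x00" + bytes(64) + b"\xff\xfb\x90\x00", 0x25)

if __name__ == "__main__":
    for label, sample in (("png", PNG_SAMPLE), ("mp3", MP3_SAMPLE)):
        print(label, recover_key_from_magic(sample), padding_hint(sample))
```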

------
theandrewbailey
Cryptography rule #1: Don't make your own.

I guess that AES (or some other standardized cipher) was too overkill,
insufficient, or mainstream for them?

~~~
tbabb
It's clear they didn't really care whether you got to the files or not; I
think they were just covering their legal asses. (Didn't matter in the long
run, it would seem).

------
moey
I had a Tidal trial and was trying to see how encrypted their lossless music
was. It uses some Chrome NaCL executable to decrypt, then play the music. In
any other browsers, you cannot play HiFi music since they do not support NaCL.

That seemed like a good solution to DRM encryption.

At the end of the day though, people can just record the input on their sound
card if they really wanted...

------
q3k
So, a whole article just to explain it's a single-character XOR encryption.
Smooth.

~~~
rrss1122
He definitely tried too hard.

~~~
lucgommans
Author here. Can confirm: you're right.

But I did learn a lot and will surely try this first in the future.

Should I have written on top that, if you're into crypto, you may want to skip
to the summary?

~~~
rrss1122
A tl;dr is always nice!

~~~
lucgommans
Well there is already a summary at the bottom, but I guess I should refer to
it at the top. Thanks :)

~~~
ionwake
I enjoyed the article, it was well written

------
donpdonp
"...after quite literally being sued to hell."

[http://theoatmeal.com/comics/literally](http://theoatmeal.com/comics/literally)

~~~
lucgommans
They weren't sued "anywhere": sued to hell just means they were sued out of
existence -- and that is, _literally_, true. Or that's how I, as a non-native
speaker, see it, and why I thought it was correct.

~~~
mistercow
If they were literally sued to hell, that means that hell is a real place, and
they are now actually in that place.

