This almost feels like legal cover more than anything else. At least they "tried" to protect the music files from easy duplication & piracy. I wonder if circumvention of XOR is illegal under the DMCA. It feels just about as effective as renaming the file extension from .mp3 to .shh.
IANAL, but the DMCA does not make any distinction between strong encryption and mild obfuscation. They're both "technological measure that effectively controls access to a work".
I'm not sure the DMCA provides any "proof" that they're going after privacy. But it does afford them legal tools to go after people who publish Grooveshark decryptor scripts.
court ruled that the DMCA statute does not require the access control or copy control technology to be strong as long as it prevents unauthorized access and/or copying under ordinary course of operation and with the authority of the copyright owner
Also IANAL but from what I know the law has not been interpreted to use (in my opinion) a reasonable definition of the word effective. The law requires 2 things here for a covered protection to be "effective":
#1 That the protection on the copy is "sufficient" to protect the rights of a copyright holder of the original work, and
#2 That the copyright owner is satisfied with the protection provided by the copied work.
To me at least, this seems insane. You can theoretically claim DMCA-based relief for anything forever by taking its bitstream format and flipping every bit once. That coupled with the knowledge of the copyright owner will be enough to be covered under this reading of "effective".
The linked court decision states on page 28:
> 98. To prevail on a DMCA claim for violation of the copy-control provision, plaintiff must show that CSS “effectively protects a right of a copyright owner under” the DMCA. 17 U.S.C. § 1201(b)(1). Under that section, a technological measure “effectively protects a right of a copyright owner . . . if the measure, in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner under this title.” 17 U.S.C. § 1201(b)(2)(B). For the reasons articulated above, the court finds that CSS technology is an effective technological measure to prevent copying of copyrighted DVD content by the average consumer. That CSS technology has been hacked does not disturb this conclusion.
The RealNetworks case where this was decided is linked below. The case basically went "There is this program that uses freely available code that technically breaks your DMCA-approved protection method, CSS, but because CSS still works to protect rights due to the breadth of its implementation, it is not sufficiently broken by your program or the freely available knowledge you used to make it, and the Court finds for the Plaintiff." (my interpretation from reading page 56)
Their content seems to be pirated (or user uploaded - hell, even company uploaded if the reports are true) in the first place. I think that's the bigger problem with the service.
A few years ago, there was an article posted to Hacker News about some site that sold DRMed anime shutting down and how people who bought anime from the site would no longer have access to the things they bought. As it turned out, the special Flash-based anime viewer they provided just did a per-byte XOR with 0x42 on PNG files.
This "coding scheme" seems to be "unkillable" (I don't know if the wording is correct; the spell checker does not like it).
I thought, after Microsoft made a bad name for itself by using this in its "Access" product ten years ago or so (they "encrypted" passwords this way), some people should have been warned. Maybe it was just too long ago ...
Within seven years or so (of operating), somebody could have come up with a different algorithm ...
Well, there are tons of different DRM algorithms, but none of them are backed by secure cryptography since you cannot logically restrict people from "saving" but not from "viewing". There's no mathematical backing to the idea. This is probably why Grooveshark didn't bother using a complex algorithm... they already know that DRM is fragile and will be broken by someone who's determined enough. So the performance cost of a real encryption scheme just isn't worth it.
As for storing passwords with something like that: that's terrible. We have great hashing / salting algorithms, and tools like bcrypt make them very easy to use. Of course, in this case you're not letting anyone (including yourself) _view_ the password (you're just checking for correctness against a known hash), so the solution is very different and is theoretically secure (unlike DRM).
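The contrast drawn in the comment above, as an added example that is not part of the original thread: a per-byte XOR "encrypted" password is reversible by anyone who holds the stored value, while a salted hash can only be checked for correctness. The key `0x42` is borrowed from the anime-viewer anecdote, the sample passwords are constructed, and `hashlib.scrypt` from the Python standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

XOR_KEY = 0x42  # constructed single-byte key (value taken from the anecdote)


def xor_obfuscate(data: bytes, key: int = XOR_KEY) -> bytes:
    """Per-byte XOR. Applying it twice returns the input, so it hides nothing."""
    return bytes(b ^ key for b in data)


def recover_key(stored: bytes, known_plaintext: bytes) -> int:
    """One known plaintext/stored pair is enough to reveal a single-byte key."""
    return stored[0] ^ known_plaintext[0]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = xor_obfuscate(b"hunter2")            # what an XOR scheme keeps on disk
    key = recover_key(stored, b"hunter2")         # key falls out of one known pair
    print("recovered key:", hex(key))
    print("reversed:", xor_obfuscate(stored, key))

    # Identical passwords give identical XOR records but different salted hashes.
    print("xor records equal:", xor_obfuscate(b"hunter2") == stored)
    salt_a, digest_a = hash_password("hunter2")
    salt_b, digest_b = hash_password("hunter2")
    print("hash records equal:", digest_a == digest_b)
    print("verify correct:", verify_password("hunter2", salt_a, digest_a))
    print("verify wrong:", verify_password("hunter3", salt_a, digest_a))
```
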
> Well, there are tons of different DRM algorithms, but none of them are backed by secure cryptography since you cannot logically restrict people from "saving" but not from "viewing"
Actually you can, but this requires a smart viewer. You send encrypted data into the viewer, where the data is decrypted. Secret keys are stored inside the viewer, and retrieving them is a hard task. Of course, that requires a DRM-enabled display, a participating video card, drivers, etc.
It's clear they didn't really care whether you got to the files or not; I think they were just covering their legal asses. (Didn't matter in the long run, it would seem).
I had a Tidal trial and was trying to see how encrypted their lossless music was. It uses some Chrome NaCl executable to decrypt, then play the music. In any other browser, you cannot play HiFi music since they do not support NaCl.
That seemed like a good solution to DRM encryption.
At the end of the day though, people can just record the input on their sound card if they really wanted...
They weren't sued "anywhere": sued to hell just means they were sued out of existence -- and that is, literally, true. Or that's how I, as a non-native speaker, see it, and why I thought it was correct.