Private Apple AirPlay key released, could lead to unauthorized third-party uses - Page 2

Ok let me be clear about my philosophy about hacking because my metaphor was't that good.

Let's say you have a server that gets hacked by someone from China. Do you send a hit squad to China, cut off all access to your server from China IP addresses, try to hack back in revenge? No you beef up your own security and prevent anyone from exploiting you in that way again.

Apple assumed that people would play nice and ethically with their device. Bad assumption regardless of the moral high ground. Sure the guy made Apple look bad, but he did very little harm to them. Apple can fix it and learn not to be so clever by half like hiding something in plain sight.

Of course the right thing to do would have been to inform Apple prior to releasing the hack and we don't actually know if he did that or not, but it doesn't look like it.

Well, I don't think you're right about video. I stream to my Apple TV 2 very often. I even have an app that allows me to stream to a computer.

I hope it's not just to make money licensing that Apple has held back the capabilities of AirPlay. Well, maybe it is. But the way to become a standard is to open it up and allow all kinds of people to use it.

The G2 AppleTV was given AirPlay support with iOS v4.2 in NOvemeber 2010 and video AirPlay support via 3rd-party apps with iSO v4.3 in March 2011.

http://en.wikipedia.org/wiki/IOS_ver...tory:_Apple_TV

They can update the public/private keys via a software update, but the moment they issue that update the new private key will be known to those that care enough to disassemble the code.

This metaphor isn't that good either. Assuming that China has a law against hacking someone else's server (like in the US and other places). You would go to China and file both a criminal complaint and a civil complaint against the hacker. Hoping to punish him for the harm/offense he did to you. Meanwhile you will go and beef up your server defenses.

I'm curious, what is the legal ramifications of stealing and using an encryption key? As more and more people work and store things on-line there will be bigger and greater use of encryption. And if there isn't currently any laws against misusing encryption keys there will be in the near future. Just like the house lock mentioned above it will be against the law to use a found or hacked key to gain access to items you weren't authorized to access.

Not really, they will be using DLNA to do that, I can do that with my phone at the moment, a lot of new TVs have DLNA support built in.

The DMCA includes language spelling out the fact that reverse engineering for the purposes of creating interoperation between software programs is specifically permitted, provided some ground rules are observed.

Section 1201 (f) (1) allows circumvention of effective protection measures (eg. bypassing cyrptographic keys) for the purposes of reverse-engineering the techniques needed to achieve interoperability, provided said information, necessary to producing an interoperable product, is not already readily available to the person performing the reverse-engineering.

(In this case, it seems to me, if the person performing the reverse engineering attempted and failed to ask Apple directly for the necessary information to create an independently interoperable software program, then it follows inexorably that said information is not, in fact, "readily available" to the person performing the circumvention, and therefore, 1201 (f) (1) is directly applicable to them. If they made no such attempt, then they probably shouldn't have proceeded... Or, at least, they shouldn't have brought attention to themselves... I guess it depends on the accepted definition of "readily available" -- is it defined as something that is already published in an open standard, so that the researcher needs do nothing more than passively look it up? Or is it defined as something that the researcher needs to do more active legwork to achieve?)

Section 1201 (f) (2) allows production of tools and software that uses the circumvention of those effective protection measures (eg. bypassing cryptographic keys) to actually enable 3rd party software programs to achieve said interoperability.

Section 1201 (f) (3) sets out the conditions under which it is permissible to redistribute the information and software tools derived from the two steps above.

And, as stated previously, all this depends on whether the researcher/hacker/whatever-you-call-him lives within the jurisdiction of the USA -- if not, then accusing him of being a felon for having violated the DMCA is, quite frankly, jibberish. Judging by the context I can glean from other portions of the blog, it appears that the work was done in Sydney, Australia.

I think this means we may see an attempt at adding Airplay support to a hacked Gen1 AppleTV.

They will, but I'm sure there will be provisions that iTunes video content may require Apple hardware. In the least they would need some way to guarantee people are respecting licensing regulation from the networks or they could get in hot water with the studios.

I think most of the time people have no concept of the amount of red tape that holds things up & how little of it is based on technical or financial reasons. Content providers are often at the mercy of content creators and there is a lot of back room dealing that we never get to see.

Obviously not.

But it would still be illegal for someone to charge something to your card and you'd be very unhappy.

But it's just a number. Apple shouldn't worry about someone stealing their numbers - right? Well then, you shouldn't be concerned about someone stealing your credit card numbers and internet passwords.

I doubt Apple sees this as all that big of a deal. The primary purpose of the key is for third party equipment manufacturers. None of the legitimate manufacturers that need to maintain a good working relationship with Apple are going to use this hacked key.

I doubt Apple is overly concerned with what hackers and cheap Chinese equipment manufacturers are going to do with it.

I agree. Now that I have looked into the process a little bit through the source code provided, it appears that there is really is no other way to do what needs to be done. You need to send the data encrypted to make sure it is being sent an received through the same server/client request and the only way to do that is with a public/private key. Usually the two devices that need to do that are physically separated across the internet but in this case the client is the iPhone and the server is the aTV, and both are in the same room. So Apple may do nothing in response.