[cap-talk] Capability control vs. the status quo

[Toby Murray]

A real world quasi-"communicating conspirators" example:

The iTunes application allows users to buy music online. When one
purchases a song using iTunes, the song is downloaded and can then be
played on the computer.

In order to try to control the extent to which these songs can be
shared, the audio in these songs is encrypted.

The QTFairUse6 program can be used to remove the encryption from the
songs that they have purchased  -- although I expect this isn't exactly
a legal thing to do.

It works by co-opting iTunes into acting as a communicating conspirator,
roughly as follows:

- QTFairUse6 attaches to the iTunes process and uses the Windows COM to
instruct iTunes to start playing back the encrypted song
- in doing so, iTunes first decrypts the audio before sending it to the
sound card
- Before playback begins, QTFairUse6 patches the memory image of the
iTunes process to redirect the decrypted audio so that instead of
heading to the sound card, it is intercepted and written to disk.

In effect, iTunes has the authority to read the plaintext audio. It
chooses not to share this authority by not exposing the key used to
encrypt the song. However, it can be used as a proxy (via its COM
interface) to allow a thirdparty access to the plaintext by suitably
"confusing" it (patching its image in-memory to reroute the audio
output).

Communicating Conspirators is certainly alive and well in the status
quo.