Hacking the Xbox, free in honor of Aaron Swartz

Bunnie Huang's seminal book "Hacking the Xbox" is now a free PDF, released thus by the author in honor of Aaron Swartz. "Hacking the Xbox" is the "Our Bodies, Our Selves" of reverse engineering -- a brilliant and accessible text setting out the case for and the practicalities of reverse engineering and taking control of your devices.

I agreed to release this book for free in part because Aaron’s treatment by MIT is not unfamiliar to me. In this book, you will find the story of when I was an MIT graduate student, extracting security keys from the original Microsoft Xbox. You’ll also read about the crushing disappointment of receiving a letter from MIT legal repudiating any association with my work, effectively leaving me on my own to face Microsoft.

The difference was that the faculty of my lab, the AI laboratory, were outraged by this treatment. They openly defied MIT legal and vowed to publish my work as an official “AI Lab Memo,” thereby granting me greater negotiating leverage with Microsoft. Microsoft, mindful of the potential backlash from the court of public opinion over suing a legitimate academic researcher, came to a civil understanding with me over the issue.

It saddens me that America’s so-called government for the people, by the people, and of the people has less compassion and enlightenment toward their fellow man than a corporation. Having been a party to subsequent legal bullying by other entities, I am all too familiar with how ugly and gut-wrenching a high-stakes lawsuit can be.

Read the rest

Help reverse-engineer Vimeo's anti-downloading measures

JWZ wrote his own Vimeo downloader (and uses other Vimeo downloaders like Miro), but it's stopped working, because Vimeo's got new countermeasures.

I really rely on Vimeo downloaders for my own watching, since Vimeo's network buffering is so terribly broken and performs so poorly in bad network connections. Any time I really want to watch a video on Vimeo -- especially if it's more than a few minutes long -- I download it and watch it with VLC.

JWZ is looking for help reverse-engineering the measures Vimeo uses to stop video downloading. If you've got the time and inclination to help him, that would be great (it would also really help me write about and link to more Vimeo files here!).

On a private video, when you hit "Play" in either the Flash player or the HTML5 player, it loads "http://av.vimeo.com/Nx5/Nx3/Nx9.mp4?aksessionid=HEX&token=CTIME_HEX2" which returns the full MP4. Those URLs go 403 after some small number of minutes, and it loads a URL with different hex each time you hit play (though the decimal numbers stay the same), so presumably the ctime is a part of the hash.

The fact that this works in the HTML5 player means that they are computing those URLs from Javascript somehow, rather than with a secret key that is baked into their Flash player, so that's promising. But I don't have a lot of experience reverse-engineering gigantic Javascript apps.

Since it will be the first thing you find when googling, let me point out that the old moogaloop URLs like "http://vimeo.com/moogaloop/load/clip:ID" are 404.

Read the rest

Mobile ad