Oh, IT'S ON. After months of eager anticipation, it looks like either Viodentia has finally come out of hiding, or s/he's passed the torch on to another (Doom9 forum user Divine Tao?) -- but either way it looks like MS DRM IBX components up to version 11.0.6000.6324 are good to go with the latest version of FairUse4WM, v1.3 Fix 2 (read: this is the update we know you've all been waiting for). We haven't yet confirmed ourselves, but feel free to tell us whether you got a sweet taste of DRM freedom without having to continue using XP and Windows Media Player 10 with that subscription music service.

[Thanks, Abdul and Adam]

Hey Viodentia, you can come out of hiding now -- we have good news for you and the rest of the DRM-hating world. Microsoft has gone home with its tail between its legs, and very, very quietly dropped their lawsuit against you. (In official terms, they filed a notice of voluntary dismissal of all claims with the Seattle Federal court.) For those not in the know, Microsoft charged Viodentia with "copyright infringement" after they showed the world how easily FairUSE4WM could circumvent its PlaysForSure DRM. Microsoft's reason for dropping the charges? Simply enough: they couldn't find Viodentia. Hey Microsoft, instead of trying to shackle those of us interested in the fair use interoperability of our music, why not redirect your substantial legal resources to negotiate some DRM-free music (and video while you're at it) with the majors? We hear EMI might be interested.

[Thanks, Steven J.]

After yesterday's news that Microsoft was launching a lawsuit campaign against the John Does responsible for FairUse4WM, we weren't expecting the next volley to come so soon. So it's somewhat contrary to expectations that Viodentia has released the newest version of his software to counter Microsoft's latest PlaysForSure IBX update (dated 9/23, regarding the memo which we recently printed). We asked Viodentia about Redmond's accusation that he and/or his associates broke into its systems in order to obtain the IP necessary to crack PlaysForSure; Vio replied that he's "utterly shocked" by the charge. "I didn't use any Microsoft source code. However, I believe that this lawsuit is a fishing expedition to get identity information, which can then be used to either bring more targeted lawsuits, or to cause other trouble." We're sure Microsoft would like its partners and the public to think that its DRM is generally infallible and could only be cracked by stealing its IP, so Viodentia's conclusion about its legal tactics seems pretty fair, obvious, and logical to us. An American megacorp swinging around bogus indictments in order to root out a hacker? Surely you jest!

Microsoft filed a lawsuit in federal court last Friday against "John Does 1-10," for breaking their PlaysForSure DRM software. The defendants include Viodentia, the famed hacker who has now twice broken Microsoft's DRM through his application FairUse4WM. Microsoft alleges that Viodentia and his posse infringed on the company's copyright by creating and distributing their program. From what Viodentia told us in our interview with him yesterday, we know that he doesn't live in the US, so it's unlikely that this suit will have any meaningful effect on him for now. Further, given that Microsoft admits that it doesn't know how to find Viodentia -- and we assume that a hacker of his caliber would be good at covering his online tracks -- this suit appears (again, we invoke the "we are not lawyers" clause here) to actually be a way to get at the records of Google and Yahoo, where Viodentia is said to have email accounts. A declaration filed yesterday in Seattle federal court by Andy Cookson, a Microsoft investigator, states: "Among the third parties who have possession of such information are email service providers Yahoo! and Google. Subpoenas to those entities is likely to provide information about the defendants' locations, and also provide additional information about third party services used by the defendants. With such information, through subpoenas to third parties, it is reasonably likely that I will be able to identify defendants." In other legal filings yesterday, Microsoft declared that it "expects to complete its Doe discovery and identify defendants in 120 days."

[Thanks, resource]

Instead of our usual run of interviews with industry luminaries and the like, today we're aiming the camera a different direction. We had a few things to ask the person whom we've identified as Viodentia, the creator of FairUse4WM -- the thorn in Microsoft's (and Yahoo's, and Napster's, and Real's, etc.) digital media business for a month now. Seems at once likely and not that the big DRM scheme developed by the largest software company was broken and broken again by a single person, but here we are -- and here's what Viodentia had to say about the digital music business, where Microsoft went wrong with PlaysForSure, and what s/he thinks about this latest memo and patch.

Thanks for granting this interview. So FairUse4WM caused quite a stir. How long did it take you to crack Microsoft's PlaysForSure DRM? Was anyone else involved?

Finding a way to extract key information took about a couple of weeks of spare time. Going from a prototype to a more general tool took a couple of months. I am the only developer, although my friends served as early beta testers and sounding boards, and with the initial release I've gotten to know some very helpful people.

So apart from any ideological or political distaste you may have for DRM, do you have any personal reasons for wanting to crack Windows Media DRM? Like, are you a Rhapsody or Napster subscriber?

No, due to geographic location, I'm unable to subscribe to those services. Only my selfish rationale is the challenge in pitting my skills against the industry leader.

Without revealing the secret sauce, what were the fundamental flaws with PlaysForSure that allowed you to break it? Did Microsoft know about these flaws?

Once code is released, there's really nothing secret anymore -- Microsoft didn't follow standard security practices, and left sensitive data unencrypted on the stack while calling routines out of kernel32.dll. Even when they fix this by changing malloc() to alloca(), it'll still be a big task to audit other sensitive routines for DLL calls. On a theoretical level, they have to send the decryption keys outside of their control, and their only defense is through obfuscation.