Hacker News
by quenix 1404 days ago
I was under the impression that all audio Spotify serves is heavily DRM-ed and can only play with special hardware decoders which respect the DRM?

How was this person able to play the encrypted audio? Does this not let them effectively rip music from Spotify?

8 comments

Spotify DRM is basically security through obscurity. It's just AES-128-CTR over a plain old OGG file. The tricky part is figuring out the extremely odd protocol you have to request audio keys and track data through. That's all.
Sounds similar to many encrypted HLS streams you see on the internet.

If you're savvy enough to watch the network tab in the browser devtools, you can grab the key and easily decrypt and assemble the chunks. You can even find reference implementations on GitHub (hls.js for instance).

The DRM has been broken for years, and is still broken (I personally wrote a Rust client to grab music from Spotify in .ogg format) but their lawyers rabidly take down any reference to decrypting it on GitHub or anywhere else, because well, the implication.
A funny IASIP reference, you love to see it
It's not, really – AFAIK the audio is just AES-encrypted with a per-session key that you get when logging in (but it's been a long time since I looked). There are a bunch of open implementations, like https://github.com/librespot-org/librespot – I guess it's kind of an open secret that you could rip music if you really wanted to, and you certainly used to be able to do that with libspotify when it was still around. I imagine the lawyers will come for you if you're silly enough to bang on about it.

Certainly there's no need for "special hardware decoders" – Spotify works on loads of devices that have no support for that kind of thing.

Does Spotify watermark their streams?
They would be silly not to!
They would be silly if they do. That music is not their property and they have no exclusivity. Why would they care if it gets distributed elsewhere?
Just some context: Spotify's official iOS library used to serve streaming [unencrypted, 'raw'] PCM data to the app for playback[1]

"The good old days"

[1] Trace of this, from 2013: https://stackoverflow.com/questions/20614360/does-the-libspo...

I don't know how special those decoders could be, obviously not Spotify-specific. Unofficial clients that want to stick around tend to require a premium account, libspotify/spotifyd on Linux for example.
You can download L3 CDM from GitHub, or even dump your own using wvdumper/dumper. Then it's just a matter of making a request to Spotify License server, which returns key for decrypting.
Does your PC or phone have special hardware decoders from Spotify?

Can you play Spotify on your PC or phone?

I mean, both your PC and your phone will have special DRM-compliant hardware decoders available. Whether Spotify is using those or not is another question, but yes, the CPUs in phones/PCs are equipped to decrypt DRM-secured content.

(one "interesting" case around that was that some OnePlus phones couldn't play Netflix in resolutions higher than 480p, because despite the Snapdragon chip supporting the DRM format required for higher resolutions, OnePlus never paid the licence to use it - so their phones couldn't decrypt the video. They did relent later and said they will enable the functionality for users who send in their phones, and it can only be flashed in person at their service centre, not via an OTA update. I always wondered how many people have done that)

Yes, my PC and phone most definitely do.
They just need to be a less convenient way to pirate music and no one will really bother; a lot of popular music gets pirated before it even hits Spotify anyway.