MP3.com's Beam-It

Mutok pointed us to MP3.com's new Beat It program. It is of course windows only which means I've never tested it, and functionally it works almost exactly like a collection of Perl scripts Nate and I hacked out a year ago to serve our personal collection of MP3s. Basically, the software checks if you have a CD, and it tracks your collection. Then you use the software to track playlists and play your MP3s. There are a lot of interesting legal problems here, and the potential for abuse is high. But dangit if this isn't the future of music, I'm gonna be cranky. Now can I please have a Linux port?

Strong Security Possible w/ Hashes

[Brian+Ristuccia]

If the system was properly designed, it would be very difficult to spoof your possession of a CD without actually having some sort of access to a complete copy of it.

For example, mp3.com could keep a sizable portion or complete copy of the unencoded track around at their site. Then they could ask you to take a random number of bytes at a random offset, append a random key string they specify, and hash it with a strong hash algorithm. On their end, they would do the same, and you'd be denied access if the results did not match. In this case, you'd need to have the sizable portion of the unencoded track on hand to answer their responses - or act as a man in the middle with a friend actually having the CD.

The connection wouldn't need to be encrypted as hashes obtained from sniffed connections would be useless because the key string would be specified by the server and change on every attempt.

/.

[Signal+11]

Oh my god, somebody copied Rob's code again! Look - it's over there, somebody copied an idea of his! That page has banner ads on top and links on the left-hand side of the page. THEY COPIED ROB! Oh my god - there's another site - cnn.com copied Rob too - they have STORIES on a page along with IMAGES! Oh no, OH NO! And look - even the politicians have ripped Rob off - they're using OPEN FORUMS and FREE SPEECH!

Rob, please... this mp3 thing affects absolutely nobody. I could make the claim it's not unlike my own mp3db program and no doubt winamp could say the same. Or xmms for that matter. Or how about the dozens of geeks that were bored and wrote their own perl scripts? This is just noting the obvious.. it has no implications on the majority of readers here...

What's so illegal?

[anthonyclark]

AFAIK there is nothing illegal about making a copy of CDs you own. (either here in the UK or in the US)

So what is so illegal about storing those CD "archives" at a remote site? Nobody would complain or try to sue you if you stored backup tapes offsite, in fact they would applaude you.

It's the same argument as taping a CD 10 years ago. I may want to tape a CD to listen to in the car, and that is OK. If I then sell or broadcast that tape then I'm breaking the law - I have no problem with that. Fast-forward to today. If I want to listen to music anywhere on my MP3 player then I should be able to.

There's no legal issue here at all. (only the music industry not trusting it's valued customers)

"Beam it" is the correct name

[Otto]

And it seems like a strange program...

The Beam it software gets some info from the CD, to identify it. Then it sends that info to mp3.com, to match with their database. If they have that CD in their database, you can listen to the songs from the CD online.

Question: What's the point? If I have the CD, and I have a CD drive, then play the damn thing. As for being portable, CD's are easily portable now.

The big thing seems to be the sales aspect. If you buy a CD from there, then you can listen to the songs while you're waiting for the cd to arrive via snail mail.

Still, I think that this type of marketing can only go so far. Is any company actually having big success in this type of venture? (selling music online) I know that everyone said is was the next big thing, but you have to take that with a grain of salt. Given the option of spending 5 minutes to find a song as an MP3, and buying it for $1.00 or so, I'll take the 5 minutes.. Legality doesn't bother the majority of people. I mean, it's not an easily prosecutable offense, now is it?

"Your honor, this guy stole a song from us and gave it to... errr.. well, 3 people.. costing us a total revenue of.. umm.. $3.95... errr...."


---

Re:"Beam it" is the correct name

[DeadSea]

I would pay for a service like this if they gave me some things that the CD didn't.

For example, if they embedded synchronized lyrics in each mp3. Or they made sure that each mp3's ID3 tag was filled in completely and correctly.

I really like having the lyrics scrolling by as I listen to music, and adding them myself works, but its slow, to say the least.

Not just windows

[/]

According to this page, it's also available for the macintosh. I know that doesn't help most linux folk, but c'est la vie.

Regarding a cheating client for my.mp3.com

[jdc@pobox.com]

I initially thought this would be easy too; I checked it out a little bit. Look at this (simplified) capture.



->20 20 20 20 20 00
HELO mail=XXXXXXX@earthlink.net vers=0.90 cver=win004 sern=3933243
0a 20 20 20 20 20
AUTH meth=md5 pass=7998e0845cc98a85930b51212204d619
0a 20 20 20 20 20
MDID time=19739 tkof=150,27502,83547,93115,114317,121907,142117,18 6545,197950
0a 00 00 00 00 00
VFCD mdid=508103
0a 00 00 00 00 00
20 20 20 20 20 00
->RVDT trck=1 sect=18032 nsec=203 rate=22050 chnl=stereo bits=17 size=238728
->(238728 bytes of track data)
0a 20 20 20 20 20
-350 size=238728
---more negotiation snipped---
-231 mdid=508103

Okay.

So near as I can tell, they use a challenge/response scheme for authentication. This is fine, and a little debugging will fill in the details there.

Looks like the MDID setup call passes track offsets; note the parameters strictly increase. I'm guessing that the time= parameter has something to do with the time the TOC on the disc was burned, but I have yet to try to correlate it to actual time in seconds.

After the MDID call, we get 232 back; then the real fun starts.

VFCD kicks off what looks like a pretty solid verificatation process. The server uses 331's to ask for random numbers of seconds from random sector offsets, and the client replies with RVDT's and track data.

If all the tracks are verified, a 231 is replied from the server with the 'mdid', and the connection hangs up.

That's as far as I've gotten.

Looks pretty solid to me thus far. I have yet to try beaming the same disc twice from two different machines; if the verification code always asks for the same #seconds and starting sector, obviously we can build a db, and we're golden.

Anyone interested in continuing this work, drop me a mail.. (jdc@pobox.com)

Will this really be the future?

[Chilles]

I'm still not so very sure if this is going to be the future of music. Even though I can download every piece of music I might ever want from the internet I keep on coming back to my (on-line or not) music store to buy my favorite music in hardcopy, complete with a nice booklet maybe for once not a diamond box and a few pictures of my (at that moment) favorite artist.
I want to be able to hold that box, look at it while listening to the music on my home stereo for the first time. I'd be hard pressed to find an attractive software equivalent for that.
Now I suppose there are a lot of people out there that don't need that physical representation of their music but I do and a lot of my friends agree with me.
The day that the only way to obtain the newest music of any of my favorite artists is by downloading an MP3 (or something like that) will be a sad day for me indeed.

My guess is that on-line music will perform a function similar to pay-tv, you subscribe to get a nice selection of music sent to you instead of some lame DJ's selection. Or a live registration of a good concert or a pop-festival.

Maybe they'll even cut back on the commercials if you pay them a little.

Mp3 Anytime - Anywhere for Linux Users

[szyzyg]

Oddly enough I posted this story last week but Slashdot ignored it..... Perhaps because I pointed out that the whole site is an exact carbon copy (check some of the html and layouts) of Myplay.com.

Myplay have been offering an online storage system like this for free for the last 4 months and they don't force you to use their technology, or limit you to streaming only.

So - for all you Unix users who don't want to cart a CD selection back and forth here's an online music HOWTO

(1) Get CD Paraoia or cdda2wav
(2) get LAME
( You can also get GRIP - that's a fancy GUI system that uses GTK - nice and easy)
(3) Extract your favourte CD audio to .wav files
(4) encode .wav files to .mp3 files using LAME
(5) Delete the .wav files

then....
(6) Get XMMS
(7) Listen to your funky mp3's


Now for the anytime/anywhere part....
(8) go to Myplay.com
(9) Get an account (they're free)
(10) upload your chosen tracks
(11) Listen to them wherever you go


okokok but there's more

If you want to show off your music taste you can assemble your favourite tracks into public playlists which anybody can listen to - so it's like creating a radio show. (they use icecast for this BTW)

Plus they've also got a few free tracks, both from themselves and from affiliates like emusic.com....


SO.... my.mp3.com is not Innovative... it's a copy.

So - why isn't myplay in the related links box?

Re:Not another NAPSTER

[Stavr0]

it actually checks to see if you own the cd

I C. How shall I hack thee, let me count the ways
- Sniff packets, then fudge up a client
- Repository of track/length sector aka CDDB
- Fake CDaudio driver that returns above info.
- Forge packets for upload to MP3.com

Yet another ill-conceived attempt at enforcing the unenforceable.
---

What's the difference between this and radio?

[The+Babushka]

Ok, here's a thought... What's the difference between this and an all-request radio station? Answer: You *own* the CDs already (at least in theory).

Think about it. If there were a request radio station, and you were the only listener, is there a law preventing them from playing whatever you request? So what's to stop MP3.com from just streaming to you personally *ANY* music you choose to listen to? (Regardless album ownership.) It's theoretically no different than request radio.

Yeah, we can *record* a media stream, but I can also record songs off the radio. What's the difference? Just because this is more customized? Because it's on the Internet? Big whoop -- every real life radio station tries to do this exactly: play songs I want to hear. It just so happens that online they can do it to perfection through mass customization.

I don't think MP3.com has gone far enough! I shouldn't need the CD to listen to music - I should be able to listen to ANYTHING they have available.

Waste of bandwidth

[ucblockhead]

This seems like a huge waste of bandwidth to me.

Twenty CDs and a backpack has a higher bandwidth then I have at work...

(Or maybe it is just this new 20 gig HD I got here at work. I've been copying CDs to it for a week now. I have almost a hundred here. Why would I want to download each time I listen when I can just save them to the HD? This seems better than wasting company bandwidth each time I get the urge for NIN.)

Why, oh why is everyone pushing all this connectivity stuff when the thing that is improving the least in most computer systems is the bandwidth? You can get a 27 gig drive for $200 now. That just cries out for new applications, but all these companies can come up with is new ways to send too much information through tiny little holes. I don't want my music to skip just because I'm downloading a new Quake patch.

New app: cheap motherboard+large hard drive+good sound card->awesome stereo.

There *will* be a linux port

[Thomas+A.+Anderson]

I emailed them the day it came out, and asked them about a linux port. I got an email back from an engineer saying they are working on it as fast as they can. Then I got an email from some suit saying "thanks for the email, blah, blah, blah" that didn't even address my question. A good friend of mine wqorks for mp3.com, and he says that almost everyone there sues linux, and a linux version is definatly coming. Another question, off topic, how come I submitted this story last week and it was rejected? Sure, it's not a great slasjdot story, but now the news is 1 week late making it even less interesting. Just my 2 cents.

BeamIT Packets Unencrypted

[Noke]

I did some Packet Snffing of the BeamIT client-to-MP3.com last night and determined that the CD info sent to MP3.com is not encrypted, making it quite easy to proxy-spoof mp3.com into thinking you own CDs that you do not.

The data on the CD sent seems to go a track-at-a-time and isn't the conventional format that you send CD data to CDDB. Instead, it seems to focus on the sector start and end positions for each track and some additional information.

Nontheless, I suspect that unless MP3.com reworks their protocol to use encryption, it will jsut be a matter of time before someone fully reverse-engineers the protocoll and "Beams" hundreds of CD's that they do not own. I wonder what the recording industry will think of that?