Slashdot Mirror


Security Analysis of My.MP3.com and Beam-It Protocol

Serg writes, "Potential ammo for the upcoming MP3.com trial? From a member of the Rice University CS Dept: "We found the protocol to provide strong protection against a user pretending to have a music CD without actually possessing it; however, we found the protocol to be unnecessarily verbose and to include information that some users may prefer to keep private." You can grab the report in either PS or PDF format."

164 comments

  1. sell out with me tonight by BadERA · · Score: 0

    this whole issue is entirely corporate -- corpA trying to make money, corpB claiming that corpA's profit-making activities are causing corpB to lose money ... and yet it all comes back to something that, at one time, had huge potential for the little guy ... what happened?

    --
    I am, therefore you think.
  2. Score one for MP3.com by thrash_ · · Score: 0

    It's good to hear that they didn't add more grease to the fire.

    1. Re:Score one for MP3.com by arivanov · · Score: 2
      Score 10.

      They have shown that you can actually implement a secure sale of media content, and how to do it.

      Something Mr Valenti and the MPAA/RIAA crowd have yet to understand. If you want to use challenge response and/or encryption it makes sense if and only if it is personal. Period. Otherwise it will always get cracked. And the moment it gets cracked everybody gets it.

      The most important fact in this article is that even after successfully reverse engineering beamer you cannot steal CDs from MP3.com and violate the (C) laws.

      A good lesson to MPAA on how to design your marketing and protocol specs properly.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
  3. Who cares by MaxVlast · · Score: 1

    That's really what this all boils down to in my mind. Lots of people with vested interest are worried about something that they can't stop. And they'll make life obnoxious for all of us for a very long time.

    --
    Max V.

    --
    There should be a moratorium on the use of the apostrophe.
    Max V.
    NeXTMail/MIME Mail welcome
  4. security by Signal+11 · · Score: 2
    Yes, but it's still dependent on client-side security, not server-side where it should be - which is like another well-known product: AOL.

    It WILL be cracked, it's just a matter of time... client-side security doesn't mean much anymore.

    1. Re:security by geirt · · Score: 2

      No, it can't be cracked, because the key is much larger than the data the key is protecting (key=uncompressed audio data on cd, data = compressed mp3 audio). This is close to a "one time pad", the only crypto algo proved to be "safe".

      --

      RFC1925
    2. Re:security by Sloppy · · Score: 1

      It WILL be cracked, it's just a matter of time... client-side security doesn't mean much anymore.

      That's what I thought too, before I read this. I figured it would be too easily crackable. But if you read this paper, and you believe these guys who wrote it, then it looks pretty good. The client sends raw CDDA data (from an unpredictable(?) offset) as part of a challenge, and this is checked at the server. I dunno how I would spoof it. I guess I'm a convert now.

      There's still a lot of potential for account sharing, though, and the paper even mentioned it. (Along with a totally impractical "solution" for it.)


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    3. Re:security by gammatron · · Score: 1

      It's nothing like a one time pad at all. This is authentication, not encryption.

      --

    4. Re:security by Anonymous Coward · · Score: 0

      Read the paper, Signal_11. It has been cracked. In fact it was completely reverse-engineered (DMCA be damned!). The security still holds up. I really don't know what you mean by "dependent on client-side security", since authentication takes place over on mp3.com's servers. The client just provides some randomly selected data. Evaluation of that data occurs over at 3's place.

    5. Re:security by PylonHead · · Score: 1
      Your posting makes me wonder if you read the article very carefully. From the text:

      Of the approximately 2500 sectors requested by the server, only 100 or so were requested 2 or more times and no track was requested more than 3 times. The server appears to be sampling the disk purely at random.

      This is not client side security by any definition of the term. You are transmitting random sectors from the disk to the server for verification, not a checksum, not a thumbs up or thumbs down, but the raw data. The only way you can fake this is to have a complete copy of the CD in your possession.

      They've really done a good job with this. Kudos to MP3.com for thinking it out.

      --
      # (/.);;
      - : float -> float -> float =
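A constructed simulation of the challenge/response PylonHead and the story summary describe: the server picks sectors at random, the client returns the raw CD audio for those sectors, and the server compares it byte for byte against its own rip. This is added example code, not MP3.com's client or the paper's; the disc contents, the 300-sector discs and the 20-sector challenge length are made up, and it shows why neither a different disc nor a recording of an earlier session answers a fresh challenge.

```python
"""Simulation of a Beam-It style "prove you hold the CD" exchange.

Constructed example, not MP3.com's code. The server owns a rip of every
disc it offers and asks the client for the raw contents of randomly chosen
sectors; it accepts only if every returned sector matches its own copy.
"""
import hashlib
import hmac
import secrets

SECTOR_BYTES = 2352   # bytes of PCM audio in one CD-DA sector
CHALLENGE_LEN = 20    # sectors per challenge; constructed (the paper saw ~2500 per disc)


def make_disc(label, num_sectors):
    """Constructed stand-in for a pressed CD: sector i of disc `label` is a
    deterministic function of (label, i), so two clients holding the same
    disc see identical bytes and two different discs never collide."""
    sectors = []
    for i in range(num_sectors):
        block = hashlib.sha256(f"{label}:{i}".encode()).digest()
        sectors.append((block * (SECTOR_BYTES // len(block) + 1))[:SECTOR_BYTES])
    return sectors


class BeamItServer:
    """Holds the reference rips and runs the challenge/response."""

    def __init__(self, library):
        self.library = library   # disc_id -> list of reference sectors
        self.pending = {}        # session -> (disc_id, offsets)

    def issue_challenge(self, session, disc_id):
        num = len(self.library[disc_id])
        # Uniform sampling with replacement; repeats are allowed, which matches
        # the paper's observation that a few sectors were requested twice.
        offsets = [secrets.randbelow(num) for _ in range(CHALLENGE_LEN)]
        self.pending[session] = (disc_id, offsets)
        return offsets

    def verify(self, session, responses):
        disc_id, offsets = self.pending.pop(session)
        reference = self.library[disc_id]
        if len(responses) != len(offsets):
            return False
        # Compare the raw audio itself, not a checksum of it; compare_digest
        # keeps the comparison time independent of where a mismatch occurs.
        return all(hmac.compare_digest(reference[o], r)
                   for o, r in zip(offsets, responses))


def answer_from_disc(disc, offsets):
    """Honest client: read the requested sectors straight off the CD."""
    return [disc[o] for o in offsets]


def answer_from_capture(captured, offsets):
    """Client without the disc that only holds sectors seen in one earlier
    session (offset -> bytes). Any offset it never saw has to be guessed."""
    return [captured.get(o, bytes(SECTOR_BYTES)) for o in offsets]


def replay_pass_probability(num_sectors, known, challenge_len=CHALLENGE_LEN):
    """Chance that a fresh challenge only hits sectors an old capture already
    contains: (known / num_sectors) ** challenge_len."""
    return (known / num_sectors) ** challenge_len


def run_session(server, disc_id, responder):
    """One full exchange; `responder` maps offsets -> list of sector bytes."""
    session = secrets.token_hex(8)
    offsets = server.issue_challenge(session, disc_id)
    return server.verify(session, responder(offsets))


def demo():
    """Outcomes for an honest owner, a holder of a different disc, and a
    client reusing the sectors from one recorded session."""
    disc_a = make_disc("album-A", 300)
    disc_b = make_disc("album-B", 300)
    server = BeamItServer({"album-A": disc_a})

    owner = run_session(server, "album-A", lambda offs: answer_from_disc(disc_a, offs))
    wrong_disc = run_session(server, "album-A", lambda offs: answer_from_disc(disc_b, offs))

    # Record one honest session, then try to answer a new challenge from it alone.
    captured = {o: disc_a[o] for o in server.issue_challenge("recorded", "album-A")}
    server.pending.pop("recorded")
    replayer = run_session(server, "album-A", lambda offs: answer_from_capture(captured, offs))

    return {"owner": owner, "wrong_disc": wrong_disc, "replayer": replayer,
            "replay_odds": replay_pass_probability(300, len(captured))}


if __name__ == "__main__":
    print(demo())
```

The recorded session covers at most 20 of 300 sectors, so the odds that a fresh 20-sector challenge lands entirely inside it are below 1e-20; a checksum-style token, by contrast, would be the same fixed value every session.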
  5. What I don't understand by um...+Lucas · · Score: 2

    Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

    If you own it, you're going to end up with a much better sounding song in about the same amount of time (or less)...

    If you don't own it, you shouldn't even be downloading the songs in the first place, so stop fighting for Napster, Beam It, et al...

    1. Re:What I don't understand by Maryck · · Score: 1

      Ripping your music to your hard drive is fine when you have a relatively small CD collection, but when you have CD's numbering in the hundreds, it can be a real problem. Plus, services like Beam It make it convenient for you to be able to access your entire library regardless of where you are without having to haul around a huge CD wallet (which can be stolen).

    2. Re:What I don't understand by arafel · · Score: 1

      Fairly short-sighted thinking there, though. What about, say, people listening at work? It means that you can do the beaming at home, then listen to more albums without having to cart tons of CDs into work with you.

      (And no, I don't particularly want to rip everything onto the disk at work, for a multitude of reasons.)

    3. Re:What I don't understand by Epi-man · · Score: 1

      Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

      If you own it, you're going to end up with a much better sounding song in about the same amount of time (or less)...

      If you don't own it, you shouldn't even be downloading the songs in the first place, so stop fighting for Napster, Beam It, et al...


      I am not positive, but I think you are missing the point here. This is supposed to offer a service to allow you to access your CD collection anywhere. No, they don't upload the whole CD to their server, they do random data challenges to confirm you actually own the CD, then they allow you to access their mp3s of that CD in your account. This saves you tons of time ripping and encoding unless you have a mind numbingly fast computer. Yes, it would sound better to carry the CD around with you, but this is an attempt to alleviate that need. As for "If you don't own it...." supposedly in that case Beam It doesn't help you much, since you can't answer the challenges and therefore don't gain access (with the exception of the local cartels idea discussed in the paper).

    4. Re:What I don't understand by ThunderBucket · · Score: 1

      Consider the following case:

      I buy a CD
      I tell beam-it that I own the CD
      I leave the CD in my car
      I can still listen to it at a friend's machine, even if I forget and leave my machine in Windows (no FTP).

      The biggest problem, as the authors noted, is the password-cartel issue. Carrying around hardware auth is about as annoying as carrying around the CD. At least with the current state of the art.

      And the radio man says it is a beautiful night out there
      and the radio man says Rock and Roll lives

      --

      "All I do is eat and poop!" -- Bean
    5. Re:What I don't understand by um...+Lucas · · Score: 1

      I tend to bring a different CD with me to work each day and rip it to my hard drive... Thanks to the wonders of hard drives capacity jumps, i've now got over 24 hours of music accessible to me at work... And it's all mine.

      I also have another CD full of Mp3's (again, mine) that i burned from home... it's another 8 hours.

      In the worst case scenario, just email them to yourself at work; supposing you've got the bandwidth to upload from home to Beam It and download from Beam It to work, you can do the same with your own files and alleviate the middleman that's causing all the controversy.

    6. Re:What I don't understand by jfunk · · Score: 4

      You're forgetting a few things.

      I only have 10GB of hard drive space. That couldn't hold my 300+ CD collection. The space is used for things like software, source code, information and work on various projects, etc.

      It takes much longer to rip a CD than use Beam-It. The most outdated piece in my computer is the 4x CD-ROM that I bought many years ago specifically so that I could use Slackware CDs instead of downloading at 2400bps. I have had absolutely no reason to buy a new CD-ROM, concentrating my budget on processors, hard drives, video, and sound cards.

      With a large CD collection, it gets annoying to be constantly swapping CDs. With Beam-It, I simply leave a browser window open and play arbitrary CDs easily.

      You mention errors. It has never skipped on me yet, the performance is great. The quality is also really good.

      As for privacy, this isn't that much different than buying CDs from a "club." They're not grabbing financial information, email, Netscape history, etc. Them knowing what CDs I have is integral to the system, and I'm comfortable with that.

    7. Re:What I don't understand by bmetzler · · Score: 2
      In the worst case scenario, just email them to yourself at work; supposing you've got the bandwidth to upload from home to Beam It and download from Beam It to work, you can do the same with your own files and alleviate the middleman that's causing all the controversy.

      NO, NO, NO!! You aren't uploading the whole track with Beam-It, just a little "key" to verify that you have the CD. Then you stream it back to your audio player.

      -Brent
    8. Re:What I don't understand by furiousgeorge · · Score: 1

      you're (still) missing the point. You're wasting your hard drive space - potentially in multiple locations (home, work, etc).

      I've beamed almost my whole CD collection in. 1400 songs so far. I can listen to this at home (DSL), at work (T3), or wherever. I no longer have to haul around stacks of disks, nor switch disks, nor waste my own hard drive space.

      No swapping disks, custom playlists, etc etc etc. I'm in heaven.... :)

      >>supposing you've got the bandwidth to
      >>upload from home to Beam IT

      try to follow closer - BeamIT DOES NOT upload your CD. All it does is verify that you actually own it. It takes seconds.

    9. Re:What I don't understand by lee · · Score: 2

      Ok, could you put your expertise where your mouth is? Could you tell me how to rip CDs or point me to resources for doing so? I have RedHat 6.1 installed on a Pentium 75 with 48 MB RAM and an 8GB SCSI hard drive. My CD-ROM is SCSI as well and not very fast. Will this setup work?

      I also have a cable modem and downloading MP3s is quite easy. The difficult part is finding someone who has ripped the same CDs I have.

      I also have lots of tapes from the 80s. They suck for sound quality after too much, but can't I legally have MP3s of the songs from those albums? Why shouldn't I be able to download MP3s of my tapes and vinyl and 8-tracks as well as my CDs?

      --
      --- If you don't want to know the answer, don't ask the question.
    10. Re:What I don't understand by double_h · · Score: 1

      Ok, could you put your expertise where your mouth is? Could you tell me how to rip CDs or point me to resources for doing so? I have RedHat 6.1 installed on a Pentium 75 with 48 MB RAM and an 8GB SCSI hard drive. My CD-ROM is SCSI as well and not very fast. Will this setup work?

      This should work fine. I recommend the program Cdparanoia, which is a free command-line tool that runs under Linux (prolly other Unices too, but I've only used it with Linux). It'll let you turn each track on a CD into a .WAV file, which you then can feed into an MP3 Encoder. Cdparanoia is a *great* program that does its own error-correction, and has worked on every CD-ROM drive I've tried (both SCSI and IDE).

      As far as MP3 encoders go, the most popular free one is probably Bladeenc, also for Linux. To be honest, though, the commercial encoders (which use the Fraunhofer algorithms) *do* sound better than any of the free encoders. I also haven't seen any good commercial MP3 Encoders for Linux, so that part may require a reboot into Windows.

      Be aware that encoding MP3 can be a very time-consuming process, especially if you're only rocking a P75. But this shouldn't be prohibitive - it just means you'll want to fire off a batch job before you go to bed.

    11. Re:What I don't understand by Fishstick · · Score: 1
      Start with Grip. You'll need to get a ripper and encoder to go with it, but I started with Grip and found it is a nice interface for starting out.

      grip homepage

      or you can just do a search on freshmeat for ripping software. Download one, install it and play around with it. It is not that hard.

      I suspect that the reason you can only download mp3 files of CD's you own is not a legal one but a technological one. When you insert a CD into your drive, your PC can read the info (CCDB?) on it and use that verify that you own the CD. Can't do the same thing for tapes or LP's.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    12. Re:What I don't understand by jandrese · · Score: 1

      I take it you have never tried to stream audio over a modem before. Nobody encodes MP3s at 48kbps anymore, for good reason, they sound terrible. Plus whenever I stream audio, the audio invariably breaks up/pops whenever one of the other two people I share the modem with decide to download an mpeg, view a webpage, check their mail, etc...

      --

      I read the internet for the articles.
    13. Re:What I don't understand by Yakko · · Score: 1
      haven't seen any good commercial MP3 Encoders for Linux,

      There is the Xing MP3 encoder for Linux that should work with RHS 6.1. For the $20 I spent on it, it's well worth it (and very FAST!)

      --
      Me spell chucker work grate. Need grandma chicken.
    14. Re:What I don't understand by furiousgeorge · · Score: 1

      >>I take it you have never tried to stream
      >>audio over a modem before.

      I have, but i don't. I don't have to.
      Not trying to state the painfully obvious, but bandwidth is increasing. All my net connections are full speed (T3, DSL at home, etc) and my.mp3 works great.

      The world is going broadband. Sure modems suck to stream, but this isn't meant for modems.

    15. Re:What I don't understand by Dream11 · · Score: 1

      I use the service rather than dragging CDs to work or when travelling. I have access to my entire collection, and can quickly and easily select tracks for the playlist I want.

    16. Re:What I don't understand by rcade · · Score: 1

      Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

      You don't drag CD data "across the Net" with Beam-It ... you drag a code on the CD that identifies what it is. MP3.COM looks for that code in its database of ripped CDs, and if it exists, the CD is added to your private listening area on http://my.mp3.com. The process requires no uploading or downloading -- I beamed a dozen CDs in 10 minutes on a 28.8 connection.

      --
      Rogers Cadenhead (Web: http://www.cadenhead.org/workbench)
    17. Re:What I don't understand by Eccles · · Score: 2

      Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

      I have ~100 CDs. Ripped at 10:1, that's 6.5 gigabytes, or ~80% of my work machine's hard drive. Not to mention dozens of hours of ripping/encoding/editing time. Perhaps your time is of no value, mine is.

      --
      Ooh, a sarcasm detector. Oh, that's a real useful invention.
    18. Re:What I don't understand by Anonymous Coward · · Score: 0

      I don't know how this got moderated up as insightful, it's just wrong. MP3.com does NOT require uploading the music on your CDs. They already have pristine, error-free, optimal-bitrate MP3s on their server.

      You have to insert your own CDs simply for authentication. You do this once when you create your account; it takes just a few seconds per CD.

      If you don't own it, you shouldn't even be download...

      That was the point of the paper in the first place. The Beam-It service has security in place which works, whether or not you bother to educate yourself on it.

    19. Re:What I don't understand by adamsc · · Score: 2
      I take it you have never tried to stream audio over a modem before. Nobody encodes MP3s at 48kbps anymore, for good reason, they sound terrible. Plus whenever I stream audio, the audio invariably breaks up/pops whenever one of the other two people I share the modem
      This is increasingly not a problem as faster connections are becoming increasingly more pervasive, not less. Personally, I haven't needed to use an analog modem in the last two years. Given the millions of people who have cable or DSL, streaming audio is becoming increasingly usable.
    20. Re:What I don't understand by Wah · · Score: 1

      I can listen to this at home (DSL), at work (T3),

      if you're listening at work you either are the network admin, or have him locked in a closet. Nothing clogs a pipe like 30 folks streaming 128kbps MP3s.

      --
      +&x
    21. Re:What I don't understand by davidu · · Score: 2

      What are you talking about? Beam-it has nothing to do with uploading of CDs or encoding or anything. How was this moderated up? This guy doesn't know what he is talking about. Beam-it, according to the report on the site, only sends checksum type info. It doesn't send over whole songs -- that would be asinine.

      Just my $0.02,
      -Davidu

      --

      # Hack the planet, it's important.
    22. Re:What I don't understand by bari · · Score: 1
      This setup should work just fine. I have right now a system ripping CDs (slowly, but surely) using cdparanoia and bladeenc on a P133 with 16MB of RAM and a 4x SCSI CDROM under RedHat 6.1. Having the SCSI CDROM helps a lot, as it uses much less CPU time, allowing you to reasonably encode at the same time.

      -Rob

    23. Re:What I don't understand by sjames · · Score: 2

      The Grip is a nice GTK app. It uses cdparanoia for the actual ripping and your choice of encoders. For encoding, LAME (LAME Aint No MP3 Encoder) is a good choice.

      The CDRom should be OK if it's not actually ancient (and may be OK even then). Things will go slow on a P75 though.

    24. Re:What I don't understand by Defiler · · Score: 1

      Actually, it would take over 300 of those to clog a T3.

    25. Re:What I don't understand by Defiler · · Score: 1

      Assuming that you consider 128kbit to be optimal. Personally, I encode all of my MP3s at 256.

    26. Re:What I don't understand by osu-neko · · Score: 1
      Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

      Well, first of all, it's not that I'm too lazy to rip several hundred CDs onto my hard drive, it's more like no one has invented hard drives large enough to hold my CD collection. Secondly, I don't want to drag them across the net at some arbitrary speed; if I did, Beam-It would be no good, since the speed is not at all arbitrary, it's a fixed 128kbps. Thirdly, what errors? I haven't seen any. And fourthly, I know exactly what songs are there and what ones aren't, so what the hell are you babbling on about?

      If you own it, you're going to end up with a much better sounding song in about the same amount of time (or less)...

      Umm, I guess this line of reasoning makes sense if you're an unemployed munchkin still in school or something, but I happen to have an office, and it's a heck of a lot more convenient being able to bring up my web browser and listen to my CD collection than it would be to drag my several hundred CDs back and forth from work.

      Once you actually get a life yourself, you'll understand how useful Beam-It is...

      --
      "Convictions are more dangerous enemies of truth than lies."
    27. Re:What I don't understand by um...+Lucas · · Score: 1

      I apparently took the wrong angle on this one.

      Before you run off on your assumptions, let me assure you that I too have a desk, office, and name plate...

      Here's my new track: Like Napster, with just a couple of Beam-It users, network bandwidth is going to get sucked dry... 128 kbps adds up pretty quickly. I'd rather see users put the files on their hard drives than see 30 or 40 128 kb streams flowing through the network just to satisfy everyone's listening needs... This will be even more important as businesses switch more and more of their systems to IP... Video conferencing, Voice over IP... as well as regular network tasks, should not have to suffer because people want to have access to their entire CD collection online.

      I mean, a year ago it was unthinkable that this would be possible. Today, already, people take the bandwidth for granted.

      I'm done.

    28. Re:What I don't understand by cpt+kangarooski · · Score: 1

      mp3? How quaint ;)

      320Kbps mp2 for me. (what the hell - disk space is cheap and i only listen to 'em on the computer)

      --
      -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  6. It's not about security by RJ11 · · Score: 1

    The upcoming trial isn't about security, so this is rather irrelevant to that. However it certainly does make a rather nice front.....

  7. When!!!??? by tilleyrw · · Score: 1
    Begin Rant Mode


    When will the MPAA, RIAA, etc. realize that the days of closed-media are OVER!!! The other day, I wanted to listen to that new Marc Anthony tune -- I fired up Napster and downloaded it within the quarter-hour.


    They are trying to protect an outmoded means of media distribution. But like dinosaurs, it may be a while before the brain realizes the rest of the body is dead.


    End Rant Mode

    --
    This post encoded with ROT26. If you can read it, you've violated the DMCA. Handcuffs please, sergeant.
    1. Re:When!!!??? by Anonymous Coward · · Score: 1

      Taking a commercial product without paying is normally known as stealing.

      I hope your argument works well when the RIAA knock on your door and take you to court. Nice of you to put your name and address in your resume too - make it easier for them to find you.


      Saxo Grammaticus

    2. Re:When!!!??? by Cid+Highwind · · Score: 2

      Pay no attention to the parent of this post, "tilleyrw" is just another shill for the RIAA, hammering on the tired old MP3==stealing argument.

      What you did has a technical name, jerk. It's called "theft".

      #ifdef flame
      Assholes like you give all the legitimate MP3 listeners a bad name. If you want to steal, that's your problem, but don't f---ing brag about it on a public message board!
      #endif

      Just because you can steal something doesn't make it right to do so. Just because the RIAA is a bunch of greedy lawyers doesn't justify stealing from them, or from the artists they screw over err... represent.

      --
      0 1 - just my two bits
    3. Re:When!!!??? by MillMan · · Score: 2

      Oh get over yourself. You said it yourself, record companies screw over artists.

      Technology has eliminated the need for this middleman, the record company. Therefore, I will bypass them because they are unneeded. They don't offer me the cost model that I want: Where the album costs at most 5 dollars and about 80% of the money goes to the artist. The technology isn't totally ready as far as bandwidth, but the record companies aren't exactly moving towards this model anyway.

      I buy about 1 cd a month, usually AFTER I've heard it on mp3. So I end up screwing over some artists out of a few cents. Hopefully they'll realize that there are alternatives out there. It's limited as to what's out there, but all we need is one company willing to run the cost structure I just mentioned, and that's all it will take.

      Record companies would rather push proprietary formats with SDMI, or even worse, a pay per play format!!

      Record companies view new technology as a reason for prices to increase for the consumer, while driving their own costs down. This is COMPLETELY unacceptable, and I will not go with it.

      How many CD's are worth 16 dollars? I'd say maybe 10% of my collection qualifies. Do you realize CD prices haven't changed in about 10 years? Am I the only one who is bothered by this?

      The whole stealing argument is legitimate, but it isn't the end of it. Record companies are much more immoral than I could ever hope to be.

    4. Re:When!!!??? by llornkcor · · Score: 1

      You said it yourself, record companies screw over artists.
      Probably mostly true, unless, of course, the artist OWNS the record company.

      Technology has eliminated the need for this middleman, the record company.
      Wrong!!! A record company does a hell of a lot more for the artist than what you think.

      and about 80% of the money goes to the artist.
      Wrong again!!! What about the time it takes to record the damn thing? Or about paying the recording engineers, graphic artists, extra musicians, or even guitar techs that fix the broken guitar strings? There's a lot more going on than you think. And what about the promotional videos? Did you take any of the extra expenses involved with record/CD production into account? The artists do NOT receive 80% of the price you pay. I am sure that the record store where you buy it from makes about a 100% mark-up.

    5. Re:When!!!??? by kdoherty · · Score: 1

      How many CD's are worth 16 dollars? I'd say maybe 10% of my collection qualifies. Do you realize CD prices haven't changed in about 10 years? Am I the only one who is bothered by this?

      You want to make a statement? Don't buy the music and don't pirate it. By not buying the music the record companies lose money, and by not pirating you don't look like a wanker who just isn't willing to spend money for music.

      Yeah, record companies suck. Yeah, CDs are overpriced. So you're not buying the albums, that's great, it's the right tack. I still haven't seen a compelling argument as to why piracy is therefore legitimate. If you're willing to pay $16 to listen to a CD, then pay it and listen. If you aren't willing, then you don't deserve to listen to it. The argument of "I'm not willing to pay therefore I'll just take it" falls flat.
      --
      Kevin Doherty
      kdoherty+slashdot@jurai.net
    6. Re:When!!!??? by Sloppy · · Score: 1

      When will the MPAA, RIAA, etc. realize that the days of closed-media are OVER!!! The other day, I wanted to listen to that new Marc Anthony tune -- I fired up Napster and downloaded it within the quarter-hour.

      People like you are what is holding it back so be careful who you call a dinosaur. Maybe they would have moved to MP3 distribution by now if thieves like you hadn't legitimized their fears of piracy.

      They are trying to protect an outmoded means of media distribution. But like dinosaurs, it may be a while before the brain realizes the rest of the body is dead.

      Ah, so in other words, it may take a while before professional musicians realize that they're not going to get any royalties anymore, thanks to Napster w4r3z/mp3z d00dz, and they finally decide to switch professions.

      Music is not like software. You can't make a living maintaining and supporting music, and its value is not a function of future expected support. It's a finished product. It is intellectual property. The Open Source model doesn't work. (But I think the Shareware model does.)

      When you steal it (for consumption rather than for evaluation), you're fucking someone. You're fucking someone who made something that you enjoy. Is this a sane thing to do?


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    7. Re:When!!!??? by thenerd · · Score: 1

      Liberty is not equal to impunity.

      --
      The camels are coming. I'm in love.
  8. the RIAA's gripe isnt security by festers · · Score: 1

    While I think that this news about beam-it security is very good and will make things a bit more difficult for the RIAA, IIRC their main complaint is the fact that they are "broadcasting" the music. MP3.com is like a radio station where you get to play all your favorites (that you happen to own) without all the commercials and control the industry requires. I think this case is very similar to the MPAA: it's all about control.

    --
    "Every artist is a cannibal, every poet is a thief."
    1. Re:the RIAA's gripe isnt security by Anonymous Coward · · Score: 0

      I'm the shepherd, and I laugh at the black sheep laughing at the rest of the flock.

      I fancy a lamb stew for dinner - the black one'll do, plus I'd like a new black pullover.


      Wingnut

    2. Re:the RIAA's gripe isnt security by Refrag · · Score: 1

      It isn't a broadcast. That's the difference. People that are ignorant about technology think that all of this stuff is the equivalent to broadcasting. It's not. They are not throwing a bunch of data into the air allowing whoever wants to grab it to listen. What MP3.com is doing is sending a customized stream to an individual. This stream only contains music that the user was verified for.

      Even Shoutcast isn't broadcasting. Those 'stations' send a separate stream to each user who requests the stream -- they aren't sending the stream to everyone on the Net.

      --
      I have a website. It's about Macs.
    3. Re:the RIAA's gripe isnt security by homer_ca · · Score: 1

      I think the real issue is the nature of the service. The RIAA wants to treat this like a radio broadcast and charge for performance rights. mp3.com wants to treat it like a private offsite file storage for its users, and they have a good case for it.

      For a few years now companies have been offering file backup services over the Internet (@backup is one of them). One of the ways they reduced network traffic was the way they handled applications. If someone had a common app like Office 97 the backup client would do a checksum on the files and upload a small token to the backup server saying "this user has this version of EXCEL.EXE" or whatever. Then if the user requested a backup the server would send the whole file. To do this they'd need to keep copies of Office 97, Photoshop and whatever else on their servers JUST LIKE HOW mp3.com keeps copies of the music on their servers.

      AFAIK this is how mp3.com has been promoting their service: private network storage for YOUR music.

  9. Good and bad... by spiralx · · Score: 3

    Any user who uses My.MP3.com is inherently giving up a remarkable amount of privacy. My.MP3.com knows every CD in a user's collection that they "beamed" to the server along with the user's e-mail address, network IP address and Ethernet MAC address. An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement. MP3.com's privacy policy does not offer strong guarantees against this kind of behavior, and the ability to opt-out is at the bottom of the user-preferences page - something that most users will never do.

    And that is the reason for this sort of thing in a nutshell. While it sounds like a great idea for people who have a lot of CDs that they want to listen to both at home and at work, they will find themselves at the end of a barrage of "targeted" advertising. The spread of information from MP3.com will be exponential as more and more agencies sell your profile to interested parties. Oh joy, yet more spam. On the other hand, the lawsuit issue could be a good thing. MP3.com have a lot more money than the defendants in the other similar cases recently, and they are a company, able to organise their defence better than we've seen in the DeCSS trial so far. A victory in this case would have implications for the entire issue of people's right to use what they've bought, and for the digital media industry as a whole. Despite the privacy issues, which I don't like, I still hope MP3.com can win this case.

    1. Re:Good and bad... by WayneGayle · · Score: 1

      An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement. MP3.com's privacy policy does not offer strong guarantees against this kind of behavior, and the ability to opt-out is at the bottom of the user-preferences page - something that most users will never do.

      Oh I doubt it. Most people who are going to be using this service are most likely going to be like the people who read slashdot. We have high speed internet access and are at least a little technically inclined. I've opted out, as I always do when I give anyone my email address... -WG

      --

      "America, I smoke marijuana every chance I get."
    2. Re:Good and bad... by Anonymous Coward · · Score: 0

      Why is everyone so afraid of getting targeted vendor communications, assuming we're always going to get junkmail? I can tell you, I much prefer seeing promotional info from vendors/venues that have products I might buy versus the damnable Pennysaver which clutters my box every week... Imagine this scenario: You walk into music store A, and you get the usual product presentation: row upon row of semi-sorted music. Semi-sorted because it's only sorted by alpha in very loosely-grouped genres that don't really fit all the music that's out nowadays. Then you walk into music store B, where they know you personally. The friendly and cute girl behind the counter lights up when you walk in, and cheerfully asks if she can help you find anything today. Of course, the music was automagically rearranged already when you walked in, sorted by the music you're most likely to buy (up at the front) descending to that which you are less likely to buy, ending in a cash register. All the other music is behind a curtain in case you want it (say you're shopping for crazy cousin Louie, who digs zydeco, which isn't something you're likely EVER to dig on.) What's wrong with an intelligent agent, or a personal shopper? If I had the money, (can't wait for that IPO!) I'd never shop alone again; I'd have some beautiful girl at Nordie's call me up when a new suit was in that would look just *great* on me...

    3. Re:Good and bad... by Sloppy · · Score: 2

      My.MP3.com knows every CD in a user's collection that they "beamed" to the server along with the user's e-mail address, network IP address and Ethernet MAC address. An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement.

      Keep in mind that even if they didn't know your CD list, the server would still always know what music you requested to be streamed back to you.

      The only way you can have privacy in this regard, is to use your own stream server (not mp3.com's), and encrypt everything that passes over a public network.


      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  10. WTF? by 348 · · Score: 2
    In the conclusion the report states that there are no significant security issues and that the user must be in possession of the original, also it reads something to the effect of users desiring privacy can use the traditional MP3 "Ripping" software. The architecture fundamentally compromises the privacy of its users to provide a centralized service.

    This is such a major flaw in the whole concept of the product. Understanding the reasoning behind the concept, but I would think they could have found a little better architecture. From a business model, how are they going to promote a product that fundamentally compromises the privacy of the user? Doesn't make sense to me.

    --

    More race stuff in one place,
    than any one place on the net.

    1. Re:WTF? by Hrunting · · Score: 2

      This is such a major flaw in the whole concept of the product. Understanding the reasoning behind the concept, but I would think they could have found a little better architecture. From a business model, how are they going to promote a product that fundamentally compromises the privacy of the user? Doesn't make sense to me.

      People don't care about their privacy to the degree that Beam-It threatens them. It's that plain and simple. We don't want our address information or phone number freely distributed out over the Internet, but we don't mind if people know what CDs we listen to. I personally don't care if they keep a database of the CDs that I frequent. Who cares what music I listen to, and conversely, who do I care knows? People are not being persecuted or harassed for it. The privacy of the user isn't completely compromised; it's just compromised enough to obtain enough information for the product to work. Phone books work the same way. E-mail directories work the same way. It's not a complete compromise, just a partial compromise.

      Of course, many partial compromises can be put together to form the whole picture, but it's already too late for that. If anyone thinks that their privacy is completely secure, they're insane. And in light of that, it's not a big deal (especially from a promotional standpoint) that listening habits could be catalogued.

    2. Re:WTF? by MindStalker · · Score: 2

      No, I think what the problem is, is that there are some privacy issues with their implementation that do not have to exist for such a program. Basically the 2 problems are that their privacy policy is a joke, and that the user/client gives up information like its MAC address, which is unnecessary for security, so obviously simply used for extra info for My.Mp3.com to collect and sell.

    3. Re:WTF? by 348 · · Score: 2
      There is more to the privacy part than just them keeping a log or database on what music you accessed isn't there?

      I admit I skimmed over parts of the report because it went on and on, but I thought that they tracked MAC address etc, as well as other things. I agree that if they were just logging my music tastes, BFD, who cares, but they are capturing more for the purposes (speculation) of more direct, targeted marketing based on that information.

      I believe that this will get out of hand very fast and create a PR nightmare, reminds me of the Real Player incident where they were capturing information in a way that really wasn't on the level.

      --

      More race stuff in one place,
      than any one place on the net.

    4. Re:WTF? by Cuthalion · · Score: 2

      People really don't mind if others know what CDs they listen to - often quite the contrary. Hell, many people (myself included) spend a fair amount of time publishing a database of their music collection.

      --
      Trees can't go dancing
      So do them a big favor
      Pretend dancing stinks!
    5. Re:WTF? by arivanov · · Score: 2
      WTF is encrypting/challenge-response to an anonymous recipient?

      You either know who is on the other end of the line doing challenge response or you do not. If you do not you do MPAA/DeCSS.

      It is an either/or. MP3 does not keep your exact name and snail mail address. So make sure you use a good mail filter on a proper mail account and write an anonymizer proxy for the protocol and run it from a shell account somewhere (Not like they are not going to get your IP when you request streaming data).

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    6. Re:WTF? by 348 · · Score: 1
      I agree, but two points:

      1) You chose to make public your DB of music likes and by omission dislikes. You made the decision to make this information public.
      2) This architecture can allow the hosting entity to capture this and other information to use as they wish, without consent. Targeted spam etc.

      I would rather be in the position to make a decision to make public this information than to have a service provider capture and distribute the information without me being asked.

      --

      More race stuff in one place,
      than any one place on the net.

    7. Re:WTF? by Anonymous Coward · · Score: 0

      You do have a choice, simply do not use the service. Nothing more to it.

    8. Re:WTF? by MindStalker · · Score: 2

      The encryption challenge responses are challenging random bits of data on the CD you own in your drive. This is a one time only thing, for when you're beaming them your CD to prove you own it. After that you can receive the music without the need for proof.

  11. What does this have to do with anything? by GoofyBoy · · Score: 1


    The paper just reports on the protocol. It's nice work but it's nothing shocking. It might not even be entirely correct.

    I just have a feeling that there is something more important/worthwhile in the submission box than this.

    --
    The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
    1. Re:What does this have to do with anything? by Sloppy · · Score: 2

      This report is important because the protocol is important. Some people (e.g. me) have argued against mp3.com's beaming service on the grounds that it would be easy to spoof, either by reverse-engineering the beamit client, or by writing a virtual CD-ROM driver that returns fake CDDB tags. The guys that wrote this report confirmed that it challenges the client to return some raw CDDA data from an unpredictable offset. That's a lot better than what I feared.

      Maybe it's not important to you, but to me, this information changes my opinion of my.mp3.com's beaming service from an easy-to-crack w4r3z/mp3z server to something a bit more legitimate.


      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:What does this have to do with anything? by Anonymous Coward · · Score: 0

      Then read some other 'weblog'... don't be a whiner... andy roony has a copyright on the mentality...

    3. Re:What does this have to do with anything? by Nagumo · · Score: 1

      Perhaps this isn't "stuff that matters," but it directly fits under "news for nerds." Did you bother to read the article? It is pretty interesting even if it isn't, as you say, "newsworthy."

  12. Why the MAC address? by Acy+James+Stapp · · Score: 2

    Any ideas why they would send the MAC address?

    I would suppose mp3.com keeps an LRU list of the last 10 or so MACs to access a particular account, and denies access if multiple MACs try to access the site at the same time or if accesses occur from too many MACs in quick succession.

    --
    -- Too lazy to get a lower UID.
    1. Re:Why the MAC address? by Anonymous Coward · · Score: 0
      They do NOT deny access if multiple MACs try to access the same account at the same time.

      Two people in two places can stream from one account (while another person or more is beaming CDs to the same account from elsewhere).

      Yes, there is potential for abuse.

  13. Privacy by MattTC · · Score: 1

    I fail to understand how the Beam-It system compromises the user's privacy...although they certainly suffer from the Ralph's Club syndrome, it does not seem like this is something that would constitute a full-scale privacy breach, especially if there is an option to opt out...certainly not on the same scale as the doubleclick cookie issue.

    Maybe I'm just missing something. But then I still use my Ralph's Club card too.

    Not that I find Beam It to be the most useful thing in the world. I much prefer keeping everything on my 36GB HD =)

    --
    --"You can lead a man to knowledge, but you can't make him think."
  14. Says it's safe ! by aav · · Score: 1

    I can't stop myself from wondering why the question on the message is "possible ammo ... "
    After having a brief look at the article two things were very clear :
    1. the guys at Rice showed that the transaction language makes the protocol look a lot like ftp. And we all know that ftp servers are pretty well protected
    2. in the conclusion of the article said (and I quote) " our analysis has revealed no glaring security flaw ... a user must have possession of the original CD (or a bit-for-bit perfect copy ) ... The security of the system is not dependent on the module secrecy"

    I guess it should be pretty obvious for anyone that this article doesn't say anything about the security of the mp3 format. Or of a CD ... So why do you post misleading questions ?

    1. Re:Says it's safe ! by echo1 · · Score: 1

      I completely agree with your last point regarding the security of the CD itself. Section 1.2 (Account Sharing Security) of the paper discusses the possibility of users pooling money to purchase CDs and then share passwords. Why bother using my.mp3 at all. Once you have the CDs you could just rip them and then share them with who ever you want. The CD itself is not secure. Stopping mp3.com would be an unnecessary bandaid when the real problem is that the RIAA needs to find other ways to make money with music, not just through record sales.

    2. Re:Says it's safe ! by Anonymous Coward · · Score: 0
      It doesn't really require you to have the CD image- only quick access to a few random pieces of its data. A hypothetical CD sharing cartel would simply need a server program to provide those bits- either by reading them from an actual CD owned by a member, or a cached binary copy.

      It wouldn't be too hard to code up a Napster style distributed network that displays the titles of CDs in the drives of all currently online users. You'd just click on a title to have the "authentication" executed for your Beam-It account, using verification data automatically requested from the actual CD.

    3. Re:Says it's safe ! by peter · · Score: 1

      Your point about how the protocol looks like FTP is meaningless. The important part is the data that is sent by the protocol, what sequence, and what encoding (encrypted or cleartext, etc.) is used. The other important part is what the hosts are supposed to do based on the protocol commands they receive.

      The fact that something looks similar has no effect whatsoever on security. Security is in the details. (I was going to beat on micros~1 and how their stuff often looks like it's the same as the secure stuff, etc., but I'll leave that as an exercise for the reader :)

      --
      #define X(x,y) x##y
      Peter Cordes ; e-mail: X(peter@cordes , .ca)
  15. Give the buyers some added value.. by morpheus_ · · Score: 1

    I have over 600 CDs in my collection, bought over the last 10 years. I like the idea of being able to satisfy the sudden need to listen to a song while I'm at the office, without having to lug around my CD container, or 60 mp3 CDs (which, as a matter of fact, I have). For the customer, there's much to win. Why do we have to put up with this kind of corporate bullshit then? Fight and win, mp3.com!

  16. Ammo? I think not. by jstepka · · Score: 1

    Potential ammo for the upcoming MP3.com trial?

    I'm going to disagree. The movie editors that work with the movies off their hds are just as liable if they are on a network then. I could simply crack their machine and download their movies. Security holes will always be around, that is why security analysts have jobs.

    --
    Justen Stepka
    1. Re:Ammo? I think not. by Anonymous Coward · · Score: 0

      Uh, dude...

      This has to do with music, not movies.

      And the protocol is secure. The only way to spoof it is to have a bit-for-bit copy of the CD anyway-- in which case, you're already a pirate.

      As for cracking into the servers and downloading all the music-- hey, isn't that illegal anyway?

      Basically, this shows that MP3.com has taken reasonable (and, in fact, quite good) measures to ensure that pirates can't access music they don't own. Since they've taken such measures, the use of my.mp3.com falls under "fair use". As such, the RIAA's lawsuit is bullshit (but we knew that already).

      Try to understand the issue before you call everybody else idiots, you fucking moron.

  17. What is RIAA's view if... by Paul+Neubauer · · Score: 2

    ...someone were to rip their CDs to their own drive (or rig up a CD jukebox, etc) and allowed themselves, and only themselves, to access their own private server for the same result?

    The result, for that one person, is the same though the work involved is now significant. The difference is now it is 'narrow'casting rather than a broadcast.

    MP3.com removes the upfront workload of ripping everything or rigging up the jukebox, and centralizes the servers -- which makes them accessible. While I (for example) could eventually get something like this set up privately at home, running a server isn't a real option for me. No, I don't use MP3.com, but I do see the utility of the enterprise.

    Not saying which is best or who is right, just curious about this.

    --
    I don't subscribe to RMS's GNUtopian vision.
    1. Re:What is RIAA's view if... by Anonymous Coward · · Score: 0
      The RIAA tried to get the court in the Diamond Rio case to rule that

      1. Computers were subject to SCMS. (The AHRA explicitly exempts computers from SCMS, as the RIAA should well have known.)

      2. It was illegal to copy music to a hard disk, since computers are not covered by SCMS.

      They lost on both counts. However, for a long time after the ruling, their main Web site and SoundByting Web site continued to state, quite incorrectly, premise #2. (The SoundByting Web site seems to have been fixed on this point -- just enough to make it technically accurate.)

  18. Agreed by Andy+Dodd · · Score: 1

    The portability issue is key. I use Beam-It, and it makes things soooo convenient when I want to listen to music in a computer lab. Just bring headphones. :) Oh, and Beam-It takes a *lot* less time per CD than ripping - I can "beam" a CD in under a minute, but my machine rips+encodes at just a shade over 1x, i.e. 40-60 minutes depending on CD length.

    --
    retrorocket.o not found, launch anyway?
  19. Showing that it's secure shows that... by Anonymous Coward · · Score: 5

    It is possible to respect the intellectual properties of others while still offering new and innovative services. Rock on.

    There was definite worry about whether or not MP3.com's Beam-It software was going to be sufficiently secure as to avoid lawsuits. Since the MP3.com software was closed-source, and the protocol wasn't specified, it was a definite possibility that MP3.com was relying on "security through obscurity", just as the MPAA did with DVD (gee, doesn't this all just tie together nicely?).

    However, the Beam-It protocol was obviously written with security concerns in mind. Knowing the protocol does not make it easier to spoof MP3.com into thinking you have music you don't (well, not *reasonably* easier).

    Contrast this with CSS. Once the algorithm is known, it's easy enough to distribute unencrypted copies of the software, if you are so inclined (note: this *wasn't* the original intent of DeCSS, and I certainly haven't seen any evidence to support the idea that people are now pirating DVDs with DeCSS. And, yes, it was possible *before* DeCSS came about. There's also the whole bit-for-bit copy thing, if you can find the media...).

    Yes, it's comparing apples and oranges. But you'll notice that MP3.com has achieved a happy medium for consumers-- allowing them to listen to other people's music, but still respecting the intellectual property of others.

    Funny, huh? That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy. The paper is well-written enough that MP3.com could probably submit it as evidence (both in the RIAA's lawsuit against MP3.com, and in the slander lawsuit, since the RIAA has said that MP3.com has a flagrant disregard for IP, and this proves otherwise).

    I'm an AC because I don't want my real name moderated down for run-on sentences :-)

    1. Re:Showing that it's secure shows that... by Mister+Attack · · Score: 2
      That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy.

      Uh-uh. MP3.com is still redistributing copyrighted material without the consent of the copyright owners. Even if they do have cryptographically strong verification of ownership, they do not have the right to redistribute those songs! I hate it, it sucks, but that's the way copyright law is written. The laws need to get fixed, but until they do, MP3.com is still violating copyright!
      --

  20. Ahh Very tricky.. by Otto · · Score: 1

    Very nifty protocol. I wouldn't have thought of a random CD block check.

    This potentially makes it much more difficult to fake the response to the server, tricking it into thinking you have the CD when you don't. Also the hash of the block is computed on the server side for verification, rather than on the client side. Good. They don't trust the client at all. :-)

    Now, of course, someone will just find a back door somewhere. Still, it shows that they didn't just whip the thing out, but put some thought into it.

    It's still a stupid service without widespread broadband. But more of that is appearing every day.

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  21. In case it's not obvious by Acy+James+Stapp · · Score: 2

    This would be to prevent the "cartel" discussed in the article. I think they will leave some leeway, in case there are legitimate reasons to be playing two or more mp3s from the same account simultaneously.

    The easiest way to cheat would be to borrow and beam your friend's CDs. A good afternoon of beaming and you could double your collection.

    --
    -- Too lazy to get a lower UID.
    1. Re:In case it's not obvious by Anonymous Coward · · Score: 0

      if you ask your friends nicely, they'll beam CDs to your collection for you.. no need to shuffle atoms. i'd like to see an underground trader network.. some private mailing list that hooks people up to beam each other stuff.

  22. Dammit, I can't stand columns in docs! by Smack · · Score: 1

    OK, so this is completely OT. But I hate it when you see documents like this that are written in 2 column style. Sure that might work well on paper, but it really sucks in the Acrobat reader unless you've got a monitor with high enough rez to easily read the whole page at once. A single column layout is MUCH MUCH easier to read

    1. Re:Dammit, I can't stand columns in docs! by CoughDropAddict · · Score: 1

      Or they could just post it in HTML and let people view it how they want to. If they want to release a PDF version for the suits, fine, but please...

  23. the article is useful... by levl289 · · Score: 3

    Folks, instead of keeping your heads in the ass of "make all music free", realize that artists need to eat.

    This internet thing, and the OSS mov't is new to most people...especially those that have lots of money invested in the "old" way of doing things. It takes time for ppl to get used to it..this is a good start.

    The article itself is very useful in explaining how the system works, and it gives wannabe programmers (me), the ability to see how something is reverse engineered (it really took away a lot of the mysticism IMO).

    --

    Q: What do you think about American Culture?
    A: I think it's a good idea.
    (adapted from Gandhi)

    1. Re:the article is useful... by Field+Marshall+Stack · · Score: 1

      Bah. Judging by the percentages the major labels give their artists, I'd say that they're of the opinion that artists do not in fact need to eat. Sorry...
      --
      "HORSE."
      -Flaming Carrot
    2. Re:the article is useful... by kashko · · Score: 1
      I don't know about the record scene but as I recall it writers get at least 10% royalties. This reflects the risk the publisher takes: once the book is underway the writer can sit back and rest for a week then get on with the next project.

      I have tried to set up a business in the past. It takes time to market stuff. Generally speaking if the writer tries self publishing they won't write: you have to assume between 6 and twelve months intensive marketing before money comes in. I see no reason why it should be different for musicians.

      There is, however, an increasing trend for writers to self publish and I can see this spreading to music. It's a trend could eventually be more of a threat to the big labels than MP3 or related technologies.

      On the other hand self publishing is more suited to niche markets than to the mass markets the big labels need to tap in order to keep their marketing and other departments paid.

      So I have no problem with big labels trying to protect their investment. There are things I don't like about the music industry, in particular tendency to be unwilling to use a small percentage of profits for experimental releases that don't hit the mass markets.

      (this whole area is something I need to think about eventually to get ideas straight but not just yet)

      Would people here still think it right to pirate music if the musician was self publishing? Or it was a small independent label?

  24. You can still borrow a friend's CD by Jinker · · Score: 1
    Now unless I'm mistaken, if you borrow a friend's CD, and 'add it to your collection', you've now got unlimited play access to MP3s from that CD, right?

    Of course, if you borrow your buddy's CD, you can rip the MP3s yourself. Mind you, if you own a CD, you can do it as well.

    What is this service good for again? :)

    I suppose not *everyone* has free and easy access to a personal FTP site. But I'd expect that will change over the next couple of years, what with bandwidth and hard drive space being so darn cheap.

    1. Re:You can still borrow a friend's CD by cweber · · Score: 1

      Yeah, I've been thinking along the same lines for a while. As far as I know, individual CDs don't have unique identifiers such that the BeamIt software could tell you, 'Sorry, this particular CD has been beamed already!'. The CD identifier being mentioned in the paper seems to only identify the album as Title X by Artist Y, not Title X by Artist Y, number Z in series. Maybe I am wrong and someone who knows can enlighten us?

      In the end it all boils down to whether an action is legal and to what extent we as individuals are willing to obey the law. No one prevents me from speeding, but I can get caught and fined, so I choose not to speed. I would think that many people would respect copyright laws and fines imposed on violators if caught and therefore not beam CDs they don't own.

    2. Re:You can still borrow a friend's CD by homer_ca · · Score: 1

      Yes this is still possible, but you couldn't possibly distribute as many copies this way as you could by posting an mp3 to the Internet. The recording industry has lived with this level of borrowing and copying for years. Just like when friends borrowed and taped LP's and CD's in the olden days.

  25. Services vs. Privacy by soldack · · Score: 4

    That's really what this thing comes down to. In most cases, to get the services that you want, you have to give up some privacy. You want the government to give you Social Security; then you have to have a number attached to you. You want a credit card company to loan you money; then you have to let them know about every purchase you make. If you want to have MP3.com handle all your music, then you have to let them know what music you like. That's just the way things go.

    Although there are often some insidious reasons for collecting user data, the biggest reason is usually because it is either integral to the service or it makes it work much better. For example, /. has a feature to remember your user name and password. It is pretty insecure but it makes getting access easier. In MP3.com's case, some of the information is needed, some of it may improve the service, and some of it may turn out to be nefarious. The consumers can dictate what they want by either using or not using the service. That is part of the beauty of a free market. Consumers can dictate the forms of new products and services with their buying power. Companies will not offer what people do not want.

    --
    -- soldack
    1. Re:Services vs. Privacy by Anonymous Coward · · Score: 0
      You want the government to give you Social Security; then you have to have a number attached to you.

      It's basically impossible for a US citizen to get a job without this. And if any of the dozens of people who have it dislike you, you'll be so screwed it'll take years to put some semblance of your life back together. Considered Harmful.

      You want a credit card company to loan you money; then you have to let them know about every purchase you make.

      Not every item, just the identity of the vendor. And anonymous cash is still pretty much accepted, at least for the moment.

      /. has a feature to remember your user name and password.

      Today's bloated trailing-edge crippleware doesn't handle cookies appropriately (a configurable lifetime per domain), so requiring them (rather than using URLs with IDs) is another Bad Idea.

  26. Ammo? I think so. by pimp · · Score: 1

    While it may have not been the original intention, showing interest in security is showing responsibility. By showing that MP3.com is taking active interest in attempting to solve some of the problems over which they have been criticized they will get big brownie points.

  27. empowering big business by henninrp420 · · Score: 1

    it seems like the industry is trying to put a stop to "illegal" mp3 sites by coming up with a way to verify that you already own a physical disc. they will then be able to say that because they can verify you have this disc, there is no longer a reason that songs from label-controlled artists should be available freely on the web because it constitutes copyright infringement. the great thing about mp3s is that they're small, quick to download or create, and give you the option of listening to parts of a CD BEFORE you buy the album, listen to the rest of it and find out that the whole album sucks except for the one or 2 catchy songs that happen to make it onto MTV. it's hard enough to find a STORE that will let you listen to CDs before you buy them. (i know of one whole such store in my area). it will also be impossible to obtain ONE good song from an album of sh*tty ones because you don't want to go pay $15-$20 for a full album to obtain a single. i wonder what sort of revenue in sales is created for the music industry by consumers buying a full album to get that "neat song i heard on the radio". the target-related advertising part of this bothers me too, because if you sample the way target advertising works for companies like BMG, you'll find madonna and christina aguilera (sp?) and nine inch nails and metallica in the same "if you like this artist..." category...and the associated artists most certainly are nothing alike. basically, i think what is going to happen here comes down to people receiving a lot of email and promo offers for things they don't want/need/have time for, and it's going to empower the government and corporate junkies to have a tighter grip on what citizens do with the things they own.

    --
    -rich henning -linux 2.2.x
    1. Re:empowering big business by Anonymous Coward · · Score: 0

      > they will then be able to say that because they can verify you have this disc, there is no longer
      > a reason that songs from label-controlled artists should be available freely on the web
      > because it constitutes copyright infringement.

      Excuse me? When has anyone ever said that this was NOT copyright infringement??

      > it's hard enough to find a STORE that will let you listen to CDs before you buy them.

      Most music stores I know of do, with the exception of places that sell CDs as an afterthought, like KMart.

  28. what's wrong with targeted ads? by rnd() · · Score: 2
    If we must put up with ads, then why shouldn't they be targeted? If I am going to see ads, I at least want to see ads for products that I might want to buy.

    I make a rational choice when I use services that demand information in exchange for a service... I opt out of systematic junk emailings and give them the info that they request in exchange for the service that they provide.

    Take, for example, one of my favorite sites on the net, Moviecritic.com. This site has saved me lots of money and time by helping me to avoid movies that I wouldn't like. The site uses collaborative filtering to do so, but in the process also asks for some demographic information. Now, I'm sure that the demographic data which moviecritic collects is highly valuable. I'm also sure that its owner (the person who collected it from consenting moviegoers like me) sells it to movie studios, etc. I don't care. I like the service and just because there is capitalism and age/sex/zipcode information involved doesn't mean it's evil.

    --

    Amazing magic tricks

    1. Re:what's wrong with targeted ads? by Wah · · Score: 2

      I make a rational choice when I use services that demand information in exchange for a service

      Your personal information is worth a great deal of money. Acquisition costs and QUALITY customer profiles are difficult to come by and are expensive. If you ever visit a site and it requests some type of consumer information from you, don't give it unless you feel you are being compensated fairly.

      Also realize that consumer targeting can cut down on the number of Tampax ads you receive in the mail. The easier it is for companies to find the right customers, the less money they waste talking to the wrong ones, all of which helps to lower prices and make the market more efficient.

      One coin, two sides.

      --

      --
      +&x
    2. Re:what's wrong with targeted ads? by DreamerFi · · Score: 1

      If we must put up with ads

      Well, I don't put up with them. I will actively avoid ads, and I actively blacklist companies that send me dead-tree junk mail, and I do care very much about who sells my data to whom. I've been called picky, I've been called weird, and even paranoid, but that's the way I do it...

      -John

  29. mp3.com EULA by spRed · · Score: 2
    [ Okay, it's terms and conditions, but just as odious ]
    from the 'Terms and Conditions' on mp3.com :
    You agree to bound by and subject to such terms and conditions, including but not limited to the (i) Instant Listening Service Terms and Conditions of Use and (ii) Beam-it End User Web Site And Software Terms And Conditions Of Use, each of which are incorporated herein by reference.
    (my emphasis)

    Does anyone with an mp3.com account have a copy of these or a link to them? I'm curious if any of these agreements (which you can't read before saying 'I Do') prohibits reverse engineering of the software, and/or attempts to circumvent it.

    -Red

    --
    .sig Karma out the wazoo, better to spend points elsewhere if this is above 2 or below 0
    1. Re:mp3.com EULA by jbuhler · · Score: 1

      Here's the license agreement that comes with the libmsp software (the not-open-source part of BeamIt). I couldn't find a version on the my.mp3.com web site. In answer to your question: yes, it does contain a provision against reverse engineering.

      END USER WEB SITE AND SOFTWARE TERMS AND CONDITIONS OF USE

      Welcome to MP3.com's Beam-ItTM service (the "Service"). By subscribing to the Service and/or by downloading MP3.com's Beam-ItTM software (the "Software"), you are agreeing to abide by the terms and conditions of this agreement (the "Agreement"). The terms and conditions of this Agreement may be modified from time to time by MP3.com. Each time you log on to the Service or use the Software you agree to familiarize yourself with the most current version of these terms and conditions. If you continue to access the Service or use the Software, you agree to be bound by the most current version of the terms and conditions..

      1. SOFTWARE

      (a) In addition to certain third party software which may be required, use of the Service may include downloading the Software, as such Software may be updated from time to time. The MP3.com information and Software, and the content posted on the MP3.com web site is copyrighted and protected by law and international treaty. You may download the Software through a web browser onto a single computer for your personal, non-commercial internal use only. BY DOWNLOADING THIS SOFTWARE YOU ARE AGREEING TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, WHICH SHALL REMAIN IN EFFECT UNTIL YOU UNINSTALL THE SOFTWARE, DESTROY ALL COPIES OF IT AND REMOVE FROM YOUR MY.MP3.COM ACCOUNT ANY REGISTERED CONTENT (DEFINED BELOW) PLACED THERE THROUGH USE OF THE SOFTWARE. IF YOU DO NOT AGREE WITH ANY OF THE TERMS OF THIS AGREEMENT, DO NOT DOWNLOAD OR INSTALL THE SOFTWARE.

      (b) You are granted by MP3.com a non-exclusive, non-transferable, non-sublicenseable, license to use the Software solely for connecting to and using the Service in accordance with this
      Agreement. This is a license, not a transfer of title, and you may not nor permit anyone else to (a) modify the Software or use it for any commercial purpose or public display, performance, sale or rental; (b) decompile, reverse engineer, or disassemble, modify, or create derivative works based on the Software or the documentation in whole or in part; (c) remove any copyright or other MP3.com proprietary notices; (d) transfer the Software to another person. You agree to prevent any copying of the Software that you download for your use from the MP3.com web site.

      (c) The Software and all information furnished by MP3.com on the MP3.com web site is copyrighted proprietary material of MP3.com and may not be copied, reproduced, modified, published, posted, transmitted, or distributed in any way, without MP3.com's prior written permission. Except as expressly provided herein, MP3.com and its suppliers do not grant any express or implied right to you under any patents, copyrights, trademarks, trade secret, or other intellectual property rights of MP3.com or its suppliers.

      (d) The terms and conditions of this Agreement govern your use of our Software and Service only. You further agree to abide by the terms and conditions of any third party software licenses for other software used by you in conjunction with our Software and Service.

      2. SERVICE/CONTENT

      (a) You will become eligible to use the Service as an end user ("Registered User") upon subscribing to the Service and paying the applicable fee, if any. Registered Users are permitted by MP3.com to register their possession of certain user media (e.g., CDs) containing audio content ("Registered Content") by placing such user media in an applicable information storage and retrieval device (e.g., a CD-ROM drive) and thereby enabling verification of such user media by MP3.com ("Verification"). Upon successful Verification of user media provided by you, the corresponding Registered Content will become available to you for listening via streaming from your My.MP3.com account on the MP3.com web site. In submitting your user media for Verification, you agree to abide by all instructions, rules and directions posted by MP3.com, as well as all laws regarding copyright ownership and use of intellectual property, and you shall be solely responsible for any infringements of third party rights. You represent and warrant that: (i) you are the sole owner of any user media submitted by you for Verification,(ii) you will not submit for Verification any user media not owned by you, (iii) you will not loan, rent, lease or otherwise transfer any user media owned by you to a third party for the purpose of allowing such third party to submit such user media for Verification, (iv) you will not provide your My.MP3.com login name or password to any third party, and you will not allow any third party to access your my.MP3.com account, and (v) if at any time you sell, transfer or otherwise dispose of any user media, you will immediately remove the Registered Content related to such user media from your My.MP3.com. account. You further agree not to copy, reproduce, transmit, distribute or transfer any Registered Content in violation of any third party rights.

      (b) You acknowledge that the Registered Content is protected by copyrights, trademarks, and other intellectual and proprietary rights ("Rights"); (ii) these Rights are valid and protected in all media and technologies, whether known or unknown; and (iii) except as explicitly provided otherwise, this Agreement and applicable copyright, trademark, and other laws govern your use of such Registered Content. You agree to comply with any instructions, rules, or directions posted by MP3.com related to such Registered Content.

      3. TERMINATION

      (a) We may terminate this Agreement, and your account, at any time, for any or no reason, with or without notice to you. You may terminate this Agreement by discontinuing use of the Service and/or Software, and following the procedure set forth in Sections 1(a) and 3(b).

      (b) Upon any termination of this Agreement, all licenses granted herein shall immediately terminate, and you agree to immediately destroy all copies of the Software and all of its accompanying documentation. Sections 4, 7, 9, and 10 shall survive termination of this Agreement.

      4. WARRANTY DISCLAIMER: LIMITATIONS OF LIABILITIES

      YOU UNDERSTAND AND EXPRESSLY AGREE THAT THE SERVICE AND SOFTWARE ARE BEING MADE AVAILABLE TO YOU "AS IS" AND "AS AVAILABLE." YOU ASSUME THE RISK OF ANY AND ALL DAMAGE OR LOSS FROM USE OF, OR INABILITY TO USE, THE SERVICE AND SOFTWARE; AND MP3.COM MAKES NO REPRESENTATION OR WARRANTY, AND DISCLAIMS ALL IMPLIED REPRESENTATIONS AND WARRANTIES, THAT THE SERVICE AND SOFTWARE WILL PERFORM IN THE MANNER EXPECTED WITHOUT INTERRUPTION, ERROR OR DEFECT.

      WITHOUT LIMITING THE FOREGOING: ALL REPRESENTATIONS, CONDITIONS, WARRANTIES AND GUARANTEES, WHETHER STATUTORY OR OTHERWISE (INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT OR RESPECTING SATISFACTORY QUALITY) ARE HEREBY DISCLAIMED BY MP3.COM TO THE FULLEST EXTENT PERMITTED BY LAW; MP3.COM SHALL NOT BE LIABLE TO YOU OR TO ANY THIRD PARTY FOR OR IN RESPECT OF ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL LIABILITY, LOSS OR DAMAGE ARISING DIRECTLY OR INDIRECTLY FROM THE USE OF THIS WEB SITE OR THE SOFTWARE, OR FOR ANY LOSS OF DATA, LOSS OF PROGRAMS, PROFIT, REVENUE OR BUSINESS, HOWSOEVER CAUSED (WHETHER ARISING OUT OF ANY NEGLIGENCE OR BREACH OF THIS AGREEMENT OR OTHERWISE), EVEN IF THE SAME WAS FORESEEABLE BY, OR THE POSSIBILITY THEREOF IS OR HAS BEEN BROUGHT TO THE ATTENTION OF, MP3.COM.

      YOU AGREE THAT YOUR SOLE AND EXCLUSIVE REMEDY AGAINST MP3.COM FOR LOSS OR DAMAGE CAUSED BY ANY DEFECT OR FAILURE IN THE SOFTWARE, REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT OR TORT, INCLUDING NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, SHALL BE THE REPLACEMENT OF SUCH SOFTWARE. THE FOREGOING SHALL BE YOUR SOLE AND EXCLUSIVE REMEDY AGAINST MP3.COM.

      SOME STATES OR JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF CERTAIN TYPES OF LIABILITY. THEREFORE, THE ABOVE EXCLUSIONS OR LIMITATIONS MIGHT NOT APPLY TO THAT EXTENT, AND NONE OF THE ABOVE SHOULD BE CONSTRUED AS EXCLUDING OR LIMITING ANY LIABILITY BEYOND WHAT IS PERMITTED UNDER APPLICABLE LAW.

      5. PARTNERS.

      MP3.com works with a number of partners, whose Internet sites are linked to and/or from the MP3.com web site. Because we have no control over the content and performance of such sites, we make no guarantees about the accuracy, currency, content or quality of such sites and information on them, and we assume no responsibility for unintended or objectionable content that may reside on these sites.

      6. PASSWORDS/PRIVACY
      (a) Use of the Service may require a password. You are responsible for maintaining the confidentiality of your password and other registration information and shall be responsible for all uses thereof, whether or not authorized by you. You agree to immediately notify MP3.com of any unauthorized use of your password and/or registration information.

      (b) MP3.com agrees that information MP3.com obtains from your use of the Service or Software will be handled in accordance with our published privacy policy which can be found at http://www.mp3.com/privacy.html.

      7. HOLD HARMLESS.

      You agree to indemnify, defend and hold harmless MP3.com, its affiliates, officers, directors, employees, consultants and agents from any and all third party claims, liability, damages and/or costs (including attorneys' fees) arising from your use of the Software and/or Service, violations of this Agreement by you or your infringement, or infringement by any other user of your account, of any intellectual property, or other rights of any person or entity.

      8. EXPORT CONTROLS.

      You agree to comply with all export laws and restrictions and regulations of the United States Department of Commerce or other United States or other sovereign agency or authority, and to not export, or allow the export or re-export of any information from the MP3.com web site or any Software in violation of any such restrictions, laws or regulations, or unless and until all required licenses and authorizations are obtained to the countries specified in the applicable U.S. Export Administration Regulations (or any successor supplement or regulations).

      9. APPLICABLE LAWS. This web site is controlled by MP3.com from its facilities in the United States of America. MP3.com makes no representations that the information in or from the MP3.com web site is appropriate or available for use in other locations. If you access this web site from other jurisdictions you are responsible for compliance with local law. This Agreement shall be construed in accordance with and governed by the laws of the State of California in the United States of America as such laws apply to contracts between California residents performed entirely in California. Both you and MP3.com consent to the exclusive jurisdiction of the state and federal courts having jurisdiction over San Diego, California, for the adjudication of any controversy, claim or dispute which arises from or relates to this Agreement, the Software and/or the Service.

      10. NO ASSIGNMENT.

      This agreement may not be assigned by you to any third party without the prior express written consent of MP3.com. Any assignment that violates this provision is null and void.

      11. WAIVER; SEVERABILITY.

      No failure of either party to exercise or enforce any of its rights under this Agreement will act as a waiver of such rights. If, for any reason, a court of competent jurisdiction finds any provision or portion of this Agreement to be illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the other provisions of this Agreement will not be affected.

      BY USING THE BEAM-IT SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS. YOU FURTHER AGREE THAT THIS AGREEMENT, WHICH MAY BE MODIFIED FROM TIME TO TIME BY MP3.COM (AND POSTED AT THE MP3.COM WEB SITE) IS THE COMPLETE AND EXCLUSIVE STATEMENT OF THE RIGHTS AND LIABILITIES OF THE PARTIES, AND SUPERSEDES ANY AND ALL PRIOR AND CONTEMPORANEOUS WRITTEN OR ORAL AGREEMENTS EXISTING BETWEEN THE PARTIES WITH RESPECT TO SUCH SUBJECT MATTER. CERTAIN PROVISIONS OF THESE TERMS AND CONDITIONS MAY BE SUPERSEDED BY EXPRESSLY DESIGNATED LEGAL NOTICES OR TERMS LOCATED WITHIN THE MP3.COM WEB SITE.

      Copyright (c) 2000 MP3.com. All Rights Reserved.

  30. How to use Beam-it without actually possesing it. by geirt · · Score: 1
    There is a security hole ....

    If Alice (who happens to own a large cd collection) registers her collection using Bob's MAC and IP address, Bob could listen to all the music that Alice owns. Then Alice could do this again, and again, giving all her friends access to her collection. Alice could automate this: she creates a web site, where you enter your MAC and IP address, and a beam-it account is created on your behalf. To do this Alice needs a big disc, or a lot of CD players in her computer.

    Lets take this another step:

    Create a distributed registration service (think Napster), where every user has a CD in his/her cd player and a common database of available CDs at the moment. When you want to listen to a particular CD, you register it on beam-it, and receive the challenge. Then you forward the challenge to the machine which has the original CD, and get a response back which you forward to the beam-it server. Voila, you receive your MPEG2-layer3 file, without owning the CD.

    The weak spot in the protocol is that you don't want to transfer a lot of data (that's the whole point with beam-it), so you could easily send the data to another machine for validation.

    QED

    --

    RFC1925
  31. No kidding by Anonymous Coward · · Score: 0
    Ok, so Beam It can validate that I've got the CD in my drive.

    ... for the duration of time that it takes me to run Beam It. So all people will do is pass around the physical disks, effectively pirating the content.

    I read last week that Microsoft's next Windows Media Player will have pay-per-play (called "micropayments" when we like it and "obnoxious fees" when we don't).

    The casualty in all this is going to be personal privacy. I think any kind of secure intellectual property scheme is going to have an "identify the user" component.

  32. Nothing is safe.. by Anonymous Coward · · Score: 0

    I can think of a few flaws in the system. Here is a quick one: fake/shared accounts. If you share accounts with people, pretty soon you could get a VERY large library of "authorized" music. If enough people start using 1 account and updating it then the library will become huge. Some sort of crack/link to the cdda, or a special server, i.e. a server set up to give beam-it whatever ID it's looking for.

    1. Re:Nothing is safe.. by bokane · · Score: 1

      Actually, (I think) Beam-It protects against that by only allowing one IP per login at any given time. Sure, people could share an account and take turns, but it kind of limits the usability of it, especially if you've got an assload of people using the one account.

  33. Re:FIRST POST by 348 · · Score: 1

    First post is a quick and zippy way of dumping off your mod points. If this wasn't the motivation, the moderator would have used his points to mod good threads up and not dump them on a post which was rated zero to start with. Zero remains at the bottom of the heap anyway, why move it further? It makes no sense. See this monkey?! It makes no sense. Why does Chewbacca live on Endor? It makes no sense. . .

    --

    More race stuff in one place,
    than any one place on the net.

  34. How do you go home at night? by Anonymous Coward · · Score: 0
    I don't know about you, but I carry a couple of hardware identifiers on a little metal ring. They're called "keys".

    I could get used to the idea of carrying an additional key on my keyring that simply contains an identity. I wouldn't even mind paying $10 to $100 *in cash* to buy the identity down at the local computer store.

    1. Re:How do you go home at night? by ThunderBucket · · Score: 1

      I was referring to non-mechanical keys. A mechanical key reader for a computer is probably going to lose (horribly) on price/performance to an electronic reader.

      The method I was thinking of at the time of the original post was mag-stripe style readers. These demagnetize annoyingly often and are not overly difficult to copy.

      Smart chips (a la AMEX's Blue card) would be OK, if there were readers for them. A mechanically simpler (thus cheaper) alternative would be the ID buttons made by Dallas Semiconductor. Two contacts, powered by the reader, and they have quite a large data capacity. (I don't have the link anymore.) These microchip-style authentications would be more resistant to replay attacks than magstripe.

      And the radio man says it is a beautiful night out there
      and the radio man says Rock and Roll lives

      --

      "All I do is eat and poop!" -- Bean
  35. (A slight correction) by Anonymous Coward · · Score: 0

    In the fourth paragraph, that should be "unencrypted copies of the movies", not "unencrypted copies of the software". The UDF filesystem does not encrypt data as far as I know.

    My apologies.

    The AC that still uses run-on sentences.

  36. What are you talking about? by zipwow · · Score: 1

    How do you figure this is client-side security? MP3.com owns a copy of all the disks; they could change the data they ask for from the CD periodically. Your 'spoof database' of information that mp3.com asks for would only be good for a week or two.

    I suppose that's good enough for you to set up your account and download the mp3s, but it's likely that the spoof database is similar in size to just providing the pirated mp3s for download in the first place.

    It's not like someone's going to set up an account that has EVERY disc mp3.com owns (yeah, they won't notice that) then publish the username on the net for thousands of people to use. Only one person can connect on a username at a time, so your account would be shut off pretty quickly if you tried that. Even if you had multiple accounts, you're going to be turned off pretty quickly, as well as investigated.

    It seems to me that there are waaay easier ways to pirate music than hacking through mp3.com.

    Zipwow

    --
    I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
  37. This is more work than just ripping and copying.. by zipwow · · Score: 1

    Sure, you could do what you've described, but is it really practical? If you're going to create a distributed database of illegally copied copyrighted works in the range of terabytes of data, would you want to provide the raw CD information, or just the damn mp3s themselves?

    Additionally, this sort of 'service' would be clearly illegal, and anyone involved in it would be both detectable and prosecutable.

    That's assuming they live where there are laws, but if they live in China they probably just have a big database of mp3s ANYWAY, which is really the easiest route.

    This is akin to saying "The banks in the world are insecure because the vault could be broken into by freezing the lock and applying 40 tonnes of pressure" when you can just point a gun at the teller and ask nicely.

    Zipwow

    --
    I don't know which is more depressing, that 2/3 didn't care enough to vote, or that 1/2 of those that did are crazy.
  38. An unmentioned perk? by medicthree · · Score: 2
    Something I haven't heard mentioned before that might be another incentive to use the service: The ability to once again listen to damaged tracks.

    Imagine, for example, that your CD is scratched in such a way that certain tracks are unlistenable. If you were to use the Beam-it software, and the verification process wasn't hampered by the scratches, you could regain the ability to listen to those "lost" songs. I'm not sure how much of the CD is randomly checked in the verification process, but most likely after a few tries you would be able to have a scratched CD verified.

    1. Re:An unmentioned perk? by Anonymous Coward · · Score: 0

      That's brilliant. I can't tell you how many times I've been annoyed by deteriorating CDs. (Unless, of course, the check is done on a deteriorated sector... what then?)

      Which brings me to the next point... what happens when the RIAA switches over to Superdisks (or whatever they're named) which are those $18-$20 "multimedia" (yeah, as if we care) monstrosities currently in the pipe? Maybe that's why they're fighting MP3.com etc. so hard... the Beam-It technology means that when the Great Medium Swap is made, we'll still be able to listen to our old Paul Simon CDs without having to repurchase at a 50% markup.

      Personally, I have a big enough HD to back up my whole collection, and I'm looking at this little guy to cart it with me easily.

    2. Re:An unmentioned perk? by Anonymous Coward · · Score: 0
      Unfortunately this is not the case. I only found out about my.MP3.com a few days ago. I was musing on IRC that it would be great if music companies allowed you to download legal mp3's if you proved that you had bought the original CD. My sister managed to add a nice big scratch to my copy of "The Bends" by Radiohead making it unlistenable. I tried beam-it several times with this CD and it failed after nearly 20 minutes of trying every time.

      I was annoyed that it didn't work but very impressed that they must have used a decent authentication and not relied on something really silly like CDDB. Several other people have since mentioned to me problems with even very minor scratches on CDs that play 100% but fail to beam.

    3. Re:An unmentioned perk? by Sloppy · · Score: 1

      I think you just explained the real reason RIAA is upset about this. They want you to buy a new CD when an old one gets scratched.


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    4. Re:An unmentioned perk? by medicthree · · Score: 1

      Since my first post I actually tried this with two scratched CDs. One of them won't let me listen to 3 of the 16 songs on the track. That one was authenticated perfectly the first time. The other has skips on every song and you could probably describe it less as scratched than as "blotched" (it has pretty big stains on the back from dried coffee, I think). That one wouldn't authenticate. Looks like it'll work out some of the time at least.
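      The random-sector verification that this thread speculates about, as an added toy model (constructed here, not Beam-it's or MP3.com's code; the sector size, disc length, nonce and HMAC construction are all assumptions). It shows why a scratch covering a few tracks sometimes passes and sometimes fails: the pass rate falls quickly with the number of sectors the server samples, while a wrong disc or a replayed answer never passes.

```python
"""Toy model of a Beam-it style CD verification (constructed; not MP3.com's code)."""
import hashlib
import hmac
import random
from typing import Dict, List, Optional, Set, Tuple

SECTOR_BYTES = 64        # assumption: toy sector size (real CD audio sectors are 2352 bytes)
SECTORS_PER_DISC = 4000  # assumption: toy disc length


def make_disc(seed: int) -> List[bytes]:
    """Deterministic pseudo-random audio data standing in for one ripped CD."""
    rng = random.Random(seed)
    return [rng.randbytes(SECTOR_BYTES) for _ in range(SECTORS_PER_DISC)]


def response_for(nonce: bytes, sectors: List[bytes]) -> bytes:
    """Keyed hash of the sampled sectors under the server's nonce (assumed
    construction): the nonce makes each answer single-use, and only the
    hash travels over the wire, not the audio itself."""
    mac = hmac.new(nonce, digestmod=hashlib.sha256)
    for sector in sectors:
        mac.update(sector)
    return mac.digest()


class Server:
    """Verifier holding its own copy of every disc, as the thread says MP3.com does."""

    def __init__(self, library: Dict[str, List[bytes]]) -> None:
        self.library = library
        self.rng = random.Random(42)  # fixed seed keeps the simulation reproducible
        self.outstanding: Dict[bytes, Tuple[str, List[int]]] = {}

    def issue_challenge(self, disc_id: str, k: int) -> Tuple[bytes, List[int]]:
        """Pick k random sector offsets; the client must read and hash exactly those."""
        nonce = self.rng.randbytes(16)
        indices = self.rng.sample(range(SECTORS_PER_DISC), k)
        self.outstanding[nonce] = (disc_id, indices)
        return nonce, indices

    def verify(self, nonce: bytes, response: Optional[bytes]) -> bool:
        """Accept only a fresh nonce and the exact hash of our own copy's sectors."""
        entry = self.outstanding.pop(nonce, None)  # one-shot: a reused nonce is rejected
        if entry is None or response is None:
            return False
        disc_id, indices = entry
        expected = response_for(nonce, [self.library[disc_id][i] for i in indices])
        return hmac.compare_digest(expected, response)


def client_respond(disc: List[bytes], damaged: Set[int],
                   nonce: bytes, indices: List[int]) -> Optional[bytes]:
    """Read the requested sectors from the user's disc; a scratch makes the read fail."""
    if any(i in damaged for i in indices):
        return None
    return response_for(nonce, [disc[i] for i in indices])


def scratch(fraction: float, seed: int) -> Set[int]:
    """Mark one contiguous run of sectors unreadable, like a few ruined tracks."""
    n = int(SECTORS_PER_DISC * fraction)
    start = random.Random(seed).randrange(SECTORS_PER_DISC - n + 1)
    return set(range(start, start + n))


def pass_rate(server: Server, disc_id: str, disc: List[bytes],
              damaged: Set[int], k: int, trials: int) -> float:
    """Fraction of verification attempts a (possibly scratched) disc passes."""
    passed = 0
    for _ in range(trials):
        nonce, indices = server.issue_challenge(disc_id, k)
        if server.verify(nonce, client_respond(disc, damaged, nonce, indices)):
            passed += 1
    return passed / trials


if __name__ == "__main__":
    server = Server({"cd-a": make_disc(1)})
    users_disc = make_disc(1)          # same content as the server's copy
    damage = scratch(3 / 16, seed=7)   # three of sixteen tracks ruined, as in the thread
    for k in (2, 8, 32):
        rate = pass_rate(server, "cd-a", users_disc, damage, k, 200)
        print(f"{k:2d} sectors sampled: pass rate {rate:.2f}")
```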

  39. Don't underestimate convenience by Tim+Macinta · · Score: 2
    if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

    You are severely underestimating the convenience that a service like this provides. It allows you to turn your computer into the equivalent of a CD jukebox without eating up your hard drive space. Now that my Kenwood jukebox is constantly flaking out on me I'm seriously considering switching to something like BeamIt. I have a couple hundred CDs and I'm constantly getting more, so it would be very convenient for me if I could pop a new CD into my computer for 10 seconds and then put the physical CD into storage so that it's not cluttering my work area. I would also love to have access to all my CDs on the days that I'm not working from home and without the need to lug 200+ CDs into the office.

    You are also grossly underestimating the effort that such a service can save in ripping as well. If I were to rip every new CD I got I would spend a good hour or so each week interfacing with the ripper (typing in the song title, etc). That may not seem like a lot, but that is essentially what keeps me from doing it. I was thinking of extending Gtcd so that with the push of a button it would automatically rip all of the tracks from a CD and label them based on their CDDB entries, but I may look into using BeamIt instead (if it's available for Linux) since it has the added bonus that I could access my music from anywhere.

    It's amazing how big of an effect a little convenience can have. I bought a TiVo a few weeks ago and at first glance it doesn't look like it does anything too revolutionary (aside from time shifting live programs). The features that it provides are available elsewhere for the most part. You can use a VCR to record shows you want to watch and you can use a TV Guide to pick shows that you want to watch. But when you combine all the little things that you could do using some other method into one very convenient system the end result is incredible. BeamIt sounds like it could be to music what TiVo is to TV and I intend to check it out...

  40. I'm confused - please explain. by Anonymous Coward · · Score: 1

    - How does it protect against borrowing friends CDs?

    Besides which:

    - It challenges you for random blocks from each CD? Well... so you have to put the CD in your CD drive... which means, why not just listen to it from the CD drive?

    It's fair enough if you say "oh it means you don't have to bother taking your CDs around", but eh? I'm confused. If it needs to grab info from the CD, how does this mean you don't have to carry the CD around?

    1. Re:I'm confused - please explain. by Anonymous Coward · · Score: 0
      You only "Beam-Up" each CD ONCE. The challenge/response happens then. After that, you can travel all over the world with your laptop, listening to MP3.com's streaming versions of the songs on that CD, and you will never be challenged to show possession of the physical CD again.

      Or at least that's how I think it works.

    2. Re:I'm confused - please explain. by osu-neko · · Score: 1
      - How does it protect against borrowing friends CDs?

      The same way Best Buy protects against physical disc borrowing: they don't. There is no way to prevent that, and once I've physically borrowed your CD, I can easily make a copy of it myself. So this isn't any bigger a piracy issue for mp3.com than it is for Best Buy.

      Besides which: - It challenges you for random blocks from each CD? Well... so you have to put the CD in your CD drive... which means, why not just listen to it from the CD drive? It's fair enough if you say "oh it means you don't have to bother taking your CDs around", but eh? I'm confused. If it needs to grab info from the CD, how does this mean you don't have to carry the CD around?

      It only challenges you the first time. Once you've verified you have the CD, you can listen to it anywhere, even while you're at work and the CD is at home.

      --

      --
      "Convictions are more dangerous enemies of truth than lies."
  41. Reboot into Windows!! by lee · · Score: 2

    My linux box has never successfully run windows. It started life as a Novell 4.1 server and was loaned to me by my employer until such time as they needed it back ;-) I tried installing 95 and nt, but it crashed immediately and the hard drive would not remain formatted, at least in a way windows would recognize. I have installed windows on all sorts of machines and not seen similar problems. It hated my cd-rom drive (so what if it is a Plextor and you need to use a caddy, redhat liked it). I fdisked my hd and installed Red Hat. No prob, except netscape crashes way too often.

    I tried to rip cds on my nt laptop, but the programs seemed not to work for my weird laptop cd drive. I have several gigs free on my linux box, so ripping cds to it seems like a good use especially since my stereo stopped working.

    --
    --- If you don't want to know the answer, don't ask the question.
  42. What the RIAA Lawsuit is really about by Agar · · Score: 1

    I can't believe that no one has mentioned this: the RIAA lawsuit has nothing to do with the Beam-It technology, its security, or MP3 encoding. Nothing.

    To provide the music stream, MP3.com has to have ripped versions of every CD. They claim that they've got a database of 40,000 CDs available to be "beamed".

    The RIAA claims that MP3.com didn't BUY these 40,000 CDs; that they made unauthorized copies to create their database.

    Here is the relevant information from this CNN story:

    But the RIAA is accusing MP3.com of creating an unauthorized digital music catalog of up to 45,000 CDs, claiming many of the copyrighted works are the property of its members.

    "Simply put, it is not legal to compile a vast database of our members' sound recordings with no permission and no license," Hilary Rosen, CEO of the RIAA, stated in the letter. "Obviously, you are not free to take protected works simply because you want them."

    [snip]

    But legal experts say that by creating a catalog of digital music without an explicit license, MP3.com has overstepped copyright laws.

    "I don't know what MP3.com is thinking," said Lon Sobel, editor of the Entertainment Law Reporter and a former Loyola University Law School professor. "Under the Audio Home Recording Act of 1992, consumers get the right to make copies of material for their own non-commercial uses. It does not give others the right to do it on consumers' behalf."

    This RIAA statement reiterates:

    The lawsuit against MP3.com has nothing to do with MP3 technology. It has to do with MP3.com, the company, taking music they don't own and haven't licensed to offer new services to make money for themselves.

    While all these discussions are fascinating and relevant to many outstanding legal issues, they somewhat miss the point of this particular lawsuit.


    ------
    1. Re:What the RIAA Lawsuit is really about by homer_ca · · Score: 1

      >"Simply put, it is not legal to compile a vast database of our members' sound recordings with no
      >permission and no license," Hilary Rosen, CEO of the RIAA, stated in the letter. "Obviously, you
      >are not free to take protected works simply because you want them."

      And how is this different from a public library "compiling a vast database of sound recordings"? Do they need special permission from the RIAA?

      Is the RIAA saying that mp3.com didn't pay for the CDs at $15 each or that they didn't buy public performance rights? It's not really clear from the CNN article.

    2. Re:What the RIAA Lawsuit is really about by Anonymous Coward · · Score: 0

      > The RIAA claims that MP3.com didn't BUY these 40,000 CDs; that they made unauthorized copies to
      > create their database.

      This isn't true, they are suing because MP3.com is sending out copies of the music over the Internet.

      MP3.com of course only gives out copies of the CDs (in the form of mp3 streams) to people who already own the CDs.

      However the record companies maintain they have the right to say who is and who is not allowed to make copies. That is what this case is about.

      What the record companies are really pissed off about, however, is the fact that MP3.com is destroying the market that they wanted to enter-- the sale of their back catalog of music over the Internet. The record companies probably imagined that they could sell pay-per-listen rights to the vast library of recordings they own. By offering the same music for free (to people who already bought the CDs), mp3.com is making it impossible for the record companies to make any more money off these old recordings :)

      Clever business technique, eh?

      > While all these discussions are fascinating and relevant to many outstanding legal issues, they
      > somewhat miss the point of this particular lawsuit.

      Yes.

    3. Re:What the RIAA Lawsuit is really about by Agar · · Score: 1

      A public library doesn't make a profit off of their vast database. Additionally, a library doesn't copy the music.

      IANAL, but I'm assuming that even buying the CDs wouldn't be enough. In fact, I wish I could modify my original post to change the word "buy" to "license".

      I'm not necessarily agreeing with this, mind you. It's just their argument, but "retransmission for profit" does seem to overstep the bounds of "fair use" recording. An interesting twist -- my.mp3.com could be considered "fair use" for a consumer, but not for MP3.com the company.

      Back to the library analogy. I wonder how the RIAA would feel about a library buying CDs, then making copies to lend out (so they could lend 10 copies of Pavarotti, though they bought only 1). The library wouldn't be making a profit, but I think the RIAA would still sue (and win) because the use of the copies exceeds "fair use".

      ------

    4. Re:What the RIAA Lawsuit is really about by Agar · · Score: 1

      However the record companies maintain they have the right to say who is and who is not allowed to make copies.

      Not to be flamebait, but don't they? Isn't that what current copyright law is explicitly for?

      What the record companies are really pissed off about, however, is the fact that MP3.com is destroying the market that they wanted to enter-- the sale of their back catalog of music over the Internet.

      I wonder if this is true. We could project a ton of reasons for the lawsuit, but it's too easy to start sounding like an X-Files episode without any backup data. It is, however, really easy (and amusing) to imagine record company execs really pissed off that so many good ideas are being exploited--and they're not the ones doing it.


      ------
  43. privacy by homer_ca · · Score: 1

    >As for privacy, this isn't that much different than buying CDs from a "club." They're not
    >grabbing financial information, email, Netscape history, etc. Them knowing what CDs I have is

    Exactly, you give up more privacy buying from a club. Let's compare what info they get about you:

    CD club:
    Real name, street address, credit history, and all the CDs you bought from them. All cross-referenced with whatever they bought from the direct marketing company that sold them your profile.

    my.mp3.com:
    Email address, MAC address, IP address, and all the CDs that you choose to beam in.

    If you're paranoid about privacy, use a throwaway email account from a free mail provider. The IP is probably a dynamic dialup IP. The MAC address is troubling, but not that many things record and cross-reference your MAC address yet (Windows 98 and Office 97 do). If they do, it's easy enough to replace. I have a closet full of old ethernet cards.

    Oh yeah, and block cookies from mp3.com and their banner ad providers.

  44. A whiff of a security flaw... by The+G · · Score: 2

    Okay, consider the question of why MP3.com found it necessary to put most of this in a closed-source library.

    I suspect that that is because there is no way for the MP3.com server to verify the ethernet MAC. An open-source implementation of this library (which I'm sure will be forthcoming real soon now) could forge the MAC.

    Why does MP3.com want the MAC? I assume it's to prevent account sharing -- if three or more MACs use the same account, they'd probably start denying requests, or at least they want to be able to start doing that if it becomes a problem.

    If the MAC is their _only_ security against account sharing in this protocol, a reverse-engineered reimplementation would allow wide-spread account sharing. Moreover, it is reasonable to assume that the MAC is the only security: To rely on IP would flag anyone with a dynamic IP as an account-sharer.

    This suggests that their sharing-detection would be vulnerable to abuse by an open-source reimplementation of their closed-source library. It also I think explains why they found it necessary to close the library: They've got a security flaw that could be easily exploited here.

    Using the MAC was a clever solution to the problem of account sharing. I'm afraid though that it wasn't clever enough. In the absence of any way for the server to verify the MAC, they're vulnerable.
    --G

    1. Re:A whiff of a security flaw... by PylonHead · · Score: 1

      Interesting thought. Maybe rather than account sharing, they are checking for account establishment.

      They can already limit the damage from account sharing: I read in one of the comments that only one client could beam music from a given account at a given time.

      But this would be easy to get around if I could create 10 accounts with my collection (each with a different hotmail address) and give each of my friends a different account :)

      --
      # (/.);;
      - : float -> float -> float =
    2. Re:A whiff of a security flaw... by jareds · · Score: 1

      This suggests that their sharing-detection would be vulnerable to abuse by an open-source reimplementation of their closed-source library. It also I think explains why they found it necessary to close the library: They've got a security flaw that could be easily exploited here.

      How does a closed source library keep you from spoofing your MAC address? The library is in user-space.

    3. Re:A whiff of a security flaw... by The+G · · Score: 1

      True enough, but spoofing one's MAC address for a particular userspace program, while possible, is still hard enough to prevent too many people doing it. As opposed to a client which took a fake MAC from the command line, which could make all of this trivial for even the newest of Linux newbies.

      Remember, their objective is probably to prevent casual account sharing, not all account sharing (which would be as much a technical and logistical impossibility as preventing people taping copies of their friends' CDs).
      --G

    4. Re:A whiff of a security flaw... by Anonymous Coward · · Score: 0

      Your argument has a flaw - the attack you describe can easily be addressed on the server side. By denying service to systems reporting MACs already in use for a specific account, they could get rid of the MAC cloning scenario. And by limiting connections to, say, only one or two MACs at a time, they can get rid of account sharing. There's no info in the article about whether they're doing either of these things, but I think the protocol is designed well enough to plan for such contingencies. **Serg**
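
The two server-side checks proposed in this thread (deny a MAC that is already in use for the account from somewhere else, and cap the number of machines an account beams from) are easy to sketch. The following is an added example, not MP3.com code and not from the Rice report; the log format, the field names, the limit of two beaming machines and the five-minute clone window are all assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed server-side policy knobs (not MP3.com's actual numbers):
MAX_BEAM_MACS = 2                    # a user beams CDs from at most this many machines
CLONE_WINDOW = timedelta(minutes=5)  # same MAC from two IPs this close together = cloned MAC

# Constructed sample log, not real MP3.com data.
# Fields: timestamp account mac ip event   (event is "beam" or "listen")
SAMPLE_LOG = """\
2000-01-25T10:00:00 alice 00:a0:c9:11:22:33 10.0.0.5 beam
2000-01-25T10:05:00 alice 00:a0:c9:11:22:33 10.0.0.5 beam
2000-01-25T18:30:00 alice 00:a0:c9:11:22:33 192.168.7.9 listen
2000-01-25T11:00:00 bob 00:50:04:aa:bb:cc 10.1.1.1 beam
2000-01-25T11:02:00 bob 00:e0:18:dd:ee:ff 172.16.0.2 beam
2000-01-25T11:04:00 bob 08:00:20:01:02:03 10.9.9.9 beam
2000-01-25T12:00:00 carol 00:10:4b:77:88:99 10.2.2.2 listen
2000-01-25T12:00:30 carol 00:10:4b:77:88:99 10.3.3.3 listen
"""


def parse_log(text):
    """Parse the whitespace-separated log format above, oldest record first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, mac, ip, event = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "mac": mac.lower(), "ip": ip, "event": event})
    return sorted(records, key=lambda r: r["ts"])


def analyze(records, max_beam_macs=MAX_BEAM_MACS, clone_window=CLONE_WINDOW):
    """Return {account: [reasons]} for every account that trips either heuristic."""
    beam_macs = defaultdict(set)   # account -> MACs that have beamed CDs
    last_seen = {}                 # (account, mac) -> (timestamp, ip) of previous request
    findings = defaultdict(list)

    for r in records:
        acct, mac = r["account"], r["mac"]

        # Heuristic 1: CDs beamed from more machines than one household plausibly owns.
        if r["event"] == "beam":
            beam_macs[acct].add(mac)
            if len(beam_macs[acct]) > max_beam_macs:
                findings[acct].append(
                    f"beamed from {len(beam_macs[acct])} distinct MACs (limit {max_beam_macs})")

        # Heuristic 2: one MAC turning up from two IPs almost at once. A laptop that
        # moves between home and work hours apart is fine (alice); seconds apart
        # means two machines are presenting the same MAC (carol).
        prev = last_seen.get((acct, mac))
        if prev is not None and prev[1] != r["ip"] and r["ts"] - prev[0] <= clone_window:
            gap = int((r["ts"] - prev[0]).total_seconds())
            findings[acct].append(
                f"MAC {mac} seen from {prev[1]} and {r['ip']} {gap}s apart")
        last_seen[(acct, mac)] = (r["ts"], r["ip"])

    return dict(findings)


if __name__ == "__main__":
    for account, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(account, "->", "; ".join(reasons))
```

Both heuristics rest on a value the client reports about itself, which is the point jareds makes above: a reimplemented client can send any MAC it likes, so this catches casual sharing, not a determined one. The second heuristic deliberately does not key on IP alone, because a dial-up user's address changes between sessions.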

  45. Other Media by milph · · Score: 1

    I have a large box of cassettes and a HUGE collection of albums. (The large round black vinyl things, for the youth impaired.)

    Many MP3's I've acquired I own on these media. The equipment to move the tracks to digital is available to me here at work. However, it's easier (to say the least) to acquire music I wish to listen to (and have paid the fee to own) over the internet.

    While compromises like this service are nice, they're not an absolute solution by a long shot.

    The fact that they're grabbing an intrusive amount of information, however, is offensive. (I suspect I'm preaching to the choir here, though.) It's not enough for an organization to ask if you want to send information, they should disclose what's being sent.

    (A co-worker just mentioned his extensive eight track collection to me...)

    --
    -- Chapman's Observation #1: Nothing is ever simple
  46. Re: To prevent uploading cartels by jasoegaard · · Score: 1

    It is reasonable that a user beams CDs from a very limited number of machines, since he must beam his CDs from home.

    My guess is therefore, that an account gets blocked if CDs are beamed from several machines. In this way I can not go visit all my friends and beam their CD-collections to my account.

    Another thing is accessing the same account from several machines at once. Although some say they don't block it now, it doesn't mean that they won't block it in the future.

    --
    -- A Mathematician is a machine for turning coffee into theorems. - Paul Erdös
  47. WTF? by Anonymous Coward · · Score: 0

    Did you even read the post (how the hell did you get a 1, moderators smoking crack again?)? He quoted the price model he wanted not the actual cost breakdown.

    Artists as is make about 7 cents on the dollar, usually less for new groups. I would not feel guilty getting mp3s. Even though cds should be much cheaper I would rather pay the whole $16.00 price to the musician rather than the RIAA/companies on general principle.

    Not to mention that the medium (CDs) is cheap and has been around for years so there is no R+D to pay for and the existing CD presses paid for themselves long ago.

    It is extortion.

  48. A possible security flaw? by medicthree · · Score: 1
    How would the software treat CDR copies of CDs? Would it be able to detect that the CDR was not an "original"? Is there anything on the CDRs themselves that marks them as unique?

    I know it doesn't sound very practical, because if a friend has a CD he could just as easily let you borrow it and "beam" it yourself, but what about on a larger scale? One could purchase CDRs on the black market and then beam them.. this would seem to hurt the industry more than even borrowing a friend's CD and beaming it.

    Any ideas about whether CDRs would be authenticated?

    1. Re:A possible security flaw? by rmull · · Score: 1

      I don't see why not... it's a bit-for-bit copy, after all.

      --
      See you, space cowboy...
    2. Re:A possible security flaw? by BrookHarty · · Score: 1

      The easiest protection for CDR copying is overburning. Most CDR burners will not burn over 74 minutes. Many music cds are 75-76 minutes.

  49. Re: forget Xing, they're the worst by TheGratefulNet · · Score: 2
    bladeenc is MUCH better than xing.

    and free, too.

    --
    "It is now safe to switch off your computer."
  50. borrow a cd and beam it - no proof of ownership by TheGratefulNet · · Score: 2
    there's this scenario: I borrow a stack of cd's, "verify" to mp3.com that I own them (actually, just temporarily possess them), then all of a sudden, I now have access to them across the net.

    now scale this up to a whole company. I borrow a stack of cd's from all the folks in my company hallway. and they borrow each other's (and mine).

    yeah, lots of holes in this model. just because you have a cd in your drive does NOT give mp3.com the authorization to allow you to access it from their site repeatedly.

    don't get me wrong - I hate the RIAA (who doesn't these days?) - but I have to admit that the reasoning behind my-mp3.com just isn't sound enough to stand up in court. IANAL, of course.

    --
    "It is now safe to switch off your computer."
    1. Re:borrow a cd and beam it - no proof of ownership by BrookHarty · · Score: 1

      If you borrow a cd you could just rip/encode it..

    2. Re:borrow a cd and beam it - no proof of ownership by TheGratefulNet · · Score: 2
      If you borrow a cd you could just rip/encode it..

      yes, of course. if you own enough disk space and a fast (and accurate DA-able cdrom drive). not everyone has that.

      and not everyone wants to take the time to rip/encode a stack of cd's. from what I understand, the 'verification' process of my-mp3.com is very quick - just a few block checks and that's it. sounds QUITE a bit faster than the lengthy rip/encode process.

      and worth noting, most unix folks use blade-enc as their encoder. this is generally a good encoder when the rate is 160k and above. for 128, it sounds like shite. I would be willing to bet that the my-mp3.com files are encoded with Frau, at 128k vbr. to purchase Frau for linux, last time I looked it was in the neighborhood of $200-300! no way I'd pay that, just for some binary-only encoder.

      so considering that my-mp3.com saves you encode time (and gives decent quality), AND allows playback at remote locations, I do see some benefit to it. technically speaking, of course - ignoring any legal issues for now.

      --
      "It is now safe to switch off your computer."
  51. I was referring to non-mechanical keys as well. by Anonymous Coward · · Score: 0
    Or, as they are often called, dongles. Parallel-port dongles are a nuisance but I'm thinking more about a USB dongle.

    The dongle would not carry any data that represented money. Instead, it would contain a unique number, probably cryptographically signed by a company like Verisign. The only thing on the dongle is an identity.

    I could buy such a dongle for cash at my local computer shop. Then I could plug it into any USB-equipped computer I find myself at and talk to an Internet Media Provider. I could initiate a secure connection and say "charge this dongle to this Visa card / anonymous e-cash account". Then the Internet media provider can send me my streaming media and bill me for it.

    Throw in some simple public key encryption (the dongle now contains a private key and a public key) and you've got something immune to replay attacks.

    Now the real question is economic: will people pay, say, $0.10 an hour for an Internet jukebox? I wonder how much my.mp3.com pays for the bandwidth to send an hour of Real Audio?

    1. Re:I was referring to non-mechanical keys as well. by ThunderBucket · · Score: 1

      Wouldn't said USB dongle have to have some processing power then? If it can't handle challenge/response then it would seem that the public and private keys are uploaded to the "USB host" and then memorized. I'm too tired to properly analyze this, but it seems that keeping the chip's CPU powerful enough to be {fast, secure} would cause high prices.

      Maybe trusted terminals where the public/private keys are changed periodically. (keep the last 3 so you only have to log in once a month or something) Actually, a one-week or so expiration on the codes would make password (or dongle replication) cartels pretty annoying to maintain.

      And the radio man says it is a beautiful night out there
      and the radio man says Rock and Roll lives

      --

      "All I do is eat and poop!" -- Bean
  52. A few things not said.... (and my thoughts) by BrookHarty · · Score: 1

    1. Username/password authentication is a standard authentication scheme. Just don't let 400 people use the account at once.
    2. Server side security.. The only thing you can do on a hacked account is add CDs.
    3. Privacy concerns... So you send a few things to MP3.com. IPv6 will use MAC addresses, your IP address IS logged, and your email is not private.

    I wish the RIAA would let MP3.com come out with new technologies. But then, Evil megacorps are everywhere.

    Later RIAA, gonna go beam-it over my dsl...

    1. Re:A few things not said.... (and my thoughts) by medicthree · · Score: 1
      1. Username/password authentication is a standard authentication scheme. Just dont let 400 people use the account at once.

      Yes, username/password authentication is usually a good way of preventing unauthorized users from using other people's accounts. This system only works, however, when the legitimate users have an incentive to keep their accounts private. For example, I'm definitely not going to give a large group of people my unix shell account password, for obvious reasons. When I lose nothing by letting everyone else have my password, however (as is the case with my.mp3.com), then the password authentication becomes useless for limiting access. Users might even have incentive for giving their passwords out ("I'll give you my password if you authenticate 20 CDs that I don't already have...").

      The only possible solution to this--and one that has been suggested--is to threaten revoking access to accounts that are obviously being used by numerous people. Various "adult" verification companies (e.g., Adultcheck) do this, but I'm not quite sure how efficient their systems are. I suppose MACs or IP addresses that my.mp3.com are collecting could be useful for this purpose.

  53. sharing accounts by Trepidity · · Score: 2

    The strange thing I see in all this is that everybody is making a big deal over the possibility of "faking" ownership of a CD so that you can download it illegally from my.mp3.com, but nobody (except several IRC channels who are doing this) seems to realize a much easier method - just share an account with lots of people. Each person legitimately "beams" the CDs they own, and all the people sharing the account can then access all the CDs. Sure, you could do this sort of piracy before by ripping your CDs and sending them to people, but here you're saved the trouble of ripping, and the bandwidth usage is all my.mp3.com's, rather than your modem/DSL/cablemodem/T1 connection.

  54. What the RIAA's gripe should be... by Carnage4Life · · Score: 2

    What stops me from getting an account at MP3.com, uploading some CDs then sharing this account with ALL my friends?
    Won't this lead to the same kind of pseudo-piracy that exists today with downloading MP3s off people's computers via Napster? After all most sites allow you to log in from multiple computers, so what stops me from uploading a few CDs and posting my account info on my webpage so everyone can share my taste in music?

    1. Re:What the RIAA's gripe should be... by osu-neko · · Score: 1
      What stops me from getting an account at MP3.com, uploading some CDs then sharing this account with ALL my friends?

      The same thing that prevents you from buying a CD and sharing it with all your friends: nothing. Does that mean Best Buy should be shut down for promoting piracy?

      --
      "Convictions are more dangerous enemies of truth than lies."
    2. Re:What the RIAA's gripe should be... by Carnage4Life · · Score: 2

      Wrong comparison...it's the same thing as buying a CD and burning a copy for all your friends. The RIAA should be worried like this; for instance if I told you to go to MP3.com and select the user name MusicLover and the password PhatBeats to access all 200 of my CDs I have successfully ripped off 200 artists. This is rather interesting and right now it seems that no one is focusing on this.

  55. What would be really cool by Wag · · Score: 1

    Now if they could just get it to work with CDs I actually own. Damn that Error 29!

  56. Forgot to mention Multiple Streams by Anonymous Coward · · Score: 0

    MP3.com prevents you from downloading more than one track in your catalog at a time. I tried it and got a message, "We are detecting multiple downloads to the same IP... bla bla" It's cool, it can be faster than ripping, I've used it mostly just to get back the tracks of some scratched cd's I own.

  57. Its not secure at all. by PhiRatE · · Score: 2

    I'd like to make the point that it actually isn't at all secure. A napster style configuration of people interested in listening to a wide variety of music could, by distribution, make the security method pretty much redundant.

    As noted, in order to sign up a CD, you need to be able to verify a particular random track. If the client machine, rather than checking its own CD drive, made a request out to a collaborative network for a given CD before attempting authentication, it could, upon reception of the request for a particular random block, forward this request to another machine that claimed to have the relevant CD, get the data from that machine, and then forward it on. Once this has happened, it's in your account; you don't have to repeat this, so a system where CDs are in drives only on occasion is perfectly acceptable.

    Take 20 or 30 people, and an application that requires that they have a CD, any CD, in their drive on load, and they can Beam register any of the 20 or 30 CDs online at the time, and as time goes by, they would rapidly build up a massive collection without a huge number of resources being tied up.

    The Beam It method is perhaps, because of this, even less secure, and more convenient than Napster, no long download times, no scratched, damaged or badly made recordings, all available for free on the condition that you have at least one CD you can share with everyone else.

    I have no doubt this concept has been picked up already by others. Game over mp3.com :/

    --
    You can't win a fight.
    1. Re:Its not secure at all. by Anonymous Coward · · Score: 0

      If each CD is only available briefly, the entire cabal would have to beam it over a short time. If they do this more than a few times, picking them out of the noise would be easy. One fix is for each cabal member to keep a raw CD image or two semi-permanently, but that requires an unused half gig or more from each member and still may not elude detection.

    2. Re:Its not secure at all. by osu-neko · · Score: 1

      Take 20 or 30 people, and an application that requires that they have a CD, any CD, in their drive on load, and they can Beam register any of the 20 or 30 CDs online at the time, and as time goes by, they would rapidly build up a massive collection without a huge number of resources being tied up.

      The amount of resources required for this is roughly the same as the amount of resources required to keep 10 times as much music online and available in mp3 format, and requires considerable coordination between the co-conspirators.

      The Beam It method is perhaps, because of this, even less secure, and more convenient than Napster, no long download times, no scratched, damaged or badly made recordings, all available for free on the condition that you have at least one CD you can share with everyone else.

      I have no doubt this concept has been picked up already by others. Game over mp3.com :/

      Yeah, right. There's not the slightest doubt in my mind that NO ONE is doing this. It's way more difficult and cumbersome than simply using Napster. If you think otherwise, give us a URL/IRC nick or something where we can verify that this is indeed occurring...

      --
      "Convictions are more dangerous enemies of truth than lies."
    3. Re:Its not secure at all. by PhiRatE · · Score: 2

      I did not say that people are doing it, only that people other than myself have surely seen the possibilities. It is not in the least more cumbersome than napster. It utilises all the benefits of Beam-It (No local HD storage required, good quality encodes) without any of the negatives (Having to own or borrow the CD)

      Writing an application that could make this kind of exchange possible is trivial, and should the numbers of users on the network rise enough, users could even operate the registration application without a CD, taking advantage of the large number of offered CDs by others.

      --
      You can't win a fight.
    4. Re:Its not secure at all. by PhiRatE · · Score: 2

      Not at all. I was only talking about 30 people, with a more napster-like level of hundreds or thousands of people, a vast number of CDs would be available at any given time, making discerning the usage from the noise much more difficult.

      Even in 20 or 30 people, having 20 or 30 cds constantly swapping in or out, with various members' music tastes being different and many of them missing swaps or already having a given CD from the last time, it would be difficult to pinpoint a particular group in a membership as large as Beam-It as CD sharing.

      --
      You can't win a fight.
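
The relay attack PhiRatE describes, and the detection the Anonymous Coward reply proposes, can both be shown on a small model of the protocol. This is an added example, not the Beam-It client, MP3.com's server or anything from the Rice report. It assumes the challenge is a list of random sector indexes and the response is a hash of each requested sector (the page only says the server asks for random blocks; the hash-based response format, the 64-sector "discs", the four sectors per challenge and the detector's window and threshold are all invented here for illustration). The discs and accounts are constructed.

```python
import hashlib
import random
from collections import defaultdict

N_BLOCKS = 64          # sectors per stand-in "CD" (a real disc has hundreds of thousands)
CHALLENGE_BLOCKS = 4   # sectors the server asks for per beam; assumed, not MP3.com's figure


def make_cd(title):
    """Constructed stand-in for a ripped disc: deterministic pseudo-random sector contents."""
    return [hashlib.sha256(f"{title}:{i}".encode()).digest() * 8 for i in range(N_BLOCKS)]


class BeamServer:
    """Holds the server's own rips and checks challenge responses against them."""

    def __init__(self, catalog, seed=1234):
        self.catalog = catalog            # cd_id -> list of sector bytes
        self.rng = random.Random(seed)    # seeded only so the example is reproducible
        self.beam_log = []                # (time, account, cd_id) of successful beams

    def challenge(self, cd_id):
        """Pick random sectors; the client must prove it can read them."""
        n = len(self.catalog[cd_id])
        return {"cd_id": cd_id, "blocks": self.rng.sample(range(n), CHALLENGE_BLOCKS)}

    def verify(self, account, now, chal, response):
        expected = [hashlib.sha256(self.catalog[chal["cd_id"]][i]).hexdigest()
                    for i in chal["blocks"]]
        ok = response == expected
        if ok:
            self.beam_log.append((now, account, chal["cd_id"]))
        return ok


def local_responder(cd):
    """Honest client: hashes the requested sectors straight off the disc in its drive."""
    return lambda chal: [hashlib.sha256(cd[i]).hexdigest() for i in chal["blocks"]]


def relay_responder(peers):
    """The attack: a client with no disc forwards each challenge to a peer that has one."""
    def respond(chal):
        peer = peers.get(chal["cd_id"])
        if peer is None:
            raise LookupError("no peer is currently offering " + chal["cd_id"])
        return peer(chal)   # the server cannot tell these bytes came from another machine
    return respond


def flag_cabal(beam_log, window, min_accounts):
    """Server-side countermeasure: CDs beamed by many distinct accounts within one window."""
    by_cd = defaultdict(list)
    for t, account, cd_id in sorted(beam_log):
        by_cd[cd_id].append((t, account))
    flagged = {}
    for cd_id, events in by_cd.items():
        for i, (t0, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged[cd_id] = sorted(accounts)
                break
    return flagged


def run_demo():
    cd_a, cd_b = make_cd("cd-a"), make_cd("cd-b")
    server = BeamServer({"cd-a": cd_a, "cd-b": cd_b})
    honest = local_responder(cd_a)                           # alice really owns cd-a
    relay = relay_responder({"cd-a": local_responder(cd_a),  # mallory owns nothing,
                             "cd-b": local_responder(cd_b)})  # but peers do
    results = {}
    chal = server.challenge("cd-a")
    results["honest"] = server.verify("alice", 0, chal, honest(chal))
    chal = server.challenge("cd-a")
    results["relay"] = server.verify("mallory", 30, chal, relay(chal))
    chal = server.challenge("cd-b")                          # alice has the wrong disc in
    results["wrong_disc"] = server.verify("alice", 60, chal, honest(chal))
    for now, account in [(90, "eve1"), (120, "eve2"), (150, "eve3")]:
        chal = server.challenge("cd-a")                      # the rest of the cabal piles on
        server.verify(account, now, chal, relay(chal))
    results["flagged"] = flag_cabal(server.beam_log, window=600, min_accounts=4)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The honest and relayed responses are byte-for-byte identical, which is the whole problem: the protocol proves that somebody on the network can read the disc, not that the account holder has it. The detector side shows the trade-off raised in the replies: with a short window it catches the burst of accounts beaming the same disc, but alice, who beamed honestly inside that window, is swept up too, and a larger ring spreading its beams over days disappears into the noise of ordinary users.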
  58. MAC address == useful marketing ID by acb · · Score: 2

    That's unlikely, unless the player software reports the MAC address back. AFAIK, only the submission client does that.

    I imagine the purpose is to build up a database of MAC addresses to lifestyle data. MAC addresses (being both unique and relatively immutable) are good keys for a database of things such as musical tastes, ad responses and such. That it can be correlated with an IP and an email address is a bonus.

    A lot of Windows websurfers have a tendency to blindly download "cool" software, such as that web cursor changing plug-in that was discovered to send personal data back to its maker. It is in this way that the MAC may be accessed, and may become more useful than a DoubleClick cookie.

  59. Re:How to use Beam-it without actually possesing i by osu-neko · · Score: 1
    To do this Alice needs a big disc, or a lot of CD players in her computer.

    She needs a smaller disk or fewer CD players if she just rips and encodes the CDs she wants to make available as mp3 files.

    As for the rest, that's a lot of work to go through to get MP3s streamed to you. In fact, you could reduce the amount of work involved and the amount of online storage required by simply ripping all the CDs in question, keeping the mp3s online, and sending them to whoever requests them, leaving mp3.com out of the picture altogether!

    So, in other words, you've really proven how mp3.com can't be effectively used for piracy. The same task can be accomplished much more cheaply and easily by NOT using mp3.com, so why would you go through all the extra effort?

    --
    "Convictions are more dangerous enemies of truth than lies."
  60. Re:How to use Beam-it without actually possesing i by geirt · · Score: 1

    Bandwidth.

    --

    RFC1925