Security Analysis of My.MP3.com and Beam-It Protocol
Serg writes, "Potential ammo for the upcoming MP3.com trial? From a member of the Rice University CS Dept: "We found the protocol to provide strong protection against a user pretending to have a music CD without actually possessing it, however we found the protocol to be unnecessarily verbose and includes information that some users may prefer to keep private."
You can grab the report in either PS or PDF format. "
It WILL be cracked, it's just a matter of time.. client-side security doesn't mean much anymore.
Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.
If you own it, you're going to end up with a much better sounding song in about the same amount of time (or less)...
If you don't own it, you shouldn't even be downloading the songs in the first place, so stop fighting for Napster, Beam It, et al...
Any user who uses My.MP3.com is inherently giving up a remarkable amount of privacy. My.MP3.com knows every CD in a user's collection that they "beamed" to the server along with the user's e-mail address, network IP address and Ethernet MAC address. An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement. MP3.com's privacy policy does not offer strong guarantees against this kind of behavior, and the ability to opt-out is at the bottom of the user-preferences page - something that most users will never do. And that is the reason for this sort of thing in a nutshell. While it sounds like a great idea for people who have a lot of CDs that they want to listen to both at home and at work, they will find themselves at the end of a barrage of "targeted" advertising. The spread of information from MP3.com will be exponential as more and more agencies sell your profile to interested parties. Oh joy, yet more spam. On the other hand, the lawsuit issue could be a good thing. MP3.com have a lot more money than the defendants in the other similar cases recently, and they are a company, able to organise their defence better than we've seen in the DeCSS trial so far. A victory in this case would have implications for the entire issue of people's right to use what they've bought, and for the digital media industry as a whole. Despite the privacy issues, which I don't like, I still hope MP3.com can win this case.
This is such a major flaw in the whole concept of the product. I understand the reasoning behind the concept, but I would think they could have found a little better architecture. From a business model, how are they going to promote a product that fundamentally compromises the privacy of the user? Doesn't make sense to me.
More race stuff in one place,
than any one place on the net.
Any ideas why they would send the MAC address?
I would suppose mp3.com keeps an LRU list of the last 10 or so MACs to access a particular account, and denies access if multiple MACs try to access the site at the same time or if accesses occur from too many MACs in quick succession.
-- Too lazy to get a lower UID.
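As an added example (not MP3.com's code, whose real policy is unknown), a sliding-window heuristic of the kind the comment above speculates about: a per-account ring of recent MACs, with a little leeway for two players at once. The thresholds are assumed values, and since the MAC is whatever the client reports, this only catches naive sharing.

```python
from collections import deque


class AccountSharingMonitor:
    """Keeps the last few (mac, time) pairs per account and flags sharing patterns.
    All thresholds are assumed values for illustration, not MP3.com's real policy."""

    def __init__(self, history=10, max_macs=3, window=600,
                 max_concurrent=2, concurrent_window=30):
        self.history = history                    # LRU depth per account
        self.max_macs = max_macs                  # distinct MACs tolerated per `window` seconds
        self.window = window
        self.max_concurrent = max_concurrent      # leeway: a couple of players at once is fine
        self.concurrent_window = concurrent_window
        self.accounts = {}

    def record(self, account, mac, now):
        """Log one access and decide; returns (allowed, reason).
        `mac` is client-reported and therefore forgeable, so treat this as a heuristic."""
        hist = self.accounts.setdefault(account, deque(maxlen=self.history))
        hist.append((mac, now))
        recent = {m for m, t in hist if now - t <= self.window}
        concurrent = {m for m, t in hist if now - t <= self.concurrent_window}
        if len(concurrent) > self.max_concurrent:
            return False, "too many MACs at once: %d" % len(concurrent)
        if len(recent) > self.max_macs:
            return False, "too many MACs in quick succession: %d" % len(recent)
        return True, "ok"
```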
...someone were to rip their CDs to their own drive (or rig up a CD jukebox, etc) and allowed themselves, and only themselves, to access their own private server for the same result?
The result, for that one person, is the same though the work involved is now significant. The difference is now it is 'narrow'casting rather than a broadcast.
MP3.com removes the upfront workload of ripping everything or rigging up the jukebox, and centralizes the servers -- which makes them accessible. While I (for example) could eventually get something like this set up privately at home, running a server isn't a real option for me. No, I don't use MP3.com, but I do see the utility of the enterprise.
Not saying which is best or who is right, just curious about this.
I don't subscribe to RMS's GNUtopian vision.
It is possible to respect the intellectual properties of others while still offering new and innovative services. Rock on.
:-)
There was definite worry about whether or not MP3.com's Beam-It software was going to be sufficiently secure as to avoid lawsuits. Since the MP3.com software was closed-source, and the protocol wasn't specified, it was a definite possibility that MP3.com was relying on "security through obscurity", just as the MPAA did with DVD (gee, doesn't this all just tie together nicely?).
However, the Beam-It protocol was obviously written with security concerns in mind. Knowing the protocol does not make it easier to spoof MP3.com into thinking you have music you don't (well, not *reasonably* easier).
Contrast this with CSS. Once the algorithm is known, it's easy enough to distribute unencrypted copies of the software, if you are so inclined (note: this *wasn't* the original intent of DeCSS, and I certainly haven't seen any evidence to support the idea that people are now pirating DVDs with DeCSS. And, yes, it was possible *before* DeCSS came about. There's also the whole bit-for-bit copy thing, if you can find the media...).
Yes, it's comparing apples and oranges. But you'll notice that MP3.com has achieved a happy medium for consumers-- allowing them to listen to other people's music, but still respecting the intellectual property of others.
Funny, huh? That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy. The paper is well-written enough that MP3.com could probably submit it as evidence (both in the RIAA's lawsuit against MP3.com, and in the slander lawsuit, since the RIAA has said that MP3.com has a flagrant disregard for IP, and this proves otherwise).
I'm an AC because I don't want my real name moderated down for run-on sentences
Pay no attention to the parent of this post, "tilleyrw" is just another shill for the RIAA, hammering on the tired old MP3==stealing argument.
What you did has a technical name, jerk. It's called "theft".
#ifdef flame
Assholes like you give all the legitimate MP3 listeners a bad name. If you want to steal, that's your problem, but don't f---ing brag about it on a public message board!
#endif
Just because you can steal something doesn't make it right to do so. Just because the RIAA is a bunch of greedy lawyers doesn't justify stealing from them, or from the artists they screw over err... represent.
0 1 - just my two bits
They have shown that you can actually implement a secure sale of media content and how to do it.
Something Mr Valenti and the MPAA/RIAA crowd have yet to understand. If you want to use challenge response and/or encryption it makes sense if and only if it is personal. Period. Otherwise it will always get cracked. And the moment it gets cracked everybody gets it.
The most important fact in this article is that even after successfully reverse engineering beamer you cannot steal CDs from MP3.com and violate the (C) laws.
A good lesson to MPAA on how to design your marketing and protocol specs properly.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
This would be to prevent the "cartel" discussed in the article. I think they will leave some leeway, in case there are legitimate reasons to be playing two or more mp3s from the same account simultaneously.
The easiest way to cheat would be to borrow and beam your friend's CDs. A good afternoon of beaming and you could double your collection.
-- Too lazy to get a lower UID.
Folks, instead of keeping your heads in the ass of "make all music free", realize that artists need to eat.
This internet thing, and the OSS mov't is new to most people...especially those that have lots of money invested in the "old" way of doing things. It takes time for ppl to get used to it..this is a good start.
The article itself is very useful in explaining how the system works, and it gives wannabe programmers (me), the ability to see how something is reverse engineered (it really took away a lot of the mysticism IMO).
Q: What do you think about American Culture?
A: I think it's a good idea.
(adapted from Gandhi)
That's really what this thing comes down to. In most cases, to get the services that you want, you have to give up some privacy. You want the government to give you Social Security; then you have to have a number attached to you. You want a credit card company to loan you money; then you have to let them know about every purchase you make. If you want to have MP3.com handle all your music, then you have to let them know what music you like. That's just the way things go. /. has a feature to remember your user name and password. It is pretty insecure but it makes getting access easier. In MP3.com's case, some of the information is needed, some of it may improve the service, and some of it may turn out to be nefarious. The consumers can dictate what they want by either using or not using the service. That is part of the beauty of a free market. Consumers can dictate the forms of new products and services with their buying power. Companies will not offer what people do not want.
Although there are often some insidious reasons for collecting user data, the biggest reason is usually because it is either integral to the service or it makes it work much better. For example,
-- soldack
This report is important because the protocol is important. Some people (e.g. me) have argued against mp3.com's beaming service on the grounds that it would be easy to spoof, either by reverse-engineering the beamit client, or by writing a virtual CD-ROM driver that returns fake CDDB tags. The guys that wrote this report confirmed that it challenges the client to return some raw CDDA data from an unpredictable offset. That's a lot better than what I feared.
Maybe it's not important to you, but to me, this information changes my opinion of my.mp3.com's beaming service from an easy-to-crack w4r3z/mp3z server to something a bit more legitimate.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
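As an added example (not code from the report, the client, or MP3.com), the shape of the challenge-response the comment above describes: the server names an unpredictable window of raw audio and compares what the client returns against its own copy, so a client that only has a CDDB-style tag has nothing to answer with. Disc ids, the window size and the audio bytes are all constructed here; it also shows why a disc with an unreadable stretch fails only when the window lands on it.

```python
import hashlib
import hmac
import secrets

SECTOR = 2352  # bytes of raw CDDA audio per sector; the data below is a constructed stand-in


def make_disc(seed: bytes, sectors: int = 64) -> bytes:
    """Deterministic pseudo-audio so the example runs offline (constructed, not a real CD)."""
    out = bytearray()
    for i in range(sectors):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest() * (SECTOR // 32 + 1)
    return bytes(out[: sectors * SECTOR])


class BeamServer:
    """Holds reference audio for catalogued discs, keyed by hypothetical disc ids."""

    WINDOW = 8 * SECTOR  # assumed challenge size; the report does not state the real one

    def __init__(self, catalog: dict):
        self.catalog = catalog

    def challenge(self, disc_id: str):
        """Unpredictable offset: the client cannot precompute an answer from tags alone."""
        total = len(self.catalog[disc_id])
        return secrets.randbelow(total - self.WINDOW + 1), self.WINDOW

    def verify(self, disc_id: str, offset: int, length: int, response: bytes) -> bool:
        expected = self.catalog[disc_id][offset:offset + length]
        if len(response) != len(expected):
            return False
        return hmac.compare_digest(hashlib.sha256(expected).digest(),
                                   hashlib.sha256(response).digest())


class HonestClient:
    """Has the physical disc (here: its bytes) and reads whatever window is asked for."""
    def __init__(self, disc: bytes):
        self.disc = disc

    def answer(self, offset: int, length: int) -> bytes:
        return self.disc[offset:offset + length]


class TagOnlyClient:
    """Knows the disc id (a fake CDDB tag) but has no audio, so it can only guess."""
    def answer(self, offset: int, length: int) -> bytes:
        return bytes(length)


class ScratchedClient(HonestClient):
    """Honest disc with an unreadable sector range: reads in that range come back as zeros."""
    def __init__(self, disc: bytes, bad_start: int, bad_end: int):
        super().__init__(disc)
        self.bad = (bad_start, bad_end)

    def answer(self, offset: int, length: int) -> bytes:
        data = bytearray(super().answer(offset, length))
        lo, hi = max(offset, self.bad[0]), min(offset + length, self.bad[1])
        if lo < hi:
            data[lo - offset:hi - offset] = bytes(hi - lo)
        return bytes(data)


def beam(server: BeamServer, disc_id: str, client) -> bool:
    """One full exchange: server challenges, client answers, server checks."""
    offset, length = server.challenge(disc_id)
    return server.verify(disc_id, offset, length, client.answer(offset, length))
```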
I make a rational choice when I use services that demand information in exchange for a service... I opt out of systematic junk emailings and give them the info that they request in exchange for the service that they provide.
Take, for example, one of my favorite sites on the net, Moviecritic.com. This site has saved me lots of money and time by helping me to avoid movies that I wouldn't like. The site uses collaborative filtering to do so, but in the process also asks for some demographic information. Now, I'm sure that the demographic data which moviecritic collects is highly valuable. I'm also sure that its owner (the person who collected it from consenting moviegoers like me) sells it to movie studios, etc. I don't care. I like the service and just because there is capitalism and age/sex/zipcode information involved doesn't mean it's evil.
Amazing magic tricks
from the 'Terms and Conditions' on mp3.com
(my emphasis)
Does anyone with an mp3.com account have a copy of these or a link to them? I'm curious if any of these agreements (which you can't read before saying 'I Do') prohibits reverse engineering of the software, and/or attempts to circumvent it.
-Red
.sig Karma out the wazoo, better to spend points elsewhere if this is above 2 or below 0
Oh get over yourself. You said it yourself, record companies screw over artists.
Technology has eliminated the need for this middleman, the record company. Therefore, I will bypass them because they are unneeded. They don't offer me the cost model that I want: where the album costs at most 5 dollars and about 80% of the money goes to the artist. The technology isn't totally ready as far as bandwidth, but the record companies aren't exactly moving towards this model anyway.
I buy about 1 CD a month, usually AFTER I've heard it on mp3. So I end up screwing some artists out of a few cents. Hopefully they'll realize that there are alternatives out there. It's limited as to what's out there, but all we need is one company willing to run the cost structure I just mentioned, and that's all it will take.
Record companies would rather push proprietary formats with SDMI, or even worse, a pay per play format!!
Record companies view new technology as a reason for prices to increase for the consumer, while driving their own costs down. This is COMPLETELY unacceptable, and I will not go with it.
How many CDs are worth 16 dollars? I'd say maybe 10% of my collection qualifies. Do you realize CD prices haven't changed in about 10 years? Am I the only one who is bothered by this?
The whole stealing argument is legitimate, but it isn't the end of it. Record companies are much more immoral than I could ever hope to be.
Imagine, for example, that your CD is scratched in such a way that certain tracks are unlistenable. If you were to use the Beam-it software, and the verification process wasn't hampered by the scratches, you could regain the ability to listen to those "lost" songs. I'm not sure how much of the CD is randomly checked in the verification process, but most likely after a few tries you would be able to have a scratched CD verified.
You are severely underestimating the convenience that a service like this provides. It allows you to turn your computer into the equivalent of a CD jukebox without eating up your hard drive space. Now that my Kenwood jukebox is constantly flaking out on me I'm seriously considering switching to something like BeamIt. I have a couple hundred CDs and I'm constantly getting more, so it would be very convenient for me if I could pop a new CD into my computer for 10 seconds and then put the physical CD into storage so that it's not cluttering my work area. I would also love to have access to all my CDs on the days that I'm not working from home and without the need to lug 200+ CDs into the office.
You are also grossly underestimating the effort that such a service can save in ripping as well. If I were to rip every new CD I got I would spend a good hour or so each week interfacing with the ripper (typing in the song title, etc). That may not seem like a lot, but that is essentially what keeps me from doing it. I was thinking of extending Gtcd so that with the push of a button it would automatically rip all of the tracks from a CD and label them based on their CDDB entries, but I may look into using BeamIt instead (if it's available for Linux) since it has the added bonus that I could access my music from anywhere.
It's amazing how big of an effect a little convenience can have. I bought a TiVo a few weeks ago and at first glance it doesn't look like it does anything too revolutionary (aside from time shifting live programs). The features that it provides are available elsewhere for the most part. You can use a VCR to record shows you want to watch and you can use a TV Guide to pick shows that you want to watch. But when you combine all the little things that you could do using some other method into one very convenient system the end result is incredible. BeamIt sounds like it could be to music what TiVo is to TV and I intend to check it out...
-----
Free P2P Backup, Windows & Linux
My linux box has never successfully run windows. It started life as a Novell 4.1 server and was loaned to me by my employer until such time as they needed it back ;-) I tried installing 95 and nt, but it crashed immediately and the hard drive would not remain formatted, at least in a way windows would recognize. I have installed windows on all sorts of machines and not seen similar problems. It hated my cd-rom drive (so what if it is a Plextor and you need to use a caddy, redhat liked it). I fdisked my hd and installed Red Hat. No prob, except netscape crashes way too often.
I tried to rip CDs on my nt laptop, but the programs seemed not to work for my weird laptop cd drive. I have several gigs free on my linux box, so ripping CDs to it seems like a good use especially since my stereo stopped working.
--- If you don't want to know the answer, don't ask the question.
Okay, consider the question of why MP3.com found it necessary to put most of this in a closed-source library.
I suspect that that is because there is no way for the MP3.com server to verify the ethernet MAC. An open-source implementation of this library (which I'm sure will be forthcoming real soon now) could forge the MAC.
Why does MP3.com want the MAC? I assume it's to prevent account sharing -- if three or more MACs use the same account, they'd probably start denying requests, or at least they want to be able to start doing that if it becomes a problem.
If the MAC is their _only_ security against account sharing in this protocol, a reverse-engineered reimplementation would allow wide-spread account sharing. Moreover, it is reasonable to assume that the MAC is the only security: To rely on IP would flag anyone with a dynamic IP as an account-sharer.
This suggests that their sharing-detection would be vulnerable to abuse by an open-source reimplementation of their closed-source library. It also I think explains why they found it necessary to close the library: They've got a security flaw that could be easily exploited here.
Using the MAC was a clever solution to the problem of account sharing. I'm afraid though that it wasn't clever enough. In the absence of any way for the server to verify the MAC, they're vulnerable.
--G
and free, too.
--
--
"It is now safe to switch off your computer."
Now scale this up to a whole company. I borrow a stack of CDs from all the folks in my company hallway, and they borrow each others' (and mine).
Yeah, lots of holes in this model. Just because you have a CD in your drive does NOT give mp3.com the authorization to allow you to access it from their site repeatedly.
Don't get me wrong - I hate the RIAA (who doesn't these days?) - but I have to admit that the reasoning behind my-mp3.com just isn't sound enough to stand up in court. IANAL, of course.
The strange thing I see in all this is that everybody is making a big deal over the possibility of "faking" ownership of a CD so that you can download it illegally from my.mp3.com, but nobody (except several IRC channels who are doing this) seems to realize a much easier method - just share an account with lots of people. Each person legitimately "beams" the CDs they own, and all the people sharing the account can then access all the CDs. Sure, you could do this sort of piracy before by ripping your CDs and sending them to people, but here you're saved the trouble of ripping, and the bandwidth usage is all my.mp3.com's, rather than your modem/DSL/cablemodem/T1 connection.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
What stops me from getting an account at MP3.com, uploading some CDs then sharing this account with ALL my friends?
Won't this lead to the same kind of pseudo-piracy that exists today with downloading MP3s of people's computers via Napster? After all most sites allow you to log in from multiple computers, so what stops me from uploading a few CDs and posting my account info on my webpage so everyone can share my taste in music?
I'd like to make the point that it actually isn't at all secure. A napster style configuration of people interested in listening to a wide variety of music could, by distribution, make the security method pretty much redundant.
:/
As noted, in order to sign up a CD, you need to be able to verify a particular random track. If the client machine, rather than checking its own CD drive, made a request out to a collaborative network for a given CD before attempting authentication, it could, upon reception of the request for a particular random block, forward this request to another machine that claimed to have the relevant CD, get the data from that machine, then forward it on. Once this has happened, it's in your account; you don't have to repeat this, so a system where CDs are in drives only on occasion is perfectly acceptable.
Take 20 or 30 people, and an application that requires that they have a CD, any CD, in their drive on load, and they can Beam register any of the 20 or 30 CDs online at the time, and as time goes by, they would rapidly build up a massive collection without a huge number of resources being tied up.
The Beam It method is perhaps, because of this, even less secure, and more convenient than Napster: no long download times, no scratched, damaged or badly made recordings, all available for free on the condition that you have at least one CD you can share with everyone else.
I have no doubt this concept has been picked up already by others. Game over mp3.com
You can't win a fight.
That's unlikely, unless the player software reports the MAC address back. AFAIK, only the submission client does that.
I imagine the purpose is to build up a database of MAC addresses to lifestyle data. MAC addresses (being both unique and relatively immutable) are good keys for a database of things such as musical tastes, ad responses and such. That it can be correlated with an IP and an email address is a bonus.
A lot of Windows websurfers have a tendency to blindly download "cool" software, such as that web cursor changing plug-in that was discovered to send personal data back to its maker. It is in this way that the MAC may be accessed, and may become more useful than a DoubleClick cookie.