Security Analysis of My.MP3.com and Beam-It Protocol
Serg writes, "Potential ammo for the upcoming MP3.com trial? From a member of the Rice University CS Dept: "We found the protocol to provide strong protection against a user pretending to have a music CD without actually possessing it, however we found the protocol to be unnecessarily verbose and includes information that some users may prefer to keep private."
You can grab the report in either PS or PDF format. "
It is possible to respect the intellectual properties of others while still offering new and innovative services. Rock on.
:-)
There was definite worry about whether or not MP3.com's Beam-It software was going to be sufficiently secure as to avoid lawsuits. Since the MP3.com software was closed-source, and the protocol wasn't specified, it was a definite possibility that MP3.com was relying on "security through obscurity", just as the MPAA did with DVD (gee, doesn't this all just tie together nicely?).
However, the Beam-It protocol was obviously written with security concerns in mind. Knowing the protocol does not make it easier to spoof MP3.com into thinking you have music you don't (well, not *reasonably* easier).
Contrast this with CSS. Once the algorithm is known, it's easy enough to distribute unencrypted copies of the software, if you are so inclined (note: this *wasn't* the original intent of DeCSS, and I certainly haven't seen any evidence to support the idea that people are now pirating DVDs with DeCSS. And, yes, it was possible *before* DeCSS came about. There's also the whole bit-for-bit copy thing, if you can find the media...).
Yes, it's comparing apples and oranges. But you'll notice that MP3.com has achieved a happy medium for consumers-- allowing them to listen to other people's music, but still respecting the intellectual property of others.
Funny, huh? That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy. The paper is well-written enough that MP3.com could probably submit it as evidence (both in the RIAA's lawsuit against MP3.com, and in the slander lawsuit, since the RIAA has said that MP3.com has a flagrant disregard for IP, and this proves otherwise).
I'm an AC because I don't want my real name moderated down for run-on sentences.
You're forgetting a few things.
I only have 10GB of hard drive space. That couldn't hold my 300+ CD collection. The space is used for things like software, source code, information and work on various projects, etc.
It takes much longer to rip a CD than use Beam-It. The most outdated piece in my computer is the 4x CD-ROM that I bought many years ago specifically so that I could use Slackware CDs instead of downloading at 2400bps. I have had absolutely no reason to buy a new CD-ROM, concentrating my budget on processors, hard drives, video, and sound cards.
With a large CD collection, it gets annoying to be constantly swapping CDs. With Beam-It, I simply leave a browser window open and play arbitrary CDs easily.
You mention errors. It has never skipped on me yet, the performance is great. The quality is also really good.
As for privacy, this isn't that much different than buying CDs from a "club." They're not grabbing financial information, email, Netscape history, etc. Them knowing what CDs I have is integral to the system, and I'm comfortable with that.
That's really what this thing comes down to. In most cases, to get the services that you want, you have to give up some privacy. You want the government to give you Social Security; then you have to have a number attached to you. You want a credit card company to loan you money; then you have to let them know about every purchase you make. If you want to have MP3.com handle all your music, then you have to let them know what music you like. That's just the way things go. /. has a feature to remember your user name and password. It is pretty insecure but it makes getting access easier. In MP3.com's case, some of the information is needed, some of it may improve the service, and some of it may turn out to be nefarious. The consumers can dictate what they want by either using or not using the service. That is part of the beauty of a free market. Consumers can dictate the forms of new products and services with their buying power. Companies will not offer what people do not want.
Although there are often some insidious reasons for collecting user data, the biggest reason is usually because it is either integral to the service or it makes it work much better. For example,
-- soldack