Security Analysis of My.MP3.com and Beam-It Protocol
Serg writes, "Potential ammo for the upcoming MP3.com trial? From a member of the Rice University CS Dept: 'We found the protocol to provide strong protection against a user pretending to have a music CD without actually possessing it, however we found the protocol to be unnecessarily verbose and includes information that some users may prefer to keep private.'
You can grab the report in either PS or PDF format."
It is possible to respect the intellectual properties of others while still offering new and innovative services. Rock on.
:-)
There was definite worry about whether or not MP3.com's Beam-It software was going to be sufficiently secure as to avoid lawsuits. Since the MP3.com software was closed-source, and the protocol wasn't specified, it was a definite possibility that MP3.com was relying on "security through obscurity", just as the MPAA did with DVD (gee, doesn't this all just tie together nicely?).
However, the Beam-It protocol was obviously written with security concerns in mind. Knowing the protocol does not make it easier to spoof MP3.com into thinking you have music you don't (well, not *reasonably* easier).
Contrast this with CSS. Once the algorithm is known, it's easy enough to distribute unencrypted copies of the software, if you are so inclined (note: this *wasn't* the original intent of DeCSS, and I certainly haven't seen any evidence to support the idea that people are now pirating DVDs with DeCSS. And, yes, it was possible *before* DeCSS came about. There's also the whole bit-for-bit copy thing, if you can find the media...).
Yes, it's comparing apples and oranges. But you'll notice that MP3.com has achieved a happy medium for consumers-- allowing them to listen to other people's music, but still respecting the intellectual property of others.
Funny, huh? That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy. The paper is well-written enough that MP3.com could probably submit it as evidence (both in the RIAA's lawsuit against MP3.com, and in the slander lawsuit, since the RIAA has said that MP3.com has a flagrant disregard for IP, and this proves otherwise).
I'm an AC because I don't want my real name moderated down for run-on sentences