Slashdot Mirror
RIAA Tracking Songs by MD5 Hashes
aSiTiC writes "Apparently RIAA has obtained some technical experts in their prosecution of file swappers. Currently they are tracking traded mp3 files from the Napster network by matching MD5 hashes. This seems quite interesting but I was under the assumption that identical hashes could be created with identical rips and id3v2 tagging. Now may be the time to update your illegal mp3 file MD5 hash sums."
What if I own the CD but got files off the Internet because I was too lazy to rip them? Would I still be expecting to be sent to the prison camp?
In other news, all songs produced by RIAA artists in the last 10 years all have the same MD5 hash anyway, because they're all the same.
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
you just normalize or edit the begining or the end of the song? Does the MD5 Hashes still works?
will they start sending subpeonas to aol/tw customers this time?
It is generally believed amongst file traders that it is legal to download an mp3 for a song, when you own the CD. In other words, you don't need to rip and encode songs from your own CD. However, this may not be true (I am not a lawyer).
The RIAA is using MD5 hashes as a basis for proof that the individual in question downloaded the files they are sharing, instead of ripping them from their own CD collection. This is supposed to show the individual is a willing participant in stealing and distributing music, instead of someone who is just sharing what they already own. But, see above.
I think this is mostly just a FUD tactic. They can talk to the media about how their MD5 hashes prove so-and-so is a big mean pirate hacker. MD5 hash certainly sounds scary, especially when the technology is described by the media as a tool used by hackers.
---
I support spreading santorum
The only way for two files to have the same MD5 hash is for them to both be encoded with the same encoder, from the same WAV file, with the same bitrate and all advanced options, and to have exactly the same ID3 information, the same filesize, and to be identical to the last bit.
If two people used the same ripping software set to all its default settings (as many unsophisticated users do), got a perfect rip off the CD, and relied on CDDB information for tagging the song, then it's possible that they got mp3s identical down to the last bit, and thus identical MD5 hashes. BUT to make this a plausible defense, you'd have to show that your rip was in fact perfect. In other words you'd have to be able to recreate the mp3 independently. If the old Napster mp3 had any ripping errors, then it would be hard to claim that the later rip just happened to have the same errors - assuming errors are essentially random.
Are we sure they're actually using MD5? The article doesn't even contain the string "md5" that I can see. It mentions hashes though, but there's something called Robust Hashing which can be used to identify, or at least, compare content in a "fuzzy" way.
Belief is the currency of delusion.
Lets see someone put together an app that flips bits here and there within MP3s to make each one it runs against unique enough to create a new MD5 hash!? (I would, but I can only program in a pseudo-language ;) It could even be as simple as adding in a trailing byte to all of your MP3s, though that could be easily filtered. Hell, if you can hide messages within compressed JPEGs without noticeably affecting their quality, why not do something similar to MP3s just to jack up this sort of tracking!?
"1984" was ment to be a warning, not a guidebook. You hear that Kim Jong-il!? BushCo?!
What good evidence destroying/hiding mechanisms are there around? Apart from deleting and overwriting the area several times? How about something that can kill the hard-drive even when the computers off? I see crime scenes on the news all the time with police carrying out computer cases for examination - it always struck me that you could fit tamper protection in your computer - any attempt to move it, open the case or anything with out proper authorisation would cause the hd to torch its-self, this could be as simple as a battery inside with enough power to boot the machine quietly and very quickly destroy the data, the police would have no time to stop it, while all this is probably illigal itself, it could be better than being sued for $50000 per song or whatever their price is?
:)
I hope the next kazaa lite comes with file altering/deleting/anti-riaa utilities
This comment does not represent the views or opinions of the user.
No, we need to create a honeypot farm. You remember that article way back when on Slashdot? It described how to implenent a whole farm. Then we strictly prohibit scanning of the networks for MD5 checksums. Since RIAA is using bots, they won't read the warning and fire off the subeona. When you get a subeona, then you slam them with a computer crime lawsuit. See, you can still get rich from RIAA. But how do you get illegal MD5 check sums with out possesing the files? If you wanna screw with RIAA you have to be damned sure that you right.
The views expressed are mine own and do not express the views of my employer.
It's true that two different people could generate RIP's of the same track with the same MD5 hash, but the odds are low: they'd have to use exactly the same encoding settings, and enter exactly the same ID3 tags with exactly the same values. (Counterpoints: they could be default settings, and CDDB/Gracenote metadata, which would improve the odds a bit) And since we're talking about large music collections, the exact matching would have to have to happen across hundreds of tracks. And if the ID3 tags had notes like "ripped by so-and-so" that'd kinda blow the case. So while it's certainly true that MD5 hashes don't completely uniquely identify a particular RIP of a track, I think that when compared for large numbers of files, it'd be a pretty good indicator of file copying.
Enable 3D printed prosthetics!
If I use KaZaa to access indie artists who are
sharing their songs - as is their right - AND I
also rip my entire 1000+ CD/LP/8track collection
to the same computer AND I intellegently store
all the files in the same heirarchy.
Have any laws been broken?
KaZaa is configured to share everything in my
heirarchy so that the indie songs can continue to
be shared.
Have any laws been broken?
I go in for Jury Duty, meanwhile Another Kazaa
user downloads the indie shared files.
Have any laws been broken?
Another Kazaa user downloads the rips from my
personal collection because their 8track player
is on the fritz.
Have any laws been broken?
Another Kazaa user downloads the rips from my
personal collection because their LPs were
destroyed in a flood.
Have any laws been broken?
Another Kazaa user downloads the rips from my
collection because they want to see what the
latest Madonna single sounds like before going
out and buying the CD.
Have any laws been broken?
If any laws were broken here - who broke them?
Just because I leave the front door open does not
mean that anyone can enter and take what they
want from my house. Same as my computer.
The action of downloading is at question not
making the article available.
YMMV. Consult a lawyer.
comment directly in my journal
About this interpretation of Fair Use: I agree that downloading mp3's of CDs that you have purchased should be fair use. I am in a similar situation. A couple of years ago I lost 90% of my CD collection in an apartment fire. I had about 20 of these CDs ripped at the time and since then, I have downloaded many of the others to replace what I had paid for. In some cases, I re-purchased the CD because I wanted to have an original for some of my favorite artists but I didn't mind the mp3 mastered replacements for many of the CDs. Would this fall under Fair Use? I would think that it does since the RIAA seems to think that we are only purchasing a license to listen to the music. However, if I had to present the original CDs to a judge to prove that I do/did own the physical CD, I would be SOL.
The Tools Of Ignorance wanna be a tool?
Unless she had an OC-48 or two going into her home, she didn't make the files available for download by *millions* of strangers. When the resource is limited, the magnitude of the crime is likewise limited. If you offer a stolen watch on the streets of New York, you can't be charged with trying to sell it to MILLIONS of people, cause there's only one watch. Likewise, in this case there's only enough bandwidth for a certain number of potential downloads, and speaking of millions here is plain misleading.
If the people who downloaded files from her spread them further, that's THEIR crime and not hers, much as the guy who sold a stolen watch won't be found guilty for the watch buyer illegaly selling it to someone else.
And in this case, it's even less severe, as it's not a theft, but a copyright violation.
Regards,
--
*Art
The ripping stage can also produce slightly different checksums, depending on the condition of the CD - Audiograbber actually reports "potential speed errors". Unlike data CDs, some level of read error is considered acceptable on music CDs; you don't want the player to keep re-trying a bad sector if it detects a big problem - it would ruin your listening pleasure!
When I am king, you will be first against the wall.
what's stopping people from simply changing a letter in the mp3 info tag (the trivial approach) or a bit or byte somewhere in the file? Good luck matching my file to anything.
Well there are several things that could stop you. You could get the latest MISD (Microsoft Internet Social Disease), etc.
But if you don't, then short of other things stopping you, such as getting run over by a truck, you merely need to change one single bit in the file to have a very different MD5. That bit does NOT need to be in the ID tag. You could just decode one single mp3 frame, randomly selected from the file, alter one bit of the sound, and then re-code that single mp3 frame.
It is even possible that someone might be inspired to write a tool to do this. It would defeat a lot of the previous Slashdot discussions about using MD5 to indicate "good" downloads before you download them. But maybe trust relationships of the P2P swappers themselves, using private keys, is a better idea than trusting the download file.
The price of freedom is eternal litigation.
I was under the impression that MP3 (MPEG-1, Layer 3) was a lossy algorithm. Even with the same ripper settings working off the same stored raw CD audio file, will it actually produce identical output? Can the MP3 encoder drop different bits as irrelevant on different passes in time on the same data with the same settings? If this is indeed the case (I don't know, I am not familiar with the detail of the algortithm), then MD5 sums become a virtually foolproof way to identify a file since an identical sum can only be produced from the exact source MP3, not one that is close. Just a thought on that matter. And a second point, more of an idea really... Has anyone thought of trapping RIAA? Here is my proposal... 1) Go and buy 50-100 CDs from your local music stores (I know, this is abhorrent since you are lining the pockets of the people you want to fight but it is a means to an end). SAVE ALL THE RECEIPTS! You will need these. 2) Download a popular P2P program and sign on. 3) Go download crazy and download an MP3 for EVERY SINGLE SONG on the pack of CDs you just purchased. Be obviously, be a bandwidth pig, get somone's attention. 4) Take screenshots and printouts of the directories containing your "booty". This will establish the timestamps of when they were downloaded. Sign and date the screenshots, preferably with witnesses who sign them as well. 5) Wait for a supoena from RIAA. 6) Join RIAA in court and argue "fair use" by throwing up your stack of legally purchased CDs and the receipts for them clearly indicating that they were purchased PRIOR to the supposed infringement and you were simply wanting MP3s of CDs you own but lacked the knowledge/skill/time/tools to rip them. Is such a case copyright infringement? It's a dangerous game to play because the fair use doctrine has been supported, it is not a matter of law. The outcome could be undesired because it could cause a rethinking of what constitutes fair use. The fun part of such rethinking could be the broadening of what is considered infringement into areas where it was not infringement and ignite an absolute firestorm.
No, I did not have renter's insurance, so it was a complete loss for me. If I had been reimbersed, I would have likely re-purchased the CD's that I wanted most and forgotten about the ones that I seldom listen to. This brings up another question/issue. Before the fire, I could have made backup's of every CD that I had. Then after the fire, I wouldn't have lost anything audiable, just the physical packaging. However, after the fire, it was too late, but couldn't I have considered napster to be my backup. Since I could readily download a CD when ever I wanted, why make a backup of it?
The Tools Of Ignorance wanna be a tool?
You point out a very real danger.
If you just alter the ID3 tags without altering the mp3 content, then they can nail you. If simply altering id3 tags becomes commonplace because everything thinks it is the easy, trivial implementation, then they will nail you by checking the hash of the content. Identical content with trivially altered ID3 tags is a very good argument that you got this file from the thousands of other people who have the same hashed file with trivially altered ID3 tags.
I'm proposing a non-trivial, but not that conceptually complex alteration to the content that alters it in an imperceptable way. In fact, whether the alteration seems complex to you is irrelevant. After all, it is just a command line tool to you anyway, just like altering ID3 tags. You don't care how it is done. Run this tool on your mp3 file, it randomly affects an imperceptable alteration to one of the gazillions of 11-byte frames in the file.
However I doubt that they will go to such trouble -- if they have access to your files you're pretty much caught red-handed. A different MD5 checksum won't get you off of the hook here.
They might have access to your files if you are sharing them.
I think the original argument is that Jane Doe was sharing files. Jane claims the sharing is unintentional. Jane claims that the mp3's on her hard drive are her own rips of CD's she owns. The MD5 hash proves otherwise. This sub-discussion is about altering mp3's so that hashing is now useless at tracking the source of where you got an mp3 from. In the Jane Doe scenerio, a comples mp3 alteration to foil the MD5 hash would actually be useful.
Merely altering the ID3 tag such that the RIAA can also alter the ID3 tag back to what it is in the wild, and get identical MD5 hashes is a very strong argument against Jane Doe.
The price of freedom is eternal litigation.
Don't we already pay a small tax to the recording industry every time we buy blank audio CDs (but not data CDs)? I'd like to see some lawyer fight a case claiming that a P2P user has already paid the RIAA and is therefore exempt from their lawsuits when downloading the music and burning it to an audio CD. That would be an interesting lawsuit.
So did I, so I just ran the experiment:
Looks like under identical conditions (same drive) it'll rip consistently. Ripping off a different drive might give different results, that's more hassle than I want to try right now. If anyone wants to compare, the disc/track I ripped is Pink Floyd's Dark Side of the Moon, Capitol's catalog # CDP 7 46001 2, DIDX 226. (Different recordings will almost certainly give different results.)Oh, and to make RIAA happy:
;-)-- Alastair
Different drives, with the same disc, and identical software, certainly do give different results. Just tested. Identical versions of cdparanoia live on both systems.
I also ran lame with default settings (makes a 128K CBR) on both WAVs and got different sums there as well.
No tags involved.