Slashdot Mirror


Audiophile Torrent Site What.CD Fully Pwnable Thanks To Wrecked RNG (theregister.co.uk)

Reader mask.of.sanity writes: Users of popular audiophile torrent site What.CD can make themselves administrators to completely compromise the private music site and bypass its notorious download ratio limits thanks to the use of the mt_rand function for password resets, a researcher has found. From the report (edited and condensed): What.CD is the world's most popular high quality music private torrent site that requires its users to pass an interview testing their knowledge of audio matters before they are granted an account. Users must maintain a high upload to download ratio to continue to download from the site. [...] "I reported it a year ago, and they acknowledged it but said 'don't worry about it,'" said New-Zealand-based independent security researcher who goes by the alias ss23.


  1. Question? by npslider · · Score: 2

    What's this "CD" thing you speak of?

    1. Re:Question? by MightyMartian · · Score: 3, Funny

      I believe the Ancients used it to listen to music.

      Or perhaps it was simply a platter on which to place their protein nutrient powders. The Ancients were very strange.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Question? by Opportunist · · Score: 5, Funny

      Do we look like we're experts in paleoaudio?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Re:Illegal site poorly administered by Anonymous Coward · · Score: 2, Funny

    News at 11.
    This doesn't seem like particularly shocking news, nearly all torrent sites are poorly run.

    They could easily solve this problem by purchasing and installing some solid gold Monster Brand ethernet cables between the server and the router.
    I'm actually surprised they don't already do this, in order to provide the clearest audio for their torrents.

  3. "audiophile" site... by Lumpy · · Score: 3, Interesting

    Yeah not much in real good audio there. Sorry but a CD rip to FLAC is a joke. Call me when you have found that rare Japan release on SACD and then ripped that to FLAC....

    Also their questionnaire is mostly Pseudo Knowledge and not real knowledge. Buddy of mine is an audio engineer with 2 degrees and he did not pass their test because he answered what were correct answers and not their audiophile misknowledge answers.

    --
    Do not look at laser with remaining good eye.
    1. Re:"audiophile" site... by tlhIngan · · Score: 2

      Sorry but a CD rip to FLAC is a joke. Call me when you have found that rare Japan release on SACD and then ripped that to FLAC....

      Which is a joke because you can't "rip" SACD to FLAC. You must convert it.

      SACDs are in a format called Direct Stream Digital, or DSD. Aka 1-bit because they are 1-bit ADCs and DACs run very fast. (Sampling theorem states if you have an N bit converter, you can oversample it by 2^M times the required sampling rate to get an N+M bit converter. So if you have a bandlimited audio signal and a 14-bit 48kHz ADC, if you oversample it at 192kHz, you turn it into the equivalent of a 16-bit ADC at 48kHz.)

      DSD is actually known as "Pulse Density Modulation" (PDM) as opposed to traditional Pulse Code Modulation (PCM) which we normally deal with, and Pulse Width Modulation (PWM).

      Of course, the irony of SACDs is PDM is never used directly - if the microphone captures as PDM, it's converted to PCM for processing/mastering/arranging, then converted back to PDM for mastering. (Your cellphone most likely has a PDM "Digital" microphone).

      To rip an SACD, you need an old PS3 (fat, running Linux) that can image the SACD. You then run it through a PDM to PCM converter to get audio you can use which is then compressed using FLAC. And the default DSD frequency is about 2.9MHz, which is 44.1kHz * 2^16, turning the 1-bit ADC into a 16-bit ADC.

    2. Re:"audiophile" site... by KozmoStevnNaut · · Score: 2

      By "higher quality than CD", do you mean better mastered audio, or so-called "high-resolution" audio?

      Because the latter is bullshit of the highest order. There is absolutely no audible difference between a hi-res audio file and a CD-quality resample of that same file. None at all.

      But if you mean better mastering, I'm 100% with you on that one. The loudness war kills good music.

      --
      Eat the rich.
  4. Re:High download ratio? by Anonymous Coward · · Score: 2, Informative

    While many private sites have unreasonable upload ratios, what.cd isn't one of them. They have a graduated scale based on how much you've downloaded, but even at the highest point it's only 0.6, which is pretty easy to maintain even without all the freeleech tokens they hand out at holidays and special events.

  5. I must be new here by wwalker · · Score: 3, Insightful

    We are on a relatively tech-savvy site, right? Why is there a link explaining what an audiophile is (as if I couldn't have guessed from the context even if I didn't know), but there is no link explaining how the exploit actually works? (It's not mt_rand that's the problem, it's how you seed it) Why do I have to google after reading the summary? What's the point of having editors here at all?!

  6. Re:implying "audiophiles" have a clue by Anonymous Coward · · Score: 2, Informative

    The audiophiles on the torrent site care about proper rips, not fucking audio cables. Take your worthless jabs elsewhere.

    "Proper rips" means that the audio doesn't contain 50-ms gaps of zeroed-out data because the CD had a scratch.

    captcha: channels

  7. Re:High download ratio? by Matheus · · Score: 2

    Your math is disregarding a few details:
    Just to be complete: Already mentioned:
    1) Highest enforced ratio is 0.6. I've been on sites that go to the full 1.0 so this is somewhat friendly.
    2) They have periodic Free Leech times (thanks for being a member this weekend, sorry for the downtime, etc) and items (editors/admin picks, Bowie catalog when he died, etc) which allow you to build up some buffer in your ratio.

    Not already mentioned:
    1) The biggest way to improve your ratio on any site is to upload material not already on the tracker. Every bit of upstream on those is pure plus for your ratio and until the swarm gets big enough you will tend to be the source for a lot of the download traffic so you get BIG multipliers. (20-30x makes up for a lot of under-performing torrents.)
    2) It is kind of a Ponzi scheme that at some point the leaves will tend to have difficulty attaining a 1.0 ratio on any given torrent and given What's somewhat exclusive membership size it can be very difficult to gain positive ratio. That being said, this is a Ponzi where anyone in the network can be at the top or bottom for any given Torrent SO maybe you were a leaf on some obscure album you just had to have but you happened to jump on early and be a root for an extremely popular release so you got 5x on that one. You might have a lot of torrents that never quite reach 1.0 but your overall ratio can easily be above 1.0.

    Torrents only work well when people stay on to seed instead of hit-and-run style. Rules like this keep the swarms healthy. Note: this is not the only rule for this.. many sites also have specific restrictions for time period which actually ease the ratio rules a bit. "Sorry you were a leaf on this torrent but we're going to make you stay seeding for at least 2 weeks to keep the torrent alive. you don't get the ratio but you at least tried" Stuff.

  8. paleoaudio? by Anonymous Coward · · Score: 3, Funny

    I read as:

    Do we look like we're experts in pulseaudio?

    If there were experts, we wouldn't have pulseaudio.

  9. Re:implying "audiophiles" have a clue by KozmoStevnNaut · · Score: 2

    Yeah, you can hear the difference between a solid-state amp and a SET amp, because the SET amp will sound like crap in comparison, with distortion and noise that is significantly higher than with the solid state amp.

    And good luck actually hearing a difference between 320kbps or V0 MP3 compared to lossless. Try an ABX test, I think you'll be surprised at the result.

    --
    Eat the rich.
  10. Monster[TM] Ethernet cables aren't good enough by davidwr · · Score: 2, Funny

    They need to run their server on an analog computer and install a special "real analog modem" that stretches the sound out to fit in the 20-2000Hz range and sends it directly over the phone line as a pure analog signal. Their customers will need to buy analog computers and analog recording devices and of course one of those special "modems." Only then will their users get the best sound possible coming out of their $10,000 home audio system.

    Yea, it will be more expensive and keeping it temperature- and humidity-stable will be a pain in the rear, but it will be worth it.

    At least that's what my friend's second cousin's son-in-law ex-con school chum says. He should know, he sells the stuff.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Monster[TM] Ethernet cables aren't good enough by ArmoredDragon · · Score: 3, Interesting

      I've been a member of W.CD for about a year, and that's not the type of site it is. Most torrent sites that host music haven't the slightest clue how to make sure it is a decent quality release. Similar to how TV and movie torrent sites have extensive rules for quality (similar to what scene releases have,) W.CD has its own rules that can guarantee you aren't going to waste ratio or time on a crap release. But they don't go to those silly analog extremes. For example, 192kbit VBR MP3 (aka LAME v2) is a perfectly acceptable encode there because it provides audible transparency. What won't be accepted is i.e. having a 128kbit CBR MP3, or having anything that is up-encoded to fit the rules (and yes, you can empirically measure when somebody has done this, W.CD even provides guides for doing so.)

      I personally am not an audiophile, nor am I a music enthusiast, but it's a nice site. In addition to music, it's also a wonderful site for college textbooks (I personally have uploaded several, including ones I've scanned myself.)

    2. Re:Monster[TM] Ethernet cables aren't good enough by KozmoStevnNaut · · Score: 2

      MP3 can't produce transparent audio at ANY bit-rate. It has many design compromises like the anti-aliasing which produces audible distortions, and besides that, it's a frequency domain codec, like AAC and most others, which makes them all incapable of true transparency:

      https://en.wikipedia.org/wiki/...

      BS.

      If you want to prove your claims, please provide ABX test logs where you successfully detect any difference between high-bitrate MP3 and the lossless source. Because yes, MP3 is technically inferior to later codecs, but that doesn't make it useless, it just makes it less bitrate efficient for full transparency. And there are a couple of problem samples (not music) that it cannot achieve full transparency with, even at 320kbps, but those are only relevant for test purposes, they're very far from actual musical content. If you're not getting audible transparency on music, stop using an inferior encoder. LAME is the standard recommended encoder for a reason, it's vastly superior.

      And I'm sorry, but if you think ATRAC is superior to MP3, you've obviously never used a Minidisc player.

      Stop reading the haphazardly-edited dreck on Wikipedia (it's notoriously bad for technical subjects) and go join https://hydrogenaud.io/ instead. They would love if you could actually prove an audible difference between high-bitrate MP3 and the lossless source, in a properly controlled double blind test. You can start by reading their wiki page on MP3, which is a lot better than the one on Wikipedia: http://wiki.hydrogenaud.io/ind...

      For my own part, I've done lots of ABX testing, and even with the toughest musical sample I could find (solo harpsichord), LAME-encoded MP3 achieved full transparency at -V3 VBR for me, and while I could ABX it with 100% accuracy at -V5, I would not be able to hear any difference in normal playback. It was only when I played back the same snippets over and over that I could actually detect a minute difference in the sharpness of transients, but it was extremely subtle.

      Try disregarding your bias, and give MP3 a fair shake in a controlled listening test, instead of just reading the technical info and extrapolating. I think you'll be surprised at how good it actually is.

      --
      Eat the rich.
  11. Re:implying "audiophiles" have a clue by MightyYar · · Score: 2

    The thing about "warmer" sound from tubes... it's actually not completely unreasonable. People don't listen to perfectly-reproduced signals, they like to mess with the frequency response. People mess with tone control all the time, and even the crappiest car radios have bass and treble control. Tubes mess with the signal in all sorts of complex ways, especially toward the top when a transistor would start clipping. It is reasonable that some people would find this distortion to be pleasant. It also seems like a non-trivial problem to recreate this distortion digitally, though recording it and playing it back should be fairly straightforward. I wonder if there's a market for pre-warmed music? :)

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.