Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Music Media

Security Analysis of My.MP3.com and Beam-It Protocol 164

Serg writes, "Potential ammo for the upcoming MP3.com trial? From a member of the Rice University CS Dept: "We found the protocol to provide strong protection against a user pretending to have a music CD without actually possessing it, however we found the protocol to be unnecessarily verbose and includes information that some users may prefer to keep private." You can grab the report in either PS or PDF format. "
This discussion has been archived. No new comments can be posted.

Security Analysis of My.MP3.com and Beam-It Protocol

Comments Filter:
  • That's really what this all boils down to in my mind. Lots of people with vested interest are worried about something that they can't stop. And they'll make life obnoxious for all of us for a very long time.

    --
    Max V.
  • Yes, but it's still dependant on client-side security, not server-side where it should be - which is like another well-known product: AOL.

    It WILL be cracked, it's just a matter of time.. client-side security doesn't mean much anymore.

  • Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

    If you own it, you're going to end up with a much better sounding song in about the same amount of time (or less)...

    If you don't own it, you shouldn't even be downloading the songs in the first place, so stop fighting for Napster, Beam It, et al...
  • The upcoming trial isn't about security, so this is rather irrelevant to that. However it certainly does make a rather nice front.....
  • Ripping your music to your hard drive is fine when you have a relatively small CD collection, but when you have CD's numbering in the hundreds, it can be a real problem. Plus, services like Beam It make it convenient for you to be able to access your entire library regardless of where you are without having to haul around a huge CD wallet (which can be stolen).
  • Begin Rant Mode


    When will the MPAA, RIAA, etc. realize that the days of closed-media are OVER!!! The other day, I wanted to listen to that new Marc Anthony tune -- I fired up Napster and downloaded it with the quarter-hour.


    They are trying to protect an outmoded means of media distribution. But like dinosaurs, it may be a while before the brain realizes the rest of the body is dead.


    End Rant Mode

  • While I think that this this news about beam-it security is very good and will make things a bit more difficult for the RIAA, IIRC their main complaint is the fact that they are "broadcasting" the music. MP3.com is like a radio station where you get to play all your favorites (that you happen to own) without all the commerical and control the industry requires. I think this case is very similar to the MPAA: it's all about control.


    --------
  • by spiralx ( 97066 ) on Wednesday February 16, 2000 @07:21AM (#1268068)
    Any user who uses My.MP3.com is inherently giving up a remarkable amount of privacy. My.MP3.com knows every CD in a user's collection that they "beamed" to the server along with the user's e-mail address, network IP address and and Ethernet MAC address. An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement. MP3.com's pri-vacy policy 5 does not offer strong guarantees against this kind of behavior, and the ability to opt-out is at the bottom of the user-preferences page - something that most users will never do. And that is the reason for this sort of thing in a nutshell. While it sounds like a great idea for people who have a lot of CDs that they want to listen to both at home and at work, they will find themselves at the end of a barrage of "targetted" advertising. The spread of information from MP3.com will be exponential as more and more agencies sell your profile to interested parties. Oh joy, yet more spam. On the other hand, the lawsuit issue could be a good thing. MP3.com have a lot more money than the defendants in the other similar cases recently, and they are a company, able to organise their defence better than we've seen in the DeCSS trial so far. A victory in this case would have implications for the entire issue of people's right to use what they've bought, and for the digital media industry as a whole. Despite the privacy issues, which I don't like, I still hope MP3.com can win this case.
  • by 348 ( 124012 )
    In the conclusion the report states that there are no significant security issues and that the user must be in possession of the original, also it reads something to the effect of users desiring privacy can use the traditional MP3 "Ripping" software. The architecture fundamentally compromises the privacy of its users to provide a centralized service.

    This is such a major flaw in the whole concept of the product. Understanding the reasoning behind the concept, but I would think they could have found a little better architecture. From a business model, how are they going to promote a product that fundamentally compromises the privacy of the user? Doesn't make sense to me.

  • Fairly short-sighted thinking there, though. What about, say, people listening at work? It means that you can do the beaming at home, then listen to more albums without having to cart tons of CDs into work with you.

    (And no, I don't particularly want to rip everything onto the disk at work, for a multitude of reasons.)

  • The paper just reports on the protocal. Its nice work but its nothing shocking. It might not even be entirely correct.

    I just have a feeling that there is something more important/worthwhile in the submission box than this.
  • Any ideas why they would send the MAC address?

    I would suppose mp3.com keeps an LRU list of the last 10 or so MACs to access a particular account, and denies access if multiple MACs try to access the site at the same time or if accesses occur from too many MACs in quick succcession.
  • I fail to understand how the Beam-It system compromises the user's privacy...although they certainly suffer from the Ralph's Club syndrome, it does not seem like this is something that would constitute a full-scale privacy breach, especially if there is an option to opt out...certainly not on the same scale as the doubleclick cookie issue.

    Maybe I'm just missing something. But then I still use my Ralph's Club card too.

    Not that I find Beam It to be the most useful thing in the world. I much prefer keeping everything on my 36GB HD =)
  • I can't stop myself from wondering why the question on the message is "possible ammo ... "
    After having a brief look at the article two things were very clear :
    1. the guys at Rice showed that the transaction language makes the protocol look a lot like ftp. And we all know that ftp servers are pretty well pretected
    2. in the conclusion of the article said (and I quote) " our analysis has revealed no glaring security flaw ... a user must have posession of the original CD (or a bit-for-bit perfetc copy ) ... The security of the system is not dependent on the mocule secrecy"

    I guess it should be pretty obvious for anyone that this article doesn't say anything about the security of the mp3 format. Or of a CD ... So why do you post misleading questions ?
  • Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

    If you own it, you're going to end up with a much better sounding song in about the same amount of time (or less)...

    If you don't own it, you shouldn't even be downloading the songs in the first place, so stop fighting for Napster, Beam It, et al...


    I am not positive, but I think you are missing the point here. This is supposed to offer a service to allow you access your CD collection anywhere. No, they don't upload the whole CD to their server, they do random data challenges to confirm you actually own the CD, then they all you to access their mp3s of that CD in your account. This saves you tons of time ripping and encoding unless you have a mind numbingly fast computer. Yes, it would sound better to carry the CD around with you, but this is an attempt to alleviate that need. As for "If you don't own it...." supposedly in that case Beam It doesn't help you much, since you can't answer the challenges and therefore don't gain access (with the exception of the local cartels idea discussed in the paper).
  • This is such a major flaw in the whole concept of the product. Understanding the reasoning behind the concept, but I would think they could have found a little better architecture. From a business model, how are they going to promote a product that fundamentally compromises the privacy of the user? Doesn't make sense to me.

    People don't care about their privacy to the degree that Beam-It threatens them. It's that plain and simple. We don't want our address information or phone number freely distributed out over the Internet, but we don't mind if people know what CDs we listen to. I personally don't care if they keep a database of the CDs that I frequent. Who cares what music I listen to, and conversely, who do I care knows? People are not being persecuted or harassed for it. The privacy of the user isn't completely compromised; it's just compromised enough to obtain enough information for the product to work. Phone books work the same way. E-mail directories work the same way. It's not a complete compromise, just a partial compromise.

    Of course, many partial compromises can be put together to form the whole picture, but it's already to late for that. If anyone thinks that their privacy is completely secure, they're insane. And in light of that, it's not a big deal (especially from a promotional standpoint) that listening habits could be catalogued.
  • by Anonymous Coward
    Taking a commercial product without paying is normally known as stealing.

    I hope your argument works well when the RIAA knock on your door and take you to court. Nice of you to put your name and address in your resume too - make it easier for them to find you.


    Saxo Grammaticus
  • I have over 600 CDs in my collection, bought over the last 10 years. I like the idea of being able to satisfy the sudden need to listen to a song while I'm at the office, without having to lug around my CD container, or 60 mp3 CDs (which, as a matter of fact, I have). For the customer, there's much to win. Why do we have to put up with this kind of corporate bullshit then? Fight and win, mp3.com!
  • Consider the following case:

    I buy a CD
    I tell beam-it that I own the CD
    I leave the CD in my car
    I can still listen to it at a friend's machine, even if I forget and leave my machine in Windows (no FTP).

    The biggest problem, as the authors noted, is the password-cartel issue. Carrying around hardware auth is about as annoying as carrying around the CD. At least with the current state of the art.

    And the radio man says it is a beautiful night out there
    and the radio man says Rock and Roll lives
  • Potential ammo for the upcoming MP3.com trial?

    I'm going to disagree. The movie editors that work with the movies off their hds are just as libable if they are on a network then. I could simply crack their machine and download their movies. Security holes will always be around, that is why security analyst have jobs.
  • ...someone were to rip their CDs to their own drive (or rig up a CD jukebox, etc) and allowed themselves, and only themselves, to access their own private server for the same result?

    The result, for that one person, is the same though the work involved is now significant. The difference is now it is 'narrow'casting rather than a broadcast.

    MP3.com removes the upfront workload of ripping everything or rigging up the jukebox, and centralizes the servers -- which makes them accessable. While I (for example) could eventually get something like this set up privately at home, running a server isn't a real option for me. No, I don't use MP3.com, but I do see the utility of the enterprise.

    Not saying which is best or who is right, just curious about this.
  • The portability issue is key. I use Beam-It, and it makes things soooo convenient when I want to listen to music in a computer lab. Just bring headphones. :) Oh, and Beam-It takes a *lot* less time per CD han ripping - I can "beam" a CD in under a minute, but my machine rips+encodes at just a shade over 1x, i.e. 40-60 minutes depending on CD length.
  • by Anonymous Coward on Wednesday February 16, 2000 @07:41AM (#1268083)
    It is possible to respect the intellectual properties of others while still offering new and innovative services. Rock on.

    There was definite worry about whether or not MP3.com's Beam-It software was going to be sufficiently secure as to avoid lawsuits. Since the MP3.com software was closed-source, and the protocol wasn't specified, it was a definite possibility that MP3.com was relying on "security through obscurity", just as the MPAA did with DVD (gee, doesn't this all just tie together nicely?).

    However, the Beam-It protocol was obviously written with security concerns in mind. Knowing the protocol does not make it easier to spoof MP3.com into thinking you have music you don't (well, not *reasonably* easier).

    Contrast this with CSS. Once the algorithm is known, it's easy enough to distribute unencrypted copies of the software, if you are so inclined (note: this *wasn't* the original intent of DeCSS, and I certainly haven't seen any evidence to support the idea that people are now pirating DVDs with DeCSS. And, yes, it was possible *before* DeCSS came about. There's also the whole bit-for-bit copy thing, if you can find the media...).

    Yes, it's comparing apples and oranges. But you'll notice that MP3.com has achieved a happy medium for consumers-- allowing them to listen to other people's music, but still respecting the intellectual property of others.

    Funny, huh? That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy. The paper is well-written enough that MP3.com could probably submit it as evidence (both in the RIAA's lawsuit against MP3.com, and in the slander lawsuit, since the RIAA has said that MP3.com has a flagrant disregard for IP, and this proves otherwise).

    I'm an AC because I don't want my real name moderated down for run-on sentences :-)
  • I tend to bring a different CD with me to work each day and rip it to my hard drive... Thanks to the wonders of hard drives capacity jumps, i've now got over 24 hours of music accessible to me at work... And it's all mine.

    I also have another CD full of Mp3's (again, mine) that i burned from home... it's another 8 hours.

    In the worst case scenario, just email them to yourself at work, supposing you've got the bandwidth to upload from home to Beam IT and download from Beam It to work, you cand do the same with your own files and alleviate the middleman that's causeing all the controversy
  • by jfunk ( 33224 ) <jfunk@roadrunner.nf.net> on Wednesday February 16, 2000 @07:45AM (#1268085) Homepage
    You're forgetting a few things.

    I only have 10GB of hard drive space. That couldn't hold my 300+ CD collection. The space is used for things like software, source code, information and work on various projects, etc.

    It takes much longer to rip a CD than use Beam-It. The most outdated piece in my computer is the 4x CD-ROM that I bought many years ago specifically so that I could use Slackware CDs instead of downloading at 2400bps. I have had absolutely no reason to buy a new CD-ROM, concentrating my budget on processors, hard drives, video, and sound cards.

    With a large CD collection, it gets annoying to be constantly swapping CDs. With Beam-It, I simply leave a browser window open and play arbitrary CDs easily.

    You mention errors. It has never skipped on me yet, the performance is great. The quality is also really good.

    As for privacy, this isn't that much different than buying CDs from a "club." They're not grabbing financial information, email, Netscape history, etc. Them knowing what CDs I have is integral to the system, and I'm comfortable with that.
  • No, it can't be cracked, because the key is much larger than the data the key is protecting (key=uncompressed audio data on cd, data = compressed mp3 audio). This is close to a "one time pad", the only crypto algo proved to be "safe".
  • No, I think what the problem is, is that there are some privacy issues with their implimentation, that do not have to exist, for such a program. Basically the 2 problems are that their privacy policy is a joke, and that the user/client gives up information like its MAC address, which is unnessesary for security, so obviously simply used for extra info for My.Mp3.com to collect and sell.
  • by 348 ( 124012 )
    There is more to the privacy part than just them keeping a log or database on what music you accessed isn't there?

    I admit I skimmed over parts of the report because it went on and on, but I thought that they tracked MAC address etc, as well as other things. I agree that if they were just logging my music tastes, BFD, who cares, but they are capturing more for the purposes (speculation) of more direct, targeted marketing based on that information.

    I believe that this will get out of hand very fast and create a PR nightmare, reminds me of the Real Player incident where they were capturing information in a way that really wasn't on the level.

  • In the worst case scenario, just email them to yourself at work, supposing you've got the bandwidth to upload from home to Beam IT and download from Beam It to work, you cand do the same with your own files and alleviate the middleman that's causeing all the controversy

    NO, NO, NO!! You aren't uploading whole the track with Beam-It, just a little "key" to verify that you have the CD. Then you stream it back to your audio player.

    -Brent
  • Pay no attention to the parent of this post, "tilleyrw" is just another shill for the RIAA, hammering on the tired old MP3==stealing argument.

    What you did has a techical name, jerk. It's called "theft".

    #ifdef flame
    Assholes like you give all the legitemate MP3 listeners a bad name. If you want to steal, that's your problem, but don't f---ing brag about it on a public message board!
    #endif

    Just because you can steal something doesn't make it right to do so. Just because the RIAA is a bunch of greedy lawyers doesn't justify stealing from them, or from the artists they screw over err... represent.
  • An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement. MP3.com's pri-vacy policy 5 does not offer strong guarantees against this kind of behavior, and the ability to opt-out is at the bottom of the user-preferences page - something that most users will never do.

    Oh I doubt it. Most people who are going to be using this service are most likely going to be like the people who read slashdot. We have high speed internet access and are at least a little technically inclined. I've opted out, as I always do when I give anyoned my email address... -WG
  • It WILL be cracked, it's just a matter of time.. client-side security doesn't mean much anymore.

    That's what I thought too, before I read this. I figured it would be too easily crackable. But if you read this paper, and you believe these guys who wrote it, then it looks pretty good. The client sends raw CDDA data (from an unpredictable(?) offset) as part of a challenge, and this is checked at the server. I dunno how I would spoof it. I guess I'm a convert now.

    There's still a lot of potential for account sharing, though, and the paper even mentioned it. (Along with a totally impractical "solution" for it.)


    ---
  • you're (still) missing the point. You're wasting your harddrive space - potentially in multiple locations (home, work, etc).

    I've beamed almost my whole CD collection in. 1400 songs so far. I can listen to this at home (DSL), at work (T3), or wherever. I no longer have to haul around stacks of disks, nor switch disks, nor waste my own harddrive space.

    No swapping disks, custom playlists, etc etc etc. I'm in heaven.... :)

    >>supposing you've got the bandwidth to
    >>upload from home to Beam IT

    try to follow closer - BeamIT DOES NOT upload your CD. All it does is verify that you actually own it. It takes seconds.

  • I completely agree with your last point regarding the security of the CD itself. Section 1.2 (Account Sharing Security) of the paper discusses the possibility of users pooling money to purchase CDs and then share passwords. Why bother using my.mp3 at all. Once you have the CDs you could just rip them and then share them with who ever you want. The CD itself is not secure. Stopping mp3.com would be an unnecessary bandaid when the real problem is that the RIAA needs to find other ways to make money with music, not just through record sales.
  • Ok, could you put your expertise where your mouth is? Could you tell me how to rip CDs or point me to resources for doing so? I have RedHat 6.1 installed on a Pentium 75 with 48 MB RAM and a 8GB Scsi harddrive. My CDRom is scsi as well and not very fast. Will this set up work?

    I also have a cable modem and dloading mp3s is quite easy. The difficult part is finding someone who has ripped the same CDs i have.

    I also have lots of tapes from the 80s. They suck for sound quality after too much, but can't i legally have MP3s of the songs from those albums? Why shouldn't I be able to download MP3s of my tapes and vinyl and 8 tracks as well as my CDs.
  • Very nifty protocol. I wouldn't have thought of a random CD block check.

    This potentially makes it much more difficult to fake the response to the server, tricking it into thinking you have the CD when you don't. Also the hash of the block is computed on the server side for verification, rather than on the client side. Good. They don't trust the client at all. :-)

    Now, of course, someone will just find a back door somewhere. Still, it shows that they didn't just whip the thing out, but put some thought into it.

    It's still a stupid service without widespread broadband. But more of that is appearing every day.

    ---
  • Score 10.

    They have showed that you can actually implement a secure sale of media content and how to do it.

    Something Mr Valenti and the MPAA/RIAA crowd have yet to understand. If you want to use challenge response and/or encryption it makes sense if and only if it is personal. Period. Otherwise it will always get cracked. And the moment it gets cracked everybody gets it.

    The most important fact in this article is that even after successfully reverse enginering beamer you cannot steal CD's from MP3.com and violate the (C) laws.

    A good lesson to MPAA on how to design your marketing and protocol specs properly.

  • This would be to prevent the "cartel" discussed in the article. I think they will leave some leeway, in case there are legitimate reasons to be playing two or more mp3s from the same account simultaneously.

    The easiest way to cheat would be to borrow and beam your friend's CDs. A good afternoon of beaming and you could double your collection.
  • OK, so this is completely OT. But I hate it when you see documents like this that are written in 2 column style. Sure that might work well on paper, but it really sucks in the Acrobat reader unless you've got a monitor with high enough rez to easily read the whole page at once. A single column layout is MUCH MUCH easier to read
  • by levl289 ( 72277 ) on Wednesday February 16, 2000 @08:09AM (#1268101) Homepage
    Folks, instead of keeping your heads in the ass of "make all music free", realize that artists need to eat.

    This internet thing, and the OSS mov't is new to most people...especally those that have lots of money invested in the "old" way of doing things. It takes time for ppl to get used to it..this is a good start.

    The article itself is very useful in explaning how the system works, and it gives wannabe programmers (me), the ability to see how something is reverse engineered (it really took away a lot of the mysticism IMO).

  • Now unless I'm mistaken, if you borrow a friend's CD, and 'add it to your collection', you've now got unlimited play access to MP3s from that CD, right?

    Of course, if you borrow your buddy's CD, you can rip the MP3s yourself. Mind you, if you own a CD, you can do it as well.

    What is this service good for again? :)

    I suppose not *everyone* has free and easy access to a personal FTP site. But I'd expect that will change over the next couple of years, what with bandwidth and hard drive space being so darn cheap.

  • People really don't mind if others know what CDs they listen to - often quite the contrary. Hell, many people (myself included) [ducker.org] spend a fair ammount of time publishing a database of their music collection.
  • Ok, could you put your expertise where your mouth is? Could you tell me how to rip CDs or point me to resources for doing so? I have RedHat 6.1 installed on a Pentium 75 with 48 MB RAM and a 8GB Scsi harddrive. My CDRom is scsi as well and not very fast. Will this set up work?

    This should work fine. I recommend the program Cdparanoia, which is a free command-line tool that runs under Linux (prolly other Unices too, but I've only used it with Linux). It'll let you turn each track on a CD into a .WAV file, which you then can feed into an MP3 Encoder. Cdparanoia is a *great* program that does its own error-correction, and has worked on every CD-ROM drive I've tried (both SCSI and IDE).

    As far as MP3 encoders go, the most popular free one is probably Bladeenc, also for Linux. To be honest, though, the commercial encoders (which use the Frauenhauffer(sp?) algorhytms) *do* sound better than any of the free encoders. I also haven't seen any good commercial MP3 Encoders for Linux, so that part may require a reboot into Windows.

    Be aware that encoding MP3 can be a very time-consuming process, espescially if you're only rocking a P75. But this shouldn't be prohibitive - it just means you'll want to fire off a batch job before you go to bed.

  • by soldack ( 48581 ) <soldacker@yLIONahoo.com minus cat> on Wednesday February 16, 2000 @08:19AM (#1268105) Homepage
    That's really what this thing comes down to. In most cases, to get the services that you want, you have to give up some privacy. You want the goverment to give you Social Security; then you have to have a number attached to you. You want a credit card company to loan you money; then you have let them know about every purchase you make. If you want to have MP3.com handle all your music, then you have to let them know what music you like. That's just the way things go.
    Although there are often some insidious reasons for collecting user data, the biggest reason is usually because it is either integral to the service or it makes it work much better. For example, /. has a feature to remember your user name and password. It is pretty insecure but it makes getting access easier. In MP3.com's case, some of the information is needed, some of it may make improve the service, and a some of it may turn out to be nefarious. The consumers can dictate what they want by either using or not using the service. That is part of the beauty of a free market. Consumers can dictate the forms of new products and services with their buying power. Companies will not offer what people do not want.
  • While it may have not been the original intention, showing interest in security is showing responsibility. By showing that MP3.com is taking active interest in attempting to solve some of the problems over which they have been criticized they will get big brownie points.
  • it seems like the industry is trying to put a stop to "illegal" mp3 sites by coming up with a way to verify that you already own a physical disc. they will then be able to say that because they can verify you have this disc, there is no longer a reason that songs from label-controlled artists should be available freely on the web because it constitutes copyright infringement. the great thing about mp3s is that they're small, quick to download or create, and give you the option of listening to parts of a CD BEFORE you buy the album, listen to the rest of it and find out that the whole album sucks except for the one or 2 catchy songs that happen to make it onto MTV. it's hard enough to find a STORE that will let you listen to CDs before you buy them. (i know of one whole such store in my area). it will also be impossible to obtain ONE good song from an album of sh*tty ones because you don't want to go pay $15-$20 for a full album to obtain a single. i wonder what sort of revenue in sales is created for the music industry by consumers buying a full album to get that "neat song i heard on the radio". the target-related advertising part of this bothers me too, because if you sample the way target advertising works for companies like BMG, you'll find madonna and christina aguilera (sp?) and nine inch nails and metallica in the same "if you like this artist..." category...and the associated artists most certainly are nothing alike. basically, i think what is going to happen here comes down to people receiving a lot of email and promo offers for things they don't want/need/have time for, and it's going to empower the government and coprorate junkies to have a tighter grip on what citizens do with the things they own.
  • WTF is encrypting/challenge-response to an anonymous recipient?

    You either know who is on the other end of the line doing challenge response or you do not. If you do not you do MPAA/DeCSS.

    It is an either or. MP3 does not keep your exact name and snail mail address. So make sure you use a good mail filter on a proper mail account and write an anonymizer proxy for the protocol and run it from a shell account somewhere (Not like they are not going to get youor IP when you request streaming data).

  • Or they could just post it in HTML and let people view it how they want to. If they want to release a PDF version for the suits, fine, but please...
  • Start with Grip, You'll need to get a ripper and encoder to go with it but I started with Grip and found it is a nice interface for starting out.

    grip homepage [nostatic.org]

    or you can just do a search on freshmeat [freshmeat.net] for ripping software. Download one, install it and play around with it. It is not that hard.

    I suspect that the reason you can only download mp3 files of CD's you own is not a legal one but a technological one. When you insert a CD into your drive, your PC can read the info (CCDB?) on it and use that verify that you own the CD. Can't do the same thing for tapes or LP's.

  • This report is important because the protocol is important. Some people (e.g. me) have argued against mp3.com's beaming service on the grounds that it would be easy to spoof, either by reverse-engineering the beamit client, or by writing a virtual CD-ROM driver that returns fake CDDB tags. The guys that wrote this report confirmed that it challenges the client to return some raw CDDA data from an unpredictable offset. That's a lot better than what I feared.

    Maybe it's not important to you, but to me, this information changes my opinion of my.mp3.com's beaming service from an easy-to-crack w4r3z/mp3z server to something a bit more legitimate.


    ---
  • It's nothing like a one time pad at all. This is authentication, not encryption.

    --
  • I take it you have never tried to stream audio over a modem before. Nobody encodes MP3s at 48kbps anymore, for good reason, they sound terrible. Plus whenever I stream audio, the audio invariably breaks up/pops whenever one of the other two people I share the modem with decide to download an mpeg, view a webpage, check their mail, etc...
  • If we must put up with ads, then why shouldn't they be targeted? If I am going to see ads, I at least want to see ads for products that I might want to buy.

    I make a rational choice when I use services that demand information in exchange for a service... I opt out of systematic junk emailings and give them the info that they request in exchange for the service that they provide.

    Take, for example, one of my favorite sites on the net, Moviecritic.com [moviecritic.com]. This site has saved me lots of money and time by helping me to avoid movies that I wouldn't like. The site uses collaborative filtering to do so, but in the process also asks for some demographic information. Now, I'm sure that the demographic data which moviecritic collects is highly valuable. I'm also sure that its owner (the person who collected it from consenting moviegoers like me) sells it to movie studios, etc. I don't care. I like the service and just because there is capitalism and age/sex/zipcode information involved doesn't mean it's evil.

  • by 348 ( 124012 )
    I agree, but two points:

    1) You chose to make public your DB of music likes and by ommision dislikes. You made the decision to make this information public.
    2) This architecture can allow the hosting entity to capture this and other information to use as they wish, without consent. Targeted spam etc.

    I would rather be in the position to make a decision to make public this information than to have a service provider capture and distribute the information without me being asked.

  • [ Okay, it's terms and conditions, but just as odious ]
    from the 'Terms and Conditions [mp3.com]' on mp3.com :
    You agree to bound by and subject to such terms and conditions, including but not limited to the
    (i) Instant Listening Service Terms and Conditions of Use and (ii) Beam-it End User Web Site And Software Terms And Conditions Of Use, each of which are incorporated herein by reference.
    (my ephasis)

    Does anyone with an mp3.com account have a copy of these or a link to them? I'm curious if any of these agreements (which you can't read before saying 'I Do') prohibits reverse engineering of the software, and/or attempts to circumvent it.

    -Red

  • Oh get over yourself. You said it yourself, record companies screw over artisits.

    Technology has eliminated the need for this middleman, the record company. Therefore, I will bypass them because they are unneeded. They don't offer me the cost model that I want: Where the album costs at most 5 dollars and about 80% of the money goes to the artist. The technology isn't totally ready as far as bandwidth, but the record companies aren't exactly moving twords this model anyway.

    I buy about 1 cd a month, usually AFTER I've heard it on mp3. So I end up screwing over some artists out of a few cents. Hopefully they'll realize that there are alternatives out there. Its limited as to whats out there, but all we need is one company willing to run the cost structure I just mentioned, and thats all it will take.

    Record companies would rather push proprietary formats with SDMI, or even worse, a pay per play format!!

    Record companies view new technology as a reason for prices to increase for the consumer, while driving their own costs down. This is COMPLETELY unacceptable, and I will not go with it.

    How many CD's are worth 16 dollars? I'd say maybe 10% of my collection qualifies. Do you realize CD prices haven't changed in about 10 years? Am I the only one who is bothered by this?

    The whole stealing argument is legitimate, but it isn't the end of it. Record companies are much more immoral than I could ever hope to be.
  • There is a security hole ....

    If Alice (who happens to own a large cd collection) register her collection using Bobs MAC and IP address, Bob could listen to all the music that Alice owns. Then Alice could do this again, and again, giving all here friends access to her collection. Alice could automate this, she creates a web site, where you enter your MAC and IP address, and a beam-it account is created on your behalf. To do this Alice needs a big disc, or a lot of CD players in her computer.

    Lets take this another step:

    Create a distributed registration service (think Napster), where every user has a CD in his/her cd player and a common database of avable CD at the moment. When you want to listen to a particular CD, you register it on beam-it, and receives the challenge. Then you forward the challenge to the machine which has the original CD, and get a response back which you forward to the beam-it server. Viola, you receive your MPEG2-layer3 file, without owning the CD.

    The weak spot in the protocol is that you don't want to transfer a lot of data (that's the whole point with beam-it), so you could easily send the data to another machine for validation.

    QED

  • haven't seen any good commercial MP3 Encoders for Linux,

    There is the Xing MP3 encoder [xingtech.com] for Linux that should work with RHS 6.1. For the $20 I spent on it, it's well worth it (and very FAST!)

    --

  • First post is a quick and zippy way of dumping off your mod points. If this wasn't the motivation, the moderator would have used his points to mod good threads up and not dump them on a post which was rated zero to start with. Zero remains at the bottom of the heap anyway, why move it further? It makes no sense. See this monkey?! It makes no sense, Why does Chubacka live on Endor? It makes not sense. . .
  • >>I take it you have never tried to stream
    >>audio over a modem before.

    I have, but i don't. I don't have to.
    Not trying to state the painfully obvious, but bandwith is increasing. All my net connections are full speed (T3, DSL at home, etc) and my.mp3 works great.

    The world is going broadband. Sure modems suck to stream, but this isn't meant for modems.
  • I use the service rather than dragging CDs to work or when travelling. I have access to my entire collection, and can quickly and easily select tracks for the playlist I want.
  • How do you figure this is client-side security? MP3.com owns a copy of all the disks, they could change the data they ask from from the CD periodically. Your 'spoof database' of information that mp3.com asks for would only be good for a week or two.

    I suppose that's good enough for you to set up your account and download the mp3s, but its likely that the spoof database is similar in size to just providing the pirated mp3s for download in the first place.

    Its not like someone's going to set up an account that has EVERY disc mp3.com owns (yeah, they won't notice that) then publish the username on the net for thousands of people to use. Only one person can connect on a username at a time, so your account would be shut off pretty quickly if you tried that. Even if you had multiple accounts, you're going to be turned of pretty quickly, as well as investigated.

    It seems to me that there are waaay easier ways to pirate music than hacking through mp3.com.

    Zipwow
  • Perhaps this isn't "stuff that matters," but it directly fits under "news for nerds." Did you bother to read the article? It is pretty interesting even if it isn't, as you say, "newsworthy."
  • Sure, you could do what you've described, but is it really practical? If you're going to create a distributed database of illegally copywrighted works in the range of terabytes of data, would you want to provide the raw CD information, or just the damn mp3s themselves?

    Additionally, this sort of 'service' would be clearly illegal, and anyone involved in it would be both detectable and prosecutable.

    That's assuming they live where there's laws, but if they live in China they probably just have a big database of mp3s ANYWAY, which is really the easiest route.

    This is akin to saying "The banks in the world are insecure because the vault could be broken into by freezing the lock and applying 40 tonnes of pressure" when you can just point a gun at the teller and ask nicely.

    Zipwow
  • Something I haven't heard mentioned before that might be another incentive to use the service: The ability to once again listen to damaged tracks.

    Imagine, for example, that your CD is scratched in such a way that certain tracks are unlistenable. If you were to use the Beam-it software, and the verification process wasn't hampered by the scratches, you could regain the ability to listen to those "lost" songs. I'm not sure how much of the CD is randomly checked in the verification process, but most likely after a few tries you would be able to have a scratched CD verified.

  • if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

    You are severly underestimating the convenience that a service like this provides. It allows you to turn your computer into the equivalent of a CD jukebox without eating up your hard drive space. Now that my Kenwood jukebox is constantly flaking out on me I'm seriously considering switching to something like BeamIt. I have a couple hundred CDs and I'm constantly getting more, so it would be very convenient for me if I could pop a new CD into my computer for 10 seconds and then put the physical CD into storage so that it's not cluttering my work area. I would also love to have access to all my CDs on the days that I'm not working from home and without the need to lug 200+ CDs into the office.

    You are also grossly underestimating the effort that such a service can save in ripping as well. If I were to rip every new CD I got I would spend a good hour or so each week interfacing with the ripper (typing in the song title, etc). That may not seem like a lot, but that is essentially what keeps me from doing it. I was thinking of extending Gtcd so that with the push of a button it would automatically rip all of the tracks from a CD and label them based on their CDDB entries, but I may look into using BeamIt instead (if it's available for Linux) since it has the added bonus that I could access my music from anywhere.

    It's amazing how big of an effect a little convenience can have. I bought a TiVo a few weeks ago and at first glance it doesn't look like it does anything too revolutionary (aside from time shifting live programs). The features that it provides are available elsewhere for the most part. You can use a VCR to record shows you want to watch and you can use a TV Guide to pick shows that you want to watch. But when you combine all the little things that you could do using some other method into one very convenient system the end result is incredible. BeamIt sounds like it could be to music what TiVo is to TV and I intend to check it out...

  • Yeah, I've been thinking along the same lines for a while. As far as I know, individual CDs don't have unique identifiers such that the BeamIt software could tell you, 'Sorry, this particular CD has been beamed already!'. The CD identifier being mentioned in the paper seems to only identify the album as Title X by Artist Y, not Title X by Artist Y, number Z in series . Maybe I am am wrong and someone who knows can enlighten us?

    In the end it all boils down to whether an action is legal and to what extent we as individuals are willing to obey the law. Noone prevents me from speeding, but I can get caught and fined, so I choose not to speed. I would think that many people would respect copyright laws and fines imposed on violators if caught and therefore not beam CDs they don't own.

  • Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues.

    You don't drag CD data "across the Net" with Beam-It ... you drag a code on the CD that identifies what it is. MP3.COM looks for that code in its database of ripped CDs, and if it exists, the CD is added to your private listening area on http://my.mp3.com [mp3.com]. The process requires no uploading or downloading -- I beamed a dozen CDs in 10 minutes on a 28.8 connection.

  • Is that if you have the CD, and you're too lazy to rip it to your hard drive and would rather drag it across the net at some arbitrary speed, with errors, and without knowing if the song is actually there, you've got issues. I have ~100 CDs. Ripped at 10:1, that's 6.5 gigabytes, or ~80% of my work machine's hard drive. Not to mention dozens of hours of ripping/encoding/editing time. Perhaps your time is of no value, mine is.
  • by Anonymous Coward
    - How does it protect against borrowing friends CDs?

    Besides which:

    - It challenges you for random blocks from each CD? Well... so you have to put the CD in your CD drive... which means, why not just listen to it from the CD drive?

    Its fair enough if you say "oh it means you dont have bother taking your CDs around", but eh? I'm confused. If it needs to grab info from teh CD, how does this mean you dont have to carry the CD around?
  • You said it yourself, record companies screw over artisits.
    Probably mostly true, unless, of course, the artist OWNES the record company.

    Technology has eliminated the need for this middleman, the record company.
    Wrong!!! A record company does a hell of a lot more for the artist than what you think.

    and about 80% of the money goes to the artist.
    Wrong again!!! What about the time it takes to record the damn thing? Or about paying the recording engineers, graphic artists, extra musicians, or even guitar techs that fix the broken guitar strings? There's alot more going on than you think. And what about the promotional videos? Did you take any of the extra expenses invloved with record/ CD production? The artists do NOT recieve 80% of the price you pay. I am sure that the record store where you buy it from makes about a 100% mark-up.
  • It's isn't a broadcast. That's the difference. People that are ignorant about technology think that all of this stuff is the equivalent to broadcasting. It's not. They are not throwing a bunch of data into the air allowing whoever wants to grab it to listen. What MP3.com is doing is sending a customized stream to an individual. This stream only contains music that the user was verified for.

    Even Shoutcast isn't broadcasting. Those 'stations' send a separate stream to each user who requests the stream -- they aren't sending the stream to everyone on the Net.
  • My linux box has never successflly run windows. It started life as a Novell 4.1 server and was loaned to me by my employer until such time as they needed it back ;-) I tried installing 95 and nt, but it crashed immediately and the harddrive would not remain formatted, at least in a way windows would recognize. I have installed windows on all sorts of machines and not seen similar problems. It hated my cd-rom drive( so what if it is a Plextor and you need to use a caddy, redhat liked it) I fdisked my hd and installed Red Hat. No prob, except netscape crashes way too often.

    I tried to rip cds on my nt laptop, but the programs seemed not to work for my wierd laptop cd drive. I have several gigs free on my linux box, so ripping cds to it seems like a good use especially since my stereo stopped working.
  • I was referring to non-mechanical keys. A mechanical key reader for a computer is probably going to lose (horribly) on price/performance to an electronic reader.

    The method I was thinking of at the time of the original post was mag-stripe style readers. These demagnetize annoyingly often and are not overly difficult to copy.

    Smart chips (a la AMEX's Blue card) would be OK, if there were readers for them. A mechanically simpler (thus cheaper) alternative would be the ID buttons made by Dallas Semiconductor. Two contacts, powered by the reader, and they have quite a large data capacity. (I don't have the link anymore.) These microchip-style authentications would be more resistant to replay attacks than magstripe.

    And the radio man says it is a beautiful night out there
    and the radio man says Rock and Roll lives
  • I take it you have never tried to stream audio over a modem before. Nobody encodes MP3s at 48kbps anymore, for good reason, they sound terrible. Plus whenever I stream audio, the audio invariably breaks up/pops whenever one of the other two people I share the modem
    This is increasingly not a problem as faster connections are becoming increasingly more pervasive, not less. Personally, I haven't needed to use an analog modem in the last two years. Given the millions of people who have cable or DSL, streaming audio is becoming increasingly usable.
  • I can't believe that no one has mentioned this: the RIAA lawsuit has nothing to do with the Beam-It technology, its security, or MP3 encoding. Nothing.

    To provide the music stream, MP3.com has to have ripped versions of every CD. They claim that they've got a database of 40,000 CDs available to be "beamed".

    The RIAA claims that MP3.com didn't BUY these 40,000 CDs; that they made unauthorized copies to create their database.

    Here is the relevant information from this CNN story: [cnet.com]

    But the RIAA is accusing MP3.com of creating an unauthorized digital music catalog of up to 45,000 CDs, claiming many of the copyrighted works are the property of its members.


    "Simply put, it is not legal to compile a vast database of our members' sound recordings with no permission and no license," Hilary Rosen, CEO of the RIAA, stated in the letter. "Obviously, you are not free to take protected works simply because you want them."

    [snip]

    But legal experts say that by creating a catalog of digital music without an explicit license, MP3.com has overstepped copyright laws.

    "I don't know what MP3.com is thinking," said Lon Sobel, editor of the Entertaiment Law Reporter and a former Loyola University Law School professor. "Under the Audio Home Recording Act of 1992, consumers get the right to make copies of material for their own non-commercial uses. It does not give others the right to do it on consumers' behalf."

    This RIAA statement [riaa.com] reiterates:

    The lawsuit against MP3.com has nothing to do with MP3 technology. It has to do with MP3.com, the company, taking music they don't own and haven't licensed to offer new services to make money for themselves.

    While all these discussions are fascinating and relevant to many outstanding legal issues, they somewhat miss the point of this particular lawsuit.


    ------
  • Yes this is still possible, but you couldn't possibly distribute as many copies this way as you could by posting an mp3 to the Internet. The recording industry has lived with this level of borrowing and copying for years. Just like when friends borrowed and taped LP's and CD's in the olden days.
  • Actually, (I think) Beam-It protects against that by only allowing one IP per login at any given time. Sure, people could share an account and take turns, but it kind of limits the usability of it, especially if you've got an assload of people using the one account.
  • >"Simply put, it is not legal to compile a vast database of our members' sound recordings with no
    >permission and no license," Hilary Rosen, CEO of the RIAA, stated in the letter. "Obviously, you
    >are not free to take protected works simply because you want them."

    And how is this different from a public library "compiling a vast database of sound recordings"? Do they need special permission from the RIAA?

    Is the RIAA saying that mp3.com didn't pay for the CD's at $15 each or that they didn't buy public performance rights? It's not really clear from the CNN article.
  • >As for privacy, this isn't that much different than buying CDs from a "club." They're not
    >grabbing financial information, email, Netscape history, etc. Them knowing what CDs I have is

    Exactly, you give up more privacy buying from a club. Let's compare what info they get about you:

    CD club:
    Real name, street address, credit history, and all the CDs you bought from them. All cross-referenced with whatever they bought from the direct marketing company that sold them your profile.

    my.mp3.com:
    Email address, MAC address, IP address, and all the CDs that you choose to beam in.

    If you're paranoid about privacy, use a throwaway email account from a free mail provider. The IP is probably a dynamic dialup IP. The MAC address is troubling, but not that many things record and cross-reference your MAC address yet (Windows 98 and Office 97 do). If they do, it's easy enough to replace. I have a closet full of old ethernet cards.

    Oh yeah, and block cookies from mp3.com and their banner ad providers.
  • Okay, consider the question of why MP3.com found it necessary to put most of this in a closed-source library.

    I suspect that that is because there is no way for the MP3.com server to verify the ethernet MAC. An open-source implementation of this library (which I'm sure will be forthcoming real soon now) could forge the MAC.

    Why does MP3.com want the MAC? I assume it's to prevent account sharing -- if three or more MACs use the same account, they'd probably start denying requests, or at least they want to be able to start doing that if it becomes a problem.

    If the MAC is their _only_ security against account sharing in this protocol, a reverse-engineered reimplementation would allow wide-spread account sharing. Moreover, it is reasonable to assume that the MAC is the only security: To rely on IP would flag anyone with a dynamic IP as an account-sharer.

    This suggests that their sharing-detection would be vulnerable to abuse by an open-source reimplementation of their closed-source library. It also I think explains why they found it necessary to close the library: They've got a security flaw that could be easily exploited here.

    Using the MAC was a clever solution to the problem of account sharing. I'm afraid though that it wasn't clever enough. In the absence of any way for the server to verify the MAC, they're vulnerable.
    --G
  • I make a rational choice when I use services that demand information in exchange for a service

    Your personal information is worth a great deal on money. Acquisition costs and QUALITY customer profiles are difficult to come by and are expensive. If you ever visit a site and it requests some type of consumer information from you, don't give it unless you feel you are being compensated fairly.

    Also realize that consumer targeting can cut down of the number of Tampax ads you recieve in the mail. The easier it is for companies to find the right customers, the less money they waste talking to the wrong ones, all of which helps to lower prices and make the market more efficient.

    One coin, two sides.

    --
  • A public library doesn't make a profit off of their vast database. Additionally, a library doesn't copy the music.

    IANAL, but I'm assuming that even buying the CDs wouldn't be enough. In fact, I wish I could modify my original post to change the word "buy" to "license".

    I'm not necessarily agreeing with this, mind you. It's just their argument, but "retransmission for profit" does seem to overstep the bounds "fair use" recording. An interesting twist -- my.mp3.com could be considered "fair use" for a consumer, but not for MP3.com the company.

    Back to the library analogy. I wonder how the RIAA would feel about a library buying CDs, then making copies to lend out (so they could lend 10 copies of Pavarotti, though they bought only 1). The library wouldn't be making a profit, but I think the RIAA would still sue (and win) because the use of the copies exceeds "fair use".

    ------
  • I can listen to this at home (DSL), at work (T3),

    if you're listening at work you either are the network admin, or have him locked in a closet. Nothing clogs a piple like 30 folks streaming 128kbps MP3s.

    --
  • I have a large box of cassettes and a HUGE
    collection of albums. (The large round black
    vinyl things, for the youth impaired.)

    Many MP3's I've acquired I own on these media.
    The equipment to move the tracks to digital is
    available to me here at work. However, it's
    easier (to say the least) to acquire music I
    wish to listen to (and have paid the fee to own)
    over the internet.

    While compromises like this service are nice,
    they're not an absolute solution by a long shot.

    The fact that they're grabbing an intrusive amount
    of information, however, is offensive. (I suspect
    I'm preaching to the choir here, though.) It's not
    enough for an organization to ask if you want to
    send information, they should disclose what's
    being sent.

    (A co-worker just mentioned his extensive eight
    track collection to me...)

  • My.MP3.com knows every CD in a users collection that they "beamed" to the server along with the users e-mail address, network IP address and and Ethernet MAC address. An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement.

    Keep in mind that even if they didn't know your CD list, the server would still always know what music you requested to be streamed back to you.

    The only way you can have privacy in this regard, is to use your own stream server (not mp3.com's), and encrypt everything that passes over a public network.


    ---
  • That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy.

    Uh-uh. MP3.com is still redistributing copyrighted material without the consent of the copyright owners. Even if they do have cryptographically strong verification of ownership, they do not have the right to redistribute those songs! I hate it, it sucks, but that's the way copyright law is written. The laws need to get fixed, but until they do, MP3.com is still violating copyright!
    --

  • What are you talking about? Beam-it has nothing to do with uploading of CDs or encoding or anything. How was this moderated up? This guy doesn't know what he is talking about. Beam-it according to the report on the site, only sends checksum type info. It doesn't send over whole songs -- that would be assinine.

    Just my $0.02,
    -Davidu
  • The Grip [ed.ac.uk] is a nice GTK app. It uses cdparanoia for the actual ripping and your choice of encoders. For encoding, LAME (LAME Aint No MP3 Encoder) is a good choice.

    The CDRom should be OK if it's not actually ancient (and may be OK even then). Things will go slow on a P75 though.

  • bladeenc is MUCH better than xing.

    and free, too.

    --

  • there's this sceanario: I borrow a stack of cd's, "verify" to mp3.com that I own (actually, just temporarily posess them), then all of a sudden, I now have access to them across the net.

    now scale this up to a whole company. I borrow a stack of cd's from all the folks in my company hallway. and they borrow each others (and mine).

    yeah, lots of holes in this model. just because you have a cd in your drive does NOT give mp3.com the authorization to allow you to access it from their site repeated.

    don't get me wrong - I hate the RIAA (who doesn't these days?) - but I have to admit that the reasoning behind my-mp3.com just isn't sound enough to stand up in court. IANAL, of course.

    --

  • The strange thing I see in all this is that everybody is making a big deal over the possibility of "faking" ownership of a CD so that you can download it illegally from my.mp3.com, but nobody (except several IRC channels who are doing this) seems to realize a much easier method - just share an account with lots of people. Each person legitimately "beams" the CDs they own, and all the people sharing the account can then access all the CDs. Sure, you could do this sort of piracy before by ripping your CDs and sending them to people, but here you're saved the trouble of ripping, and the bandwidth usage is all my.mp3.com's, rather than your modem/DSL/cablemodem/T1 connection.
  • What stops me from getting an account at MP3.com, uploading some CDs then sharing this account with ALL my friends?
    Won't this lead to the same kind of pseudo-piracy that exists today with downloading MP3s of people's computers via Napster? After all most sites allow you to log in from multiple computers, so what stops me from uploading a few CDs and posting my account info on my webpage so everyone can share my taste in music?
  • I'd like to make the point that it actually isn't at all secure. A napster style configuration of people interested in listening to a wide variety of music could, by distribution, make the security method pretty much redundant.

    As noted, in order to sign up a CD, you need to be able to verify a particular random track. If the client machine, rather than checking its own CD drive, made a request out to a collaborative network for a given CD before attempting authentication, it could, apon reception of the request for a particular random block, forward this request to another machine who claimed to have the relevant CD, and get the data from that machine, then forwarding it on. once this has happened, its in your account, you don't have to repeat this, so a system where CDs are in drives only on occasion is perfectly acceptable.

    Take 20 or 30 people, and an application that requires that they have a CD, any CD, in their drive on load, and they can Beam register any of the 20 or 30 CDs online at the time, and as time goes by, they would rapidly build up a massive collection without a huge number of resources being tied up.

    The Beam It method is perhaps, because of this, even less secure, and more convenient than Napster, no long download times, no scratched, damaged or badly made recordings, all available for free on the condition that you have at least on CD you can share with everyone else.

    I have no doubt this concept has been picked up already by others. Game over mp3.com :/
  • That's unlikely, unless the player software reports the MAC address back. AFAIK, only the submission client does that.

    I imagine the purpose is to build up a database of MAC addresses to lifestyle data. MAC addresses (being both unique and relatively immutable) are good keys for a database of things such as musical tastes, ad responses and such. That it can be correlated with an IP and an email address is a bonus.

    A lot of Windows websurfers have a tendency to blindly download "cool" software, such as that web cursor changing plug-in that was discovered to send personal data back to its maker. It is in this way that the MAC may be accessed, and may become more useful than a DoubleClick cookie.
  • If you borrow a cd you could just rip/encode it..

    yes, of course. if you own enough disk space and a fast (and accurate DA-able cdrom drive). not everyone has that.

    and not everyone wants to take the time to rip/encode a stack of cd's. from what I understand, the 'verification' process of my-mp3.com is very quick - just a few block checks and that's it. sounds QUITE a bit faster than the lengthy rip/encode process.

    and worth noting, most unix folks use blade-enc as their encoder. this is generally a good encoder when the rate is 160k and above. for 128, it sounds like shite. I would be willing to bet that the my-mp3.com files are encoded with Frau, at 128k vbr. to purchase Frau for linux, last time I looked it was in the neighborhood of $200-300! no way I'd pay that, just for some binary-only encoder.

    so considering that my-mp3.com saves you encode time (and gives decent quality), AND allows playback at remote locations, I do see some benefit to it. technically speaking, of course - ignoring any legal issues for now.

    --

  • Wrong comparison...it's the same thing as buying a CD and burning a copy for all your friends. The RIAA should be worried like this; for instance if I told you to go to MP3.com and select the user name MusicLover and the password PhatBeats to access all 200 of my CDs I have successfully ripped off 200 artists. This is rather interesting and right now it seems that no one is focusing on this.
  • I did not say that people are doing it, only that people other than myself have surely seen the possibilities. It is not in the least more combersome than napster. It utilises all the benefits of Beam-It (No local HD storage required, good quality encodes) without any of the negatives (Having to own or borrow the CD)

    Writing an application that could make this kind of exchange possible is trivial, and should the numbers of users on the network rise enough, users could even operate the registration application without a CD, taking advantage of the large number of offered CDs by others.
  • Not at all. I was only talking about 30 people, with a more napster-like level of hundreds or thousands of people, a vast number of CDs would be available at any given time, making discerning the usage from the noise much more difficult.

    Even in 20 or 30 people, having 20 or 30 cds constantly swapping in or out, with various members' music tastes being different and many of them missing swaps or already having a given CD from the last time, it would be difficult to pinpoint a particular group in a membership as large as Beam-It as CD sharing.

  • The encryption challenge responces are challenging random bits of data on the cd you own in your drive. This is a one time only thing, for when your beaming them your cd to prove you own it. After that you can receive the music without the need for proof

It is now pitch dark. If you proceed, you will likely fall into a pit.

Working...