Security Analysis of My.MP3.com and Beam-It Protocol

Serg writes, "Potential ammo for the upcoming MP3.com trial? From a member of the Rice University CS Dept: "We found the protocol to provide strong protection against a user pretending to have a music CD without actually possessing it, however we found the protocol to be unnecessarily verbose and includes information that some users may prefer to keep private." You can grab the report in either PS or PDF format. "

Good and bad...

Any user who uses My.MP3.com is inherently giving up a remarkable amount of privacy. My.MP3.com knows every CD in a user's collection that they "beamed" to the server along with the user's e-mail address, network IP address and and Ethernet MAC address. An unscrupulous marketer could correlate musical preferences with other lifestyle choices and use this for targeted advertisement. MP3.com's pri-vacy policy 5 does not offer strong guarantees against this kind of behavior, and the ability to opt-out is at the bottom of the user-preferences page - something that most users will never do. And that is the reason for this sort of thing in a nutshell. While it sounds like a great idea for people who have a lot of CDs that they want to listen to both at home and at work, they will find themselves at the end of a barrage of "targetted" advertising. The spread of information from MP3.com will be exponential as more and more agencies sell your profile to interested parties. Oh joy, yet more spam. On the other hand, the lawsuit issue could be a good thing. MP3.com have a lot more money than the defendants in the other similar cases recently, and they are a company, able to organise their defence better than we've seen in the DeCSS trial so far. A victory in this case would have implications for the entire issue of people's right to use what they've bought, and for the digital media industry as a whole. Despite the privacy issues, which I don't like, I still hope MP3.com can win this case.

Showing that it's secure shows that...

It is possible to respect the intellectual properties of others while still offering new and innovative services. Rock on.

There was definite worry about whether or not MP3.com's Beam-It software was going to be sufficiently secure as to avoid lawsuits. Since the MP3.com software was closed-source, and the protocol wasn't specified, it was a definite possibility that MP3.com was relying on "security through obscurity", just as the MPAA did with DVD (gee, doesn't this all just tie together nicely?).

However, the Beam-It protocol was obviously written with security concerns in mind. Knowing the protocol does not make it easier to spoof MP3.com into thinking you have music you don't (well, not *reasonably* easier).

Contrast this with CSS. Once the algorithm is known, it's easy enough to distribute unencrypted copies of the software, if you are so inclined (note: this *wasn't* the original intent of DeCSS, and I certainly haven't seen any evidence to support the idea that people are now pirating DVDs with DeCSS. And, yes, it was possible *before* DeCSS came about. There's also the whole bit-for-bit copy thing, if you can find the media...).

Yes, it's comparing apples and oranges. But you'll notice that MP3.com has achieved a happy medium for consumers-- allowing them to listen to other people's music, but still respecting the intellectual property of others.

Funny, huh? That, in my mind, was the last legal hurdle-- proving that the Beam-It software took legitimate measures against piracy. The paper is well-written enough that MP3.com could probably submit it as evidence (both in the RIAA's lawsuit against MP3.com, and in the slander lawsuit, since the RIAA has said that MP3.com has a flagrant disregard for IP, and this proves otherwise).

I'm an AC because I don't want my real name moderated down for run-on sentences :-)

Re:What I don't understand

You're forgetting a few things.

I only have 10GB of hard drive space. That couldn't hold my 300+ CD collection. The space is used for things like software, source code, information and work on various projects, etc.

It takes much longer to rip a CD than use Beam-It. The most outdated piece in my computer is the 4x CD-ROM that I bought many years ago specifically so that I could use Slackware CDs instead of downloading at 2400bps. I have had absolutely no reason to buy a new CD-ROM, concentrating my budget on processors, hard drives, video, and sound cards.

With a large CD collection, it gets annoying to be constantly swapping CDs. With Beam-It, I simply leave a browser window open and play arbitrary CDs easily.

You mention errors. It has never skipped on me yet, the performance is great. The quality is also really good.

As for privacy, this isn't that much different than buying CDs from a "club." They're not grabbing financial information, email, Netscape history, etc. Them knowing what CDs I have is integral to the system, and I'm comfortable with that.

the article is useful...

Folks, instead of keeping your heads in the ass of "make all music free", realize that artists need to eat.

This internet thing, and the OSS mov't is new to most people...especally those that have lots of money invested in the "old" way of doing things. It takes time for ppl to get used to it..this is a good start.

The article itself is very useful in explaning how the system works, and it gives wannabe programmers (me), the ability to see how something is reverse engineered (it really took away a lot of the mysticism IMO).

Services vs. Privacy

That's really what this thing comes down to. In most cases, to get the services that you want, you have to give up some privacy. You want the goverment to give you Social Security; then you have to have a number attached to you. You want a credit card company to loan you money; then you have let them know about every purchase you make. If you want to have MP3.com handle all your music, then you have to let them know what music you like. That's just the way things go.
Although there are often some insidious reasons for collecting user data, the biggest reason is usually because it is either integral to the service or it makes it work much better. For example, /. has a feature to remember your user name and password. It is pretty insecure but it makes getting access easier. In MP3.com's case, some of the information is needed, some of it may make improve the service, and a some of it may turn out to be nefarious. The consumers can dictate what they want by either using or not using the service. That is part of the beauty of a free market. Consumers can dictate the forms of new products and services with their buying power. Companies will not offer what people do not want.