Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Music Media Government The Courts The Internet Your Rights Online News

RIAA Tracking Songs by MD5 Hashes 779

aSiTiC writes "Apparently RIAA has obtained some technical experts in their prosecution of file swappers. Currently they are tracking traded mp3 files from the Napster network by matching MD5 hashes. This seems quite interesting but I was under the assumption that identical hashes could be created with identical rips and id3v2 tagging. Now may be the time to update your illegal mp3 file MD5 hash sums."
This discussion has been archived. No new comments can be posted.

RIAA Tracking Songs by MD5 Hashes

Comments Filter:
  • gee? (Score:5, Funny)

    by Comsn ( 686413 ) on Thursday August 28, 2003 @07:27AM (#6812611)
    The RIAA, the trade group for the largest record labels, said it also found other hidden evidence inside the woman's music files suggesting the songs were recorded by other people and distributed across the Internet.


    ya think? and here i thought it was the magical mp3 fairy who put mp3s on my hd...
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday August 28, 2003 @07:45AM (#6812771)
      Comment removed based on user account deletion
      • Re:gee? (Score:5, Interesting)

        by nearlygod ( 641860 ) on Thursday August 28, 2003 @08:17AM (#6813015) Homepage
        About this interpretation of Fair Use: I agree that downloading mp3's of CDs that you have purchased should be fair use. I am in a similar situation. A couple of years ago I lost 90% of my CD collection in an apartment fire. I had about 20 of these CDs ripped at the time and since then, I have downloaded many of the others to replace what I had paid for. In some cases, I re-purchased the CD because I wanted to have an original for some of my favorite artists but I didn't mind the mp3 mastered replacements for many of the CDs. Would this fall under Fair Use? I would think that it does since the RIAA seems to think that we are only purchasing a license to listen to the music. However, if I had to present the original CDs to a judge to prove that I do/did own the physical CD, I would be SOL.
        • Lost in a Fire? (Score:5, Insightful)

          by medscaper ( 238068 ) on Thursday August 28, 2003 @10:04AM (#6814256) Homepage
          A couple of years ago I lost 90% of my CD collection in an apartment fire. I had about 20 of these CDs ripped at the time and since then, I have downloaded many of the others to replace what I had paid for.

          Just out of curiosity...Did you have insurance? Did they write you a check for the CDs you lost in the fire? I doubt it, but if it had happened, would still feel you had already "paid for" the CDs, and simply thumb your nose at the RIAA and Big Insurance and download the files, as you'd already "paid for" them?

          I promise, I'm not begging to be flamebait. I'm really curious.

          Where does the line get drawn between physical property and intellectual property, and what rights do you have if you HAD purchased it, but it's gone now? I mean, I can't go to the lot and get another car because mine is destroyed in a fire. Of course, I could go take a picture of it...but I could do that anyway.

          I'm curious.

          • Re:Lost in a Fire? (Score:3, Interesting)

            by nearlygod ( 641860 )
            No, I did not have renter's insurance, so it was a complete loss for me. If I had been reimbersed, I would have likely re-purchased the CD's that I wanted most and forgotten about the ones that I seldom listen to. This brings up another question/issue. Before the fire, I could have made backup's of every CD that I had. Then after the fire, I wouldn't have lost anything audiable, just the physical packaging. However, after the fire, it was too late, but couldn't I have considered napster to be my backup
          • Re:Lost in a Fire? (Score:3, Interesting)

            by Dirtside ( 91468 )
            I mean, I can't go to the lot and get another car because mine is destroyed in a fire.
            The obvious difference is that if you download a copy of the CD, you haven't deprived anyone the use of the data you've downloaded. If you take another car, you have deprived that car's use to anyone else. (Similarly, if you copy a song from Bob, you can still both listen to it simultaneously. If you take Bob's car, you can't both drive it at once.)
        • by turnstyle ( 588788 ) on Thursday August 28, 2003 @10:29AM (#6814562) Homepage
          The 'Fair Use' stipulated in US Copyright law has nothing to do with making copies of music.

          Fair Use is about the right to quote portions of one work within another, as a means of making commentary, criticism, or parody. See Standford's explanation [stanford.edu] or Title 17, Chapter 1, Section 107 of the Copyright law [cornell.edu].

          You might argue that it's 'reasonable' to download an MP3 file that corresponds to a track from a CD that you own, but it's simply not 'Fair Use'.

      • Re:gee? (Score:5, Interesting)

        by arth1 ( 260657 ) on Thursday August 28, 2003 @08:49AM (#6813337) Homepage Journal
        This wouldn't, though, be a defense for the central problem that she made all of these MP3s available for download by millions of anonymous strangers without the consent of the copyright holders.

        Unless she had an OC-48 or two going into her home, she didn't make the files available for download by *millions* of strangers. When the resource is limited, the magnitude of the crime is likewise limited. If you offer a stolen watch on the streets of New York, you can't be charged with trying to sell it to MILLIONS of people, cause there's only one watch. Likewise, in this case there's only enough bandwidth for a certain number of potential downloads, and speaking of millions here is plain misleading.
        If the people who downloaded files from her spread them further, that's THEIR crime and not hers, much as the guy who sold a stolen watch won't be found guilty for the watch buyer illegaly selling it to someone else.

        And in this case, it's even less severe, as it's not a theft, but a copyright violation.

        Regards,
        --
        *Art
        • Re:gee? (Score:5, Insightful)

          by 3terrabyte ( 693824 ) on Thursday August 28, 2003 @09:20AM (#6813667) Journal
          Excellent point. The "magic number" system the RIAA uses is astounding. 52X burners count as 3 cd burners? $750 to $150,000 damages PER song is crazy.

          I thought I remembered seeing something about how you have to have a certain $$ amount before getting a felony. $2000? ANyway, they then said each song was worth about $200. I think it was something like $20 per song, times 10 people. 10 people being the gestimate of people you magically distributed it to, because obviously more than one person can download a song from you. Anyway, 10 songs and you're a felon.

          Anyway, these numbers don't add up. The RIAA likes to paint a screen of terror by saying that your one song you shared, can then be shared exponentially after that. Sure, it's true. You share it to 2 people. They share it to 2. By the end of the day, 1,000,000 people have it. But why would you be responsible for the 2nd thru 20th level of distribution? You only gave it to 2 people. And if it's "worth" $1 on iTunes, why isn't the damage $1 per song per download?

          It's this magic number system the RIAA counts by that causes them to sue 4 students for 47 billion dollars. It would have taken the RIAA 5 years of GROSS profits to hit 47 billion dollars. How can a search engine running for a couple months on a campus amount to 5 years of GROSS profits?? It doesn't...make...sense.. you must acquit.

    • Revealed: How RIAA tracks downloaders [cnn.com]


      (Music industry discloses some methods used)

  • MD5-hashes (Score:2, Interesting)

    As far as I know, you will get indentical hashes from identical files with the same ID3. How can they track files with the help of MD5-hashes?
    • Re:MD5-hashes (Score:3, Insightful)

      by whaley ( 6071 )
      I'm not sure what you mean, but they don't track mp3s by generations, they just look at the mp3 hash and compare it to the known hashes of files they found on the internet, so they 'know' you didn't rip the mp3 yourself.
    • Re:MD5-hashes (Score:5, Informative)

      by nolife ( 233813 ) on Thursday August 28, 2003 @08:36AM (#6813207) Homepage Journal
      I just did some consecutive rips of an audio track and compared the md5 checksums.

      I did the same song three times. The first two times, all things were equal including all settings. The MD5 checksums were the same.

      I swapped out my DVD/CD player for a different model. Reripped the track on the same computer with the same exact settings and the MD5 was different.

      I am using Exact Audio Copy in secure mode and Lame for the encoding. The ID tags were recieved the first time and the same tags used for all three attempts (EAC remembers the disk).

      I'm sure I could try many things like changing the read speed, comparing the wav files and not just the resulting mp3 etc.. but I do not have the time for more analysis.
      • Re:MD5-hashes (Score:4, Informative)

        by henele ( 574362 ) on Thursday August 28, 2003 @09:20AM (#6813669) Homepage
        If you read places like CDFreaks [cdfreaks.com] you'll see that extracting CD Audio is a mix of science and voodoo.

        Theres issues of offset values (as with CD audio it is difficult to hit an *exact* location on the disk), plus the way the reader deals with C1 and C2 error correction, as well as how different extracting software interfaces with the hardware.

        It would almost be safe to say two mp3s with the the same MD5 are one file copied twice (as opposed to two individually created mp3s), but that doesn't mean they are illegal...

  • What if... (Score:5, Interesting)

    by moehoward ( 668736 ) on Thursday August 28, 2003 @07:28AM (#6812620)
    What if I own the CD but got files off the Internet because I was too lazy to rip them? Would I still be expecting to be sent to the prison camp?

    In other news, all songs produced by RIAA artists in the last 10 years all have the same MD5 hash anyway, because they're all the same.
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Thursday August 28, 2003 @07:33AM (#6812663)
      Comment removed based on user account deletion
      • Re:What if... (Score:4, Informative)

        by IpalindromeI ( 515070 ) on Thursday August 28, 2003 @08:27AM (#6813108) Journal
        you have to be sharing them, which is the illegal part

        Actually that's not true. They only care about the sharing because it leads to what they really care about: people listening to music that they didn't pay for. If everyone who shared mp3s had bought every CD of the songs they downloaded, no one would care because they would have already paid to listen to those songs. The problem is that most people don't own all of the CDs for the songs they download, and the RIAA doesn't like it when you try to wriggle out of their money trap. If the actual sharing was the problem, the distribution itself, then we wouldn't have radio stations playing music either, because that also lets people listen to music they didn't pay for, but it's a bit different because you don't really get a choice of what you hear. But now if you go and start recording songs you hear on the radio, so you could listen to them whenever you wanted, you're getting into that grey area. Of course the RIAA doesn't really care about that because they know that radio quality is shit, so there won't be widespread radio recording anyway.
        • Re:What if... (Score:3, Informative)

          No, you are demonstrably wrong. The RIAA cares about sharing because it means loss of control for them. The RIAA is all about controlling distribution channels and sharing disintermediates their existence. Make no mistake, if they could come up with a way to sell you the same song twice, they would (ever try to get a cracked 3-year old CD replaced? They won't do it, you gotta buy a new one even though you already "own" the music.

          Now here is where it gets good - the downfall of mp3.com was exactly becau
    • Re:What if... (Score:2, Insightful)

      by Anonymous Coward
      In all seriousness, just the other day I wanted to rip an old CD of mine, but could not due to media damage. So, I went the net and got myself an mp3 of the track.
      Is that illegal? Am I a fellon?

      -- A.C.
    • No one knows (Score:3, Insightful)

      by jcsehak ( 559709 )
      From the article:
      Copyright lawyers said it remains unresolved whether consumers can legally download copies of songs on a CD they purchased rather than making digital copies themselves.

      So it's still up in the air. But here's where I get confused:
      For example, the industry disclosed its use of a library of digital fingerprints, called "hashes," that it said can uniquely identify MP3 music files that had been traded on the Napster service as far back as May 2000.

      By comparing the fingerprints of music
  • What happen if (Score:5, Interesting)

    by Anonymous Coward on Thursday August 28, 2003 @07:28AM (#6812622)
    you just normalize or edit the begining or the end of the song? Does the MD5 Hashes still works?
    • Re:What happen if (Score:5, Informative)

      by l1gunman ( 463233 ) on Thursday August 28, 2003 @07:34AM (#6812685)
      Any modification, to ANY bit of the file covered by the hash, will change the MD5 hash (that's how hashes work). If you assume the hash includes the ID3 tag info, then simply editing the info (putting something in the notes field, for example) would change the hash.

      On the other hand, if I were the RIAA attempting to identify common files in this way, I might be inclined to exclude the ID3 tag from the MD5 computation since it is so easily modified.

      Any changes to the actual content, though, will ripple into the MD5 computation.

      Short answer: "normalizing" the file for volume, or even chopping off a few seconds of trailing silence with something like CoolEdit will certainly change the hash and make it distinct from whatever their baseline hash value is.
      • Re:What happen if (Score:5, Informative)

        by 1u3hr ( 530656 ) on Thursday August 28, 2003 @08:36AM (#6813205)
        Short answer: "normalizing" the file for volume, or even chopping off a few seconds of trailing silence with something like CoolEdit will certainly change the hash

        If that's all you want to do, much better not to use Cooledit, which has to expand and recompress the file to MP3. Use something like MP3Trim [logiccell.com] which can chop off any given number of MP3 frames, or normalise the volume, by operating on the MP3 directly. Much much faster, and no expand/recompress quality loss.

  • by Organized Konfusion ( 700770 ) on Thursday August 28, 2003 @07:28AM (#6812623) Journal
    The md5 hashing algorithm has been proven to contain flaws [ottawa.on.ca]allowing two files to produce identical md5 sums.
    • ANY hash can produce same result on two different files since the amount of information in hash is amount of information in files.
    • by Urkki ( 668283 ) on Thursday August 28, 2003 @07:52AM (#6812832)
      A bit of clarification is in order I think.

      First of all it's very clear that two files can give same MD5 checksums. After all, MD5 is only 16 bytes (2^128 different possible). So if you have just 17 byte files (2^136 different possible), it's clear that on average every MD5 sum matches to 256 of all possible files.

      It's just damn unlikely to get 2 files with same MD5, and if you wanted to brute force it, you would have to try average 2^64 different files before you found one with identical MD5 to another file. And this would take a long time (actually not that terribly long, a few years at most, and it parallelizes perfectly).

      The page you link to implies that it's possible to "easily" fabricate a file that produces a given check sum, so instead of months of processing time, only days or hours would be needed to get a MD5 hash collision.

      So all P2P users / software makers need to do to circumvent this, is to agree on a specific MD5 sum, then patch every file so that they produce this same MD5 sum :)

      Of course the obivious solution for RIAA would be to use a more secure hash algorithm, with more bits. Unbroken algorithm with enough bits can't be faked, as it would take more than age of the universe to brute force it.

      Though the basic problem with this RIAA method remains. If you rip with same software from identical CD digitally, and there are not bit errors at ay point, then you should end up with identical file, and therefore identical hash no matter how secure the algorithm is...
      • by Mechanik ( 104328 ) on Thursday August 28, 2003 @08:31AM (#6813156) Homepage
        So all P2P users / software makers need to do to circumvent this, is to agree on a specific MD5 sum, then patch every file so that they produce this same MD5 sum :)

        That would totally pooch clients such as E-Donkey that use MD5 hashes to actually figure out which clients have a particular file (whether just a portion thereof, or in their entirety), irrespective of how each individual client may have renamed it.

        And trust me, there are fringe benefits to the hashing as well, such as making it apparent when someone is trying to masquerade a file as something that it's really not.

        E.g., consider the following scenario...

        1. You are searching for Red Hat ISOs.

        2. You find a match called "Red Hat.iso" shared from one user.

        3. You notice that there are 50 other users sharing the same file.

        3. The other 50 versions are named as "Goatse.cx guy and tubgirl together at last.mpg"

        4. Therefore, something is very very rotten in Denmark... :-)


        Mechanik
    • So its possible that a Britney Spears mp3 and an mp3 of me raking my fingernails across a chalkboard might have the same md5...

      Now that I think about it, those two things actually sound alike also. :P

      -prator
  • MD5 Hash (Score:5, Informative)

    by fruey ( 563914 ) on Thursday August 28, 2003 @07:28AM (#6812629) Homepage Journal
    This seems quite interesting but I was under the assumption that identical hashes could be created with identical rips and id3v2 tagging.

    The only way for two files to have the same MD5 hash is for them to both be encoded with the same encoder, from the same WAV file, with the same bitrate and all advanced options, and to have exactly the same ID3 information, the same filesize, and to be identical to the last bit.

    Otherwise, the MD5 will be nothing like the same, for two perfectly identical songs where one has a spelling error in one field of the ID3 tag. I imagine for any one song, there are many many different MD5sums out there, although perhaps one or another good quality version would exists on hundreds of different PCs...

    • You could improve on it slightly if the encoder ignores the tags, and just go for the data. This means that any file shared could then be tracked around even if someone changes the tag info...

      Even so, it sounds really impractical... unless they are trying to prove that "you got this file from that guy, that got it from that guy"...

      Utterly useless in tryin to prove that any mp3 is in fact this or that song, without listening to it.
      • unless they are trying to prove that "you got this file from that guy, that got it from that guy"...

        That is exactly what they're trying to prove. They have MD5 sums from files traded over the Napster network, and they are sneaking around comparing people's files to those. If you have a file that matches, then that means you have one of the files that was traded on Napster, which means you're going to JAIL. YOUR ASS = MEAT

        My problem with this is the assumption that any file traded over the Napster netw
    • you mean like use a ripper with default options that gets the id3 tags it uses from a database like most consumers are expected to do?

      -
    • Re:MD5 Hash (Score:5, Interesting)

      by kzinti ( 9651 ) on Thursday August 28, 2003 @07:35AM (#6812690) Homepage Journal
      The only way for two files to have the same MD5 hash is for them to both be encoded with the same encoder, from the same WAV file, with the same bitrate and all advanced options, and to have exactly the same ID3 information, the same filesize, and to be identical to the last bit.

      If two people used the same ripping software set to all its default settings (as many unsophisticated users do), got a perfect rip off the CD, and relied on CDDB information for tagging the song, then it's possible that they got mp3s identical down to the last bit, and thus identical MD5 hashes. BUT to make this a plausible defense, you'd have to show that your rip was in fact perfect. In other words you'd have to be able to recreate the mp3 independently. If the old Napster mp3 had any ripping errors, then it would be hard to claim that the later rip just happened to have the same errors - assuming errors are essentially random.

    • by eddy ( 18759 ) on Thursday August 28, 2003 @07:37AM (#6812702) Homepage Journal

      Are we sure they're actually using MD5? The article doesn't even contain the string "md5" that I can see. It mentions hashes though, but there's something called Robust Hashing [google.com] which can be used to identify, or at least, compare content in a "fuzzy" way.

    • Stick a CD into my laptop, fire up Windows Media Player, hit Record CD, pick MP3 from the options, allow it to grab the track info etc...

      I'm willing to bet that that will be being repeated tens of thousands of times for any one track - especially mainstream pop-crap like the lovelyiciouis Beyonce. Surely an identical MD5 comes out at least x% of the time!
    • Re:MD5 Hash (Score:3, Insightful)

      by szemeredy ( 672540 )
      In other words, every lazy user that downloads lame with a frontend or some other encoder without modifying default settings and that leaves the ID3 tag alone (most use CDDB/Gracenote or freeDB to generate an ID3 tag, resulting in identical tags) will end up with the same MD5 hash when compared to someone else who did the same thing with the same CD. The only ways you're going to get a different MD5 checksum from an MP3 file is by: A) using a different encoder B) using a different version of an encoder C)
  • by Anonymous Coward
    I only trade plumber porn pics. Should I be worried?
  • by Comsn ( 686413 ) on Thursday August 28, 2003 @07:31AM (#6812642)
    The RIAA has said it expects to file at least several hundred lawsuits seeking financial damages as early as next month. U.S. copyright laws allow for damages of $750 to $150,000 for each song offered illegally on a person's computer, but the RIAA has said it would be open to settlement proposals from defendants.


    will they start sending subpeonas to aol/tw customers this time?
  • by powerlord ( 28156 ) on Thursday August 28, 2003 @07:31AM (#6812646) Journal
    Gee ... I would have thought that most people had moved on from Napster to BitTorrent, KAZAA or eDonkey/Overnet
  • by shione ( 666388 ) on Thursday August 28, 2003 @07:32AM (#6812655) Journal
    hmm Isn't that how k-sig, built into Kazaa Lite K++, works, by tracking MD5 hashes so ppl get exactly the file they want.

    Changing MD5 hashes on songs to avoid RIAA would also lessen the effectiveness of K-SIG. Trading hashes of know working files was one of the ways ppl on P2p avoided downloading those fake RIAA files.

  • by Kombat ( 93720 ) <kevin@swanweddingphotography.com> on Thursday August 28, 2003 @07:32AM (#6812659)
    Now may be the time to update your illegal mp3 file MD5 hash sums.

    I sincerely hope this is tongue-in-cheek. For all the self-righteous, pompous sabre-rattling that goes on in here about how good Slashdotters only possess MP3's that are ripped from personal collections, I would certainly hope that we wouldn't stoop so low as to blatantly and openly be trading tips on how to avoid getting caught doing illegal things.

    What's next? A HOWTO on setting up an encrypted file system for our child porn?
    • by geeveees ( 690232 ) on Thursday August 28, 2003 @07:36AM (#6812698) Homepage Journal
      modprobe loop
      modprobe cryptoloop
      modprobe aes

      losetup -e aes /dev/loop0 /dev/hdb1
      (input password)

      mke2fs -j /dev/loop0

      mount -t ext3 /dev/loop0 /home/kombat/pr0n

      enjoy!
    • Well, if that's what you're interested in: try this link [sourceforge.net].
      Knowledge in itself is neutral. But it can be used for good or evil purposes. You might want to try, just as an exercise, to imagine five positive and five negative uses of encrypted filesystems or altered MD5 sums.
    • by Anonymous Coward
      I would certainly hope that we wouldn't stoop so low as to blatantly and openly be trading tips on how to avoid getting caught doing illegal things.

      Yea maybe its illegal. But imho its NOT ethically wrong. Its kinda like back in time when you had to pay customs for crossing bridges.
      For what do we pay the RIAA again? We pay them for maintaining a huge organisation which is dedictated to copy and distribute music. But, eh, we can do this by ourself now...!?

      The RIAA was needed before mp3 and there was no
  • by Rosco P. Coltrane ( 209368 ) on Thursday August 28, 2003 @07:33AM (#6812667)
    Apparently RIAA has obtained some technical experts in their prosecution of file swappers. Currently they are tracking traded mp3 files from the Napster network by matching MD5 hashes

    After all, in these dot-bust days, it's still possible to get a nice highly paid job and be called an expert by putting the right spin to strcmp() in your resume ...
  • by truffle ( 37924 ) on Thursday August 28, 2003 @07:33AM (#6812668) Homepage

    It is generally believed amongst file traders that it is legal to download an mp3 for a song, when you own the CD. In other words, you don't need to rip and encode songs from your own CD. However, this may not be true (I am not a lawyer).

    The RIAA is using MD5 hashes as a basis for proof that the individual in question downloaded the files they are sharing, instead of ripping them from their own CD collection. This is supposed to show the individual is a willing participant in stealing and distributing music, instead of someone who is just sharing what they already own. But, see above.

    I think this is mostly just a FUD tactic. They can talk to the media about how their MD5 hashes prove so-and-so is a big mean pirate hacker. MD5 hash certainly sounds scary, especially when the technology is described by the media as a tool used by hackers.
  • Pity the RIAA (Score:5, Insightful)

    by heironymouscoward ( 683461 ) <heironymouscowar ... m ['oo.' in gap]> on Thursday August 28, 2003 @07:35AM (#6812688) Journal
    They are really fighting a losing battle.

    Exchanging music is not about piracy, it is about exchanging culture, just like when my grandfather leant me some old Jazz records and said, "here, you might like this".

    Today culture moves at the speed of light and the RIAA believes it has the right to tax this movement. It cannot succeed except by destroying the Internet.

    I'm starting to believe, watching this debate evolve over many years, that the file traders are right, for the wrong reasons.

    Human culture depends on exchange of ideas and information, and music and films are a large part of this in today's world. No album, no movie scene, no written text is a personal creation, they are all taken from the pool of common culture, modified, and redistributed.

    Seeking all means to do this faster than ever - and ignoring the barriers, such as "ownership", that stand in the way - is the prerrogative of today's world. We simply can't put the genie back into the bottle and start exchanging pieces of paper and vinyl discs again.

    The debate is huge, but the results already seem clear: any laws designed to stop the process from continuing will be further and further ignored until they are seen by a majority of people to be useless vestiges of a material-obsessed past.
    • by MarkusQ ( 450076 ) on Thursday August 28, 2003 @08:39AM (#6813235) Journal

      There is an interesting pattern here:

      • Some one comments that the IP laws have not kept up with technolgical and social change, and that they are now impeding the cultural goals they origonally served. They may have made sense when we were limited to exchaging physical objects, but they don't make sense now.
      And the responses are allong the lines of:
      • But it's the law.
      • I hope the RIAA gets you.
      • Then I suppose an idiot like you won't mind if I take your stuff!

      The respondents are completely missing the point. To see this, imagine what the discussion might have looked like if it had happened way back when:

      • The rule about not eating X hasn't kept up with the times. It made sense when we didn't know about the parasites, but now that we know how to clean and cook them it doesn't makes sense.
      I suspect the responses would have been along the lines of:
      • But it's the law.
      • I hope the gods get you.
      • Then I suppose an idiot like you won't mind eating dog poop!

      Every time I see this played out, my response is, "Gee, IP law really is dying, isn't it?", with the same sort of awe I had watching little bits of sand wash downstream at the bottom of the grand canyon.

      -- MarkusQ

  • Easy (Score:5, Informative)

    by sprouty76 ( 523155 ) <[stephen_douglas] [at] [yahoo.com]> on Thursday August 28, 2003 @07:37AM (#6812705) Homepage
    Just take a random id3 field that you don't use for anything, and fill it with a random number. You can probably write a srcipt in a few seconds. Bingo, different md5.

    The only problem is that a lot of file sharing software uses the fact that 2 files (from different sources) have the same hash in order to swarm the download from multiple sources. If everybody goes around intentionally making their mp3s have different hashes, swarming basically won't work anymore.

    • Re:Easy (Score:3, Insightful)

      by 3terrabyte ( 693824 )
      True. But then again swarming isn't that popular yet. Downloading from a single source is still popular. (IRC, NG's, FTP, most P2P apps)

      Also, if we did use a non-used ID3v2 tag field, then the RIAA would just go ahead and ignore that field in their hashing technique, since it's located in a specific part of the file

      The problem with letting the whole world know about a technique like that, is that the RIAA is part of that world.

      Besides, this whole MD5 checking & database the RIAA may be assembling doe

  • Give up (Score:5, Funny)

    by Rutje ( 606635 ) on Thursday August 28, 2003 @07:37AM (#6812708)
    Ok guys.. let's all give it up. Let's delete all our MP3's and start buying CD's now. The RIAA has clearly won!
    Hail to the king!
  • by rnd() ( 118781 ) on Thursday August 28, 2003 @07:40AM (#6812726) Homepage
    I think this [freedomads.org] sums it up!
  • MD5? (Score:4, Insightful)

    by barcodez ( 580516 ) on Thursday August 28, 2003 @07:41AM (#6812732)
    The article does not mention MD5 anywhere. So one can not assume this is the technology they are using in their proof. As the technical information in this article has more than likely gone through several iterations of "dumbing down" we can not say what technology is being used. It is quite feasible that they are comparing segments of the encoded information with files that where groked from Napster (pre 2001). Additionally as very few people change all the information contained within the ID3 tags ("meta information" from the article?) it maybe enough to show how unlikely they are to match unless the file is from the same source. For example if I insert the string "whateverbarcodezwashere" into some obscure tag with the ID3 tag of an MP3 and it arrears in an MP3 file on someone elses computer it is likely that they orginated from the same source. For the record it is conjectured that it is astronomically unlikely that two randomly choosen different byte sequences will produce the same MD5 hash.
  • Protection (Score:3, Insightful)

    by rf0 ( 159958 ) <rghf@fsck.me.uk> on Thursday August 28, 2003 @07:46AM (#6812776) Homepage
    Just change the ID3 tag on all the files and that will break any existing MD5 checksums. Even addiing a capital will do it

    Rus
  • by thecampbeln ( 457432 ) on Thursday August 28, 2003 @07:49AM (#6812798) Homepage
    Lets see someone put together an app that flips bits here and there within MP3s to make each one it runs against unique enough to create a new MD5 hash!? (I would, but I can only program in a pseudo-language [microsoft.com] ;) It could even be as simple as adding in a trailing byte to all of your MP3s, though that could be easily filtered. Hell, if you can hide messages within compressed JPEGs [outguess.org] without noticeably affecting their quality, why not do something similar to MP3s just to jack up this sort of tracking!?
  • by Psyborgue ( 699890 ) on Thursday August 28, 2003 @07:50AM (#6812811) Journal
    Pretty much no rip is identical.

    First step: the *.wav is ripped. Using libcdparanoia, which i personally perfer, i find slight variation in size depending on the machine and cdrom drive i rip them on.
    Second step: encoding on different machines, with different encoders, using different algorythms, using different levels of floating point precision, on different architectures etc... produces vastly different files.
    Third step: sharing. Oftentimes an mp3 is downloaded 99.8% before the connection is broken. You keep the mp3 becuase mp3 is a sequential file format and you only lose a second or two of music. The rest of the file is intact.

    Their md5 searching scheme could be circumvented quite easily by changing a comment in the id3 but they could get around that by cutting out the id3 part of the file when they make their md5sum.
    The downside to this is that if you are searching for music on something like gnutella by the ***sum, the content would differ and you would not get as many results. Gnutella would not download from multiple sources becuase the file would not have the same signature.
    Whatever the case, it is clear that some form of file obfuscation is now needed for safety online. Or we can wait for freenet to mature.
  • Protection (Score:3, Interesting)

    by t_allardyce ( 48447 ) on Thursday August 28, 2003 @07:53AM (#6812841) Journal
    What good evidence destroying/hiding mechanisms are there around? Apart from deleting and overwriting the area several times? How about something that can kill the hard-drive even when the computers off? I see crime scenes on the news all the time with police carrying out computer cases for examination - it always struck me that you could fit tamper protection in your computer - any attempt to move it, open the case or anything with out proper authorisation would cause the hd to torch its-self, this could be as simple as a battery inside with enough power to boot the machine quietly and very quickly destroy the data, the police would have no time to stop it, while all this is probably illigal itself, it could be better than being sued for $50000 per song or whatever their price is?

    I hope the next kazaa lite comes with file altering/deleting/anti-riaa utilities :)
  • by re-Verse ( 121709 ) on Thursday August 28, 2003 @07:58AM (#6812871) Homepage Journal
    From the NAPSTER network??? This is worse than i thought - it appears the RIAA has built a Time Machine! Next they will be going further back than napster andprosecuting free-thinking pilgrims who would share their newspapers.

    Yikes.
  • A problem with this (Score:3, Interesting)

    by DrXym ( 126579 ) on Thursday August 28, 2003 @08:02AM (#6812891)
    Hashing is used so you can download the same song simultaneously from multiple users. If everyone has different hash keys (e.g. by scewing with the ID tags), it defeats the point of most P2P.


    I suppose that (if its possible) you would either want to swamp these guys with false positives, or distribute the hash keys and the files somehow to make it more difficult and protracted to discover who actually owns that file.


    I suppose that one viable option in P2P would be a freenet model where downloading involves a number of encrypted hops between peers to search or get the data, and where peers cache popular data and indexes in encrypted form. It would be much, much harder to figure out who shared that file then.


    Obviously there is a trade off going this route. You wouldn't want the sluglike performance of Freenet so it would not be as secure, but I'm sure you could reduce the number of hops and other measures and still make life massively more difficult for RIAA and their ilk to track down your activities.

  • Virus (Score:3, Funny)

    by MikeHunt69 ( 695265 ) on Thursday August 28, 2003 @08:10AM (#6812958) Journal
    Maybe someone should write an email virus that listens on the Kazza ports and reports back gigs and gigs of shared mp3's to anyone who asks.

    Then, when people get busted, they can say "It was a virus".

    Of course, this would make the search feature of Kazza useless...

  • by emptybody ( 12341 ) on Thursday August 28, 2003 @08:16AM (#6813008) Homepage Journal
    If I use KaZaa to access indie artists who are
    sharing their songs - as is their right - AND I
    also rip my entire 1000+ CD/LP/8track collection
    to the same computer AND I intellegently store
    all the files in the same heirarchy.

    Have any laws been broken?

    KaZaa is configured to share everything in my
    heirarchy so that the indie songs can continue to
    be shared.

    Have any laws been broken?

    I go in for Jury Duty, meanwhile Another Kazaa
    user downloads the indie shared files.

    Have any laws been broken?

    Another Kazaa user downloads the rips from my
    personal collection because their 8track player
    is on the fritz.

    Have any laws been broken?

    Another Kazaa user downloads the rips from my
    personal collection because their LPs were
    destroyed in a flood.

    Have any laws been broken?

    Another Kazaa user downloads the rips from my
    collection because they want to see what the
    latest Madonna single sounds like before going
    out and buying the CD.

    Have any laws been broken?

    If any laws were broken here - who broke them?

    Just because I leave the front door open does not
    mean that anyone can enter and take what they
    want from my house. Same as my computer.
    The action of downloading is at question not
    making the article available.

    YMMV. Consult a lawyer.
    • by kennylives ( 27274 ) on Thursday August 28, 2003 @08:46AM (#6813304) Journal
      Just because I leave the front door open does not mean that anyone can enter and take what they want from my house. Same as my computer. The action of downloading is at question not making the article available.


      Nonsense.

      To use your analogy, if you leave the front door of your house open (while you're away), you should expect that someone will come in, and if you're lucky, take something.

      Your situation gets significantly worse if you have, say, a handgun under your pillow, and some random neighborhood kid comes in, finds it, and shoots himself (or someone else).

      The issue here is that you've knowingly left your front door open, making you at least partially liable for the harm that occurs as a result (indirect or otherwise). Same thing if you leave the keys in your car and someone takes it and mows down a bunch of pedestrians with it. In either case, you cannot claim innocence simply because you didn't do the deed. You've made a substantial contribution in the commission of a crime, and you would be expected to pay for that crime.

      • What are you on?

        There are few people I know that lock up every door and window before they leave the house (I live in a small town). I've been to rural areas where people leave their keys in their cars. In both cases, there is no expectation of B&E or theft.

        If a kid enters my house, finds a gun (that's even hidden in your example), and shoots themselves I am not liable. If someone steals my car I am not liable. Negligence is leaving a loaded gun on the front lawn. You cannot be negligent just bec
    • Lets say that you buy a book.

      You then make a photocopy of the entire book.

      You take that photocopy around with you to read leaving the original at home.

      Now lets say that someone breaks into your house while you are home and steals your photocopy leaving you your original (it was locked up in a safe for example).

      The crime in this instance is two-fold. Breaking and entering, and copyright infringement. Who is responsible for the copyright infringement? You are.

      Now lets remove the breaking and entering.
  • I wonder... (Score:3, Interesting)

    by assaultriflesforfree ( 635986 ) on Thursday August 28, 2003 @08:17AM (#6813018)
    From the article:

    By comparing the fingerprints of music files on a person's computer against its library, the RIAA believes it can determine in some cases whether someone recorded a song from a legally purchased CD or downloaded it from someone else over the Internet.
    ... Copyright lawyers said it remains unresolved whether consumers can legally download copies of songs on a CD they purchased rather than making digital copies themselves.


    So, the RIAA has been downloading illegal copies of music for years, in fact probably has a huge library of music. Simultaneously, in their broad sword efforts to completely end p2p, they're arguing that it's illegal to download songs you've already bought. So, even if the RIAA has gone through all the hoops with this library, obtaining licenses for each song they swiped off of file traders in their investigations-- which I doubt; recall Microsoft's slip ups-- they're arguing that the methods they've been using to track down illegal file traders are actually illegal themselves! In fact, the RIAA might have the largest collection of illegal music of anyone, even larger than mine! Of course, this should come as no surprise, after all of the attempts to make it legal for them to attack suspected infringers PC's, it's pretty clear that the RIAA's privilege and property makes them above the law.
  • by bobthemuse ( 574400 ) on Thursday August 28, 2003 @08:24AM (#6813083)
    How long is it until a P2P client is created which appends a half second of noise to the end of everything you download, thus modifying the checksum?

    I can see it now... "And in recent news, according to the RIAA there are over 10 billion songs being traded. The organization is quoted as saying 'We intend to sue individual users for having more songs than we've created...'"
  • It's possible (Score:4, Interesting)

    by Zog The Undeniable ( 632031 ) on Thursday August 28, 2003 @08:53AM (#6813367)
    There are many different MP3 encoders, and they produce slightly different results. In addition, some shared MP3s are also imperfect in that they contain clicks and "dropouts", although this is becoming less common now that PC power has increased - my understanding is that using the PC for other activities while encoding can occasionally cause errors .

    The ripping stage can also produce slightly different checksums, depending on the condition of the CD - Audiograbber actually reports "potential speed errors". Unlike data CDs, some level of read error is considered acceptable on music CDs; you don't want the player to keep re-trying a bad sector if it detects a big problem - it would ruin your listening pleasure!

  • by CoryS0L0 ( 702326 ) on Thursday August 28, 2003 @08:59AM (#6813437)
    The same story is posted on CNN.com. Accompanying this article is one by Marci A. Hamilton, a chairman at Benjamin N. Cardozo School of Law, Yeshiva University. She states that going after students who illegally download media is not only OK, but is RIGHT. I wouldn't have a problem with this were it not for the reasons she supports it with. She says that a world without copyright laws would cater only to the rich and the government. When was the last time you heard of a government worker writing a song on the top 10 list? When was the last time a millionaire, (not a musician) created a song that made it to the hall of fame? My point is, without free music/media, many of the people who come up with the latest and greatest entertainment would never see any of the media that's out there. Marci claims to be looking out for the poor country music singers in her article. If they're as poor as she says, how are they ever going to be able to afford a CD at $15 a piece???

    Musicians and music labels alike need to come to grips with the fact that their moneymaker, (CD sales) will need to take a back seat to actual performances by the artist. We need to take it back to the old days when music artists actually sang and performed and didn't just sit in a dark room behind some curtain tooling away on their synthesizer.

    http://www.cnn.com/2003/LAW/08/07/findlaw.analysis .hamilton.music/index.html [cnn.com]
  • by ramk13 ( 570633 ) on Thursday August 28, 2003 @09:02AM (#6813470)
    With all this hash talk going on, I thought I'd mention that Musicbrainz [musicbrainz.org] uses some sort of similarity hash in identifying songs. It compares the hashes of the files you have to an existing user submitted database. If the match is good, then you can use the database tag info, which is pretty handy.

    I've compared albums I've ripped myself to the database and gotten "100%" matches (along with some matches of a much lower percentage) That leads me to think that if the RIAA kept its own database like that, they could do a whole lot of comparison with similarity or quasi-unique (ala MD5) hashes. I'd also venture that, with enough work at the comparison system, they could make court-valid assertions. They can hire plenty of geeks to handle the statistics necessary to call something 'beyond a reasonable doubt.' (for criminal proof)
  • by Awptimus Prime ( 695459 ) on Thursday August 28, 2003 @09:24AM (#6813728)
    The MD5 thing isn't for tracking the same song ripped by different people. The thread on this, so far, has left me scratching my head as to why folks feel the need to restate that encoding an mp3 with different settings/software will result in a different md5. Right, this is slashdot and we all know this already.

    The reason for md5 matching is so they can nail someone as the 'origin' of the ripped song, then hold them liable for all the copies of a matching md5 on P2P networks. It would be more a demonstration of "look how much damage one copy did to us!".
  • I was under the impression that MP3 (MPEG-1, Layer 3) was a lossy algorithm. Even with the same ripper settings working off the same stored raw CD audio file, will it actually produce identical output? Can the MP3 encoder drop different bits as irrelevant on different passes in time on the same data with the same settings? If this is indeed the case (I don't know, I am not familiar with the detail of the algortithm), then MD5 sums become a virtually foolproof way to identify a file since an identical sum can only be produced from the exact source MP3, not one that is close. Just a thought on that matter. And a second point, more of an idea really... Has anyone thought of trapping RIAA? Here is my proposal... 1) Go and buy 50-100 CDs from your local music stores (I know, this is abhorrent since you are lining the pockets of the people you want to fight but it is a means to an end). SAVE ALL THE RECEIPTS! You will need these. 2) Download a popular P2P program and sign on. 3) Go download crazy and download an MP3 for EVERY SINGLE SONG on the pack of CDs you just purchased. Be obviously, be a bandwidth pig, get somone's attention. 4) Take screenshots and printouts of the directories containing your "booty". This will establish the timestamps of when they were downloaded. Sign and date the screenshots, preferably with witnesses who sign them as well. 5) Wait for a supoena from RIAA. 6) Join RIAA in court and argue "fair use" by throwing up your stack of legally purchased CDs and the receipts for them clearly indicating that they were purchased PRIOR to the supposed infringement and you were simply wanting MP3s of CDs you own but lacked the knowledge/skill/time/tools to rip them. Is such a case copyright infringement? It's a dangerous game to play because the fair use doctrine has been supported, it is not a matter of law. The outcome could be undesired because it could cause a rethinking of what constitutes fair use. The fun part of such rethinking could be the broadening of what is considered infringement into areas where it was not infringement and ignite an absolute firestorm.
  • RIAA Taxes (Score:5, Interesting)

    by brj ( 665333 ) <bryce@jasmer.com> on Thursday August 28, 2003 @10:32AM (#6814594) Journal
    Don't we already pay a small tax to the recording industry every time we buy blank audio CDs (but not data CDs)? I'd like to see some lawyer fight a case claiming that a P2P user has already paid the RIAA and is therefore exempt from their lawsuits when downloading the music and burning it to an audio CD. That would be an interesting lawsuit.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...