Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Music Piracy Security

Audiophile Torrent Site What.CD Fully Pwnable Thanks To Wrecked RNG (theregister.co.uk) 138

Reader mask.of.sanity writes: Users of popular audiophile torrent site What.CD can make themselves administrators to completely compromise the private music site and bypass its notorious download ratio limits thanks to the use of the mt_rand function for password resets, a researcher has found. From the report (edited and condensed):What.CD is the world's most popular high quality music private torrent site that requires its users to pass an interview testing their knowledge of audio matters before they are granted an account. Users must maintain a high upload to download ratio to continue to download from the site. [...] "I reported it a year ago, and they acknowledged it but said 'don't worry about it,'" said New-Zealand-based independent security researcher who goes by the alias ss23.
This discussion has been archived. No new comments can be posted.

Audiophile Torrent Site What.CD Fully Pwnable Thanks To Wrecked RNG

Comments Filter:
  • What's this "CD" thing you speak of?

  • News at 11.

    This doesn't seem like particularly shocking news, nearly all torrent sites are poorly run.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      News at 11.
      This doesn't seem like particularly shocking news, nearly all torrent sites are poorly run.

      They could easily solve this problem by purchasing and installing some solid gold Monster Brand ethernet cables between the server and the router.
      I'm actually surprised they don't already do this, in order to provide the clearest audio for their torrents.

      • They need to run their server on an analog computer and install a special "real analog modem" that stretches the sound out to fit in the 20-2000Hz range and sends it directly over the phone line as a pure analog signal. Their customers will need to buy analog computers and analog recording devices and of course one of those special "modems." Only then will their users get the best sound possible coming out of their $10,000 home audio system.

        Yea, it will be more expensive and keeping it temperature- and hum

        • by ArmoredDragon ( 3450605 ) on Monday May 02, 2016 @02:48PM (#52030195)

          I've been a member of W.CD for about a year, and that's not the type of site it is. Most torrent sites that host music haven't the slightest clue how to make sure it is a decent quality release. Similar to how TV and movie torrent sites have extensive rules for quality (similar to what scene releases have,) W.CD has its own rules that can guarantee you aren't going to waste ratio or time on a crap release. But they don't go to those silly analog extremes. For example, 192kbit VBR MP3 (aka LAME v2) is a perfectly acceptable encode there because it provides audible transparency [hydrogenaud.io]. What won't be accepted is i.e. having a 128kbit CBR MP3, or having anything that is up-encoded to fit the rules (and yes, you can empirically measure when somebody has done this, W.CD even provides guides for doing so.)

          I personally am not an audiophile, nor am I a music enthusiast, but it's a nice site. In addition to music, it's also a wonderful site for college textbooks (I personally have uploaded several, including ones I've scanned myself.)

          • 192kbit VBR MP3 (aka LAME v2) is a perfectly acceptable encode there because it provides audible transparency.

            MP3 can't produce transparent audio at ANY bit-rate. It has many design compromises like the anti-aliasing which produces audible distortions, and besides that, it's a frequency domain codec, like AAC and most others, which makes them all incapable of true transparency:

            https://en.wikipedia.org/wiki/... [wikipedia.org]

            For lossy transparent audio, you MUST use a temporal domain audio codec, which only includes a few

            • MP3 can't produce transparent audio at ANY bit-rate. It has many design compromises like the anti-aliasing which produces audible distortions, and besides that, it's a frequency domain codec, like AAC and most others, which makes them all incapable of true transparency:

              https://en.wikipedia.org/wiki/... [wikipedia.org]

              BS.

              If you want to prove your claims, please provide ABX test logs where you successfully detect any difference between high-bitrate MP3 and the lossless source. Because yes, MP3 is technically inferior to later codecs, but that doesn't make it useless, it just makes it less bitrate efficient for full transparency. And there are a couple of problem samples (not music) that it cannot achieve full transparency with, even at 320kbps, but those are only relevant for test purposes, they're very far from actual mu

              • The fact that YOU couldn't detect any difference only says your ears aren't that great. There's really no need for ABX testing, because the unavoidable artifacts with frequency-domain codecs such as MP3 are well known, and they certainly aren't just non-music. Percussion and other transient instrument sounds are decidedly involved in music.

                Pretty sad you'd recommend a completely uncited Wiki on Hydrogen audio, as superior to an extensively cited Wiki on another cite. Clearly your own bias needs some work

                • It's not that relevant that I could not detect a difference at a specific quality setting, that just means I've found my personal quality level for transparency.

                  What is relevant is that no one seems to be able to detect a difference between something like 320kbps MP3 and a lossless source. Certainly not anyone willing to prove it by supplying verified ABX test logs showing that they can indeed hear a difference.

                  So please, go ahead and post proof at the Hydrogenaudio forums that you can detect any audible di

                  • I've made supported and verifiable statements, and provided a link to plenty of citations. You choose to ignore the actual evidence, and instead insist on subjective anecdotes.

                    • No, you have not. Please provide adequate ABX proof that your can distinguish between high-bitrate MP3 and loss, or shut up.

                      It's one thing to read a list of shortcomings in the MP3 format and go "mmm yes, I can definitely hear the pre-echo, higher noise floor and fuzziness that I just read about on Wikipedia", but it's a completely different thing actually hearing it.

                      Like I wrote above, so far no one has apparently been able to distinguish clearly between high-bitrate MP3 and the lossless source, with ABX l

                    • You're making sweeping conclusions in contradiction to facts, all because you don't happen to have seen a subjective anecdote that contradicts your bias.

                    • I am actually completely disregarding your unproven subjective assertions, which seem to be based only in reading a list of technical limitations in the MP3 format, and not in any kind of actual controlled double-blind listening tests.

                      As I wrote before, I have yet to see adequate proof that anyone can distinguish between high-bitrate MP3 and the lossless source, in a controlled and verified double blind test. If hearing the difference is as easy as you claim, why have you not provided any kind of proof?

                      All

                    • I am actually completely disregarding your unproven subjective assertions,

                      Human listening tests are subjective, by definition. More precise and repeatable methods are objective. This is basic terminology, continually used in the field, and of course fits nicely with the standard definition. Neither of which you apparently grasp.

                      which seem to be based only in reading a list of technical limitations in the MP3 format,

                      No, actually it's based upon expert knowledge from many years working in the field.

                      I'm don

                    • You clearly do not understand the concept of double-blind testing (such as ABX and MUSHRA), which is specifically designed to perform objective testing on otherwise subjective inputs, by reducing the user response to positive or negative on whether they hear a difference. The detail comes from multiple repeated tests with varying stimuli.

                      It is a well-established and respected method of testing for audible differences, and your complete disregard for double-blind testing betrays your complete lack of knowled

                    • your complete disregard for double-blind testing betrays your complete lack of knowledge and experience in this field.

                      Haha! I'm well aware of the different listening tests, and I am an expert. They are all subjective tests... they are by definition and in common industry terminology, and you're just making a fool of yourself.

                      You won't find one expert who calls listening tests objective. All academic or industry papers involving listening test will have "subjective" in there. eg. http://www.aes.org/e-lib/ [aes.org]

                    • Right, you're an expert. Suuure thing, buddy. I'm sure you graduated top of the class at Navy SEALs, too :-D

                      And yet you have not supplied a single shred of even halfway credible evidence of your wild assertions of audible artifacts in high-bitrate MP3.

                      Funny, that.

                    • It's one thing to back-peddle, or just refuse to accept that you're wrong (which I see a lot of here)... It's quite another to repeatedly double-down on your own ignorance.

                    • And yet you persist in doing just that. Astounding.

                      Where was that concrete proof of your amazing hearing ability, again?

                    • You feel the need to lie to yourself?

                    • I'm still waiting for that bulletproof, iron-clad proof of the audibility of artifacts in high-bitrate MP3.

                    • It's not my fault you can't comprehend the sources I provided.

                    • The source you provided was a link to Wikipedia, which has a particularly vague section on audio quality and mistakenly asserts that MP3 does not provide "critically transparent quality at any bitrate". If you had actually bothered to do a double-blind test yourself, you would know that this is blatantly false. High-bitrate MP3 can easily provide audibly transparent compression, which would become clear to you, if you would only bother to actually test it yourself, instead of blindly relying on second- or t

                    • The WP article has dozens and dozens of authoritative citations you can follow. As I said before... doubling down on your ignorance is a mistake.

                    • You can cite as many technical papers and sources as you want, but reading whitepapers and studies will not actually tell you if MP3 is audibly transparent to you.

                      You hear with your ears, not with your eyes.

                      What are you afraid of? That your hearing is not as perfect as you thought? Why not just give it a go, do a couple of ABX tests and hear for yourself?

                • by adolf ( 21054 )

                  ABX, or go away.

                  It's easy to measure an MP3 and to visualize its faults. It's much, much harder to hear them.

                  Go ahead. Use your ears, your gear, and your most-familiar and/or challenging music. Let us know what you find.

  • How can everyone maintain a high ratio. Doesn't having a high ratio require someone else to have a deficit?
    • B/c this a torrent site, it probably means you must seed for more than you DL.

      • I understand that. How can everyone upload more than they download?
        • I understand that. How can everyone upload more than they download?

          These are audiophiles so what they probably do is download something thats only 128bps then re-encode it to 256bps then upload the improved tracks.

        • by Tensor ( 102132 )
          its a hidden pyramid scheme on donations, and the justification is to offset server costs.

          if you put up you torrents after pre-seeding them to a few seedboxes you´ll see you have a constant and considerable deficit towards the users
      • [Sigh]
        IOW: If you DL 10MB, 10MB+ must be UL/Shared from files on your PC.

        This is easily achievable provided your files are popular.

        (Too bad we can't edit existing posts...)

      • by Threni ( 635302 )

        I remember that sort of thing from years ago. Sort of made sense on slow, expensive dialup, when you had to limit leechers as they'd be on for hours grabbing one cd, but now we have unlimited 20-80meg broadband who gives a fuck?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      While many private sites have unreasonable upload ratios, what.cd isn't one of them. They have a graduated scale based on how much you've downloaded, but even at the highest point it's only 0.6, which is pretty easy to maintain even without all the freeleech tokens they hand out at holidays and special events.

    • by Aaden42 ( 198257 )

      ”High” is a relative thing for torrent ratios. 0.5 (download twice as much as you upload) is pretty common for a minimum ratio before sanctions (no more downloads) kick in. Plenty of room in that for leaching, but you can’t cut off uploads as soon as you’re done downloading and get away with it for long.

    • by Matheus ( 586080 )

      Your math is disregarding a few details:
      Just to be complete: Already mentioned:
      1) Highest enforced ratio is 0.6. I've been on sites that go to the full 1.0 so this is somewhat friendly.
      2) They have periodic Free Leech times (thanks for being a member this weekend, sorry for the downtime, etc) and items (editors/admin picks, Bowie catalog when he died, etc) which allow you to build up some buffer in your ratio.

      Not already mentioned:
      1) The biggest way to improve your ratio on any site is to upload material no

      • by tepples ( 727027 )

        Highest enforced ratio is 0.6

        Still hard to get to that on a torrent with dozens of seeds and no other downloaders.

        The biggest way to improve your ratio on any site is to upload material not already on the tracker.

        A lot of trackers have had rules such as "If it's not on NFOrce or grokMusiQ then forget it!" and "not older than seven (7) days", which makes it hard to find suitable "material not already on the tracker." (Search result [google.com]) Is a member supposed to compose, record, mix, and master his own material? Or even allowed to do so?

        many sites also have specific restrictions for time period which actually ease the ratio rules a bit. "Sorry you were a leaf on this torrent but we're going to make you stay seeding for at least 2 weeks to keep the torrent alive. you don't get the ratio but you at least tried" Stuff.

        Does What.CD have such a rule?

      • by AmiMoJo ( 196126 )

        The ponzi scheme is why I tend to avoid ratio sites. If someone's ratio is at +100MB, then there is a 100MB hole for everyone else that can't be filled without some kind of cheat code, which is why the sites give out freebies or have points systems to help people maintain ratio. If the balance is even slightly off it becomes impossible to maintain unless you are in the upper 30% of connections speed/time wise.

        The the site operators see a lot of people failing to maintain a 1.0 ratio and get pissy about it,

    • by Tensor ( 102132 )
      yes, 100% so.

      the sum total of all bytes downloaded must obviously equal the sum total of the bytes uploaded.

      so for every 2:1 there needs to be an equivalent 0.5:1
    • by Fross ( 83754 )

      That simple mechanic ignores freeleech / halfleech files, of which there are many and often even site-wide. This makes it more than a zero-sum game.

  • "audiophile" site... (Score:4, Interesting)

    by Lumpy ( 12016 ) on Monday May 02, 2016 @12:47PM (#52029255) Homepage

    Yeah not much in real good audio there. Sorry but a CD rip to FLAC is a joke. call me when you have found that rare japan release on SACD and then ripped that to FLAC....

    Also their questionnaire is mostly Pseudo Knowledge and not real knowledge. Buddy of mine is an audio engineer with 2 degrees and he did not pass their test because he answered what was correct answers and not their audiophile misknowledge answers.

    • by Anonymous Coward

      Keeping engineers out is probably a feature built into the test. Hard to have a fun hobby with a bunch of know-it-alls around correcting people!

      • by Anonymous Coward

        Hard to have a fun hobby with a bunch of know-it-alls around correcting people!

        Is that why Slashdot is full of trollish sham articles and troll comments designed to drive anyone with real technical competency completely mad?

      • Yeah, being around a bunch of pretentious pseudo-know-it-alls correcting each other with bad information is just as comical.

    • Ah, so it's a bit like the ITIL tests, don't give the correct answer, tell them what they want to hear.

      Gotcha.

      • And it sounds even more like "enhanced interrogation."

        • Reminds me of that old Soviet joke:

          The hare is running like crazy, and his friend the fox stops him. "What's the hurry?" "They... they're castrating the camels!" "So? You're no camel." "I know, you know, but do I look like the one who could convince them?"

    • by Anonymous Coward

      call me when you have found that rare japan release on SACD and then ripped that to FLAC....

      Welcome to what.cd.

      Despite your ignorant friend's over-engineered answers to a bunch of simple questions, that's precisely what the website is for.

    • by tlhIngan ( 30335 )

      Sorry but a CD rip to FLAC is a joke. call me when you have found that rare japan release on SACD and then ripped that to FLAC....

      Which is a joke because you can't "rip" SACD to FLAC. You must convert it.

      SACDs are in a format called Direct Stream Digital, or DSD. Aka 1-bit because they are 1-bit ADCs and DACs run very fast. (Sampling theorem states if you have an N bit converter, you can oversample it by 2^M times the required sampling rate to get an N+M bit converter. So if you have a bandlimited audio sig

      • even pirate bay has tons of sacd ripped discs in either dxf or other various dsd formats. some convert 'down' to pcm, but there are a number of pure dsd files out there.

        and if you have a dac that can truly work natively at the dsd level, you can play the dsd files over usb (usually) or sometimes over usb using DoP (dsd over pcm, which is still just using pcm as a transport and does NOT TRANSCODE; it simply wraps dsd data, untouched, in pcm as a transport).

        very very very few dacs do dsd justice. the format

        • His point was that DSD is completely pointless, as every single DSD file or SACD ever released was actually PCM for most of the audio processing chain before it was converted to DSD and released. So the "purity" of the format is tainted right from the beginning.

          DSD and SACD was nothing but a money grab and an attempt to introduce DRM into the music market.

          It provides absolutely no benefits over PCM formats.

          • by Lumpy ( 12016 )

            Problem is a lot music released in a format that is higher quality than CD is on SACD only. So short of kidnapping the band, taking them to your studio and forcing them at gunpoint to play all their music so you can record it, you have to deal with SACD in many cases. It's the damned artists that refuse to release decent quality audio files that are to blame.

            ProTip: Don't break the knees of the lead singer or drummer to get them to comply and start playing, it completely colors the audio in a bad way.

            • By "higher quality than CD", do you mean better mastered audio, or so-called "high-resolution" audio?

              Because the latter is bullshit of the highest order. There is absolutely no audible difference between a hi-res audio file and a CD-quality resample of that same file. None at all.

              But if you mean better mastering, I'm 100% with you on that one. The loudness war kills good music.

    • Aside from qualms about wcd's management.. "Not much" good audio there? Wow, you have absolutely no idea what you're talking about on that one.
    • This site (not sure why it's not active anymore) Was designed by the site admins to teach people the information they would need to know to be successful on the site.

      https://web.archive.org/web/20... [archive.org]

      All the info there is all they ever asked about and covered in the interview questions. Back when I took it 5 years ago or so all the information was correct. What exactly is wrong about the information there?

      All they asked was about torrents/trackers/seeding/ratio. Questions about how to properly rip a CD to

    • by Fross ( 83754 )

      The interviews are run by (senior) users. Nobody is saying they're perfect. I'm an audio engineer myself and while I pointed out some inconsistencies / assumptions in the questions, the interviewer met them positively. They are also looking for personality matches as well.

  • I must be new here (Score:4, Insightful)

    by wwalker ( 159341 ) on Monday May 02, 2016 @01:12PM (#52029447) Journal

    We are on a relatively tech-savvy site, right? Why is there a link explaining what an audiophile is (as if I couldn't have guessed from the context even if I didn't know), but there is no link explaining how the exploit actually works? (It's not mt_rand that's the problem, it's how you seed it [di.uoa.gr]) Why do I have to google after reading the summary? What's the point of having editors here at all?!

    • We are on a relatively tech-savvy site, right? Why is there a link explaining what an audiophile is (as if I couldn't have guessed from the context even if I didn't know), but there is no link explaining how the exploit actually works? (It's not mt_rand that's the problem, it's how you seed it [di.uoa.gr]) Why do I have to google after reading the summary? What's the point of having editors here at all?!

      I'm surprised that the article doesn't include advice like "You can protect yourself from this hack by placing Mpingo disks on your wireless router."

      http://www.shunmook.com/text1.... [shunmook.com]

  • by Anonymous Coward

    A What.CD site administrator wrote in their forums that "We fixed this a few hours ago by using openssl_random_pseudo_bytes instead of mt_rand. This should have been done a long time ago, so thanks to the multiple users who reported this over the years."

  • by Anonymous Coward

    The exploit was fixed before the news hit the waves. Check the github.

    https://github.com/WhatCD/Gaze... [github.com]

  • Sounds like a load of pretentious fucks to me. There's only two grades of audio quality worth talking about: recorded or live . No one give a flying fuck about your hi-fi other than yourself.

  • You get everything on other ones as well. And it even lasts longer, as a private tracker just disappears, while a magnet link keeps working (and brings several opentrackers in its meta informations).

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...