Been Caught Stealing: One “Hacker” Exposed How Insecure “Secure” Promo Services Are

May 10 2010, 5:54 PM EDT By Luke O’Neil

The music industry has taken a lot of hits in recent years, particularly as digital music has become a dominant force. As a result, it's now the norm for albums to find their way onto file-sharing and torrent sites well before their release date. Naturally, the industry considers this a huge detriment to potential sales. There are a number of ways that record labels have sought to stem that tide of free-flowing music online, through watermarking systems and the like meant to discourage piracy, but there has never been a completely secure process for delivering pre-release material to critics. From the looks of things, there might never be.

Since launching in 2003, Play MPE, a digital delivery system that enables invited parties to access watermarked files, seemed like the best bet. Billed as the most secure system available, it's used by major labels like Universal Music Group and Warner Bros. and indies like Epitaph and Bridge Nine to get their pre-release albums into the hands of tastemakers. Long considered the figurative Titanic of secure content delivery, the company finally encountered its iceberg. According to reports, late last month a hacker posing as a music journalist was able to access the system and found his way to a number of albums from high-profile bands that he was never intended to receive. He then leaked those records to the online public. The casual manner in which this individual strolled through the digital gates of Play MPE sent shockwaves through the industry, and it seems to be yet another blow in the inevitable cycle of new technologies being exposed as vulnerable against the onslaught of fervent music piracy. There have been many stories online alluding to the alleged events behind this breach. But what actually happened?

"A European user impersonated an Australian music reviewer and was granted an account by our partner in Australia," says Steve Vestergaard, CEO of Destiny Media Technologies, the company that owns Play MPE. "Between the labels and ourselves, we add over 200 new users per week, so occasionally this happens." While the hacker was able to spread the music illegally, he wasn't able to do so anonymously. "Our proprietary watermarking security worked as intended," says Vestergaard, who also says that previous stories written about the incident weren't entirely true. "He was identified and his account disabled within a half-hour of his upload to other users against his license agreement. He's been identified based on our security logs and because there is an active industry investigation, we're not able to comment further, except to say that you're the first one to contact us to verify the story and that stories being carried elsewhere attribute leaks to our system that didn't come from us."

The labels with music involved are now wrapped up in the investigation, he says, and Play MPE has shared forensic evidence against the alleged hacker. Due to the ongoing investigation, Vestergaard declined to comment on the steps the labels plan to take now.

So how did the breach occur? "We offer both locked access which restricts playback through our proprietary Mac/PC/iPhone players, secure access through our partners (Mediabase, RCS, internal radio network systems) and unlocked access through a direct web browser interface," Vestergaard says. "If the labels grant export rights, the song is available in unlocked form in the web browser system. The user was able to access music through the unlocked system, through an exploit, which he did not have access rights to, but that content was watermarked to identify him. The exploit was fixed at the same time his access was disabled."

An explanation from the "hacker."

A watermark, commonly used on important documents including passports and bank notes, is a recognizable pattern that can be obvious or hidden to prove the authenticity of the document. A digital watermark works in a similar way. "Music is always encoded with a proprietary watermark, which survives on air broadcast, filtering, compression and conversion to other formats, but which doesn't show up in spectral analysis and which is completely inaudible," says Vestergaard. "The technology allows any leaks to be forensically traced to the source." Although he declined to confirm the number or names of the albums that were leaked due to the ongoing investigation, he says that this is the first time a user has accessed unauthorized music on the system.

All of the labels and bands alleged to have been affected by the leak contacted for this story declined to comment. One of the reasons for that, says Cathy Pellow of Sargent House--the label behind acts like Rx Bandits, Good Old War and Omar Rodríguez-López--is because for a label, sometimes ignoring a rumored leak is the best strategy. "I don't want to answer you because I don't want more people to know it's leaked," she says.

For people in the technology world, this sort of breach involving Play MPE is an inevitability. "To say I'm not surprised is the understatement of the century," says Scott Steinberg, head of high tech consulting firm TechSavvy and AP's resident tech writer. "I'm stunned that it hasn't happened sooner." He says that any security system, no matter how high level or how complex, is subject to human error. "If you look at the supposed facts in this case, essentially what [Play MPE] had was ostensibly one of the most secure systems in the world, and yet via social engineering and the ancient art of bullshit as we used to call it back in the day, an individual was able to gain access to the system and then by simply changing the URL, he realized he could procure copies of additional albums that he wasn't intended to receive."

The bigger lesson this incident points to is that there is always going to be a way to work around security systems. "When you're dealing with digital content, no matter how secure you think it's going to be, there's always a loophole," says Steinberg. "There's always a way to crack the safe. So it's inevitable in my mind that anything that is made accessible to any group of individuals beyond a tiny small core is without a doubt going to leak. It's just a matter of when."

The interesting part about this break-in is the ease with which it was accomplished. To call what the perpetrator did "hacking" isn't quite accurate, says Kaiser Wahab of Wahab & Medenica, a New York law firm that regularly deals with technology and media issues and runs the business media. "This guy is not really a hacker in a traditional sense," says Wahab. "A hacker is someone who tinkers with or undermines some kind of software or security apparatus--people who can break into things. This guy is more of a prankster. He didn't break any super-secure systems. He just saw that the URL was a database query and just flipped the numbers. It was like, 'Oh, a new track.'"
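The flaw Wahab describes is an endpoint that trusts the album id in the URL instead of checking what the logged-in account was actually granted. The following is an added illustration, not Play MPE's code: a toy promo service with the vulnerable export path beside a version that checks the caller's grant, logs denials, and flags accounts that walk through ids. All names, ids and the `[wm:user]` tag standing in for the proprietary watermark are constructed.

```python
# Added example (not Play MPE's code): the access-control failure described
# above, modelled as two versions of one "export album" endpoint.
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data: which albums the label allowed to be exported,
# and which album ids each account was actually released.
ALBUMS = {101: {"title": "Album A", "export": True},
          102: {"title": "Album B", "export": True},
          103: {"title": "Album C", "export": False}}
GRANTS = {"reviewer_au": {101}}


@dataclass
class PromoService:
    denied: Counter = field(default_factory=Counter)  # user -> denied requests
    audit: list = field(default_factory=list)         # constructed audit log

    def export_vulnerable(self, user, album_id):
        """Vulnerable: checks only that the album exists and is exportable.
        Any logged-in account can change the id in the URL and fetch every
        exportable album, which is what the article describes."""
        album = ALBUMS.get(album_id)
        if album is None or not album["export"]:
            return None
        return self._deliver(user, album_id)

    def export_secure(self, user, album_id):
        """Hardened: the album must be in the session user's own grants.
        Denials are logged so enumeration shows up in the audit trail."""
        album = ALBUMS.get(album_id)
        if album is None or album_id not in GRANTS.get(user, set()) \
                or not album["export"]:
            self.denied[user] += 1
            self.audit.append(f"DENY user={user} album={album_id}")
            return None
        return self._deliver(user, album_id)

    def _deliver(self, user, album_id):
        # Stand-in for the forensic watermark: the copy carries the account it
        # was released to, so a leak traces back to that account either way.
        self.audit.append(f"ALLOW user={user} album={album_id}")
        return f"{ALBUMS[album_id]['title']} [wm:{user}]"

    def enumeration_suspects(self, threshold=3):
        """Detection: accounts denied repeatedly are probing album ids."""
        return sorted(u for u, n in self.denied.items() if n >= threshold)
```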

The problem is that Play MPE exists exactly to make something like this difficult. "This is a company whose job it is to prevent this from happening. They get paid to do this," says Wahab. "The Motion Picture Association of America does the same thing for the Academy Awards. They have these specially encrypted super-secret briefcase-with-a-handcuff type of scenarios when they deliver DVDs. What happens? They're leaked. Leaks are always going to happen."

Steinberg says that leaks like the Play MPE breach happen commonly but this one only received media attention due to its magnitude. "Is it comically inept when you see banks lose millions of addresses and governments leave laptops with top secret data lying around?" he asks. "We like to assume that the gatekeepers are all smarter than we are, that someone is in charge. But they get sleepy, they get tired, someone in IT forgets to put up a password. It's human nature. No matter how many levels of checks and balances, inevitably there's always going to be a glitch in the system."

The public at large is savvier than they've ever been, and more empowered. "We have to assume that the collective brainpower of the public at large, even when it comes to things like security, is smarter than we are," says Wahab. "Their time and resources are literally unlimited." Taking that as a given, it still behooves the industry to try to discourage this sort of piracy. But the options for using the law to prevent further digital breaches are not always clear. Because what was done here was not technically "hacking," the labels probably won't be able to go after the perpetrator with any kind of anti-hacking or encryption laws like those outlined in the Digital Millennium Copyright Act dealing specifically with the manipulation of digital rights management rules. But there is an issue with regard to terms of service. "That's an argument that Play MPE is making," says Wahab. "Any time you sign up to use any website, you agree to their terms of service. It usually says things like we can cut you off at any time and we can take certain actions if you violate these terms of service. So they can try to pursue on a contractual theory, saying you and I had a contract, you were supposed to play nice but you did not. That may be true, but if they go to court, I'm not sure what the damages will be or, in other words, what the court will say this guy actually did."

Play MPE isn't necessarily the party with a claim against this fraudulent user. The copyright holders, the publishers, labels and artists are. "Somebody has the copyright to these songs," says Wahab. "This guy, just like anybody, did not have the right to take a track and distribute it on the 'net. I don't think it's Play MPE who has the right to pursue that." In almost any country, be it Australia--where this user was pretending to be from--or the U.S. or the U.K., all of which have similar copyright laws, distributing copyrighted material is illegal. Where this case gets complicated is that the user in question entered into the contract with Play MPE under false pretenses. "It's interesting to say, 'Oh, okay. You pretended to be a journalist but you're not, so we're gonna enforce the contract that you had no interest in following because the whole thing was a sham.'"

What court the case ends up in will likely dictate the consequences. A pro-business court, one not sympathetic to the freedom of information movement, or the "copyleft," will likely side with the music industry. Since the perpetrator is rumored to be a teenager in Finland, however, the international scope of the issue complicates matters. Much depends on the terms of service for any given website. Some, like Facebook, say when you sign up that you agree that if there is a lawsuit it will be conducted in the United States under United States law. "It depends on which country is going to go with it," says Wahab. "Where did the infringement even happen? If we have to fight a case in Finland, do we get to use American law? Maybe the infringement happened there, or because it went all over the net do we get to pick the one we like?"

That's the inherent issue in internet cases like this--the lack of specific geography. The global scope of music sharing makes it a difficult problem to pin down. "Generally, most albums leak before release. It's not always clear who's doing the leaking, or how," says Matt Rosoff, author of Digital Noise, a blog about music and technology. He thinks it's unlikely something like this is going to change the way labels go about distributing music. "I think labels still want to get music out to interested parties digitally ahead of release, and leaks are probably an acceptable and manageable cost. Watermarking is already used, so it's fairly easy to trace leaks back to their source. It's possible that labels and artists might stop pre-releases in some cases, but only for acts that have devoted fans who are likely to buy the album without much advance marketing."

Some, however, see the system as effective overall. Mark Kates of Fenway Recordings, the management company behind bands like MGMT and Saves The Day, says security hasn't been an issue with albums he's worked on of late. "The system works because people realize that watermarks actually work. It's a weird thing, because on a certain level it's almost like the honor system." Being too protective of your music creates a fundamental contradiction in the interests of artists and labels. "At some point, the person you're protecting against, the intended listener, is the same person who has to have access to the audio," says Rosoff. "At that point, there's always going to be a way to make a recording. The only solution would be to have no advance copies, release music to everybody at the same time. Some folks have tried that. This could work with certain artists whose fans are likely to buy whatever they put out. The problem comes when you're trying to break a lesser-known act, or hype an act without an organic fanbase, the old pump-and-dump method of music marketing."