Feeds

Siphoning MySpace tunes using Safari

MySpace leaves them free for the taking

SANS - Survey on application security programs

When it comes to protecting digital content holders from the hordes of naughty file grabbers, you'll be hard pressed to find a more zealous partner than Apple. So we were surprised to learn that Apple's Safari browser makes it easy to download MP3 files hosted on MySpace that are supposed to be limited to streaming only.

MySpace programmers have taken pains to obfuscate the location of the MP3 file music artists embed into their MySpace profiles. Until now, pirates had to use programs like Ethereal or Burp to divine where a tune was stored. But thanks to a Safari feature called the Activity Window, that cumbersome process is no longer necessary.

We read Dave Shanley's writeup of the technique and were able to replicate the process, although with a few minor modifications.

At the moment, we're huge fans of the Dexateens, a Tuscaloosa, Alabama, quintet that plays a gritty, southern-fried psychedelia infused with punk. (So moved are we with their song "Makers Mound" from their most recent album that the sectors of our hard drive where that song is stored have been damn near ground to dust.)

So we were eager to see if we could use the technique to acquire "Lost and Found," a demo that we're pretty sure can't be acquired anywhere else. It took us a little while, but we got it. Here's how:

  • Safari will open that link, but it won't tell you very much without a little prompting. To do this, choose View Source from the view menu. You now have a window that contains lots and lots of links. Finding the link to the demo is as simple as searching for the string "mp3."

There are a few caveats. MySpace appears to behave differently depending on your IP address. For instance, if you're in California and put the last link into a browser, you're likely to get an error message indicating you are not authorized to access the file. We got around this by using the Unblock City web proxy.

We were also stymied by QuickTime, which popped up as soon as we were able to access the page. It presented us with a window pimping QuickTime Pro, which we were told is needed to actually download the file. Now, we know there's a way to change settings so QuickTime isn't invoked each time we click on an MP3 link, but we really, really wanted to download this demo. So we simply uninstalled QuickTime.

(We'd be indebted if someone would add a comment below reminding us how the hell to appoint some other player that doesn't try to punt pesky up-sell pop-ups.)

The lesson here is the same one we've heard over and over. Technology designed to limit what can be done with files distributed over the net to millions of people are at best a mere inconvenience. There's no putting the toothpaste back in the tube. Once you release something online, it's pretty much out there forever.

It's also worth noting that it's MySpace that has left the door open here. Safari is just an enabler that makes the hack easier than using a third-party app.

The insecurity doesn't seem to be lost on the Dexateens. The MP3 file containing their demo is encoded at a paltry 96 kbps. Any fan worth his salt is going to want a better sounding version of this song once it becomes available. ®

Top three mobile application threats

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.