DoxPara Research
12-Feb-2001 / Dan Kaminsky / Cryptography Doesn't Save Napster, and The War Over Parodies

From: "Dan Kaminsky" <dankamin@cisco.com>
To: "Jon Winters" <winters@obscurasite.com>; "Whitney Broussard" <Whitney@smmmusiclaw.com>
Cc: <pho@onehouse.com>; <hardware@obscurasite.com>
Subject: Pho: Cryptography Doesn't Save Napster, and The War Over Parodies
Date: Monday, February 12, 2001 6:55 PM

> If the IP is _music_ and the encrypted file is _noise_ then you're in the
> clear.

A couple people have been talking about how cryptography is a magic salve for Napster.

It's not even close.

The entire concept of Napster is that anyone can play the music, with absolutely no difficulty. Transfers are anonymous; there's no way to know that the person you're giving the data to isn't an enforcement agent. If a peer can play it, so can the warden. If a peer can decrypt it, so can the warden.

And if the warden *can't* decrypt it...don't look for the peer to. Now, if peers aren't anonymous, you actually have something--the Aimster model actually does something, because you can differentiate the warden from your peers. But Napster has no ability to differentiate.

What's funny is, if it did have the ability to differentiate, through a distributed cryptographic reputation engine...suddenly you'd have a hell of a way to convict someone--look at all those nice digital signatures signing somebody's guilt :-)

Look. Link-oriented crypto is very useful for circumventing link-based censorship (port/content blocking). It does nothing when one of the endpoints is possibly untrusted. File-oriented crypto is similarly unsuitable, and both are ultimately defeated by the fact that the indexes that make the system useful are the ultimate point of failure. Either entries are trusted, and thus are centrally destructible, or are untrusted, and thus are globally spoofable.

Now, what's going to be really, really interesting to watch is what happens to PARODIES on Napster. Think about it for a moment--what if the only way to listen to Britney is to hear "her" blast her own record company. Media companies for years have been trying to figure out how to shut down criticism; the ever-ignored software IP lawyers have even begun trying to include anti-criticism clauses in their EULAs. With Napster on the ropes, and song parodies an effectively viral source of criticism...I'm quite curious to see exactly what would become of a major-label-free Napster.

Talk about a reversal of fortune: If people are looking for your material, would you rather they find it, or something even worse?

Yours Truly,

Dan Kaminsky, CISSP
