hype/m: revivified, then vivisected

There’s a new version of the Hy/pe Mac/hine! Cool. The mp3 blog aggregator’s gotten a new coat of paint and a different flash player. It looks pretty nice, although I’m not entirely sure what substantive changes have been made. Nevertheless, it’s at least much more t-shirt-compatible.

I decided to celebrate the occasion by digging into the workings of the site a bit more. Hype/m provides a lot of music but is understandably hesitant to provide direct downloads lest they be busted by The Man. But how do you go about providing an mp3 for listening but not for saving? It’s as fundamentally unsolvable as any other DRM problem — more so, given the relatively open technologies that the site uses.

Still, they do their best. For instance, only requests from known web browsers are allowed — try to use a command-line tool like wget or curl to fetch content and you’ll get an ACCESS DENIED message. But it’s easy to fake user agent strings (or just to do the dirty work within your browser). Consequently, this isn’t the only security that the site employs.

Let’s have a look at the anatomy of playing a song on hypem:

  1. You click the play button next to a track.
  2. An AJAX request is sent that looks something like this:


    The part in bold is an identifier that’s unique to the song you requested.

  3. Some HTML is sent back and placed in the portion of the page where the play button used to live. It looks like this:

    <object class="play" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=7,0,0,0" width="36" height="18">
    <param name="movie" value="http://hypem.com/h2p.swf?autoplay=true&url=N2NjZGZkYTJkMjc0ZTZmNGY3OTVmNmQ0Mzg4MTEzYTVjMTgyM2NhY2ZmYzI2ZTAyMzE2MGIwMDY1NjJmOTA5MTJlMzE1ODA5MzYyYzBjODJiYjdjODBhNGI0ZDIwODkyMDRhNTQ3M2U4OWQwOGE2Mjk5YjQ1MWRjMjk1ZjFkNTlmYmIyZWIwZmU5YThlMDU1">
    <param name="wmode" value="transparent">
    <param name="quality" value="high">
    <embed src="http://hypem.com/h2p.swf?autoplay=true&url=N2NjZGZkYTJkMjc0ZTZmNGY3OTVmNmQ0Mzg4MTEzYTVjMTgyM2NhY2ZmYzI2ZTAyMzE2MGIwMDY1NjJmOTA5MTJlMzE1ODA5MzYyYzBjODJiYjdjODBhNGI0ZDIwODkyMDRhNTQ3M2U4OWQwOGE2Mjk5YjQ1MWRjMjk1ZjFkNTlmYmIyZWIwZmU5YThlMDU1" quality="high" wmode="transparent" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="36" height="18"></embed>

    This code tells the browser to load an Adobe Flash object called h2p.swf and pass it parameters telling it A) to start playing immediately (autoplay=1) and B) where to find the mp3 that it should play. This is accomplished via a mysterious url parameter, which I’ve highlighted in bold in the HTML above.

  4. Using the LiveHTTPHeaders plugin for Firefox, we can see that the flash video then requests a file named something like:


    That’s straightforward enough. But how does it get that long URL from the even-longer url querystring parameter that’s passed to the Flash movie?

To find out, we’ve got to take a look inside the seemingly black box of the flash movie. Fortunately there’s a great tool that lets us do that: Flare, which is free, cross-platform, and will happily extract the ActionScript from a Flash movie. I grabbed the h2p.swf file and passed it to Flare. Here’s the interesting part of what I got back:

this.m = new mp(this, com.meychi.ascrypt.RC4.decrypt(com.meychi.ascrypt.Base64.decode(_root.url), 'abcdef1234567890'));

Hello there… looks an awful lot like a decryption routine… and something that looks suspiciously like a decryption key! This line takes the aforementioned url querystring parameter, Base64-decodes it, then passes it to an RC4 decryption routine along with the decryption key abcdef1234567890 (not the actual key). This turns the url parameter into a usable URL, which the flash player then fetches.

The meychi.ascrypt library’s website is offline, but a little digging into its code (also returned by Flare) shows that, unlike most RC4 decryption libraries, it expects to receive a string of hexadecimal bytes which it first converts into a string of chars before applying the RC4 decryption algorithm. The need for this extra step had me scratching my head for a while, but eventually I figured out what was going on and cobbled together the following script to replicate the functionality. It’s in Perl, since I couldn’t find any RC4 routines in Ruby.

use MIME::Base64;
use Crypt::RC4;
# hype mac/hine's secret encryption cipher... shhh!
$passphrase = 'abcdef1234567890';
if($src = <>)
# decode the URL-safe parameter from base64
$unencoded_src = decode_base64($src);
# convert decoded input from hexadecimal bytes to a string of chars
$charred_ciphertext = '';
$char = substr($unencoded_src, 0, 2);
$charred_ciphertext .= chr(hex($char));
$unencoded_src = substr($unencoded_src,2);
# decrypt with RC4 algorithm
print RC4($passphrase,$charred_ciphertext);

Pipe the url querystring parameter to that script and it’ll spit out the URL of the actual file. Paste that into your browser and you’ll be redirected to the file’s actual location — your browser will begin downloading it quite happily.

Of course, this is all kind of a huge pain in the ass. It’s much easier to follow the link to the blog where hype/m first found the mp3 and keep your fingers crossed that the original link is still alive. But! If you could just find Javascript libraries for Base64 encoding and RC4 decryption you could make a bookmarklet or Greasemonkey script that automatically adds a direct download link to every hype/m entry. Hmmmmm.

Anyway, I should probably finish by saying that none of this should be taken as an indictment of the hype/m programmers’ skills. The Hype Ma/chine is a truly impressive piece of software, and the countermeasures its creators have implemented to prevent direct downloading are pretty much everything I can think of doing. The problem is simply that allowing a user to hear content but not store it is an impossible task. And keeping secrets hidden in Flash — which is the only appropriate technology for this application — is similarly impossible, making whatever obfuscation they employ relatively easy to unravel.

The only improvement I can think to make would be to rotate encryption keys by serving a variety of different player SWFs, and invalidating an mp3’s URL as soon as an incorrect key is used (I assume that the URLs produced by my script are temporary redirects that rotate fairly frequently and can be expired as necessary). This way a user couldn’t cycle through the known keys. As far as I know, decompiling an SWF is not something that can be accomplished in Javascript.

But it probably could be done within a full-on Firefox plugin. And given browsers’ enthusiasm for caching Flash (and Javascript’s ability to easily differentiate SWFs with different names), the above proposal might not be a viable approach at all. Really, there’s no way to completely secure this system. “Good enough” is all that one can reasonably hope for, and I think they’ve already achieved that.

Cross-posted at EchoDitto Labs

if only we could drink gasoline

Megan is pondering an interesting question. Apparently some contrarians have begun trying to convince her that the carbon cost of transporting non-local food is so high that the metabolic energy she expends by biking to work may come at a larger carbon cost than just taking a cab. That is, a distantly-grown apple takes so much energy to grow, produce and deliver that we’d be better off burning fossil fuels rather than expending human effort.

Two things. First, as Megan points out, gasoline has to be transported, too. Second, not too long ago Drake Bennet pointed out some good reasons for wondering whether local food is actually environmentally friendly: it doesn’t take too many trips to the farmer’s market in a mostly-empty car for the tomato you just bought there to represent more energy use than the one shipped across an ocean in a massive container ship, then packed into a fully-loaded diesel semi.

But I’m still curious about how the energy use breaks down. Some figures arrived at via quick googling:

So bicycling is 32.4 times more efficient, in terms of pure energy use, than driving an average car (from 1987). Making energy by growing and harvesting food certainly takes a lot more energy than making it by pumping oil out of the ground and putting it through a fractionating column. But 32 times more per unit of produced energy? Well, maybe.

At any rate, the difference in locally- versus distantly-grown food seems unlikely to be the deciding factor. The real question is whether, carbon-wise, you should be making that bike ride at all, regardless of where your groceries began their journey. I can easily imagine a tomato requiring 32 times more energy to grow, harvest and deliver than it provides in food energy.

But who knows? It’s all very confusing, and the concerned individual taking deliberate action to save the environment through carefully researched lifestyle changes seems to me to be embarking on such a crapshoot that they’ll be very lucky if, when all is said and done, they’ve managed to even offset the carbon cost incurred by their EnergyStar LCD monitor’s daily display of Treehugger.

OR: What Ezra said.

the legends are true

It is possible to see this silhouetted figure rotating in both directions. Charles got it right away; yesterday I finally managed to as well. It seems extremely unlikely that the neuroscience claims attached to the demo mean anything. Still, it’s a pretty neat optical illusion.

But I’m left wondering: did they really have to give the figure nipples?

I assert my moral right to deliciousness

Matt and Ezra are discussing pragmatic justifications for progressive taxation, aka WEALTH TRANSFER OMG. Will Wilkinson breaks things down here, and his reading seems about right to me: Matt and Ezra are gunning for maximizing well-being rather than cosmic justice. Will’s probably also right about it not being a very good idea to make this argument to the public.

But this struck me as wrong, or at least unfair:

But surely Matt understands that the inability of utilitarianism to acknowledge principled constraints on the way people may use one another is the main reason why most moral philosophers believe utilitarianism to be false. Perhaps Matt thinks these philosophers confused. But if so, then they share their confusion with most Americans, who also don’t believe utility maximization is a good justification for the appropriation of their property.

Sure, hardline utilitarianism is unappealing. But I doubt that Ezra or Matt actually believe in it. Rule utilitarianism works just fine, and lets us simultaneously accommodate the public’s intuition that A) they should be able to go under anesthesia without having their organs harvested and B) there’s a fuzzily-defined and slight but real inverse relationship between wealth and property rights — i.e. it’s okay to take a few extra hot sauce packets from Taco Bell for later use. And isn’t accordance with intuition what the validity of a philosophical system is all about?

Of course, this standpoint is still pretty paternalistic. To which I can only respond: meh.

part of my Halloween costume

part of my Halloween costume

Can you guess what it is? Winner gets to not be subjected to it. And no fair guessing if I’ve already told you.

productive things I have tried and failed to do tonight

  1. Fix my mom’s plane problems

    She forgot her passport and missed her flight to Amsterdam. After many calls to Orbitz, the next available flight toward which her fare can be applied appears to be on Saturday. And costs $4000.
  2. Migrate a friend’s Typepad blog

    After several tries, it appears that Typepad has a serious bug that prevents it from exporting more than 100 megs’ worth of archives. Ticket opened.
  3. Complete an Apple rebate

    They swapped in a new ipod for the older-generation ipod that Emily & I ordered under their promo deal, assuring us via email that it would still be eligible. Their online rebate form disagrees.

To hell with this. I’m going to play video games.

wealth but no wages

Matt weighs in on DIY fruit harvesting:

Kay Steiger, who went on the apple-picking trip Sara (pictured above, at the orchard) organized last weekend and that I attended under the time-honored principle “go apple-picking when your girlfriend tells you to,” retorts that apple picking’s not inefficient, it’s “a form of entertainment.” This would be a lot more convincing were agricultural labor entertaining. In reality, these are the jobs Americans won’t do.

But while Matt (and, one suspects, professional apple pickers) thinks it’s silly to pay to perform this sort of labor — even if just with time — he’s guilty of doing the same thing. Sure, he’s a professional pundit now. But for a long time Matt belonged to the class of folks offering electronic ruminations for free — a practice that leaves a lot of professional writers scratching their heads. It’s still not unusual to read a curmudgeonly journalist complaining about these damn kids writing without compensation. And while Matt may have done it as an investment in his future, not everyone does.

But writing and gardening are both at least conceivable as leisure activities. An even more astounding example of the reach of this phenomenon comes from Penny Arcade, via Quantum of a Wantum.

There are a bunch of people in their basements playing Flight Simulator, and a bunch of people in their basements pretending to be air traffic controllers, running an application that simulates a radarscope. All wearing USB headsets, they are connected to a big network called VATSIM where they talk to each other and simulate realistic air traffic procedures as accurately as possible.

It’s strange but true! These people labor over hour-long preflight checklists, pore over FAA manuals and file flight plans before launching their virtual jumbo jets into the virtual sky and then sitting patiently as autopilot sends them across the virtual Atlantic. They create imaginary airlines and imaginary regulatory agencies. It sounds incredibly tedious to me, but I’m sure they genuinely love it.

Of course, crowdsourced air traffic control is probably a somewhat less practical idea than user-generated fruit harvests. But it’s not hard to conceive of situations where that sort of energy and enthusiasm for tedium could be harnessed. And it’s undeniable that a lot of people are expending considerable effort online creating genuine wealth without direct compensation. Some of this is being harnessed and even occasionally rewarded — open source software’s sponsorship by big businesses like IBM and Novell is a good example. And various ventures are now trying to capitalize on the potential of crowdsourcing and UGC, with varying levels of success. But in many more cases it seems to be enough for authors to simply be allowed to create — so long as they continue to receive a sort of involuntary patronage from their regular employers.

In the past you could prove your mettle and gain entry to an industry via skillful amateur efforts, freely offered. The internet now makes it possible for those amateur efforts to actually compete with the industry they’re emulating. One can’t help but wonder if it’s a race to the bottom: do your real job less efficiently to free up time for your fake job. Meanwhile, your willingness to do your fake job for free reduces the compensation available for doing that sort of work, making it harder to actually become a professional. The first movers will be fine, but eventually their fields will be bled dry.

But this is a pretty depressing perspective, and not at all in keeping with my general internet triumphalism. Explanations why I’m wrong will be welcomed with open arms.

OH YEAH! I nearly forgot: I wrote about related issues in somewhat rosier terms a while ago.

a rebuttal

Ryan, in a manner deeply unbecoming an economist, is questioning the need for continued human progress:

I remember when men would shave with tools, real tools, that doubled as farm implements or at least good kitchen cutlery. And when we wanted a bracing splash of aftershave, well, that’s what the tumbler of scotch was for. All right, so I don’t remember that, but I do remember when the two blade disposable you got in your freshman welcome pack was sufficient to hold things down until that study abroad trip junior year when you first tried growing a beard. Rust builds character, my friends.

I’m sure this sentiment is heartfelt. But I can’t help but note that both Ryan and certain other razor traditionalists can plausibly be described as Aryan Supermen. I’m sure it’s very convenient to have the sort of blond, wispy facial hair that can be removed with gentle abrasion from, say, a disposable plastic dish scrubber. And I don’t mean to disparage my own more problematic stubble — men like Kriston and myself find rough facial hair useful in a variety of situations, e.g. igniting a strike-anywhere match and using it, with cupped palms, to light a hand-rolled cigarette as we stare flintily at the loneliness of the great Western range. From horseback.

It’s just that taming that sort of beard — some might call it the sort of beard that tamed America — requires more decisive, even violent measures. That’s all.

Speaking of beards, here’s a shot I took this morning before shaving:

the october protobeard

As you can see, it still sucks. But I’m happy to say that this is only about five days’ growth — reaching this point took much less time and involved much less discomfort than doing so has in the past. Like everything else in this increasingly globalized world, my beard’s crappiness remains constant, but its cost is plummeting.

(Take that, Avent.)