Open the box.

A couple of days ago I was talking about the Pandora ( http://www.pandora.com ) music service that Brinstar ( http://acidforblood.blogspot.com ) brought to my attention. Well, I've finally had a chance to get back and take a deeper look at it. It's a nice little package which uses Macromedia Flash to download and play songs that match my request. The matching back end is awesome! It does a great job of finding similar tunes. The last.fm ( http://www.last.fm ) system can't touch this at all.

Well, after checking it out for a couple of days it turns out that I used up my ten-hour free trial. What to do? There are two subscription choices: annual (12 months of unlimited use for $36) and quarterly (3 months of unlimited use for $12). I think we can see where the deal is...

So, in the interest of exploring the web application that makes this tick, I started digging. I knew I wasn't supposed to (well, according to the terms of service anyway) disassemble the Flash file they were using to play the MP3s. Since that was out, I decided the easiest thing to do would be to use a proxy server on my local machine to watch the 'conversation' between my computer and *.pandora.com. I have to admit that after watching it work for a few seconds I already knew I could trick the Flash application into thinking I had logged on to the service. The Flash seems to be coded to only expect a couple of different answers from the server, so with two small changes to the reply from the server I was 'logged in' and, to my surprise, the rest of the application continued to work flawlessly - the music plays on.

During the dig I was able to see the method by which they get the MP3s to the computer, and it's just a web address - all of the files are world-readable with any web browser - if you know where to look or the URL to type. Of course, it's not nice to steal MP3s from poorly coded web apps now, is it? I'll probably go into some more detail later, but it's time to go to the bar.
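As an added defender-side illustration (not code from the original post, and not Pandora's own implementation), this is how a music service can avoid world-readable MP3 URLs and keep the access decision on the server rather than in the Flash client: each download link carries an HMAC signature bound to the file path, the requesting user and an expiry time, and the server verifies it before streaming the file. The names `SECRET_KEY`, `MEDIA_HOST`, `sign_media_url` and `verify_media_url` are assumptions made for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
MEDIA_HOST = "https://media.example.invalid"  # hypothetical media host


def _mac(path: str, user_id: str, expires: int) -> str:
    """HMAC-SHA256 over (path, user, expiry) so none of them can be altered."""
    msg = f"{path}|{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_media_url(path: str, user_id: str, ttl_seconds: int,
                   now: Optional[int] = None) -> str:
    """Issue a link valid only for this user and only until it expires."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"u": user_id, "e": expires,
                       "sig": _mac(path, user_id, expires)})
    return f"{MEDIA_HOST}{path}?{query}"


def verify_media_url(url: str, session_user_id: str,
                     now: Optional[int] = None) -> bool:
    """Server-side check run before the file is served.

    Rejects the link if it is unsigned or malformed, expired, presented by a
    session other than the one it was issued to, or if any signed field
    (path, user, expiry) was changed after signing.
    """
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        user_id = q["u"][0]
        expires = int(q["e"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires or user_id != session_user_id:
        return False
    # Constant-time comparison so timing does not leak the expected MAC.
    return hmac.compare_digest(sig, _mac(parsed.path, user_id, expires))
```

With this in place a plain file URL, a link copied from another user, or an expired link all fail verification, so knowing "where to look" is no longer enough to fetch the file.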