Set Digital Music Free
The latest issue of EFF's newsletter covers the HackSDMI challenge. Probably not surprisingly, they're urging the same thing as Don Marti, who Salon interviewed. Update: 09/19 3:33 PM by michael: The RIAA, EFF, and 2600.com debated SDMI on Pacifica radio today.
As I submitted earlier, Don Marti has stepped down from the boycott. Hopefully it will get posted on Slashdot soon.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
I am rather partial to this editorial myself.
~~ What's stopping you?
The goal is to have no eyeballs look at this until it is ratified. This increases our chance that once they force this down everyone's throats someone can find a hole.
Remember, if the system is really secure there isn't much we as hackers can do. 128 bit encryption is 128 bit encryption, and barring major advances is unbreakable to hackers. Let the music industry get a stranglehold on the people with a new standard and there isn't much we can do to loosen it technologically.
Of course there is the other way to look at this: help make this standard as secure as possible. Then keep reminding people that you used to be able to copy music for your own purposes, and legally you still can. When people get mad Congress does listen, and they can force the industry to release the ability for everyone to take advantage of fair use. Grass roots politics is where things get done in the US, so join a political party that mostly thinks like you, and get things done. (It doesn't have to be the republicrats, but a major party gives you a better shot of getting your candidate elected in exchange for some lesser issues going against you)
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Extract the watermark, don't extract it. It really doesn't matter.
Yesterday's Forrester report on the new Nomad reiterates the commonly held view that SDMI is irrelevant:
"SDMI is too late to make a difference. Net users see access to free music as a key benefit of digitally downloading music. While the Jukebox is hardware-ready to support SDMI -- the security rules developed by the music industry's Secure Digital Music Initiative -- owners will ignore secure, paid-for music downloads and opt for the free version."
I don't have any problem paying for music, but I am going to continue to rip my CDs to use the unrestricted MP3 file format, rather than use watermarked SDMI files. Flexibility and convenience are very important to me as a music consumer. And there will always be music players for unrestricted formats.
Corby
Why do we need "secure digital music"?
CDs and MP3 files seem to do just a fine job of handling my music needs, there seems to be nothing missing.
Would this initiative secure funding for the artists, or offer new capabilities for the listeners that don't currently exist?
Would this allow me to secure my music by getting access to it if the media it came on was damaged?
How does this guarantee my right to fair use under existing copyright laws?
--Mike--
What would that prove? That the evil hacker(sic) types are bad and nasty and want to make life difficult for the RIAA?
Guess what? They know that already.
DDoS isn't going to do anything except make our reputation *worse*. What we need to do is boycott the challenge, and be very, very vocal about *WHY* we are boycotting the challenge -- not that we can't do it, but that we won't do their dirty work for them until and unless they decide that it's time to play nice.
"RFC 882: We put the . in
Lately I've been thinking that we're drawing the lines for battle in the wrong places. Perhaps there SHOULD be a secure format that can be used for things like limited listening. I know we all cringe about self-destroying CDs and the like, but really it could be a great method of exposure -- 2 listens, and the disc is done, and then you can buy a PERMANENT CD. That might be an agreeable setup, material waste aside. A limited download might be used to accomplish the same thing. You can play it n times, but then you have to buy. Sort of like the trial period/limited number of times kind of shareware (which has a place, even if it's non-free).
Now, I think most of us fear that if secure initiatives come out:
1) they WON'T be used wisely. We might be forced to pay per every viewing/listening/reading.
2) that it will somehow be made illegal and/or very difficult to freely view/distribute stuff you actually have the rights to.
It seems to me that #1 is possible, but that if we start fighting the battle from the other end (#2), we might be able to make a lot more headway with conservative policy makers AND preserve the freedoms that are truly important. Remember, the GPL doesn't stop Intellectual Property from existing under the law, and make everything free. It (and other free licences) just makes Free Software possible.
We are fighting the battle for #2 in a number of places (DeCSS I think falls in this category), but we're also wasting a lot of time on #1. Given a chance, I think secure initiatives might find a fair place next to free alternatives.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
This is actually a very, very good idea. One of the alleged reasons for this competition in the first place is to try and track the people who would or could crack this. I for one couldn't (unless I happened to be the perfect monkey happening on War and Peace at the keyboard) but I would want to see this cracked the second it is released. I am going to go and download everything I can find now, and everyone else who wants to see this cracked in the end should do the same. Then when they go chasing the crackers we can watch them plough through the slashdot effect to try and find a culprit.
Of course if I happen to have a monkey day and do crack it......I'll be waiting for launch time:-) About the only thing this competition should guarantee is that everything will be broken even quicker than before!
Never underestimate the dark side of the Source
I'm a bit disappointed by the reaction of all the big guys in the hacker community. Did they actually read the challenge? You can get to try to break their stuff with almost total privacy (all but your IP address), and you don't have to give up any of your rights if you don't want the money.
Also, you don't give them expertise, as nothing forces you to explain how you hacked their stuff if you did.
Whether you like the idea that SDMI are trying to implement or not, a public challenge is always a good thing. And they are actually giving up a rather convenient and powerful way to test their algorithms...
Finally, the best way to prevent SDMI from existing is certainly to undertake their challenge and to break the schemes. Otherwise, they'll implement it, and maybe it will be broken afterward, but bypassing it then may involve more complicated legal issues...
If you don't want to read the click-through license agreement, just use this URL:
http://hacksdmi.org/hackDownload.asp
I'm not sure if the agreement prevents me from telling others how to circumvent it, but I don't really care that much.
Have a nice day.
-----
It took almost two years to crack CSS, and that was only because Xing didn't encrypt their keys (BTW, did Xing ever get in trouble for this?)
If the "crack SDMI" goes on for 3, 6, 9 months, even a year, without being cracked, it doesn't prove anything. There is no such thing as an uncrackable algorithm. The Germans thought Enigma was uncrackable, they were wrong. The MPAA thought CSS was uncrackable, and they were wrong. Now the RIAA is trying to build another "uncrackable" code. And they're going to find out in a year, two years, 5 years, whatever, that they're dead wrong as well. The best that the RIAA can hope for is making the encryption such that it can't be cracked brute-force by today's computers. How long have CDs been around? 20 years or so? How far has computing technology gone in that time? Will computers sometime during the life of SDMI be enough to do a brute-force attack against SDMI? I'd wager yes.
They oughta go read "Applied Cryptography" and just give up. SDMI is irrelevant, CD-Audio will take years to catch on. MP3 is here, working, popular, and sufficient for most users.
PS, I just proved that SDMI can (and will) be cracked. Send me my $10k.
-- Ever notice that fast-burning fuse looks exactly the same as slow-burning fuse? I didn't... (Edgar Montrose)
Anyone thought about hacking the HackSDMI website? Maybe change the index file to something talking about the boycott and laying down the real reason that they want SDMI to become popular...
Of course, I'm just putting this out there as an idea... I don't condone it one bit! No siree!
-- Dr. Eldarion --
Okay, let's see here: SDMI want me to test the strength of their proposed security measures, measures on which the entire future of the music industry's electronic offerings will be based. An industry that earned over $16 billion in profits last year.
...And they're only offering me $10,000. And they want me to do it "on spec".
How very typical of the music industry. What cheap bastards.
Tell you what, SDMI: Crank the prize offering by at least three orders of magnitude, and we'll talk...
Schwab
Editor, A1-AAA AmeriCaptions
Here's a quote from their click-through license agreement.
(1) you will not be permitted to disclose any information about the details of the attack to any other party,
They're just going to buy the silence of everyone who does, then they'll be able to say that the hole they discovered is closed (because everyone who could exploit it has and has been paid off). Worse than that though, it'll enable them to sue these people for breach of contract for ever talking about anything related to digital music, encryption, watermarking, or anything else they take offense to. Kiss your right to participate in Slashdot discussions goodbye, unless of course you're prepared to toe the SDMI-party line.
The RIAA and MPAA are all cheats, thieves and liars. Bah, why do they bother, their usual method of bribing all the politicians and judges has carried them this far.
SDMI and those big music companies are about to deploy billions of dollars in software, hardware, and content, and $10k is all they can cough up? If they add another three zeros to that, together with binding arbitration, we could start talking.
I think this shows us what we probably knew all along: Chiariglione is cheap. Chiariglione doesn't respect other people's work or intellectual property, he only cares about his own.
And to anybody thinking about participating in this challenge: don't sell yourself cheap.
I hate the fact that the new windows media player, by default, has a little box checked that says, "Allow WinMedia to send information to sites you download movies from.."
I would be about as excited to know that every time I play a CD in my computer, or an MP3 file, that information is being sent to the RIAA (or anyone for that matter.) What exactly would be the point in surrounding an audio format in with a barrier to prevent copying? Besides what was mentioned before.. nothing is perfect. PGP isn't perfect (although it has not been cracked in some time, it WILL eventually get cracked..) And the same goes for this new audio format.. CSS got cracked, so will SDMI.
If I own a company and I invest millions of dollars in an encryption scheme, which I know will not last more than a year, maybe two, but will require a change from hardware manufacturers to make a new encryption - I'm going to go out of business. Something tells me that 12 months is a pretty generous estimate considering the amount of hype this story has received.
Realistically, the RIAA should look at some different models to make money off of music. Napster is insanely popular, even among novice users (my Dad is on Napster and he has trouble starting IE and searching Yahoo.) I would pay $5/month to use Napster and Napster's 4 million + users would make that equivalent to approximately 500,000+ CDs.. ($15 apiece for the CDs). Napster pays the artists or the record labels a royalty and everyone is happy.
Or base it on downloads.. every song costs .20 or .10 for that matter.. either way you slice it MP3s are free once they are made.. no CD art, no reproduction cost, no CD case, no shipping or handling..
However, if their intentions are to keep ALL of the pirated music off the net, well that will never happen. There will always be the squadrons for rogues for whatever reason will blatantly infringe on copyrights, just because they can. As there will always be people that download that material because it's free.
To think that someone gets paid to sit there and say, "Hey let's make a new encryption scheme" is ludicrous to me. I could be making a ton of money thinking up actual good ideas.. I wonder how that guy got that job... hmmm
"The same thing we do everynight Pinky, try and take over the world." - Brain
In 1976 Congress increased the length of time of a copyright to the author/artist's life plus 67 years. In 1995 Congress increased the time of a corporate copyright to well beyond a century (120 years, I think.) So any movie made before 1880 would be in the public domain. Know of any? Of course not. Congress has been systematically stealing from the public domain since 1909 when it was increased from a maximum of 28 years to an automatic 56 years. Write your congressmen, tell them you want Tolkien, Charlie Chaplin, and Mickey Mouse in the public domain where they belong. I have already done so.
Don't just complain - DO something about it!
New instructions:
Go to the ClickThrough Agreement, then use the link above. Looks like they might be using cookies, or some other method which forces you to view the license page before viewing the download page.
You still don't have to click on the 'I Agree' button.
-Adam
This space for rent.
If you actually go and download the files for the contest, you won't find much. Rather than any sort of description of the watermark technology, or any software that checks for the watermark, you get three .wav files. File 1 has no watermark. File 2 is the same audio as file 1 with a watermark applied. File 3 is a different song with a watermark applied. Your "challenge" is to remove the watermark from file 3. To check the file, you have to upload it to their server, and they will send you email with the results of the check.
So, from a cryptographic point of view, this is pretty worthless. It's along the lines of the newbies who post to sci.crypt saying "I've developed a new algorythm. Here is some ciphertext, crack it!". Of course, to do any valid analysis you need to know how the algorithm works.
My guess is that either the people setting up the "contest" are pretty clueless, or they have no faith in their algorithm, or both. Or this is just a publicity stunt to reassure the record labels. My money is on the latter.
Any hacker who attacks SDMI after it's released will certainly have access to a software implementation, or the algorithm, or both. So, to leave both of those out of the "contest" just makes it a sham.
And there's always the trick of having a soundcard driver that saves the audio stream to the harddrive.
No. SDMI requires that there be no way to get a digital cleartext out of an encrypted file. For example, all Microsoft Digital Rights Management sound card drivers disable all digital outputs (card outputs, write to file, or a fake waveIn) when an SDMI clip is being played. If a sound card driver is not digitally signed by Microsoft and rated MS-DRM compliant, it has no access to the Secure Audio Path and will play silence instead of music.
<O
( \
XGNOME vs. KDE: the game!
Will I retire or break 10K?
all it did was receive sound from windows applications like it was a sound card and write 44.1 kHz pcm sound
It won't work for long. Microsoft Digital Rights Management will silence all SDMI audio going to unsigned drivers. MS will only sign a driver if it shuts off all digital waveOut capability (this includes without limitation disk writers, digital out ports on the card, and waveOut to waveIn aka SB Live What-U-Hear) when playing secure audio; only signed drivers get access to the Secure Audio Path.
<O
( \
XGNOME vs. KDE: the game!
Will I retire or break 10K?