SDMI Cracked Too Soon

Andrew Leonard writes "Two off-the-record members of the SDMI coalition have confirmed to Salon's Janelle Brown that all of the SDMI watermarks have been solidly broken." It's too bad this didn't happen in a year - because now it's been cracked before it was even released, and they'll delay even longer.

oh, here...

[MenTaLguY]

WinAmp Plugin

Re:Disappointing

[ewhac]

and that is one of the [ ... ] most asinine things I've ever heard.

Perhaps you haven't been paying close enough attention: They are out to screw you.

They want to re-write the rules of retail sales, replacing title transfer with "end-user licenses" (just about any software package).

They want to re-define lawful behavior, taking away your right to exercise your curiosity about the world around you (anti-reverse-engineering clauses).

They want to take away your standalone computer and replace it with a "licensed networked digital media reception terminal," complete with credit card reader.

They want to take away your right to do with your property as you please (:Cue:Cat).

And they want to do this without soliciting your input or consent, and then make you pay through the nose for the privilege of being screwed.

Now, perhaps those things aren't important to you. Perhaps you're not a terribly curious person, or perhaps you're of the opinion that, "I would never need or want to do those things." Perhaps you feel that The Law is The Law, regardless of whether there's a valid ethical foundation for it, or how or why or for whom the law was enacted. Or perhaps you're thinking, "That will never happen in this country." Well, fine, you don't think it's important.

But in my book, this is tyranny, pal; it's damned important; and I will not sit still for it for one nanosecond. This is war, a war of ideas, a war for the digital society of the future. And the enemy has all the lawyers, guns, and money. (And no, this is not hyperbole. What is at stake here is nothing less than who will get to define the social and ethical framework by which we will conduct our lives in the digital universe.)

We are not dealing with people here; we are dealing with corporations. They have no ethics, no morals, no conscience. They are amoeba. They respond to but a single stimulus: Money.

Look at what they are doing. Think about the possible consequences (not just to yourself, but to your neighbors and family). I hope you will discover that the situation isn't as easily dismissed as you may currently believe.

Schwab

Re:Still don't understand

[jms]

Is the RIAA's strategy to simply litigate every non-SDMIing player into oblivion?

They don't have to. They planned on using the same strategy as the MPAA. All legitimate downloaded music files from major labels would be in SDMI-encrypted format.

You could still manufacture an ordinary MP3 player, but it wouldn't work with SDMI files. It would be like manufacturing a DVD player without licensing CSS. Sure you can do it, and you could have digital outputs and no macrovision, but it won't play store-bought DVDs, so no one does it.

Re:... I think they did expect this ...

[bughunter]

they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them

Yeah - a chill ran down my back as I was reading the Salon article. I imagined this conversation transpiring:

Judge: "Why didn't you encrypt your music more strongly?"

RIAA: "We tried, but every encryption and watermarking scheme we tried proved vulnerable. It turns out to be physically impossible to secure digital media. So we just went with ROT13 as our copy protection to limit costs."

Judge: "Is this true? Is it impossible?"

Geek: "Well, ummm... in a word, Yes... mmmm - mayven"

Judge: "I see. Well, if it's impossible to protect the data, then any means of protection can be considered reasonable protection when applied to defend a copyright. [whack!] Rule in favor of the plaintiff."

Crack SDMI-HOWTO

[Mike1024]

Hey,

Here's how to crack your SDMI-campatible player:

1) Download SDMI file
2) Download compatible player
3) Set your sound card input to 'What you hear' or whatever equivilent
4) Start your choice .wav recorder, like 'Sound Recorder', free in Windows 3.1
5) Press 'Record'
6) Play SDMI file
7) Wait until end of play
8) Press stop
9) Encode your .wav to an MP3, using your choice encoder
10) Put on gnutella

Or if you have a hardware player:

1) Prepare player to play music normally
2) Dismantle the player, until you get down to a loudspeaker. Cut off the two wires and solder them into a standard microphone audio jack from your local hardware store
3) Start your choice .wav recorder and click 'record'
4) Plug the new microphone jack into your sound card
5) Play SDMI file
6) Wait until end of play and click 'stop'
7) Encode .wav file into MP3
8) Put on gnutella

Clever eh? I'll take my $10,000 in cash, sterling used notes please.

Michael

...another comment from Michael Tandy.

Re:Crack SDMI-HOWTO

Ummm - not quite. Digital-Analog-Digital conversion is an obvious attack, and watermarks are designed to withstand this sort of thing. Image watermarking schemes, for example, are often tested against a print-scan cycle. For a simple example in audio - echo manipulations within audio streams withstand DAD conversion.

If you are actually interested in learning something about this, get Information Hiding: techniques for steganography and digital watermarking by Katzenbeisser and Petitcolas and read the proceedings of the Information Hiding conferences, called Information Hiding I and II (maybe a III by now), published by springer.

Actually, I recommend reading the Information Hiding conference procecedings for everyone - they present a number of techniques that will appeal to those with interests in privacy, cryptography, information theory, steganography, watermarking, biometrics, covert channels, etc.

One of my favorites in the proceedings covers designing biometric authentication tokens that are anonymous, non-transferable, and privacy protecting.

Re:Crack SDMI-HOWTO

[yerricde]

Two problems:

1. SDMI content is watermarked in such a way that it survives D->A->D->A->D conversion and most audio compression schemes. Anything watermarked that hits Napster, iMesh, Gnutella, etc. is fully traceable.
2. Operating systems can be made SDMI-compliant too. For example, Windows ME and Whistler have a secure audio path that sends audio only to signed drivers. Fat chance Microsoft will sign a driver that fails to disable What-U-Hear (a waveOut to waveIn redirector) or, for that matter, any redirection to a digital stream, for audio data sent down the Secure Audio Path.

<O
( \
XPlay Tetris On Drugs!

NDA

[sulli]

But as I recall you could link directly to the files made available for cryptanalysis. So if someone GOT the files but DID NOT agree to the NDA, could not that person, if a cryptographer, distribute independently the results? And if such a person were an AC on /., would not the results be pretty much untraceable?

Just a thought, for all you SDMI h4x0rs out there.

As for me, I wasn't going to buy it anyway, so fuck 'em.

Re:Wow...the Linux community really IS "the enemy"

[ucblockhead]

Uh...I think that was meant to be parsed as "members of the programming community suspicious of the SDMI"

Too soon?

[jmv]

After all, it might have been a good idea to break it that soon. I work in speech coding (not that far from audio coding) and, though this is still subject to debate, I believe that watermark cannot work. An indication of this would be that (if I understood correctly) all the watermarking systems have been completly broken. If it had been only one, then they could have picked the strongest one (which would have been bad). If it had been only a detail, they could have fixed it...

But maybe the answer is that it's not posible to have watermarking that really works. If this is true, the ones pushing SDMI have two choices:

1) Come up with a new watermarking system every 6 months, have it all broken with 1-2 weeks, and be effectivly stalled for years. Even if they finally find something that works after 4 years, it would be way too late anyway.

2) They could release something they know to be broken and play the same game the MPAA is playing with CSS. Only in that case, they'll get even less sympathy, because everybody will know that they knew from the start that their watermark was broken.

Re:They didn't expect this?

[Dirtside]

Right, but if you intercept someone's RSA-encrypted message, you don't get the key.

SDMI would HAVE to provide you with the key, so that you could decrypt and listen to the music! I was incomplete before; what I should have said was, "They give you the encrypted data, the decryption algorithm, AND THE KEY".

Ok, so who did it

[Anne+Marie]

I thought we all agreed not to crack them, so they'd release the standard and we'd get lots of poorly protected audio floating around for us to grab. So which one of you did it?

Re:Ok, so who did it

[B'Trey]

It's a little silly for us to talk about how people should be allowed to reverse engineer things and then get upset when they do it to something we don't want them to....

There's a difference in saying someone shouldn't hack/reverse engineer something and saying that they can't, particularly when that can't is backed by the threat of state violence.

Re:Ok, so who did it

[dragonfly_blue]

lol, I was trying to make a joke...sorry if I offended you. But, please remember that if you take your example to the extreme, (as if there really is a single true Hacker Ethic), logically, a hacker would know that telling the RIAA that their security measures were cracked at this stage would simply lead to them trying to create even more elaborate ways to keep their digital property from being free (Speech, not Beer.)

<PROPOGANDA>So, my poor attempt at humour yields the philosophical question, Would a Real Hacker(tm), knowing that the system he disagrees with is faulty, help that system persist by informing it of it's inherent weakness? Or, would this hypothetical hacker just keep his mouth shut until the faulty design was finalized, henceforth guaranteeing the complete Freedom of the information in question? </PROPOGANDA>

Feel free to rephrase the question in a less biased manner. =P

Re:Ok, so who did it

[jms]

So, my poor attempt at humour yields the philosophical question, Would a Real Hacker(tm), knowing that the system he disagrees with is faulty, help that system persist by informing it of it's inherent weakness? Or, would this hypothetical hacker just keep his mouth shut until the faulty design was finalized, henceforth guaranteeing the complete Freedom of the information in question?

That would depend on whether the Real Hacker's interests lie in:

1) Being able to bypass the system
2) Not having the system implemented

There is a good reason to choose (2). The SDMI watermark will introduce distortion into the audio signal. If the Real Hacker's interest is in purchasing music with as little distortion as is technically possible, then her interest lies in killing SDMI before it is deployed.

Re:Ok, so who did it

[phil+reed]

MP3 went out of business last week & none of the artists got paid a dime.

Uh, that's not what it says on the site. Do you have information that nobody else has? Or are you blowing smoke out your butt?


...phil

Re:Ok, so who did it

[TBHiX]

(TBHiX turns around, looks at cat)

"It was you, wasn't it, Tizzy?!"

(Cat stares balefully at TBHiX for a moment, then goes back to licking herself.)

"BAAAAAAAAAAD kitty! You just go to your basket and think about what you did!"

Hmph. Sorry about that, folks. She just hasn't been the same since she slept on my copy of Knuth's "Art of Computer Programming". Well, at least I know where that pre-paid order for eight gross of catnip toys came from.

-TBHiX-

Re:Ok, so who did it

[NecroPuppy]

And here I was, sitting in my cube this morning, thinking about how much fun it would be to have this sucker cracked and not tell anyone....

Until it was released...

Re:Is This a Surprise?

[jms]

Divx (the circuit city product) was, as far as I know, never cracked. Of course, they went out of business so fast that no one even had a chance to try. :-)

Re:Disappointing

[Jason+Earl]

The problem is that the RIAA probably has the necessary muscle to force SDMI products down consumers throats. As soon as the RIAA finds a way to make SDMI work, they will guarantee that it is impossible to by a new music player of any sort that doesn't honor their wishes.

For now it is a trivial thing to make copies of your CDs, and rip MP3s to carry on your MP3 player, but in the future this will not be possible if the RIAA has there way.

So it won't only be the idiots that lose their fair use rights, you will lose your rights as well. They will essentially be able to control where, when and how you may listen to music that you have paid for. Your music collection will also probably "expire" and require re-licensing.

I am all for having SDMI fail in the marketplace, but I wouldn't feel sorry for a moment if someone "gave it a push." If the RIAA and their cronies had sunk billions of dollars into implementing SDMI and then had it broken, then we would definitely see it crash and burn.

Delays aren't necessary bad...

[S1mon_Jester]

After all...that just gives MP3's more of a chance.

But the REAL question I have is whether or not those who broke the watermarks *TOLD* RIAA HOW THEY DID IT.

Sorry dude...we, like know what the answer is..but we forgot to tell ya how we did it. Sorry.

Re:Delays aren't necessary bad...

[jafac]

There is no uncrackable protection.

It is a fundamental fact of information theory that you cannot securely transmit information from one party to another if the other party doesn't want it secure.

You can make it a total pain in the ass, which means in terms of time, effort, and hardware (all translatable into $), if the commodity isn't worth as much as it costs to crack it, then it won't be pirated on a large scale.

But the more they delay, the more MP3s get pirated.

Re:Delays aren't necessary bad...

[Jason+Earl]

Delays are better than an uncrackable SDMI implemented tomorrow, but the best possible outcome would have been for the RIAA and their hardware cronies to dump billions into hardware and software with big holes in it. As an added bonus many of their customers would have found their draconian stance on IP to be too restrictive, and sales would have dropped. Simply because the "pirated" versions were easier to use.

The RIAA isn't going to learn unless the lesson is painful. I am all for the RIAA making money from their copyrighted material, but not at the expense of my fair use rights.

Oh, and by the way, hopefully this will give Ogg Vorbis more of a chance. MP3s aren't bad but Ogg is better!

Re:cracked?

[monkeydo]

First, assume the noise has to be identifiable as a watermark (or else their players won't refuse to play it.)

This is not a safe assumption. And just because a compliant player can identify the watermark bits doesn't mean that you can

Thus, any software player that can identify it can be disassembled to point out which bits of the stream are watermarks.

Please support this assertion. You have never seen such a player have you? How do you know it can be dissasembled for any purpose? Is it inconcivable to build a player that cannot be disassembled?

Remove those bits, and it's gone. The meanings of the bits are irrelevant.

The point is to make the meaning of those bits relevant. If those bits are also meaningful to the data stream you can't remove them without altering the data.

The goal of SDMI is to put the watermark in significant areas so that you can't remove them. Just like the security watermark on your paycheck. If you try to change the amount of the check you ruin the whole thing.

And this has nothing to do with getting rid of MP3's or tracking pirates. The point of SDMI is to be able to distribute digital music without worrying about piracy. SDMI prevents pirtacy the same way CSS prevents pirating of DVDs; not because the encryption is secure, but because you must play a DVD to copy it. Sure you could make a bitwise copy of a DVD and it would play in any DVD player, but to do so is prohibitivly expensive.

As long as you must play music to copy it you (the vast majority of people) will not be able to make digital copies of it. And the music industry has never been very concerend with analog piracy of digital music.

Did they not expect this?

[Nonesuch]

If all of the candidate watermarks have been broken, what is their next step?

The best possible result for SDMI would have been for at least one of the watermarks not to have been broken during the public examination period, then they could have released hardware and software knowing that it was better than any of the discarded watermarking solutions.

This sort of test is silly- just because it can't be broken today, by people for whom $10K is a lot of money, doesn't mean it won't be broken the day after it is released.

Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

Re:Did they not expect this?

[jmv]

Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm

What's been broken is not about cryptography, it's the watermarking system. Watermarking means adding to the audio a message that the ear cannot hear, but that contains copyright information. Breaking the watermarking system means either removing that message (which is probably impossible) or, at least, changing it so it is not recognizable anymore.

Re:Did they not expect this?

[jafac]

you make the best possible point.

Those who believe in such a thing as uncrackable encryption are either poorly misinformed, or have no imagination.

For some reason, money seems to gravitate towards such individuals. . .

Re:Did they not expect this?

[plover]

A couple of points: First, there is no next step. It is not mathematically possible to secure data in a non-trusted non-secured HARDWARE environment. Can't be done, mathematically provable (wish I could offer the URL of a decent proof here, oh well, that's what google's for, right?) Physically provable also, as well evidenced by this announcement.

The ONLY possible result was to have their watermarking broken. As I mentioned above, it's not possible to secure it.

What you describe as their best possible result would actually be the penultimate nightmare scenario for SDMI. Ramping up production of new hardware and media is an incredibly expensive undertaking. Not to mention the risk of public rejection (for a primo example of this, learn the lessons of DIVX.) To get $2 billion down that path, only to be shot down by hackers. At this point, they're only out a few million. The $10K prize was a spit in the bucket.

As to your last point, professional cryptographers have been telling them this is impossible and a huge waste of money. People with money don't believe in "impossible." They don't understand technology, they understand money. And in their world, money can buy the impossible. They don't live in our world, where code can always do the possible.

John

Re:Excellent!

[jafac]

Well, the boycott idea was stupid anyway.

bocott coke, and maybe 20% of the people who agree with your cause will boycott it.
That translates into a 20% drop in revenues (um, if Coke didn't own every other company in existence, and only produced just coke).

but with this contest, if just one hacker doesn't boycott it, (and who wouldn't want an extra $10,000 for a few hours work?), then the boycott utterly fails. Y'all should've just gone for it.

It would have been nice to see the wasted effort to mass-market this stuff and watch it be cracked. That would have been sweet. But it's also pretty satisfying to watch a hacker-boycott still crack the thing in a matter of weeks. If all the hackers had gone full-tilt into this, can you imagine how quickly it would have fallen? Might have saved them a little hubris.

Re:?????

[kallisti]

I think you are trolling, but if not does this count?

Section 107:

Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include-

(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;

(2) the nature of the copyrighted work;

(3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and

(4) the effect of the use upon the potential market for or value of the copyrighted work.

The fact that a work is unpublished shall not itself bar a finding of fair use if such finding is made upon consideration of all the above factors.

Or perhaps ; ;SONY CORP. v. UNIVERSAL CITY STUDIOS, INC., 464 U.S. 417 (1984) in which "Any individual may reproduce a copyrighted work for a "fair use"; the copyright owner does not possess the exclusive right to such a use".

Re:Excellent!

[jafac]

yes. SDMI would have been a hard sell, until they "bundled" it with "better audio quality". It wouldn't have to sound better, they'd only have to bribe a few audiophile magazines, and run a small astroturf campaign, and it would BE better.

But yeah, indie labels (using unprotected MP3 technology) *is* what we really, ultimately want.

Re:Better idea: cheap mp3s

[miracle69]

Why use the proprietary Frau encoder when Lame has been proven to be not only faster, but of better
quality?

And regardless of where mp3 ends up legally, Ogg Vorbis will replace it if licensing becomes a huge issue.

Meaning of "suspicious".

[seebs]

Yes, the hackers *WERE* suspicious. They said "I don't trust this, it looks like a bad deal".

"Suspicious" does not necessarily mean "worthy of suspicion".

Re:They didn't expect this?

[jafac]

The guys who came up with SDMI thought they could fool the RIAA companies into buying into this technology, and face it, they would have become incredibly wealthy, whether it failed or not. It was worth a try, eh?

Re:Vorbis is cool, but not quite there.

[PiMan]

I track the CVS a bit, and there's been a good deal of optimizations, at least in the XMMS arena, since beta1. CVS info is available at vorbis.com.

However, if you're lazy like me,
deb http://www.stud.uni-hannover.de/~ingo/vorbis ./
deb-src http://www.stud.uni-hannover.de/~ingo/vorbis ./

is a set of sources.list lines for your Debian box that have compiled CVS versions updated daily.

Re:that isn't capitalism.

[interiot]

The buyer also has to appease the seller to some extent, or all the sellers will go play a different game.

Yeah, SDMI sucks. I was just saying that no matter the alternative, I don't think much music will be released online without copy control. If some organization actually makes a large amount of money with MP3's, then the labels might sit up and listen. Until then, they want some form -- any form -- of copy control before they'll do music online.
--

Re:Of course....

[jafac]

But DAT wasn't that well established yet.

Computers are big. I think a lot of the manufacturers out there would have something to say about a tax like that.

My lobbyist can beat up your lobbyist.

Re:Better idea: cheap mp3s

[TheGratefulNet]

lame has NOT been proven to be better quality to my ears. firstly, there is NO free encoder that is even listenable (to me and most of my friends) at 128k. frau was my only choice - if disk savings is of importance (and with 35gig's so far, it has saved me a whole 2nd disk!)

for 160 and above, lame is 'ok'; but for 128k, its never been demonstrated that even vbr j-stereo lame or blade or gogo can compare with frau.

THAT's why I forked out my $200 linux license fee. I didn't want to - believe me - but it paid for itself in disk space (even though it was god-aweful inefficient in terms of compute time for encoding).

--

Right, but...

[sulli]

Nobody would buy an SDMI player when an ordinary MP3 player delivers more functionality for less money. So this strategy would fail even if the technology worked. Sorry, RIAA!

Re:Right, but...

[sulli]

But the Music Clip got terrible reviews, and I don't know a soul who uses it! People may be uninformed, but when they can't use their MP3s without all sorts of stupid-ass authentication protocols, they'll return the Clip and get a Rio.

You're right with your rant about the DMCA and so on. But the consumer still has a voice. After all, DIVX died, and other crappy techs like Minidisc never took off.

Re:This is nice - but what about other DRM systems

[Foogle]

Oh so clearly in the recent DeCSS case, the judge was just stupid, right? Did you read his paper? He most definitely understood the DMCA, and abided by it to the letter. A judge's job is to interperet laws, not to overturn them.

Re:Ok, so who did it (who cares?)

[sdo1]

BTW: Once you convert it to analog you start losing quality, and they don't really care what you do after that.

Once you go through lossy compression (i.e., MP3 compression), you start losing quality, and they sure as heck seem to care about that!

-S

When Cryptography Becomes a Political Attack...

[Christopher+B.+Brown]

I agree with you that from the perspective of trying to preserve the ability to demolish SDMI's ciphers at a later time, it may have been foolish to break the codes now. Eric Raymond wrote a pretty entertaining letter on the matter commending the idea of luring the RIAA into a false sense of security, so that they would invest some real money in SDMI, foolishly getting NO security out of the deal, vulnerable to be badly scarred by the later serious attacks.

On the other hand, the Salon article seems to indicate that the consortium that created SDMI is politically fragile. Which suggests a different set of outcomes:

• An attack on the ciphers now whilst they are politically vulnerable to attack might knock the whole consortium down.

  Which leaves nobody there to agree on a "SDMI Mark II".

• Not attacking the ciphers now allows the consortium to gather political stability, which leads to financial stability.

  Given financial stability, they might attain the funding to mount a legislative response to a later cipher attack.

In effect, the hackers might attack now, while SDMI is weak, and destabilize it from a political perspective.

It is possible that the scenarios I suggest are not representative, but if they are, which seems possible, this certainly paints a rather different picture.

Re:When Cryptography Becomes a Political Attack...

[roca]

Also, there is no limit on the number of attacks. Some people have expressed the fear that attacking now helps them build a stronger SDMI. That is rubbish, because there is no technology for building a stronger SDMI. Whatever they release, we will break.

Basically two things can happen from here:
-- Industry sinks millions into "SDMI Mark II", it's immediately broken, and they wasted a lot of money just as they would have if no-one had cracked SDMI Mark I.
-- Industry eventually gives up on SDMI and purchases more legislation from Congress instead.

Cracking it now increases the likelihood of the latter happening soon, but it would have happened eventually anyway.

Vorbis is cool, but not quite there.

[CritterNYC]

Vorbis as a format is definitely there, but the software isn't there yet. The beta reference encoder is quite slow and the beta winamp decoder plugin is too CPU intensive (over 60% CPU usage on a PPro200, 96megs, Win98SE to decode a default quality (VBR up to 160kbps) file... while a similar quality VBR MP3 hovers around 12% CPU usage). I definitely suggest checking it out, but wait for the release version which will undoubtedly be much more optimizied.

BTW - The beta encoder (for Windows, Linux x86 and BeOS) as well as plugins to winamp, xmms and sonique are available at www.vorbis.com.


--

Re:Ok, so who did it (who cares?)

[Atlantix]

It's impossible because DACs turn a specific digital value into an exact, corresponding analog value (+/- the error rating of the DAC) and an ADC turns a RANGE of analog values into a corresponding digital value. This means the result of ANY signal that undergoes an A->D->A or D->A->D conversion is not the original signal. It's close but the lowest bits of precision of each sample are slighty modified. The watermarking that SDMI proposes must be contained in those low bits or users would hear distorted audio. So if one uses this simple process on an SDMI compliant audio file, the watermark will become unrecognizable to an SDMI compliant player. The player will then be forced to assume the audio file is pre-SDMI and will play it fine because SDMI players are supposed to play ALL non-SDMI audio.

Re:... I think they did expect this ...

[FreezerJam]

Yep - this is exactly right.

The problem, as the post-Napster environment will show, is that the only people left to sue are your preferred customers.

*This* is the bind - you don't need to protect the music from those who don't really care about the music, and you can't protect it from the people you want to please. And last time I checked, suing people doesn't usually make them happy.

They want the impossible technical solution because they see it being practically impossible to protect it legally.

What they've really got is that there will be no effective and usable protection either legally or technically.

Re:Better idea: cheap mp3s

[TheGratefulNet]

Ogg Vorbis will replace it if licensing becomes a huge issue.

it'll never happen. superior audio means nothing; its all inertia. the masses 'know' mp3 and that's all that exists. WMA, vorbis, shorten - all better than mp3 in one respect or another. but the Rio's and Empeg's out there speak mp3 and that's the standard. once its in hardware, its a done deal.

ogg is for geeks and software players. but that's probably 1% of the mp3 target population.

remember how long it took for cd's to become the popular defacto standard? has anything (dat, etc) dislodged it yet? (nope).

--

Unless your name is Valenti or Rosen

[A+nonymous+Coward]

What jobs these geniuses have! Imagine having a well paying job pretending to do an impossible job and knowing all the time that your paymasters are stupid enough to believe not only in the job itself but in what you claim to be doing.

Yeh, it sucks. All the way to the bank.

--

Re:?????

[jms]

Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.

Fair use is not a defense that allows you to break the law. Fair use is defined as being an exception to copyright. You have the right to make fair use of legal copies of copyrighted works. Whether you have the ability to do so is a different issue, and that's where the DMCA comes in -- the DMCA is designed to take away your ability to exercise fair use, but it does not affect your right to do so. The CSS lawsuits are not copyright infringement cases. The fact that you have the right to fair use is supported by decades of law.

um, sorry. here's your reality check...

[MenTaLguY]

I'm sorry, but there are perfectly legal ways to use MP3.

*sigh* ... name one (except playback) involving nothing but Free Software.

The MP3 issues I was referring to have nothing to do with content; they have everything to do with licensing the Fraunhoffer patents.

From mp3licensing.com:

mp3 Software Encoders

(patents and object code developed by Fraunhoffer IIS)

Fraunhofer IIS developed fast, efficient and high-quality implementations for mp3 encoding, supporting bitrates from 8 kbps to 320 kbps, samplerates from 8 kHz to 48 kHz, mono and stereo. Evaluation copies are available upon request, after signing an mp3 evaluation agreement. Please contact us for details.

• US$ 5.00 per unit
• US$ 15,000 annual minimum, payable upon signature and each following year in January, fully creditable against annual sales.

mp3 Software Encoders

(patents-only)

If you have developed your own implementation of an mp3 encoder or if you have licensed such an implementation from a third party, you need a patent-only license.

• US$ 2.50 per unit
• US$ 15,000 annual minimum, payable upon signature and each following year in January, fully creditable against annual sales.

Oh yes, and LAME is not exempt... from the LAME page:

Personal and commercial use of compiled versions of LAME (or any other mp3 encoder) requires a patent license in some countries.

...and no, I don't have US$ 15,000 to throw around. Do you?

Re:Still don't understand

[jafac]

The CD would never be playable in a player you could digitally connect to a computer. They're talking about replacing everyone's CD player. Most likely with some digital memory type player.

Sounds like a hard sell, until that new Backdoor Boyz CD is ONLY available in SDMI. Possibly given away in some kind of promotion. Then all the kiddies run out and buy SDMI players. (or they give them away at McDonalds or something) Then, armed with those sales figures, the industry approaches the hardware manufacturers and sez "hey, this is profitable" cash flies under the table, a blowjob here, a blowjob there, (my embellishment), then there are more SDMI players out there, and they don't threaten their revenue by making MORE music SDMI-only. Soon, only non-RIAA companies sell non-SDMI music, and while this is a competitive advantage in an ideal market, RIAA propaganda, promotion, marketing, legal-dirty-tricks, drive the indies out of business.

Then, the RIAA bribes, er partners with Microsoft to provide free SDMI players in the ONLY web browser still available, that just happens to be on 90% of desktops - and breaks other plugins that play MP3s, only geeks will be able to download MP3s and get them to play.

Then, you could likely download SDMI files and listen to them on your computer, but no player (in theory) will allow you to decode the content, other than directly to the speakers.

Of course, where this fails is when someone comes up with their own decoder, or even a sound-card driver that dumps the sound data to a place that can be decoded, instead of to the speakers. Or if someone figures out a hack for the player to do raw digital-out, or something like that. Worst-case scenario, if SDMI is better than CD sound quality (it would almost have to be to sell, unless they sell for a reduced price, unless they could fool all of the poeple all of the time - which isn't really necessary, you only have to fool most of the people with most of the money), then output from the player is audio, you simply take some decent equipment, and re-encode it. Some loss, but free distribution of previously copy-protected works makes it worth it, as long as the quality is acceptable.

But then D:C would sue for using their patent!

[A+nonymous+Coward]

Wouldn't that be a shame...

--

Pitiful

[StoryMan]

10,000 bucks is a paltry amount of money. These codebreakers have saved the RIAA much, much, much more than a pitiful 10 grand.

Someone should have offered twice that for the codebreakers to keep their mouths shut.

Re:Excellent!

[DaveTerrell]

Not so excellent. If you read between the lines, the technology companies are hoping that they throw out watermarks and go with Digital Rights Management. DRM is a codeword for "end to end controlled encryption." It's like Kerberos for music, and it means that you have to use their software, special hardware, etc etc.

*sigh* ...naivete...

[MenTaLguY]

the Reference Code (i.e. the patentable piece) has all been removed

Nope, sorry, reread the LAME page again:

"Personal and commercial use of compiled versions of LAME (or any other mp3 encoder) requires a patent license in some countries."

Still nailed by patents.

Be wary of sour grapes

[Richy_T]

OK, I'm not saying that it wouldn't have been good for this not to have been cracked until after it was released properly but it's easy to say that noone should crack it when you don't have the skills to do it yourself.

If I was able to do it, that money would undoubtedly look might attractive. It would be easy to say I would hold the moral high ground and hold off but I'm not in that position and so can't make that claim. I think it's something that people should think about before they start whinging about those who did crack it.

Rich

What benefit would SDMI yeild for ~5 years?

[ahg]

Regular CDs that play on today's players are going to be sold for at least another 5 years. The consumer market just won't accept their new 200 CD jukeboxes being obsolete overnight.

So... since they can't get rid of MP3 for another 5 years, why all the effort to come up with a perfect encryption and loose the opportunities here today?

I think all they need is a variation on current encryption schemes (different enough so they can seek protection from the DMCA for "circumvention") that locks your music files to a pass-pharse. That same pass-phrase will be linked to your credit card. Anyone you give your password too will be able to buy music on your account.

Grant it this does nothing to keep people from getting MP3s but it allows them to satisfy a market for online commercial quality music files in a way that doesn't put their product any more at risk for piracy then it already is.

Let's face it, most kids and bootleggers don't care enough about quality that good analog recording equipment won't satisfy them.

RANT ON
The amount of loss due to (quality) analog equipment pales in comparrison to what's lost in your typical 128 bit MP3. In the "old" days when cassettes were "Hi-Fi" - the main problem was tape transport noise of older/cheap units and hiss caused by poor quality tapes/heads. My $200 Kenwood Cassette player doesn't suffer from those problems today. My guess is that after MP3 encoding, 98% of the population couldn't tell the difference between an encoding whos ariginal source was a CD and one whos source was a cassette. (even a recoding I made from CD - I find that recordings I make are often better than those cassettes from the label)
/RANT

Sorry, I thknk this all turned into one long rant. I had a point but it got lost, I just find the lack of sense in the whole matter frustrating...

Re:Still don't understand

[jafac]

I forgot one other angle;

In the part where the RIAA bribes/partners with Microsoft, .NET figures in, because if all software is "rented", computers won't need CD players anymore, and since MS controls the manufacturers, CD players will become rare commodities. non standard items. Like ZIP disks.

Re:Better idea: cheap mp3s

[TheGratefulNet]

but dat HAD the copy protection that the RIAA wanted. they HAD their way with that one. of course folks found ways to zero out the SCMS bits ...

the failure of dat was 3 things: expensive to build and buy mechanisms (mini vcr's inside), hard to find pre-recorded tapes (yeah, I know, why bother. sigh.); and unreliability unless meticulously maintained (which consumers would not do; many pros didn't either. I'm talking head cleanings every year).

but I agree that mp3 was a hit mostly due to its compression size and it was the right fit for where we are in the Inet today (in terms of spare b/w on personal Inet lines). in a few yrs from now when t1 is considered slow, maybe shorten or some other non-lossy compression scheme will be king.

--

Re:Excellent!

[barleyguy]

However this article points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

I disagreed with that article, because even if it was cracked AFTER they released it, they still wouldn't have anything to fall back on. Assuming they don't. If they do have something, they can use the results of the contest to eliminate possible cracks. So overall, I think cracking it before its release is a bad thing.

Because the music industry has appeared to be clueless up to this point, here's another possibility:

It really has been broken, and they really don't have anything to fall back on. So they DENY it's been broken, and release it anyway. Then it gets broken again after its release, and they pretend they weren't expecting it, along with playing stupid legal games.

I'm not sure if they are really this clueless. But it's possible.

Re:Can I point out...

[ewhac]

I see plenty of direct-action "break the codes and set them free" type talk on /., talk about fighting for the digital future and our rights. Wholly absent from the debate seems to be a coherent vision of what the future should be, how corporations can survive in the digital age and still make money from their efforts.

Thank you!! An intelligent, incisive question, one worthy of conspicuous, public debate.

Speaking entirely on behalf of myself, you are correct that a cohesive vision of How Things Should Be has been absent from my rants. This is because I believe designing a successful, durable, workable, just system would require the efforts of a group of incredibly talented, wise people, the likes of which have not been gathered since the framing of the Constitution. I don't believe I possess such gifts.

I do have a few vague, disconnected ideas. To fully appreciate them, however, you need to understand the framework in which I developed them:

Axiom: When the ability to copy is ubiquitous, and when the incremental cost of copying is effectively zero, the effective value of any given copy -- including the "original" copy -- is zero. (I state this as axiomatic, but I'm willing to discuss its merits. And please note that this assertion says nothing about the effort/resources required to create the original in the first place.)

As a supporting argument, consider the universe presented in the TV show Star Trek. (This may seem silly, but Star Trek is a useful framework for comparison, as everyone's familiar with it.) In a world where everything, including physical objects, can be replicated at zero cost, what is the economic impact? I argue that the market-based economy collapses completely, since its fundamental supports (scarcity and inconvenience) have been eliminated.

I also believe that the social impact will be that casual copying will be seen as perfectly okay, and that the desire to not share copies will be seen as childish. After all, if anyone anywhere -- including artisans -- can copy anything at any time for nothing, then what, fundamentally, will be wrong with copying anything?

So, in a universe where copying everything is seen as perfectly okay, is there anything an artisan should still have control over? I contend that the most crucial aspect of creativity still needing strict controls is the artisan's reputation.

Consider: On a visit to the Enterprise, you see an object you quite like. Naturally, you ask, "Wow! Who made that?" Both you and the object's creator would like to be certain you receive an accurate answer. Note that the question of whether the object you saw was an original or a copy is irrelevant. You no longer care if an object is "genuine;" you want to know who did it. In other words, you want to know about their reputation. (After all, maybe they did other cool stuff, too.)

...Okay, so we don't live on the Enterprise (yet), and we all still have to pay the rent. However, I strongly believe the concept of reputation will be central to a re-design of economics and the concept of intellectual "property" in the digital universe. Reputation will become a chief scarce resource in the digital universe, because it is an artist's reputation that will guide you to their other scarce resource: their time. And it is their time that you will be paying for (no more doing stuff "on spec").

In terms of more immediate, concrete proposals, I've heard the following ideas floated:

• Mass-Market Buskware, or the "tipping jar" model. Many question whether such a system can work on a large scale. So far, author Stephen King seems to be doing rather well by it with his free offering, The Plant. However, it's probably worth noting the primary reason he's doing so well is largely due to -- drumroll, please -- his reputation.
• Pre-Release Mass Auction (preBay?). This is a system whereby software/music/whatever is made available for a flat price, and bidders can contribute whatever amount they wish toward that price.

  For example, let's say John Carmack creates his latest game, qDuOaOkMe, and decides that, for all his efforts and that of his company, he wants to see $50 million. So he posts it to the site: "qDuOaOkMe: $50,000,000". People the world over pledge $25, $50, $100, whatever they feel it's worth toward the final price. When the price is reached, Carmack gets the money, and the game is released free to all. The entry is also kept open on the site so people who didn't bid can continue to throw tips. If the price is not met after a pre-set time, all pledges are returned to the bidders, and the game isn't released.

• Shareware. This model has met with mixed success in the past, mostly due to the relative inconvenience of sending in the requested fees. "Impulse" buying, until recently, hasn't been easy. Fortunately, services like Kagi and PayPal may well rejuvenate this idea.
• Automatic Micropayments. This is certainly an idea worthy of exploration, but I have concerns about the implications for privacy.

Other ideas are likely out there, and worthy of attention.

Also for immediate consideration, there should be some study into the use of digital watermarks for identifying the artist of a given work. Right now, all the discussion surrounding watermarks has been with an eye toward controlling proliferation of copies, which is unworkable. However, I believe even the most virulent opponent of copy protection would support using digital watermarks to identify the artist, thereby preserving -- wait for it -- their reputation.

Like I said, I don't think I have what it takes to completely design the new system. I've also completely avoided rather sticky issues, such Moral Rights (e.g. should an artist be able to enforce the declaration, "No, you can't use my painting in the background of a porno video"). But I do know that the current system will ultimately prove to be fundamentally unworkable, if for no other reason than the sheer numbers involved (how many copyrighted works will you need to test against to make sure you're not infringing?).

So, yes, you're right. We need to think about this, and it needs to be done rationally and publicly. Too bad the entertainment industry's using all that bandwidth to paint us all as criminals.

Schwab

Re:This is nice - but what about other DRM systems

[aphrael]

A judge's job is to interperet laws, not to overturn them.

Unless they're inconsistent with other laws or the constitution.

Re:Better idea: cheap mp3s

[miracle69]

Respectfully, I believe you've been blinded by your $200 licensing fee. The Lame versions sound much better than Frau at 128 and beyond. It is possible that your version of Frau isn't equivalent to the one displayed but I find it hard to believe that Frau has improved to a point where their 256k version can compete with the 128k version of lame.

The tools used to create these are readily available, and I'd love for you to run these tests and post the information on the web. Hell, I'd like an e-mail

miracle@nospammage.procyon.com

Re:Better now than later

[sheldon]

Hmm, I think you might be a little bit confused.

There is nothing about SDMI that will strongarm you into buying new players or new collections, as I understand it. Your CD player will still work, your current CD's will still work, and music will still continue to be sold in the CD format for many years to come.

I believe one of the theories behind SDMI is that the player requires no decoding software, it just plays the music as it is written.

SDMI detection is part of the recording process. Presumably to limit the number of copies of a song that can be made. i.e. you can make a copy from the original, but not from a copy of a copy.

The DVD-Audio format is being held up for this technology, along with an improved CSS like implementation to encode the digital bits.

Actually music has been available on DVD discs for a couple of years now. It's not been terribly popular, however, because few recording studios support it and it hasn't gained widespread acceptance for fear a new format that is just around the corner.

Even when DVD-Audio comes into being, again you will not be forced to go out and buy new collections. The DVD-Audio players will play older CD media, just as current DVD players do. In fact I suspect you'll just see the DVD-Audio spec wrapped into DVD players such that you'll have a device capable of playing several different audio and video formats.

There seems to be a lot of confusion and frankly, FUD, being spread by the anti-music-industry groups.

I don't care about copy protection, as long as it doesn't get in my way. Unfortunately the macrovision on video, and this new SDMI both corrupt the purity of the source and affect the potentional enjoyment.

Re:?????

[jms]

That's like claiming that "zip" is useless because I can make you a file that does not compress at all. Well, yeah ...

An uncompressable audio track would be very atypical. I've used the shorten program on many different music tracks, ranging from soundboards to concert recordings. I've never found one that doesn't compress, and they all compress to approximately 2:1.

Even if there were music files that were uncompressable, SDMI would still be on a collision course with uncompressed audio. It would just be 1:1 instead of 2:1.

This is going to be really redundant

[dizee]

But hey, I couldn't resist beating a dead horse some more.

They should be using CueCat XOR encryption (tm) for their watermarks.

Mike

"I would kill everyone in this room for a drop of sweet beer."

Re:This is going to be really redundant

[Farq+Fenderson]

From what I've seen on the VULN-DEV list, it's doesn't look far off from XOR (on low bits).
---

Re:Suspicious members of the programming community

[naasking]

"The hacker boycott of SDM organized by suspicious members of the programming community has turned out to be irrelevant."

lol. I didn't read the article, but if they really said that, then they REALLY have problems. The boycott is anything BUT irrelevant. If the watermarking scheme was cracked without the help of the hackers, then imagine how fast it would be broken if it weren't being boycotted.

-----
"People who bite the hand that feeds them usually lick the boot that kicks them"

Re:Ok, so who did it (who cares?)

[Farq+Fenderson]

I don't think they've got any hope of DA->AD->DA resistant watermarking that a moron couldn't defeat. As far as I'm concerned, they'll be holding these contests until they give up. They won't -ever- come up with anything difficult to defeat. I promise.

BTW: the 'who cares?' is in the spirit of Starstruck.
---

too lazy. but here's a link anyway:

[MenTaLguY]

OGG Vorbis

Actually, it really would have been common courtesy of me to include more links. Sorry.

To paraphrase Ian Clarke

[joshv]

"If your business model is selling water in the desert and it starts to rain, you'd better find a different business model."

-josh

I'm worried too...

[DreamingReal]

I'm not so worried about how big the RIAA's share of the market is. I'm worried about how big the RIAA's share of *congress* is...

So am I - that's why I'm voting Nader on November 7th.

-------

Do market powers apply any more?

[drenehtsral]

I was about to post a comment along the lines of "so what! If they delay longer, and release something harder to crack (even for the sake of argument, impossible to crack), the market can just refuse to use it, and keep using MP3s and other such unencumbered technoligies...
But then I thought about it. I believe that the music industry has enough power over the users that they'll take what they can get. I don't think the market _could_ realisticly fight the will of these companies. They have little competition, because all the "competing" companies have all globbed together in the form of RIAA.
I don't see a peaceful end to this, because there is a lot of money at stake, and whenever there is money, there is also a rabid foaming-at-the-mouth mob of greedy bastards willing to trample anybody in their way to get at it.
So maybe we should not worry so much about this standard being cracked, because if it was, it'd work just like the DeCSS fiasco, but maybe they'd learn from the mistakes of the MPAA's lawyers. What we need to start worrying about is a way to break loose from this feudalism where the consumer no longer has the power to change things in their favor (partly because most of the consumers are not informed enough to fight back, and there is a lot of money going to PR to keep it that way). Consumers are now Serfs, and large media companies are now lords. I imagine eventually there will be something like a revolution, moving us along the line towards democracy in the information world, but it'll take a while =:-(

Re:Do market powers apply any more?

[interiot]

I believe market powers want to make money and not give away things for free. Many of the labels believe that releasing music online without something like SDMI is essentially giving away something for free.
--

Re:This is nice - but what about other DRM systems

[jon_c]

RealAudio - StreamBox Ripper, Now illegal due to law suits, but still lurking in warez sitz

Windows Media - ASFRecorder (google it)

Shoutcast/Icecast MP3 - Streamripper

-Jon

Better idea: cheap mp3s

[ShortSpecialBus]

Regardless of what format they use (SDMI or whatever) it will be cracked somehow. DECSS comes to mind. That was supposed to be very secure and it was cracked because Xing messed up. Any two way hash can be decrypted, and it will be in this case with music pirates dying to get their hands on music. What the RIAA should focus on is selling it cheap enough that people would actually buy it. I would personally be willing to spend 25 or 50 cents a song for mp3 music, and I think that actually most people would be willing to do that. The whole problem with the RIAA is that they say that prices need to be higher because of piracy, but piracy happens mostly because of high prices. They should run an experiment and have mp3s for download for $0.25 each or something like that, and see what the response is.

Re:Better idea: cheap mp3s

[StoryMan]

Well, there's also more flexible hardware than the Rios and Nomads out there: the MiniDisc.

For whatever reason MD hasn't caught on here like Japan, but if you want a *flexible* MP3 player (and recorder) that can handle *any* format, the obvious choice is a MD player/recorder.

And, yes, I know MD uses a compression scheme but I think most will agree with the ATRAC is pretty damn near undetectable.

It surprises me actually that more people haven't latched onto MD players in light of the (amazing) amount of music now available digitally.

Re:Better idea: cheap mp3s

[jafac]

more like 5 or 10 cents.

But the record companies want to charge 3 to 5 bucks.

Re:Better idea: cheap mp3s

[Cplus]

Have you ever owned a DAT player, or a cd player?

If you will recall, when the cd player first came out in the 80's it was prohibitively expensive. It was through the development of better manufacturing processes that it became cheaper. Production of mass quantities of an item brings the price down.

You're right about finding the pre-recorded tapes, I've only ever seen one.

As for the unreliabilty of the DAT, they are about as reliable as a cd player. I've had many cd players die on me because I didn't care for them. You forget that the DAT recorders we see these days are very high-end machines designed for high-quality professional audio. These are not toys or made for listening to music, they are tools and justifiably very expensive ones.

Re:Better idea: cheap mp3s

[TheGratefulNet]

minidisc missed its market.

it was too expensive and never ever got cheap enough to wean folks off cassettes. even though us geeks use cdr's as the recordable of choice, for field recording, its still either cassette or dat. and for home recording, its mostly cassette with Joe Sixpack.

MD doesn't have a long enough storage capacity. 74 minutes is primitive. soon there will be recordable HD-based mp3 recorders. that will put the final nail in the ATRAC/md coffin.

MD can also scramble its TOC if you're not careful, thus risking losing ALL of your data. no thanks.

you can't find the blank media even as much as you can find blank music or data cdr's.

I can't see anyone new getting into MD that isn't already invested in it. its on its way out.

--

Re:Better idea: cheap mp3s

[TheGratefulNet]

Have you ever owned a DAT player

being a VERY active member of dat-heads for many years, yes, I've owned up to 7 dat recorder/players. some pro, come car, some portable, some consumer. I've been there my friend...

as for the unreliabilty of the DAT, they are about as reliable as a cd player

now its time for me to ask YOU your question: you must not have owned a dat if you say this. dat is VERY unreliable. ever had tension issues when using thinner dat tapes? ever had dropouts and the famous 'buzzsaw' effect on mistracking? ever had condensation on the head (change from cold to warm, like being outside then coming inside) and having the deck lock up on you?

no pro in the industry trusts his sole master on dat. that should tell you something.

a cheap $5 cd player plays all but the most ruined cd's. but it takes about $1k of a dat player to be even 80% as reliable as that $5 cd player.

like I said, I was very heavy into dat for quite a few years. as much as I wanted, it just never got to archival quality and reliability. sad but true.

--

Re:Better idea: cheap mp3s

[Mad+Hughagi]

I couldn't agree with you more about the cheap mp3 thing. You would definately still have piracy, but I think that people would have much less incentive to pirate music.

One of the problems with cheap music is that RIAA won't make as much money, plain and simple. They figure they've got their optimum price right now - if they could make more money by selling music cheaper there's no doubt in my mind they'd have allready implemented it. The root of the problem is the RIAA itself. Maybe a non-profit organization (government regulated??) should be implemented to take care of this. In Canada the goverment funds most of the up-and-coming talent through cultural grants and whatnot since it is harder for canadian acts to break into the US market. I don't see how it would be that much harder to set up a federal organization for recording artists - shit, we got one for pretty much everything else up here.

The sad thing is that most artists probably don't even get 25 cents for each song that they sell - it's all gobbled up by the middle man - the RIAA.

Re:Better idea: cheap mp3s

[TheGratefulNet]

you have my vote as well: make it cheap and the amount of work it takes to either rip/encode/tag your own mp3's or to break the watermark will be more than the cost of just buying legit files.

at home, I have a ripping farm (well, if 4 boxes is a farm) of mp3 encoders. they're all k7-800 class boxes. and it STILL took me over 2 months to r/e/t my whole 500 cd collection (with the frau encoder, at --qual=9. this is with 800mhz k7 systems! a lot of folks have this kind of HP but most probably don't.

a friend of mine who has 'only' a k6-2/300 system waited 24 hrs of constant machine mp3 encode time just for one album. would he pay 50cents for properly (like with Frau.) encoded and labelled mp3's? you can sure bet he would!

riaa: make mp3's cheap and just TRY the online sales thing. and promise us that you keep just enough cash to 'get by' and that the lion's share goes to the artists (that you CLAIM you exist for) and lets just see how well that experiment works.

will they try it? nah - they're too busy suing everyone and his brother. reminds me of the monty python movie where the knight is being defeated one hacked-off arm and a leg at a time; yet still won't give up the fight.

--

an easier route

[jafac]

I guess if the music industry wants it's garganuan profits now, it will need to do the following:

1. lobby congress to legalize murder.
2. hire disenfranchised serbian death squads.
3. locate any person with an IQ above 90.
4. kill all persons with an IQ above 90.

This will have two impacts. It will mean that they'll finally be able to sell Backdoor Boyz to EVERYONE, and that nobody smart enough to crack SDMI will be left alive.

That would be MUCH easier and cheaper than developing a crack-proof protection scheme.

Oh wait, I forgot, there's always DONGLES!

Technology's no solution. The problem's more basic

[crovira]

Encryption's cute but its only encryption. Todays algorithms are tomorrow's object lessons in how not to do it.

The problem is one of economic distribution. How to get money from the consumers into the pockets of the producers in some fair and equitable way.

One model which almost works is ASCAP. They're in charge of charging radio stations and other broadcasting media, based on their market penetration numbers, some money for every piece of material the boadcasters, uh, broadcast, (ASCAP IS Big Brother,:-) and then they shovel that money into the pockets of the "authorities of record" who can claim to be the producers of the material that was broadcast. (That's how artists still get screwed today. NEVER, ever, give away your copyright.)

One model which would work in the "Age Of Napster" is to use micro-payment to charge a published sum from the recipient of a file, if the transmission is not declined, regardless of the content or the size of the file, for every transmission of the file over the internet.

Purely local transmission of the file can be presumed to be fair use, back-ups, change of media etc. Re-transmission over the internet would kick-in the micro-payment scheme which would insure that the Metallica's of the world can please just shut up!

This could even be applied to establishing connections for streaming media.

By the way that leaves the RIAA, the MPAA and other neo-Luddites out in the cold. Let those parasites get real jobs.

Re:Ok, so who did it (who cares?)

[Danse]

Sure there's something wrong with it. It's giving the record industry free assistance in their attempts to increase their control over digital music, just as the movie industry is trying to do for digital video. Helping them acheive their goals is, IMO, wrong because those goals are wrong. Of course, obviously not everyone shares my opinion, or at least they are using some different logic to justify assisting the record industry by cracking SDMI.

The MP3 encoding ought to take care of it.

[Sangui5]

It being the watermark. If you have an ideal watermark (it cannot be heard) and an ideal lossy encoder (it dumps everything you can't hear), well, your watermark should go bye bye.

Of course, given that watermarks are far less than perfect (you can hear them) in order to be a bit more robust, you could D-to-A-to-D several distinct copies of the secure music, 'average' them, and then encode. With a sufficiently high number of sufficiently different copies of the music, the watermark will eventually be destroyed. This has the added benefit that the noise from the D-A-D conversion will tend to neither add nor cancel, but the signal will tend to add during the recombination phase, improving quality.

In any case, so long as I can buy my digital music anonymously with cash (at a brick+mortar store), what do I care if the watermark is still there? So the music has a serial number? That doesn't necessarily correlate with anything in the real world.

Excellent!

[ckedge]

I was initially 'with' everyone here and in the community on the issue of boycotting the challenge, because I thought it would 'punish' the proponents of SDMI if they went to the trouble of commercializing it only to have it quickly broken. I presumed that breaking it now would help the SDMI.

However this article points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

I really wish that the article quoted above had been written earlier and had come to our attention earlier, for it is quite a valid and compelling counter to the "rah rah let's boycott the challenge" idea.

Basically, maybe we were all wrong, and cracking it quickly and effortlessly will not help the SDMI, but actually destroy it! Go crackers!

Re:Excellent!

[danderson]

I really wish that the article quoted above had been written earlier and had come to our attention earlier

Believe it or not, there was a story

Re:Excellent!

[Ross+C.+Brackett]

You'll notice that all the SDMI engineers quoted were still hopefully optimistic that some sort of still-secure-yet-not-quite-as-bad system would emerge. The fact is, they still want the same thing - for the music industry to remain in power, just without the facist copying controls. But what's the fun in that? The fact that SDMI was cracked now doesn't hurt the industry at all, because although the music industry only thinks it's losing money in its absence. But it isn't.

However, if SDMI had been cracked after billions of dollars had been spent on marketing of SDMI (a hard sell, IMO, it would be quite the campaign,) then the industry would have actually lost all that money. Which means less money for future marketing/promotions, which means more opportunity for indie labels and smaller artists to gain a larger market, which means better, cheaper music for everyone. And that's what we really want, right?

Re:Excellent!

[rlowe69]

Ok, so what if they do a Kerberos end-to-end thing?

How many people out there can see that it's a shit sandwich and not eat it? Most of us - and that's all it'll take.

One word: Divx

rLowe

PS> ... and I ain't talkin' about DivX :-)

Suspicious members of the programming community?!?

[Tracy+Reed]

"The hacker boycott of SDM organized by suspicious members of the programming community has turned out to be irrelevant."

What the heck do they mean by this? I'm quite amused that some SDMI members are finally facing the reality that it might not be possible to protect music.

could this be a ruse?

Anonymous sources say that its been cracked - no evidence for that, why should anyone involved in this whole scheme be trusted, and why should any information leaked out be trusted?

Cracking SDMI gives the RIAA enough excuse to go running to the governement for even more backing than they got in the DMCA.

They already are asking for all TVs to have anti-copy protection in them, how soon will they be asking for trusted hardware for audio as well?

The assertion that SDMI has been cracked may well come from SDMI members who know that trusted hardware is the next step, and not from disgruntled hacker-anarchists in their midst.

Trust nothing that comes out of this process - there are billions at stake, not to mention hot and cold running blowjobs in the back of limousines.

Re:cracked?

[roca]

> Is it inconcivable to build a player that cannot
> be disassembled?

We're talking about software players here, so yes, it's inconceivable. I'll bet my PhD on it.

Some of the best CS theory profs around have given some thought to what it would mean for a program to be effectively "undisassemblable". They've had a hard time coming up with a definition that doesn't just reduce to the empty set. AFAIK, their current best definition hasn't yet been shown to reduce to the empty set, but no-one's been able to construct an undisassemblable program either.

Irony

[StoryMan]

The irony of this mess is this: Napster's user list -- containing e-mail addresses -- is probably worth more than the RIAA or MPAA or Jackie Valenti is willing to admit.

The gold isn't in the music itself. The gold is there for the taking, but no one is moving to take it: it's Napster's gazillion user e-mail addresses.

Why isn't Napster dangling their databases more "publically" in front of the RIAA and MPAA. Why aren't they saying: Screw the content. We've got something better. We've got gazillions of users with e-mail addresses who crave your product??

... and they didn't even half try

[gotan]

I mean, the guys who cracked this where probably some folks who thought $10K was a lot of money and didn't mind about giving their work away for that really cheap price, hey, the record industry doesn't even acknowledge their work and downplays it all.

Now after the RIAA chose to ignore all advice by the developpers they paid (in total) some million US$ and who must have told them that it wouldn't work, will they finally listen to some hackers who did it for cheap (hell if they hired some decent experts the RIAA 'd have spent $10.000 just to draw up a contract) and dump SDMI?

Obviously not, they will come up with some new watermarks (probably worse than the first batch because it's really urgent now before MP3 is so widely accepted even they can't stop it) and when it's cracked we'll see the DeCSS case all over again. Meanwhile players will hog the shelves because customers don't want to be screwed (we saw it all with DAT tapes) until it leaks out that with one player copy protection can be turned off, at which point "without copyprotection" will become a salesargument for players.

If the RIAA just wants to ignore the fact that digital information can be copied, they should buy earprotectors and blindfolds for their members, but maybe that costs more than $10K ...

Time for Fairtunes

[MattW]

It's time for the record companies to get with the program. The _smart_ thing to do would be to just start releasing albums and songs on their own sites. Let people download whatever they want, and pay for it if they keep it. I'd be all over it. Naturally, I'd expect it to cost less than a CD, but not a ton less.

I hope artists also move to fore -- popular artists (those whose recording contracts permit) should release a song or three (or an album) in all mp3, and just take payment if you keep it. Say, 24 hours trial period, if you keep it longer, you have to pay. Obviously, its all voluntary, but who would balk at paying $3 to $6 for an ablum from an artist they like? I think the honest users of such a service would vastly outway any thieves.

Here lies the earthly remains...

[Slackrat]

SDMI never had a chance. Though there are many things wrong with the concept, the biggest seems to me that it is no big deal to hack SDMI once an SDMI-compliant players come out. If the player can read the watermark, YOU can read the watermark and figure out how to remove it. Technically, there is nothing stopping you from going crazy Napster style. Thus, the only thing to protect SDMI is the fact that hacking it is illegal. Drugs, gambling, and listening to MP3s you didn't pay for are also illegal. RIP SDMI.

Re:Ok, so who did it (who cares?)

[rgmoore]

Please explain why you believe it's impossible. Is it because they haven't done it yet?

Because the fundamental premise is obviously self contradictory. In order to have a truly effective watermark, the sound must be damaged to the tolerance of an ordinary listener when it's removed. In order to have a publically acceptable watermark, the sound must be unchanged to the most sensitive listener when it's added. The result is that you should always be able to create a procedure that mangles the sound at above the level at which the watermark exists, but below the level where an average listener will care. Doing so may damage the sound for true audiophiles, but won't mean anything to the casual listeners who constitute the lion's share of the market.

Sucks to be the RIAA

[ErikTheRed]

Could you imagine how depressing it must be to spend years of your life engaged in a hopelessly Quixotic struggle against advancing technology? Of course, it couldn't happen to nicer people...

Re:... I think they did expect this ...

[jafac]

My guess is that the professional cryptographers they had working on this were trying to sell someone something (SMDI to the RIAA), and therefore had a conflict of interest going.

'cmon, spend another few million, see what you can come up with, hit us with your best shot! How many failed formats are you going to come up with before you free the information. You know it wants it!

Re:?????

[dwyn]

This is not copy protection, it is watermarking. Basically, a secret inaudible wave is added to the song that you download that identifies your copy. Privacy concerns aside, if you then distribute your copy over the Internet and falls in the hands of someone who can decode this secret wave, it will be traced back to you. The goal was to remove (or alter beyond the point of recognition) the watermark without affecting the quality of the sound.

Vorbis! Does noone here remember Vorbis?

[MenTaLguY]

After all...that just gives MP3's more of a chance.

Ahem, leaving SDMI for MP3 is just leaving the DMCA Swamp for the Patent Quagmire. Out of the frying pan, into the fire.

Why don't we go for the option that doesn't involve breaking the law (and has nice fringe benefits -- MP3 is old tech now), when we can?

And, by the way, the Vorbis format is finalized and has been for some time. bps limitations of current encoders are only a result of the encoding software, not of limitations of the underlying format. Not to mention that .ogg seems to be sounding better than higher-bitrate .mp3s as the encoders improve...

This does it, I'm re-encoding[1] all the music on my site to .ogg when I get the chance. I need the space savings anyway.

---

[1] that is -- encoding new .oggs from pristine audio, not "converting" the existing .mp3s.

"converting" among lossy formats is always going to sound bad.

What may happen :-(

[Lumpish+Scholar]

The recording industry has said, in effect, "We won't sell electronic music (for less than overpriced CDs, Senator Hatch) until we have a secure way to do so."

What's their rush?

Re:Public key system for watermarks???

[jon_c]

Sure, but then your back to just recording the audio output and making a OGG or MP3 file out of it. The reason watermarkers are cool is because they actually stay in the data through format conversions. They want this so they can track who bought what music, and who gave who what music.

But like the guy above said, it's not possible. the MPAA, RIAA, etc.. are all fucked.

-Jon

Was that the best they could do?

[Decado]

We read earlier how the Code Book challenge took over a year to solve and that was just a puzzle set in a book being worked on by hundreds of enthusiasts the world over, Yet the best the SDMI can come up with is broken in under 1 month despite being bycotted by most of the capable programmers out there.

Well it seems the SDMI really know what they are at :)

Re:They can't keep it a secret

[Chris+Johnson]

Um, the boycott was irrelevant because it DIDN'T TAKE A SKILLED HACKER to break all the watermarks. Reminds me of genetic algorithm stuff- out of ten thousand poverty stricken script kiddies, there were enough smart guesses to result in solid cracks for every single one of the watermarks. And of course the same thing would've happened 'in the wild' and the information would've been distributed far and wide.

The thing is- what does it matter? These people do not HAVE another idea. That was it! That was their only hope (and at that, it was against the advice of the computer industry members). Now they're just totally _hosed_.

The EFF being unable to stop 10,000 random script kiddies from trying to crack lame encryption is one thing. The EFF stopping draconian 'anti-hacker' special interest legislation from passing is _quite_ another. There's a limit to how fascist you can conveniently get in US government- and the hackers were _invited_ to crack SDMI, remember. There was a $10,000 prize for Christ's sake! Nobody's going to get far trying to paint the hackers as evil conspirators after _that_.

Re:Contest Materials anyone?

[Chris+Johnson]

Why would the new watermark be any different? The whole thing was a useless endeavor from the start.

Re:?????

It doesn't. The bad thing about this and other "piracy-prevention" tech like Macrovision is that all it does accomplish is prohibiting law-abiding citizens from exercising their fair use rights under the law. Fair use means you can make copies of any software/music/videos, etc which you buy. You can make copies. You can make copies. You can make copies and you can make as many as you want. That is fair use for any product you buy. In other words, you can do whatever you want with anything you own in your physical possession. However, the law can prohibit you from reselling your copies. That is *all* that copyright covers: the sale and public dissemination of IP which you do not have the copyright rights to.

So, the problem: SMDI stops us from being able to copy our music, just like Macrovision stops us from copying our video. These technologies which *no* consumer asked for, have been added to consumer poducts we buy -- which means we are forced to pay for stuff which makes it so we cannot exercise our fair use rights.

Does anyone understand what is wrong with this picture? The record companies are trying to stop consumer rights & their making us pay for it.

Re:Ok, so who did it (who cares?)

[jmv]

I don't think they've got any hope of DA->AD->DA resistant watermarking

I'm sorry, but building watermarking that resists DA->AD->DA conversion is very, very easy to do. You can just apply the same principle behind CDMA that is, add broadband signal with a lot of redundency, and you're all set. Now, resisting to mp3 encoding/decoding is a bit harder to do, but still feasable. Resisting to all the other kinds of attacks, like phase distortion and time scaling, is much harder.

Personnaly, I don't think you can come up with some kind of watermarking that will resist any attack, but we'll see soon enough.

Re:This is nice - but what about other DRM systems

[Ben+Hutchings]

Isn't there a Windows audio driver that records to disk? There's been one for Linux for a while now. These will give you access to the raw audio data, no matter what the original format was, since it has to go through the audio driver to get to the speakers.

Re:This is nice - but what about other DRM systems

[szyzyg]

Nonononono!!

ASFRecorder only rips the stream from the server - if it's DRM'd it's still encrypted and it won't work if you don't have the license. Similarly Streambox ripper only captures the file - it doesn't remove the encryption.

So I'm wondering when an ASF ripper will appear which - given a valid performance key - extracts the media into some unprotected format. And I'm not just talking audio - but video too.

This is nice - but what about other DRM systems

[szyzyg]

I'm amazed that nobody has published code to break the DRM (or at least capture unencoded data) on other established formats like Liquid Audio, Blue Matter (basically Real Audio) and everyone's Favourite - Windows Media.

OK there's the little issue of the DMCA which would make such things illegal in the US.

I wouldn't be surprised if some of the SDMI breaks came from Microsoft to help promote their DRM server based technology.

erm... not quite _that_ bad

[MenTaLguY]

I bought MP3Enc years ago from them, but was not notified that I owed them anything for every song that I ripped and encoded for myself. Or is that only applicable if you use it to distribute music?

Well, you're probably okay. If you purchased a legal copy of a licensed encoder, then the patent license is already covered there.

Most Free Software projects, however, cannot afford the $15,000/yr minimum, though, so the licensing fees fall on the individual user instead.

As for MP3 distribution, that's kind of complicated. Nonprofit distrbution should be okay... it depends on how you read it. Again, see mp3licensing.com for the exact details.

Re:?????

[jms]

There's no such thing as a generalizable anything:1 lossless compression algorithm. I never talked about anything except for compressing audio. If you really think you have an audio file that will not compress using this algorithm, I invite you to download shortn32.exe (do a web search) and see for yourself. This entire discussion is about compressing audio, not about general compression of arbitrary data.

Not exactly...

[Danse]

onerously burdening him with a system which is useless even for the purpose for which it was created.

You'd have a point, except for the fact that the customer isn't buying the hardware for the purpose for which it was created. It was created to suit the RIAA, not the consumer. The consumer just has to use it because their won't be an alternative. Consumers won't care a bit if the system is cracked... the RIAA might though, but that's their problem. If they tried to make consumers buy yet another set of hardware, you'd REALLY see a backlash like none we've seen yet. I'm not talking about a Divx-like backlash where people just boycott the thing. I'm talking about something more along the lines of firebombing the RIAA headquarters in the middle of the night sort of backlash. Basically, they wouldn't be able to pull it off. So consumers would have a system that does what they want, but not what the RIAA wants. Sounds good to me.

In a Related Story

[Gothland]

Anonymous sources close to MyButt informed slashdot today that a recent test of project "Flying Monkey" was unsuccessful. Apparently, it was determined that monkeys do not have wings. Reaction was mixed.

MyButt Inc. president Lart Foudly said "This failure does not preclude our finding another of species of monkey which does, in fact, have wings." Industry analyst Lar Jass countered, "It wouldn't have mattered. Even if they find a monkey with wings, which they won't, they won't be able to fit it in there."

The "MFOOMA" coalition has reportedly not been told of the results of the test, but are expected to try and minimize the publication and impact of the results when it is announced next week.

--------

Terrific!

[Chris+Johnson]

Terrific! Your posts here are inspiring, Schwab- brilliant thinking. I'd like to add another concept or two to your arsenal: commissions should not be overlooked. Your example for Carmack is like "I am making X, give me this much or I'll refuse to release it". I think that's a bad bluff to attempt- what if someone leaks it? Consider, instead, someone going to Carmack and saying "Hey, I really want Y." "Well, that's great, but I'm making X." "But I really want Y! Can you do Y instead?" "What's it worth to you?" That's commissions.

Your observations about identifying the artist are right on- that's why I for one am very excited about one of the 'fingerprinting' technologies being developed. Basically it will be possible to do net searches in the future on snippets of unlabelled digital audio and return the artist's current website/information. This is incredibly important in a world where the information flows so freely- an example, if you use Napster you'll find all sorts of utterly unrelated bands uploaded mistakenly as They Might Be Giants. This is great for TMBG but unhelpful for the real artists- with the sort of fingerprinting we're talking about this would be trivially fixed, and anyone could track down the true creator's identity easily- again, _reputation_ is the key concept. It will become possible to accurately associate a positive musical experience with a specific name no matter how obscure and non-mainstream: compare this with the days of broadcast radio where you had to first fight just to get _on_ the radio and then pray/pay for the DJ to actually announce your name in association with it! This sort of gatekeeper will become a thing of the past- though it'll still have a place, with the new type of DJ being someone of known good taste and ability to audition more new stuff than most people have.

I can relate an anecdote of stuff that's still going on, that illustrates your point. I used to have music on mp3.com (before they turned their contract towards the Dark Side ;) ). It's not mainstream at all- in fact some of it is rather user-hostile, for instance a strange marimba-driven track named Bone Dragon. None of this brought me pop stardom, understandably- but I know my way around a mixing desk and build a lot of radical, high-performance equipment that goes against the habitual sonic dreck people inflict upon their recordings these days (see Britney Spears...), and I attracted some attention from some iconoclasts, and in fact I built *REPUTATION* as someone who could get a sound, an impressively professional sound. This has led me to the point where I'm seriously contemplating doing sound engineering work for a startup (not RIAA) that I've been talking to, and in fact already have a sale of commercial rights for a piece of my music waiting for when the deals are finalised (I'm also making extensive use of my sharpness and paranoia in relation to the contract that people will end up seeing- another area of reputation getting involved). And the first piece of music to find a home in this new context is... 'Bone Dragon'. Yes! The totally uncommercial, peculiar one! *g*

The point is- reputation is fscking _gold_ man. It is substantially more important than immediate cash. The fact that 'Bone Dragon' is out there as lots of mp3s, with my blessing upon their further noncommercial copying, does _not_ make it licensed for commercial use. If someone wants to run that in an advertisement they have to talk to _me_! (If they want to add cheesy singing munchkin jingles to it they'd better be offering a LOT of money, and I mean a LOT. Background use or use under narration does not tend to destroy the soul of the music so readily.) And if they want something else that's like that- again, they have to talk to me. Commercial interests can't legally copy and use the free music I have out there being copied under fair use- and _nobody_ can copy what hasn't been performed yet.

It all reminds me of some of the tenets of the Progressive Party (for which I'll do some voting this November). They are not big fans of inherited wealth, or of wealth derived from high lofty positions. If you think about that a bit you see that what they're advocating is a much tighter link between WORK and wealth- and that speaks for me, very much. Trouble is, I'm a musician (among other things) and that industry is utterly fixated on the creation of intellectual property which is expected to go on earning money _without_ me, for longer than I live. Frankly, I can't see the logic behind this. Okay, supposing I write a hit song and record it wonderfully- certainly that's worth being paid for. Once it's been recorded- then what? Where is the justification that I should be _entitled_ to never work again based on having done really great work once upon a time?

I don't see it, so I am essentially unperturbed by the idea of tossing my music and work out there for the world to scavenge and copy back and forth unpayingly. If I'm any good at it, there'll be people who like what I do- like it well enough that they _ask_ for more, or want me to spend my time engineering _their_ music or some such activity. "Shut up and play your guitar!" "Mix my album!" "Do more ambient!" And the answer is of course "What's it worth to you?". My ability to earn a living wage ought to be tied to my willingness to _keep_ _working_ and producing stuff to benefit people.

For this reason I completely and totally disrespect the RIAA and everything they stand for, and have total contempt for SDMI. It's just more attempts to impose a price on something that was once rare and has become a commodity too cheap to meter- art. Instances of art in the digital domain are too cheap to meter, they are free, there's no sense even _trying_ to mess around with micropayments and that crap (you'll be nickel-and-dimed to death!). Art is free. ARTISTS ARE EXPENSIVE. Think commissions, 'patrons'. If you can imagine a sort of art you _can_ get someone to produce it- what's it worth to you?

Re:Can I point out...

[ewhac]

"People would pay in a fair system" is something I have heard here on /. Oh yeah? How many unregistered copies of WinZip are there out there?

*urk!* Guilty as charged.

However, I did pay for VoodooLights...

Schwab

They didn't expect this?

[Dirtside]

Let's see. We'll take some data, encrypt it, and then not only will we GIVE YOU THE ENCRYPTED DATA, we will also GIVE YOU THE SOFTWARE TO DECRYPT IT. And they don't expect anyone to be able to decrypt the data? What the hell is wrong with these people?

BFG set to *stun*

[Danse]

Wholly absent from the debate seems to be a coherent vision of what the future should be, how corporations can survive in the digital age and still make money from their efforts.

There's actually been quite a bit of discussion about this. People know that corporations exist to make money. They know that there's no getting around that. Micropayments has been the most popular suggestion as near as I can tell. The problem is that corporations aren't just trying to adapt their business models to the digital way of doing things. They're looking at it as an opportunity to increase their control over their "intellectual property" to the point that we, as consumers, can't do anything with it that they don't want us to do and that we haven't paid through the nose for permission to do. Once they've got their laws in place and the technology to exploit those laws, they can increase their revenues significantly because there is no competition. Anyone who doesn't play their game is out in the cold.

They've screwed people enough with conventional tactics in the real world. They buy legislation to extend copyrights, even retroactively(which is my biggest gripe about them). They engage in price-fixing. They screw artists whenever possible. Now they're trying to screw us even harder in the digital world. They've gotten the DMCA passed (by a voice vote no less), UCITA is being adopted by the states (slowly though, but it won't matter since you will be dragged to the state of the corporation's choice and sued under that state's laws), and now they're breaking out the lawsuits to try out their newly acquired legislation.

These corporations have too damn much power and we should not let ourselves be beaten into submission by them. They are the enemy! Let there be no mistaking that. They are not just a company out to make an honest profit by providing consumers with a good product. They are a cartel out to monopolize a market and turn copyright law into a grotesque shadow of what it was intended to be. They are out to ensure that fair use becomes nothing but a fond memory and reverse engineering is made illegal. We should be doing everything in our power to stop them. The main barrier to this is the fact that the people lobbying for legislation such as the DMCA are the same people who control the media in all its forms. Most people are completely ignorant of what's going on because you don't hear about it on tv or read about it in the paper. As long as only a few know about and understand what is going on, the media industries can continue to plunder our rights.

Of course....

[plastickiwi]

.... this will just allow the RIAA to lobby Congress for appliance taxes the way they did with DAT.

"You see?" they'll say. "Evil nasty hackers destroyed our benevolent effort to release music to the masses before we could even bring it to market. They've proved there's no way to distribute music in an open model."

The solutions they'll offer, of course, are:

• a hardware tax on everything, including computers, that can play or create audio files; and
• mandatory hardware-based encryption for CD players.

Don't laugh. No one thought they'd get the same requirements passed on DAT, which was heralded as all that and a plastic Jesus.

An Exercise in Futility

[Code+Archeologist]

What many of us touted as a PR stunt to show that their new method of encryption and protection of digital music was going to be unbreakable has instead been crushed by one simple truth.

"Anything created by a 40 year old man can be broken by a 14 year old boy"

There is never going to be such a thing as the unbeatable encryption. Or the perfect protection. the only thing that can be hoped for by the recording industry is to make a system that is difficult and discouraging to the general populace. But the information age and the example of DeCSS has proven that once a genie is released from the bottle it becomes nearly impossible to put it back. Sure you can persecute everybody who even looked cross-eyed at the horrible key that opened your magic lock... but that will not stop people from using it once out in the wild.

why are they fighting the technology instead of embracing it? Oh yeah, thats right because the technology makes it so cheap and easy now for a musician to record and release their music that the record industry would no longer be needed.

Come on Record Companies be good bloated dinosaurs and go become extinct, Ok?

Re:An Exercise in Futility

[jms]

Exactly! I was disassembling 6502 assembly language when I was 16 years old to remove the copy protection on my Apple II games, and it was easy. Any 16 year old brain will outthink a 40 year old brain. Younger minds are simply more flexible than older minds. DeCSS didn't come from a team of seasoned software engineers with degrees and 10 years experience in software engineering each. It came from a 16 year old playing at home!

Copy protection doesn't work. Never has, never will. Copy protection is like publishing all of your trade secrets in Latin, because, after all, hardly anyone knows Latin, so your secrets are secure. Hello? Some of us know Latin, and we're laughing at you!

Disappointing

[ewhac]

While I'm pleased to see that SDMI was so trivially cracked, I'm disappointed that the individuals mounting the successful attack chose to inform the recording industry. As any military intelligence officer will tell you, you don't brag to the enemy that you've broken their codes. Just ask the British government officials from World War II what their policy was when the German Enigma was cracked.

The idea here is to cause the enemy to commit time and resources to a futile exercise. If the crackers had waited until SDMI had been fully deployed in the marketplace, it would have cost the recording industry and anyone else foolish enough to follow their example at least a few billion dollars; enough money to make them seriously reconsider the whole misguided notion of copy protection as too costly to pursue. As it is, it's only cost them one or two million in research, plus the paltry $10K for the "prize".

I would like to see Slashdot invite the SDMI crackers for an interview, so that we can get an insight into their ethical framework, and why they chose to save the recording industry's lunch.

Schwab

Re:Disappointing

[MenTaLguY]

...an insight into their ethical framework, and why they chose to save the recording industry's lunch.

If they accept the prize, it will be clear that the answers are, respectively: "Money is good," and "about $10k."

Still don't understand

[Ross+C.+Brackett]

I still don't quite get it. I go to the store and buy a CD that is SDMI watermarked. Then, I rip it and put the file on Napster and someone downloads and runs it in Winamp. Now correct me if I'm wrong, but won't SDMI not work unless every single mp3 player checks for the watermark? Is the RIAA's strategy to simply litigate every non-SDMIing player into oblivion?

Yes, I realize that they could trace the file back to the initial ripper, but if I buy the CD with cash, does it matter? Or is their strategy to simply force every music purchase to take place with an archived credit card transaction associated with that specific watermark?

Am I missing something?

Re:Still don't understand

[Tackhead]

> The latest version of WinAmp has copy protection (misleadingly referred to as "digital rights management") designed by InterTrust Technologies.

And this compels me to upgrade my current, non-DRM-enabled copy, exactly how?

(Or to FDISK away my Linux partition and nuke xmms, how?)

Granted, you're right in that compulsive upgraders will suffer as SDMI worms its "triggers" for Phase Two into software. But the vast majority of software simply doesn't need to be upgraded.

My MP3 playback software needs to be able to... play MP3s. Anything else is bloat. I haven't upgraded since WinAMP 2.09 - after 2.09, the "Generate HTML Playlist" feature ceased to generate track lengths in the generated HTML. AFAIwasConcerned, any versions after 2.09 were buggier than 2.09, so I stuck with 2.09.

Re:Still don't understand

[Tackhead]

> The latest version of WinAmp has copy protection (misleadingly referred to as "digital rights management") designed by InterTrust Technologies.

And this compels me to upgrade my current, non-DRM-enabled copy, exactly how?

(Or to FDISK away my Linux partition and nuke xmms, how?)

Granted, you're right in that compulsive upgraders will suffer as SDMI worms its "triggers" for Phase Two into software. But the vast majority of software simply doesn't need to be upgraded.

My MP3 playback software needs to be able to... play MP3s. Anything else is bloat. I haven't upgraded since WinAMP 2.09 - after 2.09, the "Generate HTML Playlist" feature ceased to generate track lengths in the generated HTML. AFAIwasConcerned, any versions after 2.09 were buggier than 2.09, so I stuck with 2.09.

Re:Still don't understand

[ewhac]

Am I missing something?

Possibly. The latest version of WinAmp has copy protection (misleadingly referred to as "digital rights management") designed by InterTrust Technologies.

It's quite possible your shiny new version of WinAmp will refuse to play your ripped MP3.

More broadly, the RIAA and MPAA's strategy is to collude with electronics and software vendors such that copy protection-free systems never reach consumers. A quick look at the roster of attendees of the Copy Protection Technical Working Group should illustrate this.

Schwab

Re:Better now than later

[Chris+Johnson]

I'd rather see them make newer better watermarks that degrade the sound even MORE >:)

After all, these guys are my competition! I can put in a lot of hard work getting my sound to be warmer and richer and more expensive-sounding than theirs, but how unutterably sweet it is to have them not only destroying their own sounds through loudness wars on radio (massive, brutal overcompression) but to see them, on top of _that_, inserting digital watermarks to further ruin their sound quality :)

I wonder what it would take to convince them to master all of their recordings by playing them through an old transistor radio and re-recording it with radio shack microphones on a sound blaster PC card in a tin closet? :) Call it pre-emptive analog security bypassing, that's the ticket...

"Suspicious" hackers

[EricEldred]

This word came from the Salon writer, not the music industry.

But one possible outcome from this would be that the music industry blames "hackers" for preventing them from introducing digital content for consumers. Then they go to Congress to get a bill even stronger than the DMCA to lock up music and lock up "hackers".

If the SDMI members who represent computer companies and not music companies will step forward and explain what has happened, that SDMI volunteered this test, then the "hackers" will get a fair showing. They should even join us in calling for the music industry to produce open source products at a reasonable price.

If not, then this whole episode is another trap for Free Software people and genuine cryptanalysts to get excoriated in the press and their freedoms threatened. Which is it going to be?

Re:Can I point out...

[/dev/kev]

IMHO, the "/. herdthink" is an urban myth. The vast majority of posts I see are either (roughly) "Copyright is fine, paying for that stuff is fine, but don't mess with my current rights (eg. fair use)." or "Everyone at /. thinks that they should be able to get music and stuff for free. Wake up and realise that you have to pay for stuff.". But the actual posts saying "I want free music and warez, how dare the feds make that harder!" I can't seems to find.

You can't read all the /. comments, particularly with threshold < 2 and threaded or flat mode, and expect to get the overall view. You've got to filter out most of the shit, and the best way to do that is with a threshold >= 3 and nested mode. Oh, and don't forget to actually use your brain to identify any trolls or twits that are left.

As for digital assets, well, the corporate world needs to become aquainted wth the fact that it is extremely easy to duplicate digital information without any loss in quality. Whether or not it's ethical to duplicate a given piece of data doesn't change the fact that it's stunningly easy to actually do it. If they want to get into the digital world, they need to figure out how to deal with this. At the moment, they're not dealing with it, they're trying to make it go away. It won't go away, and that's why they'll continue to be screwed by it, and attempt to screw us in the process.

The corporate world is having a tough time because they're not willing to accept change, particularly when it comes to changing their current comfortable lifestyle. Of course they'll be allowed to make money, they just have to figure out how to do it WITHOUT FUCKING US OVER. Is it so unreasonable to demand that they not dimish our existing rights in their mad scramble to profit from the digital age?

Is This a Surprise?

[none2222]

Show me a copy-protection scheme that hasn't been broken, and I might be suprised.

What is the RIAA thinking? All moderately popular music is available in MP3 format; and those MP3s aren't going to suddenly all disappear. My understanding is that SDMI was supposed to allow record companies to sell music via download. Why not simply sell music in MP3 format, and forego copy-protection?

People who want to trade music will continue to do so even if the RIAA somehow manages (magically) comes up with unbreakable copy-protection. People will always be able to rip CDs. SDMI and similar efforts are pointless, and a waste of money.

Who gets the money?

[Col.+Klink+(retired)]

The article implies that they may claim that they are still evaluating results and try and keep it quiet. But what about the $10K award winners? How can you give out the money and not admit they lost?

... I think they did expect this ...

[MenTaLguY]

Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

They had professional cryptographers working on this, and I expect the cryptographers told them as much, which is why this gives me the willies.

My gut feeling says that they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them.

One way or another, the successful crack is a worth a lot more than $10k to them...

We'll have to wait and see...

Re:... I think they did expect this ...

[Mad+Hughagi]

No doubt aboot it!

We're talking about an association that plays around with millions of dollars. To have set this up with the expectations that it wouldn't be cracked would have been a complete waste of time, they must have known it would be done.

When you're at the top, you don't leave any options unturned and you definately do not create situations which can bring about your downfall. It's more than likely that we're going to see something fly out of their sleeve that no-one expected, and I just hope it can be dealt with as easily as this SDMI crap.

Re:?????

[seebs]

I never said it was useless, I was just pointing out that there's no such thing as a generalizable 2:1 lossless compression algorithm.

Techies are supposed to be precise about these things. It's the big difference between us and folks like the RIAA; we care enough to get the details right.

MS DRM's Secure Audio Path defeats this.

[yerricde]

Isn't there a Windows audio driver that records to disk?

Windows Media Digital Rights Management has a Secure Audio Path ( Google search )that only drivers signed by Microsoft can use. To get signed, a driver has to be bug-free in Windows Hardware Compatibility Labs stress testing, and it also must disable all cleartext digital outputs (including without limitation writing to a file, digital output on the card, and waveOut to waveIn like SB-Live). Unsigned drivers (like your waveOut writer) will not get signed.

Circumventing this with VMWare under Linux and a /dev/audio grabber is most likely a violation of DMCA.

<O
( \
XPlay Tetris On Drugs!

sound-card driver? No.

[yerricde]

or even a sound-card driver that dumps the sound data to a place that can be decoded

There is a secure audio path in newer versions of Windows (ME and Whistler) that only signed drivers have access to. Anything sent down the secure audio path will not get sent to anything but an analog receiver/speaker/etc. because Microsoft signs a driver if and only if:

• the driver passes stress tests in Windows Hardware Compatibility Labs, and
• the driver shuts off all digital outputs (including without limitation waveOut->file, waveOut->socket, SBLive-style waveOut->waveIn, and waveOut->digital out on card).

Using VMWare virtualization under Linux to get between the sound card driver and the sound card is a violation of 17 USC 1201 (commonly known as DMCA).
<O
( \
XPlay Tetris On Drugs!

Boycott still in effect?

[mr.ska]

The article claims that the boycott was rendered pretty much worthless, but is this in fact the case?

The contest stipulated that you had to divulge HOW you cracked their security to get your share of the $10000. If someone cracked them all, submitted them for analysis, but didn't tell anyone what they did or how they did it, I'd say that action is still inline with the boycott. After all, the RIAA knows nothing more than they're up shit creek now.

In fact, this might have been the most humane way to do this. Crack it before the contest deadline, that way:

1. SDMI doesn't get implemented (yet)
2. "secure" music seems all the more unlikely
3. hardware manufacturers aren't screwed by having to produce SDMI-compatible hardware (at significant cost) just to have the whole thing blow up in their faces

In any case, not much we can do about it now.

Re:?????

[jonnythan]

And..erm....what if I go the record store and buy a cd with..gasp..CASH? Unless they're making me sign a form to buy a freaking cd, they can't trace a damn thing back to me. I can distribute at will.

Better now than later

[sheldon]

I don't understand why you would want to have waited until after music was being released in this format for it to be broken.

The watermark concept is technically undesirable as it has an effect on the quality of the sound.

I'd rather see the whole concept killed before it get's implemented into the marketplace rather than afterwards.

Re:cracked?

[plover]

The algorithm is completely irrelevant. They could have used RSA, DH, El Gamal, IDEA and Rijndael all strung together and it wouldn't have made the slightest difference.

The reason is pirates don't care what the algorithm is. They just want to remove the watermark, and the watermark is just a series of pseudorandom noisy bits hidden in the datastream.

First, assume the noise has to be identifiable as a watermark (or else their players won't refuse to play it.) Thus, any software player that can identify it can be disassembled to point out which bits of the stream are watermarks. Remove those bits, and it's gone. The meanings of the bits are irrelevant.

John

Keep them at the drawing board...

[CokeFiend]

If the community keeps cracking it before it comes out it keeps SMDI at the drawing board for even longer! Theres nothing that they can come up with that wont be cracked eventually.. if we keep sending them back to rethink it, maybe they will eventually give up! Who knows? Draw back to that is if the do actually release something it will be a pain in the A$$ to crack, but hey it gives us something to do on those lonely weekday nights!

Re:?????

[dwyn]

No, they cannot be on CDs, for economical reasons. CDs are mass-produced; the same CD image is used for tens of thousands (maybe millions) of CDs. Watermarking individual copies is not feasible.

However, this raises an interesting point. What if I agree to buy a watermarked version of the song, then decide to sell it? I will either have to sell it through a SDMI-licensed broker (can you say monopoly?), or reselling it will be forbidden. (You don't "buy" a song, you "license" it for your own use, for ever. Licensing terms subject to change without notice.)

Re:?????

[jms]

The point of the watermarking system, as claimed on their web site before they shut it down was:

(1) four different watermark technologies that are designed to detect compression and

(2) two additional technologies that are designed to ensure that under certain circumstances individual tracks of an album are not admitted into an SDMI domain without the presence of the original CD.

SDMI is designed as a "Napster Killer." Here's their strategy:

1) Apply a watermark to all CDs. This watermark takes the form of deliberate digital distortion, and is designed so that "most" people won't notice it.

2) Make all SDMI MP3 players scan MP3 files for the remnants of that watermark, and reject them. Hence, MP3s made from ripped CDs won't work anymore on new players. Napster is dead.

3) To allow people to download their own CDs into their SDMI MP3 players, provide special SDMI ripping software that allows the creation of an SDMI-encrypted MP3 from watermarked CDs, but associate these encrypted MP3s with the computer of the person who did the rip, so that they can download them onto their portable player, but if someone downloads this file from Napster, it won't work for them, because it wasn't made on their computer. The SDMI ripping software would look for the watermark, and make sure that the watermark is intact, signifying an original CD. This is so that you can't download an MP3, uncompress it into a CD, and run the SDMI ripping software on it. This is the purpose of the "two additional technologies."

The "detect compression" part is the fundamental mistake. The entire SDMI initiative is based on a basic misconception about the future of digital music and the reason why people use MP3s in the first place.

The only reason that people use lossy MP3 encoding is because it makes the files smaller by a factor of about 10:1. However, there are lossless encoding schemes that can compress by a factor of about 2:1.

Even if SDMI had worked, it would only have bought the industry a year or two, before DSL, or whatever faster technology replaces DSL makes downloading an uncompressed file as fast as downloading an MP3 is today, and before hard drive prices fall to the point where no one cares that their music files are 5 times as large.

Cracking SDMI now is a good thing.

Watermarking introduces deliberate distortion into the audio signal. By cracking the watermarking scheme before it was ever introduced to the market, we have avoided a scenario where all CDs would have included deliberate distortion, to no one's benefit.

This is not a problem of decryption...

[MenTaLguY]

...but of stripping watermarks; hidden signals in the audio that are supposed to be able to survive re-encoding and other audio transformations.

The watermarks don't have to be perfectly robust, just robust enough that removing them requires sufficient manipulation of the media stream to appreciably destroy the quality.

Unfortunately, I can think of better methods than what were ostensibly used in the SDMI stuff that was cracked here... interferometry and holography have a lot of related technology to offer...

This is A Good Thing(tm)!

[iElucidate]

I am very excited about this. Want to know why? Because not too long ago, I read this article in Salon.com. It stated:

Is the SDMI boycott backfiring? Programmers don't want to help the recording industry test its new security "solution." But the technology insiders behind the system say hackers could kill it once and for all by participating.

The SDMI coalition is falling apart. The electronics companies hate the tactics the record companies are employing, and are on the verge of splitting off of the group. The final release specs for SDMI were the last draw - if someone cracked this system, it could mean the end of the coalition.

Of course we will break the code - any new code is inevitably broken, especially one tied to hardware like SDMI. Many have talked about the prospects for breaking the code, and most agree - it will be possible in most forms, due to fundamental flaws in the architecture.

Don't worry about breaking any potential codes - it will happen regardless. Look at the massive support for Napster and you can see why SDMI won't work. On the other hand, look at the RIAA's coalition now: fractured, broken. Will they EVER be able to repair it? I hope not.

Seems to be real.

[Soko]

From the HackSDMI web site, the following:

Secure Digital Music Initiative Public Challenge

Thank you for contacting us. We appreciate your interest in the public challenge of proposed SDMI screening technologies. The challenge closed at noon on October 8, 2000,
and we are no longer accepting submissions.

If you have previously submitted a challenge, we should already have
contacted you. If we have not yet contacted you, or you have other
questions, please e-mail us at contact@hacksdmi.org. If you need more
information about SDMI in general, please check the website www.sdmi.org.

Thank you again for your interest.

So, looks like it happened on Oct. 8. Sheesh.

What WAS SDMI? CSS for Audio!

[d.valued]

The main restriction that CSS, err.. SDMI would impose is that would mandate that hardware and software MP3 solutions would have to convert to SDMI only within a short timespan. Now, if you read the article, it says one thing that none of us would have expected: Many SDMI members think there isn't [another solution to watermarking] -- and that this could mean that SDMI will now implode for lack of any plausible ideas for how to meet the recording industry's demands for secure music. Maybe this means that there won't be an SDMI for a technological century! (Or six years ;)

Re:Vorbis! Does noone here remember Vorbis?

[cduffy]

Is it all that finalized? I heard something about wavelet support being in the works.

Better than the Boycott?

[crushinator]

I was pro-boycott from the start - I didn't want to do dirty work for the RIAA, serving to strengthen their algorithm which they would eventually use against me. But in spite of my reservations, a successful, across-the-board crack this early may be a good thing.

I think the bad PR will constitute a serious blow to the SDMI (unless they somehow manage to downplay or spin it), and I think the lost time will be even more crippling to the initiative.

This means no SDMI players by christmas... meanwhile, more and more MP3 players will emerge and gather market share. If, by the time they come out with a new, improved SDMI, millions of people have mp3 products (especially non-technophile people), it will be much, much harder to pitch it to the average consumer. Hopefully at that point SDMI will go the way of DivX (the pay-per-view DVD, not the compression).

SDMI is bad for other reasons

[stokessd]

That particular watermark is audible, wich is a very bad thing in my opinion. At least they should try to do a good job at copy protecting, and do it in a way that doesn't damage product. But why should I be suprised that the music industry doesn't care about sound quality; they gave us the marginal digital standard we have today, and are pushing even lower standards like lossy compression.

Sheldon

yes, the current spec is stable

[MenTaLguY]

Is it all that finalized? I heard something about wavelet support being in the works.

Good catch. Short answer: Yes, everything specified so far has been finalized, will not change, and is already superior to MP3. As I understand it, the proposed wavelet stuff would be another level, rather like MPEG has layers.

My original point was twofold:

• Vorbis audio encoded today will remain playable by all future Vorbis players
• Vorbis is nowhere near a "quality ceiling" yet; the only quality limitation we're currently hitting is the relative immaturity of Vorbis encoders, and it's still better than MP3 now despite that

Re:Vorbis! Does noone here remember Vorbis?

[talesout]

Are you implying that the MP3 format is illegal and somehow vorbis format isn't?

I'm sorry, but there are perfectly legal ways to use MP3. And Vorbis is in exactly the same boat.

Believe me, if Vorbis was as popular as MP3, the RIAA would be all over it. It is the distribution of the copyrighted material in MP3 format which is illegal, not the format itself. Personally, I have six and a half gigs of 'legal' MP3s because I still own the CDs that I ripped them from. These are legal under fair use laws. Now, in a couple of years, when the RIAA and the MPAA have managed to have fair use laws abolished (because we all know the constitution was really all about protecting big business, and not protecting citizens), then Vorbis and MP3 will both be illegal.

Let them delay it... forever...

[itripn]

An opposing strategy to the boycott would be for the community to crack everything they release to be tested. This will a) delay boneheaded schemes from hitting the market, and b) demonstrate that the community can and will crack anything they come up with, showing the futility of encrypted music. No, we need new and bold business models to distribute the music such that the ARTISTS get the bulk of the proceeds, not the good ole boys. So let them keep coming up with stuff, and let's keep cracking it until they figure it out. itripn

Re:um, sorry. here's your reality check...

[talesout]

Ah, I wasn't aware of any of that. I bought MP3Enc years ago from them, but was not notified that I owed them anything for every song that I ripped and encoded for myself. Or is that only applicable if you use it to distribute music?

I think fair use would have to apply in this case. I still say it's legal to rip and encode CDs that you own. Especially if you purchased the legal encoder (as I did) for just that purpose.

Re:Ok, so who did it (who cares?)

[YKnot]

The other way around: High-pass filters filter out low frequencies (and let the high frequencies pass through, thus the name), low-pass filters filter out high frequencies.

BTW, it is much more complicated than that. MP3 compression is achieved in the quantization step, where psycho-acoustic models of human perception dictate which part of the signal gets encoded in which number of bits. These psycho-acoustic models describe what will and what won't be heard. Since these models are based on empirical research, they can probably be refined to a point where the commonly used models encode parts of the signal as audible where the more advanced model identifies this part as unaudible and can put the watermark in there. The parts of the signal which are unaudible are much more complicated to describe than just with frequency ranges. For example, you can't hear a low-volume sound right after (and even a really short time before) a much louder sound of a similar frequency.

Re:Wow...the Linux community really IS "the enemy"

[Andrew+Leonard]

As the editor on the piece, I just want to note that the intent of the sentence was to indicate that the programmers were suspicious of SDMI's attempt to manipulate them, not that the programmers themselves were somehow evil. I'll go rewrite it to make it more obvious what themeaning was.