SDMI Cracked Too Soon

Andrew Leonard writes "Two off-the-record members of the SDMI coalition have confirmed to Salon's Janelle Brown that all of the SDMI watermarks have been solidly broken." It's too bad this didn't happen in a year - because now it's been cracked before it was even released, and they'll delay even longer.

Re:Disappointing

[ewhac]

and that is one of the [ ... ] most asinine things I've ever heard.

Perhaps you haven't been paying close enough attention: They are out to screw you.

They want to re-write the rules of retail sales, replacing title transfer with "end-user licenses" (just about any software package).

They want to re-define lawful behavior, taking away your right to exercise your curiosity about the world around you (anti-reverse-engineering clauses).

They want to take away your standalone computer and replace it with a "licensed networked digital media reception terminal," complete with credit card reader.

They want to take away your right to do with your property as you please (:Cue:Cat).

And they want to do this without soliciting your input or consent, and then make you pay through the nose for the privilege of being screwed.

Now, perhaps those things aren't important to you. Perhaps you're not a terribly curious person, or perhaps you're of the opinion that, "I would never need or want to do those things." Perhaps you feel that The Law is The Law, regardless of whether there's a valid ethical foundation for it, or how or why or for whom the law was enacted. Or perhaps you're thinking, "That will never happen in this country." Well, fine, you don't think it's important.

But in my book, this is tyranny, pal; it's damned important; and I will not sit still for it for one nanosecond. This is war, a war of ideas, a war for the digital society of the future. And the enemy has all the lawyers, guns, and money. (And no, this is not hyperbole. What is at stake here is nothing less than who will get to define the social and ethical framework by which we will conduct our lives in the digital universe.)

We are not dealing with people here; we are dealing with corporations. They have no ethics, no morals, no conscience. They are amoeba. They respond to but a single stimulus: Money.

Look at what they are doing. Think about the possible consequences (not just to yourself, but to your neighbors and family). I hope you will discover that the situation isn't as easily dismissed as you may currently believe.

Schwab

Crack SDMI-HOWTO

[Mike1024]

Hey,

Here's how to crack your SDMI-campatible player:

1) Download SDMI file
2) Download compatible player
3) Set your sound card input to 'What you hear' or whatever equivilent
4) Start your choice .wav recorder, like 'Sound Recorder', free in Windows 3.1
5) Press 'Record'
6) Play SDMI file
7) Wait until end of play
8) Press stop
9) Encode your .wav to an MP3, using your choice encoder
10) Put on gnutella

Or if you have a hardware player:

1) Prepare player to play music normally
2) Dismantle the player, until you get down to a loudspeaker. Cut off the two wires and solder them into a standard microphone audio jack from your local hardware store
3) Start your choice .wav recorder and click 'record'
4) Plug the new microphone jack into your sound card
5) Play SDMI file
6) Wait until end of play and click 'stop'
7) Encode .wav file into MP3
8) Put on gnutella

Clever eh? I'll take my $10,000 in cash, sterling used notes please.

Michael

...another comment from Michael Tandy.

Re:Crack SDMI-HOWTO

Ummm - not quite. Digital-Analog-Digital conversion is an obvious attack, and watermarks are designed to withstand this sort of thing. Image watermarking schemes, for example, are often tested against a print-scan cycle. For a simple example in audio - echo manipulations within audio streams withstand DAD conversion.

If you are actually interested in learning something about this, get Information Hiding: techniques for steganography and digital watermarking by Katzenbeisser and Petitcolas and read the proceedings of the Information Hiding conferences, called Information Hiding I and II (maybe a III by now), published by springer.

Actually, I recommend reading the Information Hiding conference procecedings for everyone - they present a number of techniques that will appeal to those with interests in privacy, cryptography, information theory, steganography, watermarking, biometrics, covert channels, etc.

One of my favorites in the proceedings covers designing biometric authentication tokens that are anonymous, non-transferable, and privacy protecting.

Ok, so who did it

[Anne+Marie]

I thought we all agreed not to crack them, so they'd release the standard and we'd get lots of poorly protected audio floating around for us to grab. So which one of you did it?

Did they not expect this?

[Nonesuch]

If all of the candidate watermarks have been broken, what is their next step?

The best possible result for SDMI would have been for at least one of the watermarks not to have been broken during the public examination period, then they could have released hardware and software knowing that it was better than any of the discarded watermarking solutions.

This sort of test is silly- just because it can't be broken today, by people for whom $10K is a lot of money, doesn't mean it won't be broken the day after it is released.

Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

Re:Did they not expect this?

[plover]

A couple of points: First, there is no next step. It is not mathematically possible to secure data in a non-trusted non-secured HARDWARE environment. Can't be done, mathematically provable (wish I could offer the URL of a decent proof here, oh well, that's what google's for, right?) Physically provable also, as well evidenced by this announcement.

The ONLY possible result was to have their watermarking broken. As I mentioned above, it's not possible to secure it.

What you describe as their best possible result would actually be the penultimate nightmare scenario for SDMI. Ramping up production of new hardware and media is an incredibly expensive undertaking. Not to mention the risk of public rejection (for a primo example of this, learn the lessons of DIVX.) To get $2 billion down that path, only to be shot down by hackers. At this point, they're only out a few million. The $10K prize was a spit in the bucket.

As to your last point, professional cryptographers have been telling them this is impossible and a huge waste of money. People with money don't believe in "impossible." They don't understand technology, they understand money. And in their world, money can buy the impossible. They don't live in our world, where code can always do the possible.

John

Re:Excellent!

[DaveTerrell]

Not so excellent. If you read between the lines, the technology companies are hoping that they throw out watermarks and go with Digital Rights Management. DRM is a codeword for "end to end controlled encryption." It's like Kerberos for music, and it means that you have to use their software, special hardware, etc etc.

Re:Can I point out...

[ewhac]

I see plenty of direct-action "break the codes and set them free" type talk on /., talk about fighting for the digital future and our rights. Wholly absent from the debate seems to be a coherent vision of what the future should be, how corporations can survive in the digital age and still make money from their efforts.

Thank you!! An intelligent, incisive question, one worthy of conspicuous, public debate.

Speaking entirely on behalf of myself, you are correct that a cohesive vision of How Things Should Be has been absent from my rants. This is because I believe designing a successful, durable, workable, just system would require the efforts of a group of incredibly talented, wise people, the likes of which have not been gathered since the framing of the Constitution. I don't believe I possess such gifts.

I do have a few vague, disconnected ideas. To fully appreciate them, however, you need to understand the framework in which I developed them:

Axiom: When the ability to copy is ubiquitous, and when the incremental cost of copying is effectively zero, the effective value of any given copy -- including the "original" copy -- is zero. (I state this as axiomatic, but I'm willing to discuss its merits. And please note that this assertion says nothing about the effort/resources required to create the original in the first place.)

As a supporting argument, consider the universe presented in the TV show Star Trek. (This may seem silly, but Star Trek is a useful framework for comparison, as everyone's familiar with it.) In a world where everything, including physical objects, can be replicated at zero cost, what is the economic impact? I argue that the market-based economy collapses completely, since its fundamental supports (scarcity and inconvenience) have been eliminated.

I also believe that the social impact will be that casual copying will be seen as perfectly okay, and that the desire to not share copies will be seen as childish. After all, if anyone anywhere -- including artisans -- can copy anything at any time for nothing, then what, fundamentally, will be wrong with copying anything?

So, in a universe where copying everything is seen as perfectly okay, is there anything an artisan should still have control over? I contend that the most crucial aspect of creativity still needing strict controls is the artisan's reputation.

Consider: On a visit to the Enterprise, you see an object you quite like. Naturally, you ask, "Wow! Who made that?" Both you and the object's creator would like to be certain you receive an accurate answer. Note that the question of whether the object you saw was an original or a copy is irrelevant. You no longer care if an object is "genuine;" you want to know who did it. In other words, you want to know about their reputation. (After all, maybe they did other cool stuff, too.)

...Okay, so we don't live on the Enterprise (yet), and we all still have to pay the rent. However, I strongly believe the concept of reputation will be central to a re-design of economics and the concept of intellectual "property" in the digital universe. Reputation will become a chief scarce resource in the digital universe, because it is an artist's reputation that will guide you to their other scarce resource: their time. And it is their time that you will be paying for (no more doing stuff "on spec").

In terms of more immediate, concrete proposals, I've heard the following ideas floated:

• Mass-Market Buskware, or the "tipping jar" model. Many question whether such a system can work on a large scale. So far, author Stephen King seems to be doing rather well by it with his free offering, The Plant. However, it's probably worth noting the primary reason he's doing so well is largely due to -- drumroll, please -- his reputation.
• Pre-Release Mass Auction (preBay?). This is a system whereby software/music/whatever is made available for a flat price, and bidders can contribute whatever amount they wish toward that price.

  For example, let's say John Carmack creates his latest game, qDuOaOkMe, and decides that, for all his efforts and that of his company, he wants to see $50 million. So he posts it to the site: "qDuOaOkMe: $50,000,000". People the world over pledge $25, $50, $100, whatever they feel it's worth toward the final price. When the price is reached, Carmack gets the money, and the game is released free to all. The entry is also kept open on the site so people who didn't bid can continue to throw tips. If the price is not met after a pre-set time, all pledges are returned to the bidders, and the game isn't released.

• Shareware. This model has met with mixed success in the past, mostly due to the relative inconvenience of sending in the requested fees. "Impulse" buying, until recently, hasn't been easy. Fortunately, services like Kagi and PayPal may well rejuvenate this idea.
• Automatic Micropayments. This is certainly an idea worthy of exploration, but I have concerns about the implications for privacy.

Other ideas are likely out there, and worthy of attention.

Also for immediate consideration, there should be some study into the use of digital watermarks for identifying the artist of a given work. Right now, all the discussion surrounding watermarks has been with an eye toward controlling proliferation of copies, which is unworkable. However, I believe even the most virulent opponent of copy protection would support using digital watermarks to identify the artist, thereby preserving -- wait for it -- their reputation.

Like I said, I don't think I have what it takes to completely design the new system. I've also completely avoided rather sticky issues, such Moral Rights (e.g. should an artist be able to enforce the declaration, "No, you can't use my painting in the background of a porno video"). But I do know that the current system will ultimately prove to be fundamentally unworkable, if for no other reason than the sheer numbers involved (how many copyrighted works will you need to test against to make sure you're not infringing?).

So, yes, you're right. We need to think about this, and it needs to be done rationally and publicly. Too bad the entertainment industry's using all that bandwidth to paint us all as criminals.

Schwab

This is going to be really redundant

[dizee]

But hey, I couldn't resist beating a dead horse some more.

They should be using CueCat XOR encryption (tm) for their watermarks.

Mike

"I would kill everyone in this room for a drop of sweet beer."

Do market powers apply any more?

[drenehtsral]

I was about to post a comment along the lines of "so what! If they delay longer, and release something harder to crack (even for the sake of argument, impossible to crack), the market can just refuse to use it, and keep using MP3s and other such unencumbered technoligies...
But then I thought about it. I believe that the music industry has enough power over the users that they'll take what they can get. I don't think the market _could_ realisticly fight the will of these companies. They have little competition, because all the "competing" companies have all globbed together in the form of RIAA.
I don't see a peaceful end to this, because there is a lot of money at stake, and whenever there is money, there is also a rabid foaming-at-the-mouth mob of greedy bastards willing to trample anybody in their way to get at it.
So maybe we should not worry so much about this standard being cracked, because if it was, it'd work just like the DeCSS fiasco, but maybe they'd learn from the mistakes of the MPAA's lawyers. What we need to start worrying about is a way to break loose from this feudalism where the consumer no longer has the power to change things in their favor (partly because most of the consumers are not informed enough to fight back, and there is a lot of money going to PR to keep it that way). Consumers are now Serfs, and large media companies are now lords. I imagine eventually there will be something like a revolution, moving us along the line towards democracy in the information world, but it'll take a while =:-(

Better idea: cheap mp3s

[ShortSpecialBus]

Regardless of what format they use (SDMI or whatever) it will be cracked somehow. DECSS comes to mind. That was supposed to be very secure and it was cracked because Xing messed up. Any two way hash can be decrypted, and it will be in this case with music pirates dying to get their hands on music. What the RIAA should focus on is selling it cheap enough that people would actually buy it. I would personally be willing to spend 25 or 50 cents a song for mp3 music, and I think that actually most people would be willing to do that. The whole problem with the RIAA is that they say that prices need to be higher because of piracy, but piracy happens mostly because of high prices. They should run an experiment and have mp3s for download for $0.25 each or something like that, and see what the response is.

Excellent!

[ckedge]

I was initially 'with' everyone here and in the community on the issue of boycotting the challenge, because I thought it would 'punish' the proponents of SDMI if they went to the trouble of commercializing it only to have it quickly broken. I presumed that breaking it now would help the SDMI.

However this article points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

I really wish that the article quoted above had been written earlier and had come to our attention earlier, for it is quite a valid and compelling counter to the "rah rah let's boycott the challenge" idea.

Basically, maybe we were all wrong, and cracking it quickly and effortlessly will not help the SDMI, but actually destroy it! Go crackers!

Time for Fairtunes

[MattW]

It's time for the record companies to get with the program. The _smart_ thing to do would be to just start releasing albums and songs on their own sites. Let people download whatever they want, and pay for it if they keep it. I'd be all over it. Naturally, I'd expect it to cost less than a CD, but not a ton less.

I hope artists also move to fore -- popular artists (those whose recording contracts permit) should release a song or three (or an album) in all mp3, and just take payment if you keep it. Say, 24 hours trial period, if you keep it longer, you have to pay. Obviously, its all voluntary, but who would balk at paying $3 to $6 for an ablum from an artist they like? I think the honest users of such a service would vastly outway any thieves.

Re:Ok, so who did it (who cares?)

[rgmoore]

Please explain why you believe it's impossible. Is it because they haven't done it yet?

Because the fundamental premise is obviously self contradictory. In order to have a truly effective watermark, the sound must be damaged to the tolerance of an ordinary listener when it's removed. In order to have a publically acceptable watermark, the sound must be unchanged to the most sensitive listener when it's added. The result is that you should always be able to create a procedure that mangles the sound at above the level at which the watermark exists, but below the level where an average listener will care. Doing so may damage the sound for true audiophiles, but won't mean anything to the casual listeners who constitute the lion's share of the market.

Sucks to be the RIAA

[ErikTheRed]

Could you imagine how depressing it must be to spend years of your life engaged in a hopelessly Quixotic struggle against advancing technology? Of course, it couldn't happen to nicer people...

Re:Delays aren't necessary bad...

[Jason+Earl]

Delays are better than an uncrackable SDMI implemented tomorrow, but the best possible outcome would have been for the RIAA and their hardware cronies to dump billions into hardware and software with big holes in it. As an added bonus many of their customers would have found their draconian stance on IP to be too restrictive, and sales would have dropped. Simply because the "pirated" versions were easier to use.

The RIAA isn't going to learn unless the lesson is painful. I am all for the RIAA making money from their copyrighted material, but not at the expense of my fair use rights.

Oh, and by the way, hopefully this will give Ogg Vorbis more of a chance. MP3s aren't bad but Ogg is better!

Vorbis! Does noone here remember Vorbis?

[MenTaLguY]

After all...that just gives MP3's more of a chance.

Ahem, leaving SDMI for MP3 is just leaving the DMCA Swamp for the Patent Quagmire. Out of the frying pan, into the fire.

Why don't we go for the option that doesn't involve breaking the law (and has nice fringe benefits -- MP3 is old tech now), when we can?

And, by the way, the Vorbis format is finalized and has been for some time. bps limitations of current encoders are only a result of the encoding software, not of limitations of the underlying format. Not to mention that .ogg seems to be sounding better than higher-bitrate .mp3s as the encoders improve...

This does it, I'm re-encoding[1] all the music on my site to .ogg when I get the chance. I need the space savings anyway.

---

[1] that is -- encoding new .oggs from pristine audio, not "converting" the existing .mp3s.

"converting" among lossy formats is always going to sound bad.

This is nice - but what about other DRM systems

[szyzyg]

I'm amazed that nobody has published code to break the DRM (or at least capture unencoded data) on other established formats like Liquid Audio, Blue Matter (basically Real Audio) and everyone's Favourite - Windows Media.

OK there's the little issue of the DMCA which would make such things illegal in the US.

I wouldn't be surprised if some of the SDMI breaks came from Microsoft to help promote their DRM server based technology.

Of course....

[plastickiwi]

.... this will just allow the RIAA to lobby Congress for appliance taxes the way they did with DAT.

"You see?" they'll say. "Evil nasty hackers destroyed our benevolent effort to release music to the masses before we could even bring it to market. They've proved there's no way to distribute music in an open model."

The solutions they'll offer, of course, are:

• a hardware tax on everything, including computers, that can play or create audio files; and
• mandatory hardware-based encryption for CD players.

Don't laugh. No one thought they'd get the same requirements passed on DAT, which was heralded as all that and a plastic Jesus.

Disappointing

[ewhac]

While I'm pleased to see that SDMI was so trivially cracked, I'm disappointed that the individuals mounting the successful attack chose to inform the recording industry. As any military intelligence officer will tell you, you don't brag to the enemy that you've broken their codes. Just ask the British government officials from World War II what their policy was when the German Enigma was cracked.

The idea here is to cause the enemy to commit time and resources to a futile exercise. If the crackers had waited until SDMI had been fully deployed in the marketplace, it would have cost the recording industry and anyone else foolish enough to follow their example at least a few billion dollars; enough money to make them seriously reconsider the whole misguided notion of copy protection as too costly to pursue. As it is, it's only cost them one or two million in research, plus the paltry $10K for the "prize".

I would like to see Slashdot invite the SDMI crackers for an interview, so that we can get an insight into their ethical framework, and why they chose to save the recording industry's lunch.

Schwab

... I think they did expect this ...

[MenTaLguY]

Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

They had professional cryptographers working on this, and I expect the cryptographers told them as much, which is why this gives me the willies.

My gut feeling says that they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them.

One way or another, the successful crack is a worth a lot more than $10k to them...

We'll have to wait and see...

This is A Good Thing(tm)!

[iElucidate]

I am very excited about this. Want to know why? Because not too long ago, I read this article in Salon.com. It stated:

Is the SDMI boycott backfiring? Programmers don't want to help the recording industry test its new security "solution." But the technology insiders behind the system say hackers could kill it once and for all by participating.

The SDMI coalition is falling apart. The electronics companies hate the tactics the record companies are employing, and are on the verge of splitting off of the group. The final release specs for SDMI were the last draw - if someone cracked this system, it could mean the end of the coalition.

Of course we will break the code - any new code is inevitably broken, especially one tied to hardware like SDMI. Many have talked about the prospects for breaking the code, and most agree - it will be possible in most forms, due to fundamental flaws in the architecture.

Don't worry about breaking any potential codes - it will happen regardless. Look at the massive support for Napster and you can see why SDMI won't work. On the other hand, look at the RIAA's coalition now: fractured, broken. Will they EVER be able to repair it? I hope not.

Let them delay it... forever...

[itripn]

An opposing strategy to the boycott would be for the community to crack everything they release to be tested. This will a) delay boneheaded schemes from hitting the market, and b) demonstrate that the community can and will crack anything they come up with, showing the futility of encrypted music. No, we need new and bold business models to distribute the music such that the ARTISTS get the bulk of the proceeds, not the good ole boys. So let them keep coming up with stuff, and let's keep cracking it until they figure it out. itripn