SDMI Cracked Too Soon

Andrew Leonard writes "Two off-the-record members of the SDMI coalition have confirmed to Salon's Janelle Brown that all of the SDMI watermarks have been solidly broken." It's too bad this didn't happen in a year - because now it's been cracked before it was even released, and they'll delay even longer.

Re:Disappointing

[ewhac]

and that is one of the [ ... ] most asinine things I've ever heard.

Perhaps you haven't been paying close enough attention: They are out to screw you.

They want to re-write the rules of retail sales, replacing title transfer with "end-user licenses" (just about any software package).

They want to re-define lawful behavior, taking away your right to exercise your curiosity about the world around you (anti-reverse-engineering clauses).

They want to take away your standalone computer and replace it with a "licensed networked digital media reception terminal," complete with credit card reader.

They want to take away your right to do with your property as you please (:Cue:Cat).

And they want to do this without soliciting your input or consent, and then make you pay through the nose for the privilege of being screwed.

Now, perhaps those things aren't important to you. Perhaps you're not a terribly curious person, or perhaps you're of the opinion that, "I would never need or want to do those things." Perhaps you feel that The Law is The Law, regardless of whether there's a valid ethical foundation for it, or how or why or for whom the law was enacted. Or perhaps you're thinking, "That will never happen in this country." Well, fine, you don't think it's important.

But in my book, this is tyranny, pal; it's damned important; and I will not sit still for it for one nanosecond. This is war, a war of ideas, a war for the digital society of the future. And the enemy has all the lawyers, guns, and money. (And no, this is not hyperbole. What is at stake here is nothing less than who will get to define the social and ethical framework by which we will conduct our lives in the digital universe.)

We are not dealing with people here; we are dealing with corporations. They have no ethics, no morals, no conscience. They are amoeba. They respond to but a single stimulus: Money.

Look at what they are doing. Think about the possible consequences (not just to yourself, but to your neighbors and family). I hope you will discover that the situation isn't as easily dismissed as you may currently believe.

Schwab

Crack SDMI-HOWTO

[Mike1024]

Hey,

Here's how to crack your SDMI-campatible player:

1) Download SDMI file
2) Download compatible player
3) Set your sound card input to 'What you hear' or whatever equivilent
4) Start your choice .wav recorder, like 'Sound Recorder', free in Windows 3.1
5) Press 'Record'
6) Play SDMI file
7) Wait until end of play
8) Press stop
9) Encode your .wav to an MP3, using your choice encoder
10) Put on gnutella

Or if you have a hardware player:

1) Prepare player to play music normally
2) Dismantle the player, until you get down to a loudspeaker. Cut off the two wires and solder them into a standard microphone audio jack from your local hardware store
3) Start your choice .wav recorder and click 'record'
4) Plug the new microphone jack into your sound card
5) Play SDMI file
6) Wait until end of play and click 'stop'
7) Encode .wav file into MP3
8) Put on gnutella

Clever eh? I'll take my $10,000 in cash, sterling used notes please.

Michael

...another comment from Michael Tandy.

Re:Crack SDMI-HOWTO

Ummm - not quite. Digital-Analog-Digital conversion is an obvious attack, and watermarks are designed to withstand this sort of thing. Image watermarking schemes, for example, are often tested against a print-scan cycle. For a simple example in audio - echo manipulations within audio streams withstand DAD conversion.

If you are actually interested in learning something about this, get Information Hiding: techniques for steganography and digital watermarking by Katzenbeisser and Petitcolas and read the proceedings of the Information Hiding conferences, called Information Hiding I and II (maybe a III by now), published by springer.

Actually, I recommend reading the Information Hiding conference procecedings for everyone - they present a number of techniques that will appeal to those with interests in privacy, cryptography, information theory, steganography, watermarking, biometrics, covert channels, etc.

One of my favorites in the proceedings covers designing biometric authentication tokens that are anonymous, non-transferable, and privacy protecting.

Ok, so who did it

[Anne+Marie]

I thought we all agreed not to crack them, so they'd release the standard and we'd get lots of poorly protected audio floating around for us to grab. So which one of you did it?

Re:Can I point out...

[ewhac]

I see plenty of direct-action "break the codes and set them free" type talk on /., talk about fighting for the digital future and our rights. Wholly absent from the debate seems to be a coherent vision of what the future should be, how corporations can survive in the digital age and still make money from their efforts.

Thank you!! An intelligent, incisive question, one worthy of conspicuous, public debate.

Speaking entirely on behalf of myself, you are correct that a cohesive vision of How Things Should Be has been absent from my rants. This is because I believe designing a successful, durable, workable, just system would require the efforts of a group of incredibly talented, wise people, the likes of which have not been gathered since the framing of the Constitution. I don't believe I possess such gifts.

I do have a few vague, disconnected ideas. To fully appreciate them, however, you need to understand the framework in which I developed them:

Axiom: When the ability to copy is ubiquitous, and when the incremental cost of copying is effectively zero, the effective value of any given copy -- including the "original" copy -- is zero. (I state this as axiomatic, but I'm willing to discuss its merits. And please note that this assertion says nothing about the effort/resources required to create the original in the first place.)

As a supporting argument, consider the universe presented in the TV show Star Trek. (This may seem silly, but Star Trek is a useful framework for comparison, as everyone's familiar with it.) In a world where everything, including physical objects, can be replicated at zero cost, what is the economic impact? I argue that the market-based economy collapses completely, since its fundamental supports (scarcity and inconvenience) have been eliminated.

I also believe that the social impact will be that casual copying will be seen as perfectly okay, and that the desire to not share copies will be seen as childish. After all, if anyone anywhere -- including artisans -- can copy anything at any time for nothing, then what, fundamentally, will be wrong with copying anything?

So, in a universe where copying everything is seen as perfectly okay, is there anything an artisan should still have control over? I contend that the most crucial aspect of creativity still needing strict controls is the artisan's reputation.

Consider: On a visit to the Enterprise, you see an object you quite like. Naturally, you ask, "Wow! Who made that?" Both you and the object's creator would like to be certain you receive an accurate answer. Note that the question of whether the object you saw was an original or a copy is irrelevant. You no longer care if an object is "genuine;" you want to know who did it. In other words, you want to know about their reputation. (After all, maybe they did other cool stuff, too.)

...Okay, so we don't live on the Enterprise (yet), and we all still have to pay the rent. However, I strongly believe the concept of reputation will be central to a re-design of economics and the concept of intellectual "property" in the digital universe. Reputation will become a chief scarce resource in the digital universe, because it is an artist's reputation that will guide you to their other scarce resource: their time. And it is their time that you will be paying for (no more doing stuff "on spec").

In terms of more immediate, concrete proposals, I've heard the following ideas floated:

• Mass-Market Buskware, or the "tipping jar" model. Many question whether such a system can work on a large scale. So far, author Stephen King seems to be doing rather well by it with his free offering, The Plant. However, it's probably worth noting the primary reason he's doing so well is largely due to -- drumroll, please -- his reputation.
• Pre-Release Mass Auction (preBay?). This is a system whereby software/music/whatever is made available for a flat price, and bidders can contribute whatever amount they wish toward that price.

  For example, let's say John Carmack creates his latest game, qDuOaOkMe, and decides that, for all his efforts and that of his company, he wants to see $50 million. So he posts it to the site: "qDuOaOkMe: $50,000,000". People the world over pledge $25, $50, $100, whatever they feel it's worth toward the final price. When the price is reached, Carmack gets the money, and the game is released free to all. The entry is also kept open on the site so people who didn't bid can continue to throw tips. If the price is not met after a pre-set time, all pledges are returned to the bidders, and the game isn't released.

• Shareware. This model has met with mixed success in the past, mostly due to the relative inconvenience of sending in the requested fees. "Impulse" buying, until recently, hasn't been easy. Fortunately, services like Kagi and PayPal may well rejuvenate this idea.
• Automatic Micropayments. This is certainly an idea worthy of exploration, but I have concerns about the implications for privacy.

Other ideas are likely out there, and worthy of attention.

Also for immediate consideration, there should be some study into the use of digital watermarks for identifying the artist of a given work. Right now, all the discussion surrounding watermarks has been with an eye toward controlling proliferation of copies, which is unworkable. However, I believe even the most virulent opponent of copy protection would support using digital watermarks to identify the artist, thereby preserving -- wait for it -- their reputation.

Like I said, I don't think I have what it takes to completely design the new system. I've also completely avoided rather sticky issues, such Moral Rights (e.g. should an artist be able to enforce the declaration, "No, you can't use my painting in the background of a porno video"). But I do know that the current system will ultimately prove to be fundamentally unworkable, if for no other reason than the sheer numbers involved (how many copyrighted works will you need to test against to make sure you're not infringing?).

So, yes, you're right. We need to think about this, and it needs to be done rationally and publicly. Too bad the entertainment industry's using all that bandwidth to paint us all as criminals.

Schwab

Do market powers apply any more?

[drenehtsral]

I was about to post a comment along the lines of "so what! If they delay longer, and release something harder to crack (even for the sake of argument, impossible to crack), the market can just refuse to use it, and keep using MP3s and other such unencumbered technoligies...
But then I thought about it. I believe that the music industry has enough power over the users that they'll take what they can get. I don't think the market _could_ realisticly fight the will of these companies. They have little competition, because all the "competing" companies have all globbed together in the form of RIAA.
I don't see a peaceful end to this, because there is a lot of money at stake, and whenever there is money, there is also a rabid foaming-at-the-mouth mob of greedy bastards willing to trample anybody in their way to get at it.
So maybe we should not worry so much about this standard being cracked, because if it was, it'd work just like the DeCSS fiasco, but maybe they'd learn from the mistakes of the MPAA's lawyers. What we need to start worrying about is a way to break loose from this feudalism where the consumer no longer has the power to change things in their favor (partly because most of the consumers are not informed enough to fight back, and there is a lot of money going to PR to keep it that way). Consumers are now Serfs, and large media companies are now lords. I imagine eventually there will be something like a revolution, moving us along the line towards democracy in the information world, but it'll take a while =:-(

Better idea: cheap mp3s

[ShortSpecialBus]

Regardless of what format they use (SDMI or whatever) it will be cracked somehow. DECSS comes to mind. That was supposed to be very secure and it was cracked because Xing messed up. Any two way hash can be decrypted, and it will be in this case with music pirates dying to get their hands on music. What the RIAA should focus on is selling it cheap enough that people would actually buy it. I would personally be willing to spend 25 or 50 cents a song for mp3 music, and I think that actually most people would be willing to do that. The whole problem with the RIAA is that they say that prices need to be higher because of piracy, but piracy happens mostly because of high prices. They should run an experiment and have mp3s for download for $0.25 each or something like that, and see what the response is.

Excellent!

[ckedge]

I was initially 'with' everyone here and in the community on the issue of boycotting the challenge, because I thought it would 'punish' the proponents of SDMI if they went to the trouble of commercializing it only to have it quickly broken. I presumed that breaking it now would help the SDMI.

However this article points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

I really wish that the article quoted above had been written earlier and had come to our attention earlier, for it is quite a valid and compelling counter to the "rah rah let's boycott the challenge" idea.

Basically, maybe we were all wrong, and cracking it quickly and effortlessly will not help the SDMI, but actually destroy it! Go crackers!

Sucks to be the RIAA

[ErikTheRed]

Could you imagine how depressing it must be to spend years of your life engaged in a hopelessly Quixotic struggle against advancing technology? Of course, it couldn't happen to nicer people...

Vorbis! Does noone here remember Vorbis?

[MenTaLguY]

After all...that just gives MP3's more of a chance.

Ahem, leaving SDMI for MP3 is just leaving the DMCA Swamp for the Patent Quagmire. Out of the frying pan, into the fire.

Why don't we go for the option that doesn't involve breaking the law (and has nice fringe benefits -- MP3 is old tech now), when we can?

And, by the way, the Vorbis format is finalized and has been for some time. bps limitations of current encoders are only a result of the encoding software, not of limitations of the underlying format. Not to mention that .ogg seems to be sounding better than higher-bitrate .mp3s as the encoders improve...

This does it, I'm re-encoding[1] all the music on my site to .ogg when I get the chance. I need the space savings anyway.

---

[1] that is -- encoding new .oggs from pristine audio, not "converting" the existing .mp3s.

"converting" among lossy formats is always going to sound bad.

Re:Did they not expect this?

[plover]

A couple of points: First, there is no next step. It is not mathematically possible to secure data in a non-trusted non-secured HARDWARE environment. Can't be done, mathematically provable (wish I could offer the URL of a decent proof here, oh well, that's what google's for, right?) Physically provable also, as well evidenced by this announcement.

The ONLY possible result was to have their watermarking broken. As I mentioned above, it's not possible to secure it.

What you describe as their best possible result would actually be the penultimate nightmare scenario for SDMI. Ramping up production of new hardware and media is an incredibly expensive undertaking. Not to mention the risk of public rejection (for a primo example of this, learn the lessons of DIVX.) To get $2 billion down that path, only to be shot down by hackers. At this point, they're only out a few million. The $10K prize was a spit in the bucket.

As to your last point, professional cryptographers have been telling them this is impossible and a huge waste of money. People with money don't believe in "impossible." They don't understand technology, they understand money. And in their world, money can buy the impossible. They don't live in our world, where code can always do the possible.

John

This is nice - but what about other DRM systems

[szyzyg]

I'm amazed that nobody has published code to break the DRM (or at least capture unencoded data) on other established formats like Liquid Audio, Blue Matter (basically Real Audio) and everyone's Favourite - Windows Media.

OK there's the little issue of the DMCA which would make such things illegal in the US.

I wouldn't be surprised if some of the SDMI breaks came from Microsoft to help promote their DRM server based technology.

... I think they did expect this ...

[MenTaLguY]

Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

They had professional cryptographers working on this, and I expect the cryptographers told them as much, which is why this gives me the willies.

My gut feeling says that they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them.

One way or another, the successful crack is a worth a lot more than $10k to them...

We'll have to wait and see...