Slashdot Mirror


SDMI Officially Reports on SDMI Hack

A reader sent us the press release that the Secure Digital Music Initiative folks have put out regarding the Hack SDMI challenge. They are stating that three out of the five were not cracked, contrary to earlier reports, and that of the two that were cracked, one was not a replicable event. Meanwhile, Salon has continued their coverage of the whole shebang.

26 of 136 comments

  1. regardless... by cybercuzco · · Score: 4
    No matter what happens with SDMI, it will be cracked. I think that the fact that even part of it was cracked with a massive boycott going on speaks to the encryption scheme's weakness. Even if the whole thing had been broken, I don't think SDMI would have released the fact. They have too much money riding on it now to start over with something new, which is what they would have to do if everything was cracked. What will be important in the following months is whether SDMI is actually released into the wild or not. If it isn't, I suspect the whole thing has been cracked; if it is, then it will be cracked soon enough. Either way MP3s are the future of music, not SDMI.

  2. How does SDMI define crack? by segmond · · Score: 3

    If it was broken, AND their system could not detect, i.e., the watermark, do they consider it not cracked if THEY determine that the sound quality is not good enough? Good enough for who? For them? For the people who will be glad to pirate it?

    --
    ------ Curiosity killed the cat. {satisfaction brought it back | it didn't die ignorant | lack of it is killing mankind
  3. Re:Re-encoding as Ogg? by algae · · Score: 3

    In an SDMI world, your soundcard would refuse to play the new .wav because it still has the magic mark of Cain.

    Do you realize how *unlikely* this is to happen? Your average game probably has between several hundred and several thousand sound effects, and maybe a few dozen cinematics. Suddenly, every single one of them has to be encoded with the watermark from a completely different industry, just because they happen to both use the same hardware. Amateur musicians would be another group who might not quietly accept getting screwed if SDMI hardware becomes the law.

    --
    Causation can cause correlation
  4. Princeton Team by Mad+Hughagi · · Score: 5
    A coalition of cryptography and watermarking researchers from Princeton University, Xerox PARC and Rice University claims to have successfully defeated a music protection system proposed by the Secure Digital Music Initiative (SDMI). - From Salon

    The only consideration is that this group hasn't submitted their technical information (which automatically excludes their attempt from being considered). Now I don't know about most skeptics, but when a group of this stature claims to have done something, I would guess that they were being sincere - how many universities would allow research groups to do work on something like this and then make false claims?

    --
    UBU
  5. this is what was sticking in my craw by beckett · · Score: 4

    I remember a few weeks ago there was that streaming radio interview with Chiariglione, some Linux webpage, some guy from 2600.org, and the FSF. In that interview, Chiariglione addressed several issues involving "fair use", and he said (rightly) that SDMI will provide someone with the ability still to copy, but not serially (like the present SCMS).

    The FSF rep wasn't able to respond to this, but from my point of view, SDMI's ability to make a limited number of digital copies fulfills the "free speech" needs of the FSF, which was their main concern.

    What do people think about that? Do I have this wrong?

  6. Re:Re-encoding as Ogg? by g_mcbay · · Score: 5
    In reality it doesn't matter... Your assessment is correct.

    The music industry blindly believes that as long as you can't make a perfect digital copy, their investment of millions into a protection scheme is a good one.

    The music industry is wrong. Nobody seems to mind all the fairly crappy (compared to 'perfect digital copies') MP3 rips on Napster. Nobody will mind a protected song going over high quality analog and being redigitized back into an unsecured format (Ogg or MP3).

    It is all an exercise in futility and corporate self-ass-protecting.

  7. heheheh... by AugstWest · · Score: 4

    "Each submission -- whether successful or not -- taught us important lessons about what can and cannot work in the marketplace."

    Ok, lesson here is... if you can encrypt it, someone can break it. Plain and simple.

    If it can be streamed, it can be recorded.

  8. Secure Music? by MarNuke · · Score: 3

    Is there such a thing?

    Ok, let's say you make it where a watermark is 'somewhat secure' (there is nothing "secure", only "somewhat secure"). Say it uses a bunch of random bits that are encoded in the music. What would stop someone from just removing the code from the music? The DMCA?

    Everyone here has seen a sound wave. Wouldn't the "code" produce abnormal spikes somewhere in the wave? With a powerful sound processor, it could be possible to process the wave in a way to detect the code and remove it. Of course this is analog.

    With digital music, random bits can be placed in locations which typically would not produce sound or abnormal sound. Drawing from a "clean" sample, patterns can be found for the encoding. Do some math, and the watermark becomes clear as day. Once the pattern is found on the single sample, you have to find out how this sample compares with other samples.

    This is where it gets complex. If the music affects the pattern of the watermark, one would have to figure out what influences the pattern. It can be rather complex. But here's the problem. One can't just add a bunch of random bits to digital music and expect it to sound the same. Figuring out where to put the bits helps the cracker, because it makes it easier to find a pattern.

    Also, one is limited in the number of bits by the loss of enjoyment. How many can you really put, using complex algorithms, in a 4-minute song? How many of the 50 megs of a wave file or 4 megs in an MP3 aren't really used?

    There is one good thing, with effective encoding, it can increase security for simple text messages.

    =)

    --
    MarNuke
  9. Re:Re-encoding as Ogg? by Dr.+Evil · · Score: 3

    What if the Watermark contains information to the effect of:

    "Purchased on 11/09/2000, by g_mcbay. By listening to this music, g_mcbay agrees that he/she will not copy this music. BTW, his credit card number is xxx111222333"

    If that gets all over the world, you could be tracked down and potentially held responsible for the unauthorized duplication of the music. So how do you ensure that the message is scrubbed clean without degrading the sound quality?

  10. SDMI will win by mikej · · Score: 5

    I have less and less faith that people like those behind SDMI, the DMCA, Library/School filtering, etc. can lose. Yes, thus far people with reasonable, intelligent, knowledgeable positions have been able to hold all that money in check, but I just don't see how that situation can continue. What isn't technically possible _will_ be legislated into effect by people with the resources and desire to see it so.

    What those who rose to the SDMI challenge did, if I'm to understand the implications of the end to the DMCA commentary period correctly, is now a felony. It is my understanding that even the Princeton team, a legitimate academic research effort, put themselves at risk of ending their careers by participating in this overtly sanctioned exercise in reverse engineering.

    If the mind-blowing amount of money behind initiatives like SDMI can't create a technical solution, you can guarantee that it will realign to bring about a legislative solution, and once that's done, that money will move toward financing enforcement. The truly sad part is that we're already moving into the enforcement phase, and neither of the two possible next presidents has displayed any willingness to curb the trend. As the subject says, SDMI will win, not because of its technical superiority, but because there's too much money working to guarantee that it does.

    I've been a cynic for a long time, but I've never seen so much to be cynical about as I have in the past year on the internet.

    --
    Ideology breeds Hypocrisy. Just how much is up to you.
    1. Re:SDMI will win by i-Chaos · · Score: 4

      When was the last time internet legislature actually secured anything? Don't tell me that you're completely blind to that "warez" site that you KNOW exists. Don't tell me that you're unaware of the existence of FTP sites running on OC-3 backbones massively transferring pre-release games and Microsoft betas. And lastly, don't even think about saying that you've never seen a file called "class.nfo" or "myth.nfo". Well, if you really don't know what I'm talking about, then you should reconsider your post, as you obviously don't have enough information about the topic in question.
      We're talking about securing music files to rid the world of internet DIGITAL music piracy. Let me just say that the only piracy protection on games that the "Release Groups" have not been able to crack is the logged reg-key. Logged reg-keys are stored remotely, and every time a game - for the sake of argument, let's use Quake 3 as an example - is played (over the internet only) there is a check for the reg-key. If the reg-key which the user entered into the game is in their file of "released keys", then the user is allowed to play, if not, then the user is not. Besides, Quake 3 has been cracked to work with single-player. What can SDMI do? Force only internet-connected users to listen to music? Ha! That's a laugh. Anyway, good day.

      Oh yeah, a note on "resources"... umm... one would think that MR Gates has LOTS and LOTS of resources, yet a lot of people use pirated Windows - just a thought.

      --
      ...I am proof that intelligent beings are not always intelligent...
    2. Re:SDMI will win by gotan · · Score: 3

      Well, it would be a bad idea for Microsoft to raid all those people and generally prevent them from using an unauthorized copy of Windows. It surely would be easy for them to scan the net for duplicate registration keys (we all know that they could coax that kind of information out of any IE visiting one of their websites) and thus gather enough evidence.

      But they would lose more than they win; many people would abandon Windows and use alternative OSes, and once they use them at home they could use them at work too ... and that's where MS gets the real money for their OS: selling licenses and training to all those employers equipping tens to tens of thousands of computers with it.

      For games it's a little different. By now the software industry has learned the fact that any software selling millions of copies (games and popular tools) will have its copy protection cracked sooner or later, so they calculate to make their revenue in the first two or three months after it appears on the market (that's why they have to hype the product so enough people will rush to the store and buy it the day it comes out).

      For the music industry neither of these arguments works: they lose more than they gain from anyone grabbing their music for free, and once SDMI is cracked free copies of music may hit the net instantaneously after release. So for the music industry with their current business model (make the main income from selling copies of music) it's a simple equation: each 'pirated' copy is one copy sold less (a more realistic calculation would be more like 10:1) and so they will drag everyone they deem worthy of suing to court (probably down to the student who shares his music files with the whole university) to frighten people from 'pirating'.

      What good that will do them remains to be seen. Maybe it only helps to create a free music scene, like commercial software bothered enough people to spark initiatives for free software, and as there can be money made from free software (with good documentation, training and support for example) there could be money made from free music as well (with fan articles, advertising, and concerts for example). It would be less money altogether, but OTOH there would be less overhead (mainly distribution and marketing) too; in the end the artists' share might even be bigger (and that's what the music industry most cares about, the rights of the artists, let's not forget that).

      --
      "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  11. Re:Easiest crack... by delysid-x · · Score: 3

    They're going to watermark CDs? Does that mean they'll want everyone to fill out a form and agree to the ToS at the record store?

  12. Re:Re-encoding as Ogg? by Fat+Rat+Bastard · · Score: 3

    Theoretically the watermark will survive re-encoding. It is nothing more than an audio signal that is put in a part of the spectrum that will cause the least amount of "damage" to what we as humans can hear (probably not the best explanation, but the best I can do right now). The theory goes the more you distort the file to destroy the watermark, the more you destroy the "good" stuff as well (you really distort the music to the point that it's noticeable). That's the theory anyway.

    Assuming that you cannot destroy the watermark (doubtful IMHO) they still have a huge problem. So what if the songs I have have a watermark? It only matters to SDMI aware programs/hardware. The RIAA may be able to strong arm the consumer electronics firms into producing SDMI compatible equipment (thru crap laws or pictures of Sony's Prez with a goat or something) which will slow things down for a while (and the CE companies will fight tooth and nail... they know the consumer HATES things that complicate their products), but it should be dead easy to come up with a program that plays their format and totally ignores their watermark so you can still play SDMIed music on your computer care free, and there are quite a few do it yourself stereo component and portable units that hobbyists can build.

    --

    If you don't have anything nice to say, say it often.
    - Ed the Sock
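The robustness theory in the comment above, sketched as an added example (not part of the original thread, and not SDMI's algorithm, which the page does not describe): a generic spread-spectrum mark with a correlation detector, checked after noise and 8-bit requantization. The key, amplitude, test tones and noise level are constructed assumptions.

```python
import math
import random

ALPHA = 0.05   # watermark amplitude (assumed; loud for a toy so the numbers read easily)
N = 20000      # number of samples the detector integrates over

def chips(key, n):
    """Key-seeded pseudo-random +/-1 sequence shared by embedder and detector."""
    rng = random.Random(key)
    return [1.0 if rng.random() < 0.5 else -1.0 for _ in range(n)]

def host_signal(n, rate=8000):
    """Constructed stand-in for music: three sine partials, peak below 1.0."""
    return [0.4 * math.sin(2 * math.pi * 220 * t / rate)
            + 0.3 * math.sin(2 * math.pi * 440 * t / rate)
            + 0.2 * math.sin(2 * math.pi * 1000 * t / rate) for t in range(n)]

def embed(samples, key, alpha=ALPHA):
    """Add the low-level keyed sequence on top of the audio."""
    return [s + alpha * c for s, c in zip(samples, chips(key, len(samples)))]

def score(samples, key):
    """Correlate with the keyed sequence: about alpha if marked, about 0 if not."""
    c = chips(key, len(samples))
    return sum(s * k for s, k in zip(samples, c)) / len(samples)

def detect(samples, key, alpha=ALPHA):
    return score(samples, key) > alpha / 2

def add_noise(samples, sigma, seed):
    """Stand-in for a lossy analog pass: additive Gaussian noise."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]

def requantize(samples, bits):
    """Round to a coarser sample grid and clip to [-1, 1]."""
    step = 2.0 / (2 ** bits)
    return [max(-1.0, min(1.0, round(s / step) * step)) for s in samples]

def snr_db(reference, test):
    """Signal-to-distortion ratio of test relative to reference, in dB."""
    sig = sum(r * r for r in reference)
    err = sum((r - t) ** 2 for r, t in zip(reference, test))
    return 10 * math.log10(sig / err)

def demo(key="constructed-demo-key"):
    host = host_signal(N)
    marked = embed(host, key)
    # Noise twice the mark's amplitude, then 8-bit requantization.
    processed = requantize(add_noise(marked, 0.1, seed=7), 8)
    return {
        "marked_detected": detect(marked, key),
        "clean_detected": detect(host, key),
        "wrong_key_detected": detect(marked, "some-other-key"),
        "processed_detected": detect(processed, key),
        "mark_snr_db": snr_db(host, marked),            # cost of embedding
        "processing_snr_db": snr_db(marked, processed),  # cost of the processing
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The processing degrades the audio more than the mark itself did, yet the detector still fires, because correlation averages the noise down over all N samples while the mark adds up coherently.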

  13. Re:So called golden ears tests by Chris+Johnson · · Score: 3
    Not to mention that anyone who can hear the difference of removing a watermark of this nature... could plainly hear the sonic damage the watermark itself causes... and very likely could hear the difference between CD and, say, 20/48 or 24/96 digital.

    If it wasn't for the fact that all freely accessible music formats are apt to be declared illegal I'd _love_ the idea of these clowns going ahead with SDMI. I can tell you that it is going to be _noticeable_ if you have an ear- perhaps less so if you are 'watermarking' Britney Spears junk, but anyone who is getting a good sound will find that sound _defaced_ by the watermarking. That's not all- radio stations have elaborate equipment to compress and enhance detail on the music they play. Played through that even the Britney Spears stuff will be obviously flawed by the watermarking- it will bring out the distortion and make it audible, that is what this type of equipment is _for_: bringing out hidden detail in sound.

    There is a Chinese ideogram (?) which represents both danger and opportunity. This SDMI garbage is just that- both danger and opportunity. There was a time when major label/corporate musical content actually was better than garage stuff- studios were paid for, artists got to concentrate on their work, and a lot of music got created that was really rather good. That's why you're still hearing it 20, 30, 40 years later instead of last year's corporate music product.

    That time is gone- now, with SDMI, the corporate music product is boldly choosing to degrade the quality of its product to _substantially_ below what a clued electronic musician (with some sound engineering experience) can produce. That's because the corporate people think they have such a lock on media in general that they can _afford_ to do this to tighten their control- and that is the opportunity.

    It's never been a better time to become a musician- not because there is industry support- there's not- not because there's money in it, there has never been money in it compared to, say, going public with a dotcom. The reason it's such a good time to be an indie musician is because the main competition, commercial media, is becoming so arrogant that it no longer cares about any sort of quality. This tends to alienate people, and there are going to be a lot of alienated people milling around trying to find music, entertainment, stuff to listen to or watch or even stuff with a message and a purpose. It's simple mathematics- as the corporate product gets complacent (check), lower in quality (check BIGTIME) and cynical (check), a market opens up for competition to come in. Straight capitalism- capitalism cuts both ways *g*

  14. Re:So called golden ears tests by Masem · · Score: 3
    As an earlier link to the SDMI thing, I remember reading that the sound engineers that were selected to test the quality were all from RIAA organizations. And of course, RIAA wants the cracks to fail.

    What's odd about this is that we have a means to break SDMI and produce a file which probably has excellent (given that the people to submit said cracks would be sufficiently happy with their results), but not quite excellent (failing the golden ear test), but free of copy protection. When it comes to "distributing" free music, what will the average user of such services look for? I'd argue that only true sound aficionados would be the ones to get the CD given the option between it and digital music files, and they'd be the only ones that could hear that difference that the golden ears tests revealed.

    Basically meaning that since it can be hacked to remove the watermark, SDMI is pretty much defeated.

    Save for that stupid little thing we call the DMCA.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
  15. Go ahead, fib.. by iamsure · · Score: 4

    It seems to me based on the Salon reporting, the MULTIPLE universities and other groups that claim to have cracked all their watermarks, and protection schemes that they are fibbing.

    Maybe they have some cute little exception (can't be reproduced on a p100, doesn't sound the same to golden-ears after the fact), but it seems like a fib or a stretch at LEAST to me.

    So, what if they are fibbing?

    More power to them. Let them release a flawed product, get everyone's support, have it added to a million products and songs, and weeks after release have a winamp plug-in come out that real-time decodes them.

    Suits me just fine.

    The honest, appropriate, and correct solution to the problem of digital security is to not be militant about it.

    Sure, anyone can copy cassette tapes, and lots do. That didn't stop PLENTY of cassette sales.

    You say it's different because it's digital, but it really isn't. The general populace doesn't have the knowledge, time, nor toys that support MP3s in a wide-spread way yet.

    Not to mention I don't think it will become super-widespread for another 3-4 years.

    (Yes, I know Napster has a large user base. That's not the same as the user base of people with CD players (home, car, personal, AND computer) now is it?)

    In short, the media giants need to just tuck tail. It's a losing battle. MP3s sound more than decent, and are not secured. They will always be around now. If the music companies had gotten on board sooner, and done digital distribution sooner, they may have prevented it.

    All they can do now is try to save their ass.

  16. Re:Re-encoding as Ogg? by overshoot · · Score: 3

    In an SDMI world, your soundcard would refuse to play the new .wav because it still has the magic mark of Cain. Likewise, your video display will only display approved images, etc.

    Yes, I know: this whole scheme depends on having every single manufacturer of electronic components and systems play along. That's what the DMCA is for (and the recent FCC decision requiring that TV sets do "rights management.") It's Part One of the move to make manufacture of non-SDMI equipment illegal.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  17. SDMI will fail--so sorry by Sara+Chan · · Score: 5
    The most important point was made by the Princeton team in their FAQs:

    All hacks to SDMI attempted so far have been made without access to the watermarking algorithm. If SDMI is ever released to the public, however, someone will reverse engineer the algorithm--and post it on the web for all to see. As soon as that happens, SDMI will almost certainly be cracked more or less completely. The current contest wasn't at all close to a real-world test.

  18. Golden ears is not a misnomer by vees · · Score: 3

    Has anyone ever had the chance to listen to some of those ear training tapes that sound people listen to to get that good? I listened to one once as it went through a series of sound bursts of 3 seconds through 1 millisecond. Past half a second, they all sounded identical to me. Then there was the test where they raised a certain frequency a few dB above a noise floor, at 50 Hz, 100 Hz, etc. all the way up to 22KHz. That sounded like a 2400 baud modem played backwards.

    And yet, my friends in the professional sound field can hear these minute changes in the quality of the sound and correctly identify each one. That's why they get paid as much as ninja Solaris admins. They can't listen to anything less than digital to the speaker theatre quality sound without cringing. Me? I like MP3s and AM radio. So much for the golden ear test. Now back to my Rio.

  19. Re:So called golden ears tests by mangu · · Score: 4
    To see how much those "golden ears tests" mean, take a look at rec.audio.high-end. It's not those very few people who are naive enough to spend $6000 for a pair of "oxygen-free copper" speaker wires who matter to the music industry.

    The majority of people who buy music are those who are already used to the degradation caused by broadcasting, people who listen to audio cassettes in noisy cars, etc. As long as the music passes "tin ears tests" it's good enough, and the RIAA knows that.

  20. This is perfect by Jafa · · Score: 5

    Everyone was trying to boycott the challenge earlier, thinking that if we let them release, we'll break it after it's official. Then some people broke it (for the most part. Not forgetting that it's impossible to secure anyway). Now, they're saying it wasn't broken and are moving ahead anyway! That's the impression I get.

    Sounds like a good deal to me.
    Jason

  21. Re:but why? by danderson · · Score: 5

    Why should I use SDMI when I already have MP3!

    (If you live in the US: ) Easy. MP3 will be found to be an illegal bypass of the security measures found in SDMI and will be declared illegal. So will the CDs you own. And any tapes. And the concept of Fair Use will be thrown out. Just prepare yourself.

    (If you don't live in the US: ) Try not to laugh too hard at our stupid corporate laws.

    --
    This is supposed to be great art. So why does it look like a bunch of decapitated naked people? -- Calvin
  22. Translation: from Corporate to English by Anonymous Coward · · Score: 3

    Of course, there's another translation available:

    ...successful attacks were not identified on three technologies, and were identified on two. Of those apparently successful attacks, one of them was not reproduced on additional music samples as part of our evaluation process.

    Neatly morphs into...
    "Despite our best efforts, it appears that all 5 encoding methods were cracked. We could not figure how people did it on 3 of the methods because they didn't send the program.
    On the two groups that were kind enough to send their program, we could only figure out how to use one of them"

  23. So called golden ears tests by g_mcbay · · Score: 5
    The 'golden ears' tests are what make me laugh the most. Haven't these people ever downloaded an MP3 from Napster? Even I can tell that the quality is fairly poor on many of the MP3s people host. Yet, it doesn't seem to deter the masses.

    It is incredibly naive of them to consider a hack on SDMI unsuccessful because professional sound engineers could hear the difference in the watermark-hacked version!!! Especially in the case mentioned in the article where it was a 2-1 vote, meaning one of these professional sound engineers out of 3 didn't hear the distortion.

  24. irrelevant by xeno · · Score: 4


    I'm not sure there's real news yet: The SDMI proclamation and the Salon reporting is just a war of words at this point. What will be of real significance is when an SDMI format is selected, files become available, and can be played by commercially available devices. THEN it will be significant if there are cracks of the chosen SDMI format.

    IMHO, I don't think that the people motivated to produce the best cracks (and to build GUI crack tools, which are what would do the real damage to SDMI) are also motivated to share the results with the SDMI folks. The real news will be whether successful, reproducible cracks and crack tools become available immediately after the SDMI release.

    --
    I think not...(*poof*)