Slashdot Mirror


Money For Nothin' From The SDMI Hacking Contest

OS24Ever points to this CNN story, writing: "SDMI is announcing that they are paying two hackers $5000 each for breaking the encryption on their watermarking technology." And as the article points out, conspicuously ignoring the fact that independent researchers have broken four of the watermarking schemes without getting taking part in the official contest.

144 comments

  1. Re:Is any encryption safe? by 11223 · · Score: 2
    They may already have an O(lg n) or O(n) factoring algorithm, where n is (respectively) the number or the number of digits in the number.

    They may already have broken discrete log.

    Yes, PGP can be broken.

  2. Re:Makes you wonder...Digital Snake Oil by CyberGarp · · Score: 1

    The whole thing flies in the face of OpenSystems. When the printing press was invented, did they figure out how to prevent people from copying books by watermarking?

    This P.S. is the most disturbing part of the whole thing.

    If a watermarking scheme is required to play music, a free, open source player that had the code to check the watermark could easily be changed to play without the watermark. Then what about all the music out there that doesn't have watermarks. I.E. Don't delete this line of code. Kinda like the old police scanners that were illegal, but you could buy one that didn't work, then open the box and there was a diode (sometimes marked!!!) that you cut out. But then who cares about those silly open source freaks anyway :P

    If a watermarking scheme is used to prevent copying. Hah! If it's digital, it's copyable. Like your O.S. going to check on every write and make sure you don't do something you shouldn't. Hah!

    About the only use of a "watermark" is to insure downstream somewhere, that a file wasn't tampered with. Very useful.

    I think the P.S. here hits the nail on the head. SDMI stands to profit from selling digital snake oil to the music industry. The music industry suffers from the "cure" and drops the idea after funding several SDMI careers.

    --

    I used to wonder what was so holy about a silent night, now I have a child.
  3. The Ultimate Solution by workers_unite · · Score: 1

    There is one way to solve all of these problems that a lot of people don't think about, and that is to publicly subsidize the arts and nationalize the recording industry.

    Let's face it... corporatism has totally taken over the music industry, and the people are the victims. We must completely eliminate the greed and bring art back to where it belongs -- to the people.

    With only public ownership of art allowed, we wouldn't need any of these encoding schemes, and the greedy record industry would stop stealing from the people.


    --
    From each according to his ability, to each according to his needs.

    1. Re:The Ultimate Solution by Chris+Johnson · · Score: 2
      I like your attitude. Now excuse me while I duck a hail of libertarian-hurled bricks, rocks, molotov cocktails and hand grenades. ;)

      *duck*

  4. The Only Way by sacremon · · Score: 1

    In the end, as others have noted, you can simply make an analog recording of the music as it is played, giving you a non-watermarked, non-encrypted version of the music, which you can then copy/encode/whatever.

    There is only one way to make music 100% secure:

    1) Distribute music only in self-contained package (like a cartridge) that operates only in a particular type of device.

    2) Have it so that the package erases the music after a single use.

    3) Destroy/Buy/Confiscate any other publicly available means of playing music than said device.

    Number 3 is the real toughy, of course.

    --
    If you can't beat them, embrace and extend them.
    1. Re:The Only Way by sacremon · · Score: 1

      And play the unwatermarked copy on what? See point #3.

      --
      If you can't beat them, embrace and extend them.
  5. Re:The only way you can encrypt music by ideut · · Score: 1

    I think it's time for you to admit you don't know what you're talking about.


  6. You are assuming... by Anonymous Coward · · Score: 2
    ...that everyone has a crappy sound card, and wrongly so. I personally have an M-Audio Delta 1010 and let me assure you, it would make great copies. Supposing SDMI works like I assume it will and is computer based, I can make perfect digital copies. I simply play the music to one of the outputs on the Delta 1010, but have the Delta route it back to a port I can record, and do so using a separate program. Bingo, a perfect (the internal routing is all digital), unencrypted copy. Then I just encode it using LAME at 256k/sec which has been proven to be CD-quality and I'm good to go. Suppose, though that they try to detect the recording and it won't play back if recording software is loaded. Still no problem, I just reroute the output to go to my S/PDIF port, and record that on to my Alesis Masterlink, then bring that back to the computer. Again, a perfect digital copy. Ok, well now suppose the files will only play on their own physical devices. Still no problem. If the device has a digital output I hook that in and record from it. Since the soundcard is classified as a professional device, it is exempt from having to obey SCMS (so it doesn't). Now even if they have no digital output, it's no problem. The Delta has 24-bit converters with specs far exceeding CD-quality and a good, low jitter crystal. I just make an analogue recording and encode that. It won't be a perfect copy, but I highly doubt you'd be able to hear any difference between it and the original.

    Basically, the point I'm trying to get at there is there really is nothing they can do to stop the copying of music. So long as I can listen to it, I can find a way to copy it. Also, going to analogue just once does not have a significant detriment on sound quality. Yes, if you record something from your portable CD-player with your SoundBlaster Live it is going to sound like crap, what do you expect? You are dealing with cheap consumer electronics with cheap converters, lots of noise and jitter on both ends. However there are some of us that do own real professional gear (you don't need a license or anything) and will use it. And of course once we have translated it and released, everyone can have it and believe me, we will.

    Posting AC for reasons that should be apparent.

    1. Re:You are assuming... by crucini · · Score: 1
      Your logical chain is good until the last link. That's where I have a doubt:
      > And of course once we have translated it and released, everyone can have it and believe me, we will.

      You're going to put an mp3 on the internet that is the cleanest possible encoding of the song given that it's already been through a different codec and the player's cheap D/A conversion. (No, I don't see the music industry allowing an unencrypted digital output!) I could play your mp3 on my soundblaster awe64 and probably be happy. There's a watermark in there, but I can't hear it and my hardware doesn't read it.
      But when SDMI-compliant soundcards become the norm, Joe Schmoe who bought his computer at Circuit City will find your mp3 impossible to play. Over time, this is meant to marginalize and eventually destroy mp3.
      Also, the strength of the current mp3 scene is that ripping/encoding is easy and doesn't require special equipment or skills. If the percentage of the "mp3 community" producing mp3's is drastically reduced, we'll have a lot less mp3s and it will be easier to demonize and shut down the remaining workers.
  7. Re:This is DIVX Part 2 - Audio Edition by FigWig · · Score: 3

    I hope you're only a freshman at MIT...the point of the watermark is to add analog encoded watermark information to the signals without compromising audio quality. The watermark is designed to hold up even after analog recording - such as through the output of your soundcard. Think of it as the opposite of mp3 encoding - mp3 uses a psycho-acoustical model to remove sounds that we won't perceive, SDMI uses a psycho-acoustical model to add sounds we won't perceive.

    --
    Scuttlemonkey is a troll
  8. Re:This is DIVX Part 2 - Audio Edition by sdo1 · · Score: 4
    > If you capture the analog output, there is no way that the watermark could be preserved

    That is completely false. The watermark is embedded in the ANALOG signal. There are several technologies that SDMI is proposing, and I'll be honest, I couldn't hear them all on the samples they provided with and without the watermarking. Some were audible, but perhaps those are the harder ones to break. The quality of the original works wasn't that great to begin with, so maybe that had something to do with it. I'd imagine that it'd be easier to bury a non-audible watermark in "busy" music than it would something that's soft and simple.

    The watermark is designed to survive digital conversion and compression. And some of the technologies do survive. I did some of my own testing of the "sample" files that SDMI made available. I subtracted the "watermarked" from the "unwatermarked" files leaving just the watermark. Then I compressed the files with various schemes (mp3 file compression to different bit rates), and again subtracted the watermarked from the unwatermarked files. This leaves behind a post-compression watermark. I then compared this to the uncompressed watermark. And in most cases, they were, both visually and audibly, similar enough that I could imagine that the watermark may have survived.

    In theory perceptual coding (which .mp3 compression is) should get rid of non-audible parts of the files. The fact that the watermarks did remain to some extent shows that they are, at least in theory, audible.

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  9. Re:The only way you can encrypt music by Hard_Code · · Score: 2

    Yeah, but watermarks don't prevent copying. So what the hell is the difference if my friend just makes a copy of the perfect-sounding media file. I can play it to my heart's content without any degradation, and short of the RIAA storming my house, who would ever know??

    --

    It's 10 PM. Do you know if you're un-American?
  10. Re:This is DIVX Part 2 - Audio Edition by sdo1 · · Score: 2
    > By doing a bitwise comparison of two different "SDMI-approved" players, anyone of even moderate programming talent could identify the "new" watermark the players were adding and either eliminate it, or make it untraceable by filling it with random data.

    SDMI provided .wav samples (44.1 KHz, 16 bit - Same as CD). A pair were exactly the same except one was watermarked. The challenge was to remove a watermark of the same watermarking technology from a 3rd piece of music.

    And believe me, it's NOT trivial. Many of the technologies are certainly beyond "anyone with even moderate programming talent".

    Furthermore, the watermark isn't just a couple of bits thrown in the file. It was an analog signal hidden with the music and it seemed to repeat, sometimes at random intervals, throughout the file. It's impervious to a "bit dropped here" or "a skip there". I don't think the "refuse to play" issue is an issue at all. If it sees the correct watermark throughout the file, it plays. If it sees that the file is filled with ones that it doesn't like, it doesn't play. I think it would be easy enough to keep it from barfing on the occasional "bad" watermark caused by dropped bits, scratches, or skips.

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  11. Re:Morons by Shoeboy · · Score: 1

    > Did these elite dudes also tell you how to MAKE MONEY FAST!!?
    Wow, you must have hacked my email server to know that. Tell me how you did it. I need to get back at K\/\/4k3_g4\/\/D and his crew for calling me a l4m3r.
    --Shoeboy

  12. Re:Morons by cookieman · · Score: 1

    > I've met over 65536 elite hackers on IRC who have become millionaires that way.

    So you've met exactly -1 hackers on IRC (by MS rules) :)
    O wait that's only 65535, I guess I will never be millionaire :(

    --
    Just another coder...
  13. Re:idoits at large by talesout · · Score: 2

    Well, karma burning time I guess. To quote Queensryche:

    I used to trust the media to tell us the truth, tell me the truth
    But now I see the payoffs, everywhere I look
    Who do you trust when everyone's a crook?

    Sorry, but I think the entire idea of "free" press is eventually going to lead to what we have in corporatized America. The only thing free about the press is the bidding process. Unless you got the cash to back you, the story will be told from the other guy's perspective. That's why hackers are still seen as "the big bad bogeymen" of the Internet.

    --


    Bite my yammer.
  14. Is Timothy insane? by KlomDark · · Score: 2
    "without getting taking part in the official contest."

    What in the hell does that mean?

  15. the contest's purpose by ddent · · Score: 2

    10 grand is pretty cheap to have your security tested by thousands of people.. plus, if they want the money, you need to give them an NDA, so basically, they improve their methods AND people don't find out how it was originally broken...

  16. Re:No big deal by OmegaDan · · Score: 1
    Hey bro, maybe he needs the 5,000$ to pay for college or to buy his family out of slavery or something ...

    the real pity is they only gave them each 5gs ... shoulda been more like 50 ... I would have tried for 50 :) ... Winning 50g could change your life if you were smart with the money (pay off the mortgage, invest the money you save ... divorce your wife and start dating 18 year olds ... etc :)

  17. Together we stand by WildHunter · · Score: 2

    The sheer beauty of this is that they essentially made enemies with the wrong people. They whine about infringement of copyrights by geeks who converted their product into a friendly digital package (something they never thought was economically viable.) Then they ask for our help?

    What tops the cake though is that when they do release their technology there are hundreds of thousands of people that will be out to break it just simply on principle!

    Whatever encryption, water mark etc they use it won't be good enough. Everything is breakable with the right equipment and time. (and geeks have both).

    Suck on that RIAA, MPA and anyone else who pisses off the geek community.

    --
    Are you lonely? Hate having to make decisions? Meetings, the practical alternative to work.
  18. Re:Why don't the bands just stop whining? by leviramsey · · Score: 1

    I think Metallica's concern is less that the trading is going on, and more that they are opposed to a company profiting (or trying to) without cutting them in. For instance, the band has always supported bootlegging of their shows, with the ability to trade them being implied. They have cracked down on stores that *sell* bootlegs. That is, I think, the distinction that is drawn between Napster/Scour and Gnutella/Freenet. As far as I can tell, Metallica have no objections to the latter two.

  19. No big deal by buttfucker2000 · · Score: 2

    > SDMI is announcing that they are paying two hackers $5000 each for breaking the encryption on their watermarking technology." And as the article points out, conspicuously ignoring the fact that independent researchers have broken four of the watermarking schemes without getting taking part in the official contest.

    So? The money is for taking part in the contest.

    They didn't, so they can hardly be expecting to get paid any money.

    --
    Free Anne Tomlinson!!
    1. Re:No big deal by StoryMan · · Score: 2

      Actually, the money was awarded because the hackers followed the bizarre *rules* of the contest.

      What hacker worth his (or her) salt would follow rules set by some corporate entity?

      A whore hacker in search of a corporate pimp is who.

    2. Re:No big deal by Kierthos · · Score: 1

      Why should SDMI care? Under the abortion that is UCITA (yes, I know it's not passed hardly anywhere yet) they would not be responsible for the flaws even if they know about them.

      About the only way to get a software company to fix anything these days is to broadcast the bug or abuse as loud as possible so they have to fix it to avoid having every script kiddie in the world using the bug in question.

      And I agree, SDMI should look at the non-contest cracks as well. You'd think because it breaks their 'watermark' they would... no corp likes copyright/patent infringement, and this would let anyone with the crack make their own duplicates.

      Just my 2 shekels.

      Kierthos

      --
      Mr. Hu is not a ninja.
    3. Re:No big deal by Monte · · Score: 1

      > What hacker worth his (or her) salt would follow rules set by some corporate entity?

      You may want to look up the origin of the term "worth his salt" before you use it again. It's the basis of the English word "salary", from the Latin salarium, a reference to the payment, in salt, to soldiers.

      Essentially you're asking "What hacker worth his salary would follow rules set by some corporate entity?". The answer, of course, being "all of them", salary being dependent on following the rules.

      Hope this helps.

    4. Re:No big deal by EvlG · · Score: 3

      Whether the independent researchers get any money is not the point. Rather, SDMI is ignoring the fact that four watermarking schemes have been broken, instead focusing on the results of the silly contest.

      The fact that the researchers are being ignored, and SDMI is focusing on the hackers is telling; they know the researchers have done serious work that could compromise the system.

  20. Who cares by Jedi+Alec · · Score: 3

    We're geeks. We don't need money. What happened to the chicks for free part?

    --

    People replying to my sig annoy me. That's why I change it all the time.
    1. Re:Who cares by Jedi+Alec · · Score: 1

      Last time I used Napster,
      man I felt bad.
      Worst download I ever had
      It took six upgrades,
      and ICQ all night.
      Quake 3 for breakfast just to put me right.

      Cause if you wanna run cool,
      yeah, if you wanna run cool.
      Cause if you wanna run cool,
      You've got to run on heavy, heavy fuel.

      --

      People replying to my sig annoy me. That's why I change it all the time.
  21. Re:never gonna happen by pjrc · · Score: 2
    modemboy says:
    > if you can listen to it you can copy it. They'll never develop an effective copy protection scheme

    It all depends on the meaning of the word effective. It looks like Lumpy already brought up the macrovision example I was thinking of when I started this post. You can watch your video, and determined consumers can copy using older VCRs or special boxes that remove the crap from the retrace time. If effective means preventing absolutely all copies, then no, but I'd say that effective could mean causing lots of consumers to buy the tape or DVD for about $20 instead of renting for $3 and taking the time to copy onto a $2 blank.

    Macrovision only works because the VCR manufacturers use a faster response AGC circuit (than used in the TV). With the world of open source, it seems like it'll be a bigger problem to get all recording devices to respect a dont-copy-me signal, but again, if winamp, microsoft media player, and most of the hardware devices at best buy respect such a signal, perhaps it gets 95% of listeners to pay. Sure, anyone greedy would want the last 5%, but it becomes expensive, and any business man with a brain (or a cost accountant) will take the path that is most profitable.

    Part of my initial reaction, honestly, is more along the lines of "totally unprotected MP3 with p2p file sharing is just damn cool", followed by "it sucks that they're trying to foul it up". I suspect that's the emotional response behind a bunch of the "It'll never work, you dumb..." responses here and elsewhere on the net.

    Now the part that is "going too far", is an attempt to outlaw MP3 players without SDMI features. The RIAA has already tried to do this (and won in the first round, but ultimately lost against the Diamond Rio).

    As long as it's not illegal to make non-SDMI MP3 players, someone will. I know that to be an absolute fact, because I will! (trying really hard to resist a shameless plug/link to my website). As long as there are legal Free/Open-Source (GPL'd I hope) MP3 players, there will be relatively easy ways around SDMI protection.... but if these players are a small portion of the whole (mine's about as tiny as you can get, next to student projects), SDMI might be effective in allowing the recording industry to continue its profitability, even if it's not at all effective at stopping anyone determined to copy.

  22. Naivete: The only way you can encrypt music by robl · · Score: 2
    No offense or anything, but you're being a tad naive. Look at what Bruce Schneier said in his latest Cryptogram:

    2. Even if the contest was meaningful and the technology survived it, watermarking does not work. It is impossible to design a music watermarking technology that cannot be removed. Here's a brute-force attack: play the music and re-record it. Do it multiple times and use DSP technology to combine the recordings and eliminate noise. Almost always there is a shortcut technique to neutralize the watermark, but the brute-force attack always works.



    3. Even if watermarking works, it does not solve the content-protection problem. If a media player only plays watermarked files, then copies of a file will play. If a media player refuses to play watermarked files, then analog-to-digital copies will still work. If a watermark is designed to identify the legitimate owner of the file, it still doesn't prove who copied the file or provide the copyright owner with a party worth suing.


    You write "The song file will be viewable if you decode it with your private key." Well, just decode it with your private key and then distribute the decoded song to all your friends around the world, no real magic here.

  23. Re:The only way you can encrypt music by sqlrob · · Score: 1

    Please point out the holes in the above arguments.

  24. Re:This is DIVX Part 2 - Audio Edition by MeNeXT · · Score: 2
    Funny, how many people register their software today?

    How many would go through the trouble?

    And the best one of all........

    What happens if your player/system is stolen after it has been registered?

    GOD! I think I'm stupid but I just DO NOT get it!!!!

    --
    DRM? No thanks, I'll just get it somewhere else...
  25. Re:Watermark Nightmares by MeNeXT · · Score: 1
    Is it me? Or has no one else lost, misplaced, and/or lent a CD to someone else.

    And DO NOT give me the argument of a player because they can be stolen, lost or misplaced.

    And since they can be stolen, lost or misplaced, they can be used to make copies.

    --
    DRM? No thanks, I'll just get it somewhere else...
  26. Well... by ChenKenichi · · Score: 1

    "I cracked SDMI, baby" isn't much of a pickup line.

    --
    The gravitational constant of protein has changed. - Turbine
    1. Re:Well... by ideut · · Score: 1
      It is when you pronounce it "I cracked sodomy"


  27. Re:This is DIVX Part 2 - Audio Edition by robl · · Score: 2

    Well, you're mostly right here, sorta. But as Bruce Schneier pointed out, it still won't survive a brute force attack.

    See, you can either make the watermark as an audible signal, which most people won't accept, or you can bury it in the noise.

    If it's audible, most people won't even bother.

    If it's in the noise, a digital noise filter can potentially remove it. Or just get several differently watermarked files, and use a DSP to smooth over any differences, and then convert it to MP3/Ogg, or any other player that doesn't have a license restriction.

    It's not that SDMI will fly, it's that it won't even get off the ground.

  28. Re:This is DIVX Part 2 - Audio Edition by Chris+Johnson · · Score: 2
    Hell, I could preserve it through running the output through my studio's mains and _miking_ it. The level of detail inherent in 16 bit 44.1 is _not_ very great. That's why real studios run 20 or 24 bit these days, and mix to a format that's higher-resolution than CD. I flat guarantee that with a bit of experimentation I could run CD-D/A-amp-speakers-air-mic-preamplification/compression-A/D-file and preserve the watermark. That's because I have a lot of very custom hotrodded gear that I build myself. However, _anybody_ could just run outs into ins and have the watermark preserved- if you're not showing off by running the whole recording chain, any old gear will do.

    And the SDMI watermark _does_ screw up the music- what makes you think it doesn't? If it's going to be detectable after mp3 128K encoding, it's going to degrade the music _more_ than 128K encoding, and the degradation is cumulative.

    Actually, I love it. Go to it guys. Degrade your music all you want. It only makes it easier for indie guys like me to compete with you and kick your arses :)

  29. Makes you wonder... by PureFiction · · Score: 3

    If the 'hackers' are SDMI employees or such, and this is simply an attempt to give credibility to a completely flawed process.

    Perhaps they believe that posing the contest as a legitimate, well executed test of the cryptographic properties of their watermarking systems will make the remaining UNBREAKABLE! cyphers seem bomb proof.

    If they were to publish the attacks, complete with cryptanalysis and how the crack was discovered, I would have a bit more faith in the result.

    P.S. I wonder how much they are going to charge to license these forced watermark encryption schemes...

  30. Re:The only way you can encrypt music by otis+wildflower · · Score: 1

    Because unless the decrypting and playback equipment is embedded within your skull, some enterprising hacker will simply find a way to take the decrypted audio stream and create a replayable file out of it.

    Your Working Boy,

  31. Re:Morons by Shoeboy · · Score: 1

    All I know is that my shorts overflowed.
    um.
    That sounds kind of gross actually.
    sorry.
    --Shoeboy

  32. Re:Makes you wonder...Digital Snake Oil by Howie · · Score: 1

    > When the printing press was invented, did they figure out how to prevent people from copying books by watermarking?

    When the printing press was invented, there was no way of copying the image of the printed book. You either got your own printing press and re-set the whole thing, or hired a bunch of monks. In a tortured music analogy, they are the equivalent of learning to play stairway to heaven yourself on your guitar, or telling someone to play you that song that goes da-da-da-daaaa-dada-dooo.

    (I agree with the rest of your post though :-) )

    --
    "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
  33. Re:The only way you can encrypt music by GreenCrackBaby · · Score: 3
    Why won't something like this system work?

    Step one: connect line out from player to line in on recorder

    Step two: press record

    Step three: press play

    Step four: enjoy your unwatermarked song

    --

    "The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
  34. Can't Stop Piracy by (eternal_software) · · Score: 4

    No matter what, you can always record the lineout from your soundcard, then recompress into whatever you feel like (MP3, for example).

    You may say "not many people would go through the trouble", but only ONE person has to, then they can share the MP3 just like we do now.

    Nothing will stop this, so why are they bothering with all this encryption technology?

    1. Re:Can't Stop Piracy by fishbowl · · Score: 2


      > No matter what, you can always record the lineout from your soundcard, then recompress into whatever you feel like (MP3, for example).

      Right. The 16bit sample, and the noise from the analog stream is enough of an aberration that the record companies don't really care. The people who use this approach to copy digital music are polluting the mp3 community with their unlistenable crap.

      Anyone who encodes a crappy mp3 should be shot.

      --
      -fb Everything not expressly forbidden is now mandatory.
    2. Re:Can't Stop Piracy by JackDeth · · Score: 1

      > Nothing will stop this, so why are they bothering with all this encryption technology?

      That's easy: Money. The SDMI thinks (probably correctly) that piracy costs them a great deal of money each year. They also think that if they could prevent that piracy, their revenues would increase significantly (very debatable). They also have five other companies telling them that they could stop a lot of that piracy by using their encryption technology.

      As dumb as it sounds, the marketing and sales people of those five companies are probably more convincing to the SDMI than a bunch of geeks screaming on a message board.

    3. Re:Can't Stop Piracy by ch-chuck · · Score: 1

      Maybe GWB will push to get the death penalty for piracy? That should deter anyone about to plug & rip, "Man, I could get the chair for doing this!".

      Ready for the new, improved dark ages.

      June, 1992: Microsoft Chairman Bill Gates receives a National Medal of Technology for Technical Achievement from US President George Bush.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
  35. Re:The only way you can encrypt music by LoveMuscle · · Score: 1

    It won't work because I can still post the UNENCRYPTED version of the music, thereby removing the incriminating evidence. The only way this would work is if there was a way to prevent us from writing a decryptor, and a player that can play the decrypted version...

  36. Re:idoits at large by ReverendGraves · · Score: 2

    Nothing like irony, huh? You spelled "idiots" wrong.

    --
    MCH/VO S* W- N+++++ PEC+++ D(s++/r) A a+>+++ C* G++(++++) Q+ 666 Y
  37. Re:The only way you can encrypt music by sqlrob · · Score: 1

    Technically, I don't see why it wouldn't

    In real terms - Who the hell would put up with it? Most people I know would say FU to the company.

  38. Why don't the bands just stop whining? by AFCArchvile · · Score: 1
    Smashing Pumpkins did, and they published their most recent full album over the Internet in MP3 from their website.

    As for Metallica, I just don't understand why they're whining. Back in the middle of recording "Ride The Lightning", they had enough money to buy Dave Mustaine a one-way bus ticket and send him packing. They had enough money to rebuild after the tragic bus crash that took Cliff Burton's life. They had enough money to go out and get a haircut after "Load." They had enough patience to grow their hair back out after "Reload" bombed, and enough money to hook up with an orchestra for an entire album. So why can't they withstand the "loss of revenue" from a throng of audiophiles? Metallica survived among the death of other 80's metal bands, and right now each member is a millionaire, yet they're whining like babies about this.

    Lars, maybe you should stop beating on the batter head of the snare drum and start pounding on your forehead. It'd sure make us consumers feel a lot better.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
    1. Re:Why don't the bands just stop whining? by fwr · · Score: 1

      Yep, music, like all "intellectual property" is intangible. Musicians should make their money from performances and not on some intellectual property that they created 30 years prior. Yes, this is contrary to the laws of the United States of America, and probably most other countries, but that's my view. It's the "what have you done for me lately" perspective. Perhaps musicians should get paid more for performances so that they can invest their money to live off of in their elder years like the rest of us instead of collecting proceeds for copyrighted works for years on-end. The saddest part is that a lot of musicians don't even get any significant income, it all goes to the music companies.

    2. Re:Why don't the bands just stop whining? by jonnythan · · Score: 1

      They got the haircuts before Load ;)

    3. Re:Why don't the bands just stop whining? by Ill_Omen · · Score: 2
      So what you're saying is that they should let people "steal" their music because they can afford it? I can afford a new TV, but if someone walks into my house and takes it away, I'm going to be pissed, I'm going to report them to the police, and if they are caught I'm going to press charges.

      The legality of copyright is not and should not be dependent upon the copyright holder's financial situation. Debate all you want about the legitimacy of their claim, but don't try to justify illegal behavior by saying the victim can afford it.

  39. Re:This is DIVX Part 2 - Audio Edition by robl · · Score: 1

    To be truthful, the watermark is embedded in the digital representation of the analog signal.

    Once that digital representation is converted back to analog, all bets are off. Now you get into the so-called Signal to Noise ratio area. Is there enough signal in the Watermark to stick through the noise? I don't know.

    You can test this, hook a cable from the line-in to line-out of your sound card, and see if the watermark actually survives the digital-to-analog-back-to-digital process. You didn't mention if you actually did this, but I, and others would be interested in your results, if any.

  40. Re:Is any encryption safe? by grahamsz · · Score: 1

    Any high school student who's done a basic course in number theory can break RSA. The simplicity is part of the beauty of it.

    RSA and SDMI are not comparable though.

    SDMI is not an encryption scheme in the normal sense since every user with an sdmi enabled winamp can decrypt it. It is however a watermarking scheme - something which is immensely difficult to achieve.

    What SDMI is trying to achieve is roughly equivalent to trying to hide the message "BILL SUCKS DICKS" inside this posting - but so no-one could see or remove it - complex stuff.

  41. Re:The only way you can encrypt music by fwr · · Score: 1

    I think the idea is to put a watermark that includes your name in all files that you purchase from the Big5. That way, if you made those songs available on the Internet to anonymous users they could find out that you were doing that and possibly get a court order to search your house. Then they would sue you for Copyright infringement, even though you didn't copy anything, because you were making it available on-line. That's what they are trying to do. So, if you only make it available to your friends that you know instead of to everyone in the world then you will probably be safe, unless your friends make it available on-line and then you're in the shit house again.

    A reprehensible tactic. Might as well all write numbers on our foreheads...

  42. Open Source vs SDMI by crucini · · Score: 1

    My understanding is that SDMI will only trust hardware, not software. Hardware can be made very hard to reverse engineer; software can't. So, when SDMI sound cards become widespread, they'll probably release the specs so Open Source drivers can be written. It won't compromise SDMI because the access control decision will be made in the same chip that does the decryption and codec functions.
    If they license a single software player, their scheme will come crashing down immediately.

    1. Re:Open Source vs SDMI by nickco3 · · Score: 1
      > My understanding is that SDMI will only trust hardware, not software.

      That, to use a technical expression, is bollocks. Firstly, execution in software is mathematically equivalent to execution in hardware, in other words there is no way SDMI can tell the difference between a hardware player and a software player.
      Secondly, your hardware and software executes the SDMI data, not the other way around, so if the SDMI data contains something like "If (player_is_software) then refuse_to_play" your software player can easily choose to ignore it.

      The SDMI people have the fundamental problem of untrusted hardware. What they are trying to do, decrypt something securely on someone else's system, can't be done without control of the hardware.

      --
      -- Nick "Hallo this is Beel Gates, und I pronounce weendows as ... WEENdows"
  43. Re:The only way you can encrypt music by 3-State+Bit · · Score: 1
    Rambling ends at D) with actual point.

    A) $120 gets you 7 minute full CD burn time on a $200 computer pre-pre-last generation computer. For something more commercial, it would take significantly longer than 30 minutes, my guess being somewhere in the vicinity of a moderately long checkout line.

    B) There would be 0% flaw. There is 0% flaw in home burner systems, given enough feed. CD burners are as reliable as floppy disk drives. With a dedicated system it wouldn't be difficult to include a quick full read to ensure it burned right.

    C) However, you miss utterly the whole "mass production" thing we got going from the industrial revolution: Manufacturing in large quantities significantly reduces the cost. Right now a burned CD will run you upwards of 25 cents at least, while if you get 10,000 manufactured, the per-disk cost will be roughly 2 pennies. Manufactured CD's far outlast burned CD's -- think about it, you 'burn' a CD by etching information onto a special receptive surface using light (lasers), in levels that because they must be safe for home use are relatively low compared with commercial manufacturing. Wouldn't you expect a light-sensitive medium to deteriorate over time as it is exposed to light, if it is activated by not that great a factor compared with everyday light conditions? A burned CD's life expectancy with use is 4 years before errors are expected to start cropping up.

    D) All of which is of course totally irrelevant: under the way things work now, it is absolutely impossible to conclusively restrict who accesses information, once that information is made available to someone in private.

    Do you think you could control the content on a book, limiting it to being read by a single person, by restricting the book somehow magically to only show letters in that person's house? Of course not. He could simply photocopy the information in the privacy of his own home, and then disseminate it. In the same way, if you allow a computer to play sound, then it is 'displayed'. Once it is displayed, it is free to be recorded.

    The only trade-off is quality: However, with present schemes, it is possible to have perfect quality, ie, the player playing the ripped content gets the same quality as the player playing the original. Because it is possible yet to keep everything digital while transferring to an unsecure medium (and if you allow an unsecure computer to be doing the unencrypting, this necessarily is allowed), right now no encryption can keep content from being distributed. The question is one of how much trouble it is for a hacker to rip it into a different format.

    It should be obvious that anything an eye can see, anything an ear can hear, a device with the same proportions can also access. This means it is futile to encrypt, as long as any hacker worth her salt will concern herself with unencrypting it.
    Further, the only way to restrict the quality is by having your own output system, as opposed to that of the user, much as a movie theater can keep you from copying a movie, while a VHS player cannot. Neither can encrypted DVD. If it is allowed to go unencrypted through a line, it is allowed to go into a separate medium without detriment.

    However, there is the small caveat: All this only applies to static content. I can rip someone's web site and disseminate it onto the world, but only if I can find every bit and their connection. With static content, this is easy. With dynamic content, much more difficult. How would you rip {xyz} company's site with a complex search engine? In the same way, how would you rip content that is dynamic, such as an encrypted DVD movie that displays things on the screen (as most do) besides content running beginning to end.

    It is at this point, once the "content" you're delivering is mixed with interaction with it, that encryption begins to play a key role. If you get root access to see {xyz} company's server, you can before too long rip their site.

    However, you need root access to their server. Interacting with their content isn't enough. In the same way, if you have a standalone player system, then it would be difficult to get at encrypted information (not just content) on whatever it's playing. It is difficult to make such a system, however, because once a piece of hardware is in someone's hands, it's difficult to hide how it functions. With dedicated hardware, though, it is certainly possible. No for the helluvit hacker has the resources to analyze what a gigahertz processor does internally, and in the same way if you make a piece of hardware complex enough, it can handle unencrypting content internally, feed it out, and handle interaction with it. It becomes virtually impossible to rip, just as {xyz} company's web site with its complex search tools is, even though every page of /content/ on it is public.

    Once industry realizes that any content can be ripped, the focus will shift drastically to dynamic content, and to interaction. It is unclear how this would work for music. It is by nature static: and therefore, it is by nature prone to full interception between being played and being heard, whether it is a local computer running it, which makes such a task easy, or dedicated hardware, which makes it more difficult. Short of hooking up a piece of hardware that interacts directly with one and only one person's specific brain structure, music content will always be rippable. While this may dismay old-school groups such as Metallica. Let me reiterate. Old-school groups such as Metallica. Oh, how the world goes! Anyway, groups like Metallica might oppose such a movement (you catch my reference to their vehemently opposing napster, right?), younger upstarts will be sure to embrace dynamic content. And what does that mean? Can you say {annoying sex queen music star} stripping to your cursor? A little to the left, baby. That's it...Now bounce a little. ahhh....



    Flamers:
    No! Of course I mean stripping RJ-45 cables! Don't be perverted! Uh, did I say bouncing? I meant uh...{step step step...SLAM!}

  44. Re:Morons by cookieman · · Score: 1

    No problem, just cast it to INT. O wait casting is baaad ;).

    Cheers,

    --
    Just another coder...
  45. Bring on SDMI 2.0 by mikethegeek · · Score: 2

    And it will end up being cracked as well not long after it comes out. Face it, there is no such thing as a protection scheme, or security measure that cannot be cracked.

    Actually, there is one that MAY be uncrackable... Lock up all the CD's and don't let anyone ever have one. But then, someone can always break into the warehouse and steal them. :)

    As for the hackers getting the money, more power to them. $5K would buy me a nice multi-alpha Linux box. I'd certainly not turn it down :)

    --
    === The price of freedom is eternal vigilance
  46. Per device encryption by ABetterRoss · · Score: 1

    What bothers me more than per-person encryption is per-device encryption, similar to GemStar (Rocket eBook) and Audible.com (audiobooks). When you purchase content, it could ONLY be used on a specific device. I really hope music does not go this way...

  47. Watermark Nightmares by Adrian+Lopez · · Score: 4

    That a piece of music carries a watermark linking it to the person who purchased it raises certain important issues. For instance, certain problems arise when person X transfers his copy to person Y (permanently or otherwise). Imagine what happens if person Y pirates a copy of the song without person X's knowledge. Would person X be held responsible, given that X's identity is linked to the file? Companies seem to believe it's their right to track our every move, privacy be damned.

    Of course they really don't want us to transfer our files to anyone else. Every sale is a "first sale" under their little scheme. Why should hackers help out a group whose only purpose is to limit our rights as consumers?

    --
    "In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
    1. Re:Watermark Nightmares by theancient1 · · Score: 1

      I thought SDMI wasn't a file format, but some sort of watermarking (or "whatever we can do to stop those darn geeks") scheme. So even if you encode all of your music in MP3 (or OOG or whatever), if the music has a SDMI watermark buried in it and you try to copy it to your SDMI-restricted player, it's not going to work.

    2. Re:Watermark Nightmares by mikethegeek · · Score: 1

      "That a piece of music carries a watermark linking it to the person who purchased it raises certain important issues. For instance, certain problems arise when person X transfers his copy to person Y (permanently or otherwise). Imagine what happens if person Y pirates a copy of the song without person X's knowledge. Would person X be held responsible, given that X's identity is linked to the file? Companies seem to believe it's their right to track our every move, privacy be damned."

      This is the whole point... The RIAA wants it to be impossible to legally transfer music between people. They HATE used CD stores (which is where I usually buy my music). They can't do much about it right now, because even Judge Kaplan isn't such a helpless drooler that he'd throw the book at someone for giving the original CD to someone.

      When music starts being sold electronically, on the other hand, the RIAA can, with SDMI, control this.

      I do not think there is much reason to panic, SDMI 1.0, 2.0, 3.0, whatever. It WILL be broken. And the more the RIAA delays in implementing SDMI the more entrenched MP3 becomes.

      I really don't think SDMI has much of a chance in the marketplace anyway, it's going to go over like the RIAA is proposing everyone browse the web with their new protocol not compatible with HTTP.

      And even IF SDMI couldn't be hacked (which it will be able to be), somewhere it has to produce AUDIO, which can be recorded.

      --
      === The price of freedom is eternal vigilance
  48. Re:SDMI: Is it "Unbreakable" or just acting? by HiNote · · Score: 1
    > once they start to license out the technology don't you think that all the independent test would prove it was truly unbreakable or not.

    That doesn't matter. Trying to remove the watermark is illegal. Heck, even _thinking_ about trying to remove the watermark is probably illegal. Do you want to face SDMI in court just because you "tested" the watermark?

  49. Re:The only way you can encrypt music by crucini · · Score: 1
    > I think the idea is to put a watermark that includes your name in all files that you purchase from the Big5.

    I used to think that, but from reading SDMI's docs it seems they have a different plan, which doesn't involve customizing the data for each user. In SDMI, the watermark identifies the 'business rules' that apply to a recording. SDMI-compliant hardware won't perform an operation that violates the business rules. Non-compliant hardware won't be able to play the data at all.
  50. Re:This is DIVX Part 2 - Audio Edition by Azog · · Score: 2
    > Or just get several differently watermarked files, and use a DSP to smooth over any differences...

    I pretty much agree.

    If you assume that everyone ends up purchasing and downloading SDMI-formatted digital music online, and each track has a watermark in it that uniquely identifies the purchaser, then to remove the watermark, what you would do is get a whole bunch of people to buy the track. Then convert each of them into a standard 44 KHz .WAV file, and average them all together.

    However, if the watermark involves subtle changes in timing and pitch, then the process of "averaging" might be computationally expensive. You might also need a LOT of copies, each with different watermarks, in order to detect and remove all the changes.

    But with enough differently watermarked copies and sufficient computational power, you will be able to detect all the changes and remove them. When you are done, reencode the resulting .WAV file back to MP3 and distribute.

    Incidentally, I'm almost sure that the watermarking technology would use a combination of very subtle pitch shifting and timing changes in the music. Hiding information in the insignificant bits is useless - it would be trivial to remove. Adding inaudible sounds would also be useless - as another poster pointed out, the whole point of encoders like MP3 and Ogg Vorbis is to remove the sounds you can't hear anyway.

    So the only way I can see to watermark something would be to change pitches and timing. For example, a high-pitched note in a song might last for 0.5 seconds and be pitched at 9620 Hz. If that was changed to 9640 Hz, you wouldn't notice it was ever-so-slightly out of tune - but that change would survive encoding as MP3, and even being repeatedly run through DA/AD converters.

    The averaging process to remove the watermark wouldn't be done in the space of "16 bit samples, 44K times per second", though. You would have to use a Fourier transformation to convert everything to some sort of frequency / time domain, and do the averaging in that space. But no sweat - that's how MP3 does compression anyway.

    Torrey Hoffman (Azog)
    --
    Torrey Hoffman (Azog)
    "HTML needs a rant tag" - Alan Cox
  51. Re:The only way you can encrypt music by crucini · · Score: 1
    > The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis.

    What about DVD? They only need one public/private key pair per player manufacturer. Yes it was cracked, but a version of this scheme in tamper-resistant hardware would be hard to crack. The idea of one key per user is only necessary if users control their hardware. If the content cartel controls the hardware, they have no theoretical need for more than 1 key. However they'll create a bunch so that if one device is cracked they can stop including that key in future recordings.
  52. Re:This is DIVX Part 2 - Audio Edition by pjrc · · Score: 2
    It's hardly DIVX, which was an invasion of privacy. With DIVX, information about what you watched and when was transmitted back to a central server. DIVX felt like Big Brother was watching. Nobody wanted to leave the player plugged in to their phone line.

    DIVX also caused discs that had been purchased, to not play just two days after the initial viewing. Consumers rejected having to pay twice, and not being allowed to play a disc that they had already paid (admittedly very little) for. Consumers buy a piece of media, they expect to own it and use it as much as they like whenever they like.

    People may not like registering their players, but if it's easy (like activating a cell phone), they'll probably just do it and forget about it. It won't feel like they're being spied upon, like DIVX. SDMI won't make the discs you've purchased stop playing, like DIVX did. They may not like not being allowed to play a copy on their friend's player, but it won't feel like they're being cheated out of something they paid for with their own money, as DIVX did.

    If SDMI works like "sdo1" described, I doubt it'll even be important to have all the players registered. As long as the output from one won't play on any others, it'll put enough barrier in front of most consumers that they'll just go pay for a legit copy. If non-SDMI software exists, but portable hardware doesn't, it may be the best situation, as consumers could sample on their PCs, but not listen on any SDMI-compliant CD player, thereby causing them to pay for what they've already got for free (illegally) on the computer! If the registration step isn't required, it's unlikely most consumers will even notice until they try to copy with their friends... both of whom already own the SDMI-compliant players at that point.

    As far as getting consumers to boycott SDMI, it'd be a lot harder sell than the invasion-of-privacy (Big Brother is watching) and cant-play-your-own-disc (they're ripping you off) and hassle (your house has a phone jack next to the TV, right?) associated with DIVX.

  53. DataPlay is DIVX Part 3 - "Everything" edition by theancient1 · · Score: 1

    >If SDMI comes out like this, people won't buy players for it

    ... assuming people know/care about that part. Many manufacturers and retailers are advertising SDMI support as a feature that will let you do cool things like "play music from major labels."

    It's all about marketing. (and being able to get the mass media to take your side). I read about something called DataPlay today. 500 MB in a $5 recordable disc the size of a Canadian toonie. Support already announced by Eiger and Diamond. I thought this would be the ultimate flash-killer, until I read their corporate overview, detailing their vision of essentially making digital rights management part of the filesystem. (Note "digital rights management" always means "corporate rights management") It's an entirely proprietary system. Any content stored on the disc may require a key to access. Keys can be purchased online and can timeout after a given interval. You can transfer data to your friends, but they will require their own key. If all music was distributed this way, Napster wouldn't exist.

    (They go on to claim that they essentially invented the CD-R.)

    The thing is, they manage to make the whole system sound like it's the best thing since TCP/IP. Do I not put enough faith in people's ability to spot evil? (I always thought DIVX failed in large part because it required a phone line.)

  54. Re:idoits at large by Refrag · · Score: 1

    Yea, that was the point of my post.


    Refrag

    --
    I have a website. It's about Macs.
  55. Re:This is DIVX Part 2 - Audio Edition by sdo1 · · Score: 1
    > Once that digital representation is converted back to analog, all bets are off

    I disagree. Some of the technologies that SDMI presented are certainly "in the noise", but others not.

    For some, after subtraction, the remaining watermark file was in the -65db (average RMS) range (technology C and technology F), one was about -42db (technology B), and one was about -31db (technology C). FWIW, the original music sample was about -12db.

    Certainly ones like A and B will be harder to get rid of, but they are likely the most audible (especially A which seemed to use a scheme of phase-change in which to bury the watermark. It sounded OK in stereo mode, but the presence of the watermark completely messed up Dolby Pro-Logic surround steering on it).

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
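
The question robl raises above (does a mark survive the noise of an analog loop?) and the residual levels sdo1 reports (-31, -42 and -65 dB against a -12 dB original) can be put on one scale with a toy model. This is an added example, not part of either post and not any of the SDMI technologies: it assumes a generic additive spread-spectrum mark, a constructed three-tone host and key, and an analog loop modelled as additive noise only (no clock drift or filtering).

```python
import math
import random

RATE = 44100  # samples per second (CD rate)


def db_to_amp(db):
    return 10.0 ** (db / 20.0)


def rms_db(samples):
    """RMS level in dB relative to full scale (1.0)."""
    rms = math.sqrt(sum(s * s for s in samples) / len(samples))
    return 20.0 * math.log10(rms) if rms > 0 else float("-inf")


def make_host(n, level_db=-12.0):
    """Constructed stand-in for music: three tones scaled to level_db RMS."""
    raw = [math.sin(2 * math.pi * 440 * i / RATE)
           + 0.5 * math.sin(2 * math.pi * 1320 * i / RATE)
           + 0.25 * math.sin(2 * math.pi * 3520 * i / RATE) for i in range(n)]
    scale = db_to_amp(level_db) / math.sqrt(sum(s * s for s in raw) / n)
    return [s * scale for s in raw]


def pn_sequence(key, n):
    """Key-dependent +/-1 chip sequence shared by embedder and detector."""
    rng = random.Random(key)
    return [1.0 if rng.getrandbits(1) else -1.0 for _ in range(n)]


def embed(host, key, level_db):
    """Add the chip sequence to the host at level_db RMS."""
    gain = db_to_amp(level_db)
    return [h + gain * c for h, c in zip(host, pn_sequence(key, len(host)))]


def analog_loop(samples, noise_db, seed=1):
    """Model D/A followed by A/D as additive Gaussian noise at noise_db RMS."""
    rng = random.Random(seed)
    sigma = db_to_amp(noise_db)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def detect(received, key):
    """Blind correlation detector (no access to the unmarked host).

    Returns a z-score: about N(0, 1) when the key's mark is absent,
    and about gain * sqrt(n) / rms(received) when it is present.
    """
    n = len(received)
    chips = pn_sequence(key, n)
    corr = sum(x * c for x, c in zip(received, chips)) / n
    rms = math.sqrt(sum(x * x for x in received) / n)
    return corr * math.sqrt(n) / rms


def samples_needed(mark_db, host_db, z_target):
    """Samples the detector must integrate to expect z_target."""
    return int((z_target * db_to_amp(host_db - mark_db)) ** 2)


def survey(seconds=2, noise_db=-60.0, key="constructed-key"):
    """For each mark level: residual after subtraction, and z after the loop."""
    n = RATE * seconds
    host = make_host(n)
    rows = []
    for level in (-31.0, -42.0, -65.0):
        marked = embed(host, key, level)
        residual = [m - h for m, h in zip(marked, host)]  # "after subtraction"
        z = detect(analog_loop(marked, noise_db), key)
        rows.append((level, rms_db(residual), z))
    return rows


if __name__ == "__main__":
    for level, residual_db, z in survey():
        secs = samples_needed(level, -12.0, 6.0) / RATE
        print(f"mark {level:6.1f} dB  residual {residual_db:6.1f} dB  "
              f"z after loop {z:6.2f}  audio for z=6: {secs:7.2f} s")
```

In this model the host audio, not the loop's noise floor, dominates the detector's uncertainty, so the weaker the mark, the more audio the detector has to integrate before the mark stands out.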
  56. Re:This is DIVX Part 2 - Audio Edition by pjrc · · Score: 2
    > Insofar as SDMI players playing only "clean" originals, that would make SDMI players far too costly to build. Consumer-level hardware just isn't reliable enough to "refuse to play" because you have some tiny skip in the CD-ROM readback. It simply happens too frequently.

    Too costly.... here's a little reality check, in case you haven't been keeping up with technology for the last several years...

    You can afford to design in a 40 second playback buffer (at 174 kbytes/sec, that's about 7 megs), and in the case of MP3, a DSP capable of the 32 multiply/accumulate operations per sample for the polyphase filter, and even more for the IMDCT, and lots of data shuffling and other code for the complexity of the MP3 bitstream. That's at least 3M MACs/sec for 44.1 kHz stereo sampling. In practice, DSP's running at about 25 MHz seem to be about the lower limit for MP3 playback. If you've got enough computational power to decode MP3 (remember, in the PC world that's at least a faster 486)... you've probably got plenty of hardware to check a watermark. We can't know for sure, since they haven't published the algorithms, but even if the watermark takes a lot more CPU power, you can do the work before you start decoding.... the user expects a second or two of silent time between tracks anyways, and they'll wait a bit longer if needed.

    Tiny skips in the stream from the CD hardly seem like a problem... you've got memory for buffering, and you can always read it again, since deciding whether to play is not a real-time process like maintaining in-progress playback. Watermarks are designed to be resilient to attack.... they can certainly withstand small gaps in the audio, due to scratches or skips.

    In the event there is no watermark, playback is allowed, so the failure mode is "safe". (apparently the wont-play condition is the custom watermark added by a different player) Even if it fails 30% of the time (allowing playback of otherwise restricted input), 70% success is plenty to annoy the holder of the (presumably illegal) to spend some effort to get a cleaner copy, or maybe buy an original.

  57. Re:SDMI: Is it "Unbreakable" or just acting? by magnum32 · · Score: 1

    good point!!! :)

  58. Re:SDMI: Is it "Unbreakable" or just acting? by WillSeattle · · Score: 1

    > Heck, even _thinking_ about trying to remove the watermark is probably illegal

    Well, they'll have to arrest everyone who posted on this thread, then.

    Meantime, I think I'll go do something more useful than help RIAA pretend that SDMI is nigh-invulnerable, and go protest the WTO here in Seattle. Time to do some Christmas shopping at Westlake!

    --
    --- Will in Seattle - What are you doing to fight the War?
  59. Re:The only way you can encrypt music by ideut · · Score: 1
    > Technically, I don't see why it wouldn't

    In that case, you're going to have to be told. Alice can not send Bob a message which Bob can read but not remember. It's as simple as that.

    However, the original post also missed the point as we are talking about watermarking here, not encryption.

  60. The non-geeks understand more than you assume. by Anonymous Coward · · Score: 1
    > I just think a story like this doesn't belong on cnn because a majority of the readers are too technically inept to grasp the point.

    Did you even read the article? Let me quote it for you:

    > A music and technology forum that ran a $10,000 contest back in September challenging people to hack into copyright protection technologies said on Tuesday it was paying prize money to two hackers.

    Pretty cut-and-dried. This statement is easily understood by just about anyone, even someone whose idea of a hacker is inspired by something they saw in a movie. My grandmother might not get it, but my mom does.

    From the tone of your post, I can guess that you might assume that the mp3 format and its pandora's box of copyright issues is only being discussed by geeks. The fact is, it's on everyone's lips. My non-techno-savvy relatives were telling me news about the issue over Thanksgiving, and they had some pretty damn good points.

    The ability to code a couple languages or run a webserver is no excuse for snobbery. Get over yourself.

    Ciao,

    Accountless Coward

  61. Re:SDMI: Is it "Unbreakable" or just acting? by Icebox · · Score: 1
    > once they start to license out the technology don't you think that all the independent test would prove it was truly unbreakable or not

    Certainly they would (or already have), unless the license agreement prevents anyone from attempting to break the crypto, or uses the DMCA to prevent it in the US. I think their objective is twofold:
    1. To make the clueless PHBs of the music industry buy into a technology that they think is unbreakable.
    2. To turn the PR around and show that the recording industry is really trying to give consumers the digital music they want but the evil hackers keep trying to steal from them.

    --
    Icebox
  62. Re: The Real Crime by grovertime · · Score: 2
    The real crime is the 26 companies who presented watermark solutions to the SDMI that were ruled ineligible either because they didn't make their proposals in the bureaucratically approved format, or didn't get their proposal in on time (keeping in mind that the judging occurred over 3 months later than anticipated and that several "insider" companies were allowed to propose late because of their connections). The SDMI is surely representative of the ugly big five labels that founded it - they will never come up with a solution because it is time to phase them out.

    1. humor for the clinically insane
  63. Re:The only way you can encrypt music by gmhowell · · Score: 4

    It won't work because, quite honestly, the RIAA and pals don't want it to work. Given their profits, it should be trivial to buy big number crunching machines (to watermark the music and house our public keys). Then they only have to do two things:

    First, put a terminal into Sam Goody, Coconuts, etc. that reads your ID (username/password or smartcard. The latter is cool and could be combined with a discount card) and then burns your disc.

    OR, cheaper still, let you enter your username/password and dl the music to your machine. While cooler, and while it would be a 'legitimate' method of selling emusic, it also would let you make a copy to a cd.

    But, since THEY want you to buy a copy for the CD, a copy for the computer, a copy for your RIO, etc, they won't do the second option. At least not for so much money that we are right back where we started (CD's too expensive, so rip 'em off)

    The former plan won't work: it takes too long to burn a disc (no, not really, but after you pay your money, are you gonna wait for 30 minutes to get a copy of Britney98SyncAguilera? No, you gotta go show it off to your friends.) There is also the issue of coasterization. I imagine there are essentially zero flawed discs coming from the music makers' plants. Even in a well designed system, in store burners might turn out .1%-1% flawed discs. Expensive both in terms of replacement and PO'ed consumers.

    It is a good idea, and one that I think all parties SHOULD be able to live with. Problem is, it takes away enough freedom from the consumer, and enough profit from the manufacturer to make it unlikely to happen.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  64. Re:Is any encryption safe? by ekidder · · Score: 1

    > Do you trust the NSA? Or MI6? Or GCHQ?
    Well, no. But I don't trust anyone, be they government or corporation or innocent bystander :)

  65. so what? by Spittoon · · Score: 2

    Saying the researchers should get the cash even though they're not in the contest is like saying I should win prizes because I played along with Wheel of Fortune.

  66. Re:Makes you wonder...Digital Snake Oil by Cyberdyne · · Score: 2
    If a watermarking scheme is required to play music, a free, open source player that had the code to check the watermark could easily be changed to play without the watermark.

    Wrong. The whole point is that if the system were truly secure, you could know everything about the encryption etc. and you still wouldn't be able to remove it. Does having the source code to PGP mean you can read encrypted mail without the key? Of course not. Similarly, if SDMI depends on security through obscurity, it is insecure.

    If it is truly secure, the SDMI people should give us the source and all the information you have; if not, they should go away and learn about basic security.

  67. What's it worth? by telstar · · Score: 1

    If $5000 is how much the value of cracking the algorithms is ... then does that mean that when this crap is released into the public domain that the maximum penalty in the courts will be $5000?

  68. Re:The only way you can encrypt music by Cyberdyne · · Score: 2
    Because unless the decrypting and playback equipment is embedded within your skull, some enterprising hacker will simply find a way to take the decrypted audio stream and create a replayable file out of it.

    Exactly. They will never succeed at this, because what they are trying to do is an oxymoron: they want a watermarking system which cannot be removed, yet cannot be detected by the human ear. Meanwhile, audio codecs are designed to remove everything which cannot be heard by the human ear (which will include a successful watermark).

    Either they produce a watermark which ruins the music, so they fail - or they produce a watermark which can't be heard, and is promptly deleted from the music when you compress it.

    Then, there's the simple DoS attack: take their watermarked track with your unique ID in - and add a couple of other inaudible watermarks at random, using the same method. After a couple of tries, the original watermark will have been corrupted by all the other "fake" watermarks you added.

  69. Re:wow, by Chagrin · · Score: 1

    I wonder if those "hackers" feel like whores.

    --

    I/O Error G-17: Aborting Installation

  70. Watermarking is so ass backwards by AudioPunk · · Score: 1

    All watermarks currently screw with the original audio signal, thereby ruining your music. Some say they can't hear it. I ask you, what kind of system are you listening to it on? Try a high quality pair of speakers and a clean amp or maybe just some studio headphones. I guarantee you'll hear a difference. This is only at the current fidelity standard of 44.1kHz/16bits. What happens when the slow move to 96kHz/24bits takes off? Who the hell is going to want to plunk down 1000's of dollars to own the first DVD-A player and $30 a disc only to hear some hissing, clicking, or other crap that is a result of a watermark? No one in their right minds! The new standard dies and all of us craving a better standard than CD's get screwed.

    But what if they did something smart for a change? Take a lesson from Pearl Jam, you idiots. Pearl Jam had a big problem with bootlegging. So, instead of whining about it to the record label or the government, they did for themselves and released every single show from the summer tour straight from a soundboard source. Then they priced it to sell at $11 for each 2 CD concert. That way no bootlegger could keep up with the price or quality and the band actually makes a few bucks in the process. Damn, now isn't that clever? There are currently plans to release the complete fall tour after Christmas. Inside talk says that this will be a fixed practice for all future PJ shows.

    Most people that love music know that outright bootlegging will break artists and cause them to stop working. People would take action for themselves and stop dl'ing mp3 illegally if there was a cheap alternative. Instead the industry wants to spend millions on a system that won't work anyway and then upcharge you to pay for it when all they have to do to stop the problem is charge less in the first place.

    Argh!

    --

    I need a funny sig
  71. In a related note... by leviramsey · · Score: 1

    EMusic (http://www.zdnet.com/zdnn/stories/news/0,4586,2659221,00.html?chkpt=zdhpnews01) and Napster are doing battle over EMusic's just unleashed acoustic fingerprinting, with EMusic monitoring Napster for trades of such MP3's.

    IANA avid follower of events in this arena. Did EMusic publicize their fingerprints prior to unleashing them? Is EMusic's technique one of the ones that's part of SDMI?

  72. Re:Is any encryption safe? by siliconowl · · Score: 1

    "Do *you* trust the NSA? Or MI6? Or GCHQ?"

    Strictly speaking MI6 and GCHQ are very different organisations. MI6 is an espionage body while GCHQ is, if you like, an espionage service provider.

    My understanding is that the NSA is similar. If you're going to include MI6 you should probably include the CIA as well. If you're not going to include the CIA you probably shouldn't include MI6.

    As to whether we can trust them, I trust them to do what they think is best for the country. However what they think is best and what I think is best may be two entirely different things.

    --
    (\/)atthew
  73. Neuter the hardware by VC · · Score: 1

    It seems to me that the watermark is kind of like the region coding in DVD's or playstation games. (except 1 person = 1 region.)
    And the way we got around that one was to alter the playback device.
    EG you chip your playstation, or install a region changer over your DVD software.

    So wouldn't it be easier to just 'chip' your player? Or buy a cheap korean copy with a hidden option to turn watermark detection off?
    I mean when was the last time you saw someone hacking away at playstation software to change the region in the code?

  74. Re:Makes you wonder...Digital Snake Oil by PhilHibbs · · Score: 2

    I disagree, this kind of process has to rely on obscurity. The problem is that you'll have a box on your shelf that generates authentic signatures, and can authenticate signatures in the music. You can pull that box apart, and see how it works. With encryption, you don't have a box that can decrypt my email, 'cos only I have the decrypt key. When both keys are in the box, you can't make it secure unless you put a man with a gun next to every box.

  75. Re:idiots at large by cyber-vandal · · Score: 2

    Perhaps it's because control of the media by just a few individuals is just as bad as control by the government. Since the internet is about (among other things) openness, the above is anathema to many people that post here.

  76. Re:Is any encryption safe? by f5426 · · Score: 2

    > Yes, I enjoyed the movie "Sneakers" too.

    You will probably not believe me, but I never heard of 'Sneakers' before. Went to imdb, looks like the movie is exactly about this. Mmm. French name 'Les Experts'. I'll try to find it.

    Thanks,

    --fred

    --


  77. Simple Solution Folks by gabrieltss · · Score: 1

    Remember what Happened to the original DiVx?

    If people refuse to buy the new SDMI compliant devices and refuse to buy the music that uses the SDMI watermarking it will die - Plain and simple.

    The long term solution is for people to start mass putting out on the internet, sending letters etc.. recommendations to the artists and bands to start "doing it themselves" without the record labels. Tell them to set up their own web sites and sell the music in MP3 format - NON-Encrypted!

    Yes, you will have folks that will distribute the Mp3's illegally - that they didn't pay for or did pay for. But like others have said "you can't stop piracy" PERIOD! You just have to deal with it. Just like we in the U.S. have to deal with a whiny ex-vice president and a political system full of A$$holes.

    Some bands and artists are starting to "get it" and going to internet distribution already. Much of the countries outside the U.S. may not be as affected by all this as the U.S. is - yet.

    Public opinion counts - heck just look at how the U.S. political system operates - they watch the polls! If enough public opinion shifts towards anti-RIAA, anti-MPAA - these groups will HAVE to rethink their positions - hopefully.... then again organized crime doesn't care about public opinion - they just enforce their will upon you.

    (yes, I know this part may be a bit offtopic)
    I think it is high time that the people of the world start to get together and say in one voice " we have had it with how corporations are operating, and tired of how our governments are treating us!" We all want an ideal world, some would say it isn't possible - and it might not be. But if the founding fathers of the U.S. constitution could get quite a bit right - why not take what they did and learn from all the mistakes of the U.S. government, and all the other forms of government in the world and design a "better mousetrap" - it could be done.
    Within the hacker community there used to be an unwritten ethic that all were equal regardless of race, creed, color, or religion - whatever happened to this?

    --
    The Truth is a Virus!!!
  78. Yeah, that'll work by John+Jorsett · · Score: 2
    The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis. Each user must be given a key. Every song file must be encrypted using public/private key encryption tailored to a specific user.

    "Thank you for purchasing 'Simply Irresistible' by Robert Palmer. Enclosed is your custom key which you will need to program into every playback device you own in order to listen to your purchase. Be sure to keep it safe, alongside your other 683,426 keys, as the music is unplayable without it, and we cannot furnish a replacement. You might consider storing your new key with all of your unique website, brokerage, and ATM passwords which you change regularly."

  79. Frequently Asked Questions about SDMI. by TheFlu · · Score: 3
    Found this, which is actually a very interesting read, as I wasn't aware of some of these facts:

    Here are some answers to commonly asked questions about SDMI.

    Q. What are the differences between current MP3 players and SDMI-compliant devices?
    A. Current MP3 players can only play MP3 content. SDMI-compliant devices will play content originating from both SDMI-compliant and non-compliant sources.

    Q. Can SDMI-compliant devices play MP3 files?
    A. Yes. SDMI-compliant devices will be able to play both protected and unprotected formats; it is up to the manufacturer of each device to choose which particular formats to support. The only content SDMI-compliant devices will not play is illegally copied new music with SDMI technology (beginning in Phase 2). Unlike non-SDMI devices, SDMI devices can also be upgraded to play new music released in the future in new SDMI-compliant formats. And many SDMI portable devices will be able to play music that is digitally downloaded in new, protected formats right away.

    Q. Is it true that, in order to play MP3 files, SDMI-compliant software and devices will disable MP3 files after converting them into SDMI-compliant files?
    A. No. SDMI-compliant devices will translate MP3 files into a format acceptable for that device. The exact form will depend on the device. The original MP3 file will remain intact on the computer.

    Q. Why does the SDMI framework allow both protected and unprotected formats?
    A. SDMI members agree that protected formats enable the growth of electronic music distribution by protecting the rights of artists. Members also recognize that there are many legitimate uses for unprotected formats. As a result, SDMI supports both.

    Q. Will consumers still be able to copy their CDs onto their personal computers?
    A. Yes. The specification allows consumers to copy (rip) their CDs onto their computers for personal use (on their PC, on their portable devices, on their portable media, etc.). In fact, the specification enables consumers to do so as many times as they wish - as long as they have the original disk.

    Q. Will it be possible to have content that plays on multiple platforms - PCs, car stereos, portable devices, etc.?
    A. Yes. The 1.0 Specification is intended for portable devices and supporting PC software, but future specifications will address other devices such as car stereos. Existing requirements that relate to portable media (e.g. flash-RAM cards) were written with portability and multiple platform support in mind.

    Q. Will it be possible to have content that plays on portable devices from multiple vendors?
    A. Yes. The SDMI Portable Device specification is a framework for security that promotes interoperability and allows content to be converted from one format to another. The specification allows, but does not require, manufacturers to create systems that are interoperable. There are now a number of different music players and systems on the market that are not compatible with each other. And the initial SDMI offerings also will not offer widespread compatibility across devices at this time. Given the extremely short time frame for producing the portable device specification, it wasn't possible to achieve this goal now. But SDMI is working towards that goal and eventually, we hope that all SDMI-compliant devices will be able to play all SDMI-compliant content.

    This way to the egress > The Linux Pimp

  80. Re:The only way you can encrypt music by jovlinger · · Score: 1

    Actually, I believe that the watermarks are supposed to be robust enough to withstand some signal processing -- optimally any signal processing that retains the song's enjoyability should also retain the watermark, but that is infeasible.

    Actually implementing the signal processing manually is kinda perverse, if you ask me, but that would be one way of doing it. It's really just a battle of who can withstand more quality loss: you or the watermark.

  81. Computationally unwise... by Bostik · · Score: 2

    probably infeasible as well. First of all, to make this proposal work, it would require that

    1. Each user was assigned an asymmetric key.
    2. The files would have to be INDIVIDUALLY "watermarked" as a file once decrypted is just plain data, with nothing to identify from whom it has originated.
    3. There would have to be practically unlimited resource of CPU time. The computation required for doing DH/RSA/ECC on a large file is both really slow and very, very heavy.

    Especially because of the second point, I don't believe it would work. Please, find some references on asymmetric/symmetric hybrid encryption and you will understand why the third point is unmeaningful.

    As this "challenge" proved, watermarking can be removed. Tagging mp3 frame headers with pseudorandom data would be trivial to circumvent. You just can't earmark music that way.

    --
    There is no such thing as good luck. There is only misfortune and its occasional absence.
  82. Smashing Pumpkins fight the RIAA by vectus · · Score: 2

    "MACHINA II/the Friends & Enemies of Modern Music" is the pumpkins' final album, the followup to "MACHINA/the Machines of God". It is a limited pressing of only 25 (twenty-five) copies on hand-cut, hand-numbered, non-lacquered acetate (aka vinyl, aka records), consisting of 3 10" EPs and a double 12" LP, 5 discs & 25 songs total. The 25 copies were given to close friends of the band, a few of whom happen to be online, and who were instructed to circulate the new material as quickly as possible, since the band plans on playing some of the new material on the European tour.

    For more detailed info, see: SPFC

    Since there were only 25 copies on vinyl, unless you were one of the lucky 25, you can't get the original pressing. But since the band instructed some of the recipients to circulate and distribute the material, you will be able to get copies of it- consider it an "official bootleg". Currently, the only source available is mp3. Since none of the 3 known online recipients had access to an ultra-high-end audiophile turntable (the tube kind that cost thousands), one of them used what they had and made mp3s so that the new songs could be distributed immediately. There are plenty of web/ftp sites and mirrors hosting the new songs, as well as people sharing files via napster, AIM, etc. Look around a bit, the info has been posted in many places many times.

    Virgin was not interested in releasing a followup to Machina, so rather than pack up their gear and go home, they recorded and released it themselves. It will not and cannot be officially released on CD, as their contract with Virgin includes a non-compete clause, which prevents them from releasing anything Virgin holds rights to under another label for 1 year. Since the material was partially recorded while still under the Virgin contract, they are legally prohibited from releasing it on another label or in any other way.

    To download, or for more information, go to Machina2

  83. Re:Makes you wonder...Digital Snake Oil by dasunt · · Score: 1

    Ignoring the fact that SDMI is crackable, and ignoring the reports that digital watermarking does interfere with the sound quality of certain music genres (such as jazz, I'm told), what's left - nothing!

    Doesn't matter if they try to sell it or not, they will fail. It's simple, there are already good music formats out there, such as everyone's favorite - mp3. Encryption might allow SDMI to be able to sell to the PHBs, but John Q. Public will stick with mp3s, because mp3 is the de facto music compression scheme. There *is* no market for SDMI. If electronic music was the only means of distribution then it might be possible to keep music in a proprietary format (and I doubt it even then, due to the fact that it all has to be turned into sound), but with the big labels releasing music on CDs, it's just one step away from being ripped to mp3. The only chance SDMI had to take ground away from mp3s was if the compression was better, say, 1/2 the size of an equivalent mp3. But since they decided to spend their money on implementing a half-assed watermarking scheme, they are going to crash and burn, simple as that. I'm not going to rip all my cds again just for watermarking, neither is 99.999% of the people, and the mp3 traders won't, so who's left?

  84. Re:idiots at large by Wah · · Score: 2

    following this...

    is that why it seems on slashdot that all big media companies are "boogeymen"? Is it all just a matter of perspective?
    --

    --
    +&x
  85. Re:The only way you can encrypt music by Cullpepper · · Score: 1
    Not much to stop someone from using their legitimate key to de-crypt the song, and then re-save it as .mp3 or whatever, and post it anonymously to the net. While it's in that de-crypted form, it is vulnerable to copying. (Even if something as low-quality as holding a microphone up to my speakers...)

    The whole problem with any encryption/decryption scheme is eventually the content has to be de-crypted so the end user can see/hear/read it.

    This is the same reason DVD encryption is essentially flawed and the whole De-css issue is the mess that it is.

  86. Re:Is any encryption safe? by Bobzibub · · Score: 1

    Perhaps the NSA can factor primes fast.
    It would be irresponsible to release such info because if word got out, so much of finance and commerce depends upon it there would be chaos. There would have to be a popular alternative in use already.
    Even if they used the ability on occasion, somebody would say: But I encrypted this! How could you know? Rumours would spread.

    The ability would be used only in rare occasions which were critical to a government's national security.

    In essence, if there is a crack, most of us are still safe.

  87. Re:The only way you can encrypt music by Cyberdyne · · Score: 2
    3) (optional) The song is encrypted as well as watermarked. You can play with the key given in step #1. This prevents distribution, and if also watermarked as above, means even if you distribute the unencrypted version, you are tagged.

    Wrong. If the song is encrypted, I must have the decryption key to play it - at which point, I can decrypt it, so I can record the plaintext and distribute it.

    You suggest putting the watermark in "the low order bits", if I understand you correctly. This is trivial to defeat: I just change the low order bits randomly myself! If you can change them without affecting the music, so can I.

    More sophisticated ways of hiding the watermark are also doomed: you must be changing the music itself very slightly (otherwise, simply changing format will destroy the watermark!). Each subsequent watermark will corrupt previous ones, since there is only a finite (and small) area of data they can affect without their watermark being trivial to remove.

    I can just take a watermark reader and a watermark writer. I add my own watermark - random data - then try to read the watermark back from the music. Perhaps some of my ID is still there? No problem - add another random watermark. Rinse, repeat. Compress, Opennap.

  88. Re:Makes you wonder...Digital Snake Oil by jayhawk88 · · Score: 1

    Like your O.S. going to check on every write and make sure you don't do something you shouldn't. Hah!

    I can think of a certain Redmond-based company who might be interested in developing an OS that did this for their own reasons...

  89. never gonna happen by modemboy · · Score: 2

    It's music for christ's sake, if you can listen to it you can copy it. They'll never develop an effective copy protection scheme, so give up already...

    1. Re:never gonna happen by Lumpy · · Score: 1

      The point is to detect it electronically. I.E. This is not blessed so your cd player will not play it. If they get their way it will work in about 10 years, about the time everyone has thrown away their promiscuous cd players and have bought the nice new safe ones...

      It will happen, it just will sneak in over the next decade or so.
      Look at VCR's, it used to be easy to defeat macrovision in a vcr, now you have to use an external box, and the first DVD's didn't add the macrovision....

      --
      Do not look at laser with remaining good eye.
  90. Re:The only way you can encrypt music by Hard_Code · · Score: 2

    So then it's all about making hardware manufacturer pay high fees to license the SDMI technology so they are "allowed" to play the media. Wow...that sounds familiar...

    --

    It's 10 PM. Do you know if you're un-American?
  91. Obligatory by billybob2001 · · Score: 2

    SDMI in Dire Straits comment.

    1. Re:Obligatory by dmatos · · Score: 1

      I love that band! But why is SDMI in them? If this is some kind of weird, kinky sex thing, I don't want to know about it.

      --

      It may look like I'm doing nothing, but I'm actively waiting for my problems to go away.
      --Scott Adams
  92. Re:This is DIVX Part 2 - Audio Edition by StevenMaurer · · Score: 1

    The challenge was to remove a watermark of the same watermarking technology from a 3rd piece of music. And believe me, it's NOT trivial.

    I believe you. However, that is not the "nightmare scenario" that was originally posited.

    The original scenario was that each player would place a different watermark on the same piece of music to aid tracking down just who took an SDMI song and ripped to MP3.

    This means the encoding algorithm would have to be stored in each consumer player, and presumably would have a different identifying seed for each one. That won't happen.

  93. Too convoluted by JCCyC · · Score: 1

    Wouldn't it be simpler just to pass a law that says everybody not in the upper caste of 10,000 or so people owes an infinite amount of money to the caste, period?

  94. Trusted Hardware by crucini · · Score: 1
    Please don't take the following as a description of how SDMI works. Rather, it's a skeletal frame to show that the 'trusted hardware' concept is feasible.
    1. Bob downloads a protected song from Alice, the content owner. The song is encrypted and Bob doesn't have the key. To him, the song is just random bits. Bob would like to play the song on a software player. He can't.
    2. Bob transfers the song to a hardware Player, which has been approved by Alice. The Player decrypts and plays the song when Bob tells it to.
    3. The key storage, decryption, and rights management are performed on a single chip in the Player. Bob would like to extract the keys. He can't. Bob would like to intercept the decrypted audio before rights management decisions are made on it. He can't.

    ...there is no way SDMI can tell the difference between a hardware player and a software player.

    The issue isn't really hardware vs software. It's 'trusted host' vs 'anyone else'. Alice trusts the Player because she thinks Bob can't take apart a chip.
    What they are trying to do, decrypt something securely on someone else's system, can't be done without control of the hardware.

    Given sufficient resources in Bob's hands, this is true. But there's only one hacker who can reverse engineer a VLSI chip for a great many who can reverse engineer a program. If tamper-resistance is built into the chip, as the NSA did with Clipper, reverse engineering could become enormously expensive and hard.
  95. Re: Is any encryption safe? by Matheology · · Score: 1

    Doesn't the "NP=P? Problem" essentially boil down to the question: "What 'network characteristics' can be observed, measured and encoded in an algorithm, a priori, such that, at run time, we: (a) pre-empt a hopeless combinatorial explosion AND (b) mitigate processing time with satisfactory, if not optimal, results?" If so, wouldn't it be most fruitful to use some combination of linear programming and similar stochastic methods? If not, what am I missing here?

  96. Is any encryption safe? by Kiss+the+Blade · · Score: 2
    This shows that even the schemes of multinational corporations can be thwarted by amateurs.

    So what about PGP, the encryption we rely on daily? Let there be no doubt that the NSA and other national bodies are spending billions and throwing the brightest minds at these encryption schemes. They may have been broken already, and we don't know anything about it.

    Do you trust the NSA? Or MI6? Or GCHQ?

    KTB:Lover, Poet, Artiste, Aesthete, Programmer.

    --

    KTB:Lover, Poet, Artiste, Aesthete, Programmer.
    There is no

    1. Re:Is any encryption safe? by f5426 · · Score: 2

      > They may already have a O(lg n) or O(n) factoring algorithm, where n is (respectively) the number or the number of digits in the number.

      > They may already have broken discrete log.

      I often think about this. I wonder what they would do in such a case. Shooting the guy that invented the factorisation stuff would be an obvious start, then hiring everyone on a path to the solution and making them work in such a way that they never find it. And probably killing the coders that implemented the cracking algorithms.

      I mean, this would be the one of the most protected secret ever. I can't even imagine what security level would be needed for this one...

      Cheers,

      --fred

      --


    2. Re:Is any encryption safe? by ryanr · · Score: 2

      I often think about this. I wonder what they would do in such a case. Shooting the guy that invented the factorisation stuff would be an obvious start, then hiring everyone on a path to the solution and making them work in such a way that they never find it. And probably killing the coders that implemented the cracking algorithms.

      Yes, I enjoyed the movie "Sneakers" too.

      If one invents a method to factor numbers in less than NP time (or prove P=NP) then post it to Bugtraq or Slashdot. The feds could never stuff it back in the bag, then.

  97. Analogue??? by Elgon · · Score: 1

    Many people have pointed out that MP3 is good: I agree.

    Many people have pointed out that any form of encryption is hackable (apart from perhaps one time pads): I agree.

    Other people have said that if you can get the audio, and I hasten to add that it is difficult to listen to music without it, then you can copy it: I agree.

    My final point is this: CD is not a huge improvement over vinyl IOCMHO (dynamic range is better, 'accuracy' is maybe better, sound isn't) so given a sufficiently good analogue setup it is easy to copy this kind of stuff and get a pretty good copy. Okay, not good enough to satisfy the industry's 'ears' maybe but then again if I want to listen to Metallica at volume 10 then this is hardly an issue.

    Elgon

  98. Watermarking != encrypting by saider · · Score: 2

    The whole purpose of a watermark is to embed data within an audio or video stream without affecting the sound and/or video quality. A good watermarking system will retain the watermarking information (ie your username) through A/D and D/A conversions. A good watermarking system would adversely affect the sound output if the watermark were forcibly removed. Your solution will only work for an encrypted stream, not a watermarked one.

    --


    Remember, You are unique...just like everyone else.
  99. Ah the irony... by Arker · · Score: 1

    Those who called for the boycott thought that it would be better for them (SDMI) to go ahead and waste a ton of money implementing this technology before it was cracked. I happen to agree with them. But look what's happened. Even though some people didn't honour the boycott, and the "crackability" of their technology has been demonstrated prematurely, the boys in charge seem set on denying reality and pushing it to market anyway.

    This is priceless. Go SDMI! After the media companies throw a few billion dollars down the drain on this snake oil, maybe the suits will finally start to realise they have to adapt to reality, not the other way around.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  100. Re:The only way you can encrypt music by sqlrob · · Score: 1

    Encryption can be used in watermarking. What's wrong with this scheme:

    1) You buy a "license" from the music company that in reality consists of a key pair. You get the public key (maybe, but not required)

    2) The download is encrypted with the private key and the result stored in low order bits or by some other mechanism. This would give a couple of advantages - each song is watermarked differently and can be traced back. Comparing different songs for the watermark won't work, because it is different.

    3) (optional) The song is encrypted as well as watermarked. You can play with the key given in step #1. This prevents distribution, and if also watermarked as above, means even if you distribute the unencrypted version, you are tagged.

    Of course, this still has the same original problem that anything you can hear can be recorded. Does prevent naive distribution though.
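
The low-order-bit variant of step 2 above, and the objection raised in the reply to it (rewriting those bits at random, or simply changing format), can be measured directly. This is an added example, not part of the original thread and not SDMI's method; the 16-byte buyer ID, the sine-tone input and all function names are constructed for illustration.

```python
import math
import random

PAYLOAD = b"user-0001-ticket"  # constructed 16-byte buyer ID (assumption)


def make_tone(n_samples, freq_hz=440.0, rate=44100, amplitude=12000):
    """Constructed input: one channel of 16-bit PCM, a plain sine tone."""
    return [int(amplitude * math.sin(2 * math.pi * freq_hz * i / rate))
            for i in range(n_samples)]


def bytes_to_bits(data):
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed_lsb(samples, payload):
    """Write the payload bits, repeated, into the lowest bit of each sample."""
    bits = bytes_to_bits(payload)
    return [(s & ~1) | bits[i % len(bits)] for i, s in enumerate(samples)]


def extract_lsb(samples, payload_len):
    """Read the payload back, majority-voting each bit over its repetitions."""
    n_bits = payload_len * 8
    ones = [0] * n_bits
    votes = [0] * n_bits
    for i, s in enumerate(samples):
        ones[i % n_bits] += s & 1
        votes[i % n_bits] += 1
    return bits_to_bytes([1 if 2 * o > v else 0 for o, v in zip(ones, votes)])


def randomize_lsb(samples, rng):
    """The reply's objection: overwrite every low-order bit with a random one."""
    return [(s & ~1) | rng.getrandbits(1) for s in samples]


def requantize_15bit(samples):
    """A crude 'format change': drop to 15-bit resolution and back."""
    return [(s >> 1) << 1 for s in samples]


def snr_db(reference, modified):
    """Signal-to-noise ratio of `modified` measured against `reference`."""
    signal = sum(r * r for r in reference)
    noise = sum((r - m) ** 2 for r, m in zip(reference, modified))
    return float("inf") if noise == 0 else 10 * math.log10(signal / noise)


def run_demo(seed=1):
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    clean = make_tone(44100)           # one second of audio
    marked = embed_lsb(clean, PAYLOAD)
    noisy = randomize_lsb(marked, rng)
    coarse = requantize_15bit(marked)
    flipped = sum((a ^ b) & 1 for a, b in zip(marked, noisy)) / len(marked)
    return {
        "read_marked": extract_lsb(marked, len(PAYLOAD)),
        "read_noisy": extract_lsb(noisy, len(PAYLOAD)),
        "read_coarse": extract_lsb(coarse, len(PAYLOAD)),
        "lsb_flip_rate": flipped,
        "snr_marked_db": snr_db(clean, marked),
        "snr_noisy_db": snr_db(clean, noisy),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The mark and the random rewrite cost the audio the same negligible amount of fidelity, which is why a scheme meant to survive processing has to spread its payload across perceptually significant parts of the signal rather than the bits a listener cannot hear.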

  101. Re:idiots at large by talesout · · Score: 1

    I think the perspective of the media companies being "boogeymen" is far more realistic than the idea that all "hackers" are boogeymen. But you're right in a way. It is just perspective. I'm quite sure that the people in charge of the large media conglomerates go home at night utterly convinced that "hackers" should all be shot for not liking them. After all, without their humanitarian efforts at brainwashing, er, educating us, we would all be stupid wandering neanderthals. It's only through their power and money that we have the ability to stand upright.

    *****WARNING*****
    sarcasm above
    *****WARNING*****

    Hehe, isn't perspective great;-).

    --


    Bite my yammer.
  102. They're publicly owned by Galvatron · · Score: 3
    This is the problem with all publicly owned companies. They do mind numbingly stupid things because their shareholders demand it. One of the reasons we have these boom-bust cycles in the economy is because publicly owned companies always have to be growing faster than the economy, or their shareholders will abandon them. They know they can't grow that fast, but no one wants to say anything, because they'll be accused of just covering for their own incompetence.

    Likewise, with music piracy, what is the company going to say? "Yes, we know people are pirating our music. No, we're not going to do anything about it." It would be suicide for all those execs making money off of their stock. Instead, they come up with crap like this to placate their shareholders.

    --
    "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
  103. Re:idoits at large by Refrag · · Score: 1

    Yea, I was telling my friends about a position I saw for one of the banks in town. The job description said they were looking for a "Linux kernel hacker" and that the person would be working on the security team. I thought the job sounded damn cool, which is why I was telling my friends about it. My friends' responses?

    "Hacker?!? Why would they want to hire a hacker?"


    Refrag

    --
    I have a website. It's about Macs.
  104. Re:The only way you can encrypt music by sqlrob · · Score: 2
    Wrong. If the song is encrypted, I must have the decryption key to play it - at which point, I can decrypt it, so I can record the plaintext and distribute it.

    Which is why the watermark is still there, regardless of the encryption state

    You suggest putting the watermark in "the low order bits", if I understand you correctly. This is trivial to defeat: I just change the low order bits randomly myself! If you can change them without affecting the music, so can I.

    That would depend on the player as well. What if the player required those bits to be intact? You already have to have a custom player to do the encryption

    More sophisticated ways of hiding the watermark are also doomed: you must be changing the music itself very slightly (otherwise, simply changing format will destroy the watermark!). Each subsequent watermark will corrupt previous ones, since there is only a finite (and small) area of data they can affect without their watermark being trivial to remove.

    Actually, there would be an infinite amount of data space. There are also all the frequencies too high to hear, as well as subtle changes in the timing (let's shift this beat by a microsecond, for example)

    I can just take a watermark reader and a watermark writer. I add my own watermark - random data - then try to read the watermark back from the music. Perhaps some of my ID is still there? No problem - add another random watermark. Rinse, repeat. Compress, Opennap.

    Depends on the watermark. The shifting mentioned above would be harder to erase, but still possible. I think a lot of the goal of the RIAA is to make it as inconvenient as possible. There will ALWAYS be pirates that can distribute copies. I don't think there is any technological way around it. You can make it inconvenient and/or expensive though.

  105. Are we missing the point? by bjohn · · Score: 1

    It is my understanding that this is a "watermark" form of encryption. That being said, recording the audio through the line-out of your sound card would not remove the digital signature. It would still be detected as copyrighted by a SDMI capable device... So I ask you... Can the watermark be removed without sacrificing the audio quality?

  106. Re:Money for Nothin' by psin+psycle · · Score: 1

    At TwistedTunes.com
    Listen to the mp3 on a fat pipe or a small pipe

    Full Lyrics
    I Want My MP3

    music for nothin (i want my mp3)

    look at that computer that's the way to do it
    you play your music on the mp3
    that ain't stealin', everybody's doin it
    get your music for nothing and your hits for free


    maybe it's stealin, but everybody's doin it
    let me tell you them kids ain't dumb
    they don't give a rip about their favorite singer
    they just keep on ripping off their songs


    we got to install mp3 players
    labels bitchin their losin royalties
    we got to download then maybe later
    we gonna burn a dozen cd's


    --
    Need a website host? Try out http://WebQualityHost.net
  107. Thousands? by maddogsparky · · Score: 1
    The two challengers emerged from a field of 447 submissions as the only ones able to remove the protection systems and successfully disable one of five technologies currently under consideration for SDMI screening technology, the group said.

    I know more people probably tried and didn't submit anything, but I'd say there are a lot more than 447 people with the skills and interest to try cracking these schemes. If that is all the submissions they got, I'd say the boycott was a success.

    --
    science is a religion
  108. idoits at large by magnum32 · · Score: 4

    Do you think the general public can understand what the challenge is truly about? Most will probably miss the point of the story altogether and be abashed that someone would pay a hacker for doing anything. I just think a story like this doesn't belong on CNN because a majority of the readers are too technically inept to grasp the point. I don't want to say these people don't deserve to get the information, but they simply miss or misunderstand anything that the media tries to report to them. Of course, who trusts the media anyway.

    1. Re:idoits at large by david614 · · Score: 1

      Not to criticize your friends....

      But they need to get a clue.

      --
      ELITISM: It's always lonely at the top. Uninvited company is rarely welcome.
  109. SDMI: Is it "Unbreakable" or just acting? by WillSeattle · · Score: 1

    Let's face it, SDMI is not the Bruce Willis of watermarking schemes. But, the RIAA wants people to believe that it's nigh-invulnerable, so it's not in their interest to admit that every single one of their tests has been broken, shattered, and held up to the light to show the large bullet holes in it.

    But you won't read about this in the media, since they are controlled by the same companies which comprise RIAA, so they don't want you to know that it's a stupid idea, badly implemented, that will just make it harder for consumers to do what they have the right to do anyway.

    Kind of like Bush - big hat, no cattle.

    --
    --- Will in Seattle - What are you doing to fight the War?
    1. Re:SDMI: Is it "Unbreakable" or just acting? by magnum32 · · Score: 1

      What would be the purpose of just acting like it was unbreakable? It could fall the other way, and no one actually hacked it and it was a publicity stunt. But I don't think all this effort would go to just make people think it was unbreakable. There is no reason to do so. Once they start to license out the technology, don't you think that all the independent tests would prove it was truly unbreakable or not?

  110. Only that ? by cookieman · · Score: 1

    I think that they deserved more than $5000 each, don't they?
    For that money I wouldn't even participate in the contest. But for fun? That's something else...
    Before you start flaming me, go read the article.

    --
    Just another coder...
  111. Money for Nothin' by Dannon · · Score: 3

    I want my...
    I want my...
    I want my MP3.
    ---

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  112. This is DIVX Part 2 - Audio Edition by sdo1 · · Score: 5

    I think a lot of people here are missing the point. They're not going to encrypt every CD with a unique number, but they WILL make you register your SDMI compliant play-back device (hardware or software).

    Now maybe the original work you bought at the store has a watermark in the music. If your SDMI compliant device does not see said watermark, it won't play.

    And if it DOES see the watermark, an ADDITIONAL watermark containing your unique registration information is added to the OUTPUT device, be it a digital out or analog out.

    Now you capture that output (record it to tape, rip it to .mp3, or whatever) and then pass it around the internet... and BAM! They've gotcha!

    From that file, they'll be able to read the watermark (assuming you haven't done a credible job destroying it while still maintaining the sound quality of the music) and they know EXACTLY whose equipment the file was produced on... and since you've registered that equipment (or software), they know exactly who YOU are.

    Now go back to my 2nd paragraph. To make this even more ugly, maybe your SDMI compliant playback device will only play "clean" originals or copies from your own SDMI compliant devices. Try to play back some song that you copied from a buddy and his registration code is buried in the watermark. Bzzzzt. Invalid code. Will not play.

    This is evil, evil technology. The way to stop it is the same way we stopped DIVX. Educate your friends and family. And don't buy SDMI compliant devices (hardware AND software).

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
    1. Re:This is DIVX Part 2 - Audio Edition by tietokone-olmi · · Score: 2

      Psst. Software SDMI player + wine/{free,v}mware + a competent cracker (like they were in the 1980s and early 1990s) + a case of jolt -> SDMI format decoder that spits out the actual encoding instead of either the encrypted crap or the raw PCM output.

      Just you wait.

    2. Re:This is DIVX Part 2 - Audio Edition by StevenMaurer · · Score: 2

      An interesting scenario, but one unlikely to actually work.

      By doing a bitwise comparison of two different "SDMI-approved" players, anyone of even moderate programming talent could identify the "new" watermark the players were adding and either eliminate it, or make it untraceable by filling it with random data.

      Insofar as SDMI players playing only "clean" originals, that would make SDMI players far too costly to build. Consumer-level hardware just isn't reliable enough to "refuse to play" because you have some tiny skip in the CD-ROM readback. It simply happens too frequently.

      You don't need to "educate" anybody. If SDMI comes out like this, people won't buy players for it. Period.

    3. Re:This is DIVX Part 2 - Audio Edition by ditsara · · Score: 1

      If you capture the analog output, there is no way that the watermark could be preserved. Once you convert your digital music, no matter what format it is stored in, into something that the human ear can recognize, it simply becomes a wave of variable frequency / magnitude. If some form of digital information, such as a SDMI watermark, was stored in an analog signal, it would screw up the actual music.

  113. Re:Makes you wonder...Digital Snake Oil by ChadN · · Score: 2

    But this is the difference between encryption and watermarking. If the music were encrypted, it couldn't be played without decryption (everything would sound like white noise). Here, the watermarked music is essentially still in plaintext, and can be played by any program that understands the music format. The watermarking may hide an ID that COULD allow a player to discern information "hidden" in the music, but it doesn't obscure the music itself.

    In theory, a closed source player could refuse to play the music, but another program that doesn't check for watermarks would. So the watermarking is really an attempt to track the music, or identify the creator (or the watermarker). It cannot effectively prevent playback without encryption, however.

    I'd like to know what happens if additional watermarks are added to an already watermarked piece of music. Do they somehow add linearly, or do they interact destructively, making the watermark useless? Are different watermarking algorithms orthogonal (ie. don't affect each other too badly), or can noise be added to any watermarking scheme (without too badly affecting the signal)? If watermarking is immune to such tampering (which I doubt), it makes sense to try and keep the specific technique secret. However, as many have pointed out, watermarking seems inherently defeatable (assuming you can live with an imperfectly reconstructed signal).

    --
    "It's overkill, of course. But you can never have too much overkill." - Anonymous Slashdot Coward
  114. Re:The only way you can encrypt music by Python · · Score: 3
    Simply because you don't need the keys to play the music! Once you decrypt the music, you don't need a key, and it's the decrypted music that you can give to your friends. That's why a personally encrypted music file buys you nothing. Eventually the music has to be decrypted, and once it's decrypted you don't need the key anymore - and if that's what you use to identify the pirate, you're sunk.

    That's why the SDMI goons are using watermarks. They're trying to hide your identity in the music file so if you give the song away, they can nail you. Aside from the obvious problem that all of the watermarking schemes were totally defeated, defeating the ability of the RIAA to track down the person that is distributing it, there is also the "so what?" problem. Simply explained it boils down to the fact that watermarks prove nothing.

    Even if the watermark is intact, the information contained in it is not trusted for a whole host of reasons. If the watermark is trivial to forge, then it proves nothing. If the watermark can be overwritten with another watermark, it proves nothing. If the watermark isn't using a digital signature, validating its authenticity, it proves nothing. If the implementation of the signature scheme is flawed in any way (i.e. it can be forged), it proves nothing. If the keys are ever stolen (if the watermarking scheme is even using watermarks!), the watermarks prove nothing. The list goes on and on, but the bottom line here is that there are serious serious technical problems with watermarking. But it gets worse for the SDMI folks!

    Even if the watermark survives all the technical and implementation attacks against it, it still doesn't prove anything. There is no trust in the model to absolutely verify the identity of the person that bought the music, short of a police state. What if your credit card was stolen to buy the music online? What if the person buying the music, in person, has a fake ID with your name and address on it? Furthermore, what's to say the song wasn't stolen? That your box wasn't broken into and so on. Or, what if you bought the song and gave it to someone as a gift? The list goes on. The bottom line here is that it's circumstantial evidence at best.

    What the SDMI folks are trying to create is a false sense of security in their constituency. And frankly, I think SDMI is rapidly becoming a set of technologies in search of a problem to solve. SDMI simply does not do what its creators claim it does, and the SDMI folks are too embarrassed to admit that they have wasted millions of dollars of the constituency's money pursuing a ridiculously flawed idea.

    --
    Python

    --

    Python
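
The distinction drawn in the comment above (an unauthenticated watermark proves nothing) and the low-order-bit objection quoted in comment 104, as an added example that is not part of the original thread: a toy scheme that stores a buyer ID plus an authentication tag in the low-order bits of PCM samples. It uses HMAC-SHA256 as a stand-in for a digital signature; the key, buyer IDs, field sizes and sample data are all constructed assumptions, and this is not any SDMI scheme.

```python
import hashlib
import hmac
import random

KEY = b"constructed-demo-key"  # assumption: secret held only by the distributor
ID_LEN, TAG_LEN = 10, 8        # assumed sizes: buyer ID bytes, truncated MAC bytes

def make_payload(buyer_id, key=KEY):
    """Buyer ID followed by a truncated HMAC-SHA256 tag over it."""
    assert len(buyer_id) == ID_LEN
    return buyer_id + hmac.new(key, buyer_id, hashlib.sha256).digest()[:TAG_LEN]

def embed(samples, payload):
    """Write payload bits (MSB first) into the low-order bit of successive samples."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("not enough samples to carry the payload")
    return [(s & ~1) | b for s, b in zip(samples, bits)] + list(samples[len(bits):])

def extract(samples):
    """Read ID_LEN + TAG_LEN bytes back out of the low-order bits."""
    n_bits = (ID_LEN + TAG_LEN) * 8
    bits = [s & 1 for s in samples[:n_bits]]
    return bytes(
        sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
        for i in range(0, n_bits, 8)
    )

def verify(payload, key=KEY):
    """Return the buyer ID if the tag authenticates it, else None."""
    buyer_id, tag = payload[:ID_LEN], payload[ID_LEN:]
    expected = hmac.new(key, buyer_id, hashlib.sha256).digest()[:TAG_LEN]
    return buyer_id if hmac.compare_digest(tag, expected) else None

def demo():
    rng = random.Random(2000)
    pcm = [rng.randint(-32768, 32767) for _ in range(1024)]  # constructed 16-bit samples
    marked = embed(pcm, make_payload(b"buyer-0042"))
    # Someone without KEY writes another buyer's ID with a made-up tag.
    forged = embed(pcm, b"buyer-0007" + bytes(TAG_LEN))
    # Low-order bits replaced with noise, as the quoted objection in comment 104 suggests.
    noisy = [(s & ~1) | rng.getrandbits(1) for s in marked]
    return {
        "intact": verify(extract(marked)),
        "forged": verify(extract(forged)),
        "noisy": verify(extract(noisy)),
        "max_sample_change": max(abs(a - b) for a, b in zip(pcm, noisy)),
    }

if __name__ == "__main__":
    print(demo())
```

The tag keeps a forged buyer ID from verifying, but it adds no robustness: the mark is gone after a change of at most one step per sample. Because HMAC is symmetric, anyone holding the verification key could also mint valid tags, which is the stolen-key case the comment lists.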

  115. Morons by Shoeboy · · Score: 2

    You can make a lot more than $5000 by cracking the security on a major ecommerce website and making off with the credit cards.
    I've met over 65536 elite hackers on IRC who have become millionaires that way.
    --Shoeboy

  116. The only way you can encrypt music by aim4min · · Score: 3

    The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis. Each user must be given a key. Every song file must be encrypted using public/private key encryption tailored to a specific user. The song file will only be viewable if you decode it with your private key. Ok, this method has its flaws. Notably, customizing songs for each person will be a tedious task. (But, it's feasible) Another problem, why not just give your key out to your friends or post it on the net? Well, they can determine your identity from your key, and they will probably go after you for copyright violation of some sort. Why won't something like this system work?

  117. wow, by canning · · Score: 2

    I can't believe that these 'hackers' got paid $5,000! They're set for life!! What would the world be like without the generosity towards the high tech industry by such big companies as Seagram Co Ltd.'s Universal Music, Bertelsmann AG's BMG, Sony Corp.'s Sony Music, Time Warner's Warner Music Group and EMI Group's EMI Music. Time Warner is the parent company of CNN.com. Especially if they have to keep paying security experts to troubleshoot their system.

    We should all feel blessed.

    They got off cheap.

    --
    I love the smell of Karma in the morning