Money For Nothin' From The SDMI Hacking Contest
OS24Ever points to this CNN story, writing: "SDMI is announcing that they are paying two hackers $5000 each for breaking the encryption on their watermarking technology." And as the article points out, conspicuously ignoring the fact that independent researchers have broken four of the watermarking schemes without taking part in the official contest.
I hope you're only a freshman at MIT...the point of the watermark is to add analog encoded watermark information to the signals without compromising audio quality. The watermark is designed to hold up even after analog recording - such as through the output of your soundcard. Think of it as the opposite of mp3 encoding - mp3 uses a psycho-acoustical model to remove sounds that we won't perceive, SDMI uses a psycho-acoustical model to add sounds we won't perceive.
Scuttlemonkey is a troll
That is completely false. The watermark is imbedded in the ANALOG signal. There are several technologies that SDMI is proposing, and I'll be honest, I couldn't hear them all on the samples they provided with and without the watermarking. Some were audible, but perhaps those are the harder ones to break. The quality of the original works wasn't that great to begin with, so maybe that had something to do with it. I'd imagine that it'd be easier to bury a non-audible watermark in "busy" music than it would something that's soft and simple.
The watermark is designed to survive digital conversion and compression. And some of the technologies do survive. I did some of my own testing of the "sample" files that SDMI made available. I subtracted the "watermarked" from the "unwatermarked" files leaving just the watermark. Then I compressed the files with various schemes (mp3 file compression to different bit rates), and again subtracted the watermarked from the unwatermarked files. This leaves behind a post-compression watermark. I then compared this to the uncompressed watermark. And in most cases, they were, both visually and audibly, similar enough that I could imagine that the watermark may have survived.
In theory perceptual coding (which .mp3 compression is) should get rid of non-audible parts of the files. The fact that the watermarks did remain to some extent shows that they are, at least in theory, audible.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
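An added example, not part of any comment in this thread: the difference-signal test described in the comment above, turned into a number. The host tone, the additive mark and both "codecs" are constructed stand-ins (assumptions), not SDMI technology or a real MP3 encoder.

```python
import math
import random

def toy_watermark(n, chip_len=16, amp=0.01, seed=1):
    # Constructed additive mark: +/-amp pseudo-random chips. Not an SDMI scheme.
    rng = random.Random(seed)
    chips = [rng.choice((-1.0, 1.0)) for _ in range(n // chip_len + 1)]
    return [amp * chips[i // chip_len] for i in range(n)]

def quantize(sig, step):
    return [math.floor(x / step + 0.5) * step for x in sig]

def mild_codec(sig):
    # Assumed stand-in for lossy coding: 4-tap moving average + fine quantizer.
    padded = [sig[0]] * 3 + list(sig)
    return quantize([sum(padded[i:i + 4]) / 4 for i in range(len(sig))], 1 / 256)

def harsh_codec(sig):
    # Quantizer step far larger than the mark, so most of the mark is erased.
    return quantize(sig, 0.25)

def residual(marked, clean):
    # "Watermarked minus unwatermarked": what is left is the mark itself.
    return [m - c for m, c in zip(marked, clean)]

def similarity(a, b):
    # Normalized correlation in [-1, 1]; 0.0 if either residual is silent.
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))
    return dot / norm if norm else 0.0

def survival(clean, marked, codec):
    # Compare the residual before the lossy step with the residual after it.
    before = residual(marked, clean)
    after = residual(codec(marked), codec(clean))
    return similarity(before, after)

N = 4096  # constructed two-tone host signal at a 44.1 kHz sample rate
CLEAN = [0.5 * math.sin(2 * math.pi * 440 * i / 44100)
         + 0.3 * math.sin(2 * math.pi * 1000 * i / 44100) for i in range(N)]
MARKED = [c + w for c, w in zip(CLEAN, toy_watermark(N))]

if __name__ == "__main__":
    for codec in (mild_codec, harsh_codec):
        print(codec.__name__, round(survival(CLEAN, MARKED, codec), 3))
```

A score near 1 means the residual after the lossy step still looks like the original mark; a score near 0 means the step removed or scrambled it.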
We're geeks. We don't need money. What happened to the chicks for free part?
People replying to my sig annoy me. That's why I change it all the time.
If the 'hackers' are SDMI employees or such, and this is simply an attempt to give credibility to a completely flawed process.
Perhaps they believe that posing the contest as a legitimate, well executed test of the cryptographic properties of their watermarking systems will make the remaining UNBREAKABLE! cyphers seem bomb proof.
If they were to publish the attacks, complete with cryptanalysis and how the crack was discovered, I would have a bit more faith in the result.
P.S. I wonder how much they are going to charge to license these forced watermark encryption schemes...
Step one: connect line out from player to line in on recorder
Step two: press record
Step three: press play
Step four: enjoy your unwatermarked song
"The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
No matter what, you can always record the lineout from your soundcard, then recompress into whatever you feel like (MP3, for example).
You may say "not many people would go through the trouble", but only ONE person has to, then they can share the MP3 just like we do now.
Nothing will stop this, so why are they bothering with all this encryption technology?
That a piece of music carries a watermark linking it to the person who purchased it raises certain important issues. For instance, certain problems arise when person X transfers his copy to person Y (permanently or otherwise). Imagine what happens if person Y pirates a copy of the song without person X's knowledge. Would person X be held responsible, given that X's identity is linked to the file? Companies seem to believe it's their right to track our every move, privacy be damned.
Of course they really don't want us to transfer our files to anyone else. Every sale is a "first sale" under their little scheme. Why should hackers help out a group whose only purpose is to limit our rights as consumers?
"In prison you just have to shut your eyes and take it. Here you have to shut your eyes and give it."
It won't work because, quite honestly, the RIAA and pals don't want it to work. Given their profits, it should be trivial to buy big number crunching machines (to watermark the music and house our public keys). Then they only have to do two things:
First, put a terminal into Sam Goody, Coconuts, etc. that reads your ID (username/password or smartcard. The latter is cool and could be combined with a discount card) and then burns your disc.
OR, cheaper still, let you enter your username/password and dl the music to your machine. While cooler, and while it would be a 'legitimate' method of selling emusic, it also would let you make a copy to a cd.
But, since THEY want you to buy a copy for the CD, a copy for the computer, a copy for your RIO, etc, they won't do the second option. At least not for so much money that we are right back where we started (CD's too expensive, so rip 'em off)
The former plan won't work: it takes too long to burn a disc (no, not really, but after you pay your money, are you gonna wait for 30 minutes to get a copy of Britney98SyncAguilera? No, you gotta go show it off to your friends.) There is also the issue of coasterization. I imagine there are essentially zero flawed discs coming from the music makers' plants. Even in a well designed system, in store burners might turn out .1%-1% flawed discs. Expensive both in terms of replacement and PO'ed consumers.
It is a good idea, and one that I think all parties SHOULD be able to live with. Problem is, it takes away enough freedom from the consumer, and enough profit from the manufacturer to make it unlikely to happen.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Here are some answers to commonly asked questions about SDMI.
Q. What are the differences between current MP3 players and SDMI-compliant devices?
A. Current MP3 players can only play MP3 content. SDMI-compliant devices will play content originating from both SDMI-compliant and non-compliant sources.
Q. Can SDMI-compliant devices play MP3 files?
A. Yes. SDMI-compliant devices will be able to play both protected and unprotected formats; it is up to the manufacturer of each device to choose which particular formats to support. The only content SDMI-compliant devices will not play is illegally copied new music with SDMI technology (beginning in Phase 2). Unlike non-SDMI devices, SDMI devices can also be upgraded to play new music released in the future in new SDMI-compliant formats. And many SDMI portable devices will be able to play music that is digitally downloaded in new, protected formats right away.
Q. Is it true that, in order to play MP3 files, SDMI-compliant software and devices will disable MP3 files after converting them into SDMI-compliant files?
A. No. SDMI-compliant devices will translate MP3 files into a format acceptable for that device. The exact form will depend on the device. The original MP3 file will remain intact on the computer.
Q. Why does the SDMI framework allow both protected and unprotected formats?
A. SDMI members agree that protected formats enable the growth of electronic music distribution by protecting the rights of artists. Members also recognize that there are many legitimate uses for unprotected formats. As a result, SDMI supports both.
Q. Will consumers still be able to copy their CDs onto their personal computers?
A. Yes. The specification allows consumers to copy (rip) their CDs onto their computers for personal use (on their PC, on their portable devices, on their portable media, etc.). In fact, the specification enables consumers to do so as many times as they wish - as long as they have the original disk.
Q. Will it be possible to have content that plays on multiple platforms - PCs, car stereos, portable devices, etc.?
A. Yes. The 1.0 Specification is intended for portable devices and supporting PC software, but future specifications will address other devices such as car stereos. Existing requirements that relate to portable media (e.g. flash-RAM cards) were written with portability and multiple platform support in mind.
Q. Will it be possible to have content that plays on portable devices from multiple vendors?
A. Yes. The SDMI Portable Device specification is a framework for security that promotes interoperability and allows content to be converted from one format to another. The specification allows, but does not require, manufacturers to create systems that are interoperable. There are now a number of different music players and systems on the market that are not compatible with each other. And the initial SDMI offerings also will not offer widespread compatibility across devices at this time. Given the extremely short time frame for producing the portable device specification, it wasn't possible to achieve this goal now. But SDMI is working towards that goal and eventually, we hope that all SDMI-compliant devices will be able to play all SDMI-compliant content.
This way to the egress > The Linux Pimp
--It's Pimptastic!--
Likewise, with music piracy, what is the company going to say? "Yes, we know people are pirating our music. No, we're not going to do anything about it." It would be suicide for all those execs making money off of their stock. Instead, they come up with crap like this to placate their shareholders.
"The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
Do you think the general public can understand what the challenge is truly about? Most will probably miss the point of the story altogether and be abashed that someone would pay a hacker for doing anything. I just think a story like this doesn't belong on CNN because a majority of the readers are too technically inept to grasp the point. I don't want to say these people don't deserve to get the information but they simply miss or misunderstand anything that the media tries to report to them. Of course, who trusts the media anyway.
www.droppingdimes.com
Whether the independent researchers get any money is not the point. Rather, SDMI is ignoring the fact that four watermarking schemes have been broken, instead focusing on the results of the silly contest.
The fact that the researchers are being ignored, and SDMI is focusing on the hackers is telling; they know the researchers have done serious work that could compromise the system.
I want my...
I want my...
I want my MP3.
---
Good judgment comes from experience.
Experience comes from bad judgment.
I think a lot of people here are missing the point. They're not going to encrypt every CD with a unique number, but they WILL make you register your SDMI compliant play-back device (hardware or software).
Now maybe the original work you bought at the store has a watermark in the music. If your SDMI compliant device does not see said watermark, it won't play.
And if it DOES see the watermark, an ADDITIONAL watermark containing your unique registration information is added to the OUTPUT device, be it a digital out or analog out.
Now you capture that output (record it to tape, rip it to .mp3, or whatever) and then pass it around the internet... and BAM! They've gotcha!
From that file, they'll be able to read the watermark (assuming you haven't done a credible job destroying it while still maintaining the sound quality of the music) and they know EXACTLY whose equipment the file was produced on... and since you've registered that equipment (or software), they know exactly who YOU are.
Now go back to my 2nd paragraph. To make this even more ugly, maybe your SDMI compliant playback device will only play "clean" originals or copies from your own SDMI compliant devices. Try to play back some song that you copied from a buddy and his registration code is buried in the watermark. Bzzzzt. Invalid code. Will not play.
This is evil, evil technology. The way to stop it is the same way we stopped DIVX. Educate your friends and family. And don't buy SDMI compliant devices (hardware AND software).
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
That's why the SDMI goons are using watermarks. They're trying to hide your identity in the music file so if you give the song away, they can nail you. Aside from the obvious problem that all of the watermarking schemes were totally defeated, defeating the ability of the RIAA to track down the person that is distributing it, there is also the "so what?" problem. Simply explained it boils down to the fact that watermarks prove nothing.
Even if the watermark is intact, the information contained in it is not trusted for a whole host of reasons. If the watermark is trivial to forge, then it proves nothing. If the watermark can be overwritten with another watermark, it proves nothing. If the watermark isn't using a digital signature, validating its authenticity, it proves nothing. If the implementation of the signature scheme is flawed in any way (i.e. it can be forged), it proves nothing. If the keys are ever stolen (if the watermarking scheme is even using watermarks!), the watermarks prove nothing. The list goes on and on, but the bottom line here is that there are serious serious technical problems with watermarking. But it gets worse for the SDMI folks!
Even if the watermark survives all the technical and implementation attacks against it, it still doesn't prove anything. There is no trust in the model to absolutely verify the identity of the person that bought the music, short of a police state. What if your credit card was stolen to buy the music online? What if the person buying the music, in person, has a fake ID with your name and address on it? Furthermore, what's to say the song wasn't stolen? That your box wasn't broken into and so on. Or, what if you bought the song and gave it to someone as a gift? The list goes on. The bottom line here is that it's circumstantial evidence at best.
What the SDMI folks are trying to create is a false sense of security in their constituency. And frankly, I think SDMI is rapidly becoming a set of technologies in search of a problem to solve. SDMI simply does not do what its creators claim it does, and the SDMI folks are too embarrassed to admit that they have wasted millions of dollars of the constituency's money pursuing a ridiculously flawed idea.
--
Python
Python
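An added example, not part of any comment in this thread: what the comment above means by an unauthenticated identity payload proving nothing, and why a leaked key undoes an authenticated one. The payload layout, the names and the key are constructed for illustration, and HMAC from the Python standard library stands in for the digital signature the comment mentions.

```python
import hashlib
import hmac

TAG_LEN = 16  # truncated tag (assumption: a watermark payload has little room)
ISSUER_KEY = b"constructed-demo-key"  # sample value, not a real key

def make_payload(buyer_id: bytes, track_id: bytes, key: bytes) -> bytes:
    # Hypothetical layout: 1-byte buyer length | buyer | track | tag.
    body = bytes([len(buyer_id)]) + buyer_id + track_id
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def parse_unauthenticated(payload: bytes) -> bytes:
    # Trusts whatever buyer ID is present; nothing binds it to the issuer.
    return payload[1:1 + payload[0]]

def parse_authenticated(payload: bytes, key: bytes):
    # Returns the buyer ID only if the tag verifies, otherwise None.
    if len(payload) < 1 + TAG_LEN:
        return None
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    if 1 + body[0] > len(body):
        return None
    return body[1:1 + body[0]]

def attribution_results():
    genuine = make_payload(b"alice", b"TRK001", ISSUER_KEY)
    # Same track and tag, but the buyer field has been rewritten.
    relabelled = bytes([3]) + b"bob" + b"TRK001" + genuine[-TAG_LEN:]
    # Payload minted by anyone who holds a copy of the issuer key.
    minted = make_payload(b"bob", b"TRK001", ISSUER_KEY)
    return {
        "genuine": parse_authenticated(genuine, ISSUER_KEY),
        "relabelled_unauthenticated": parse_unauthenticated(relabelled),
        "relabelled_authenticated": parse_authenticated(relabelled, ISSUER_KEY),
        "minted_with_leaked_key": parse_authenticated(minted, ISSUER_KEY),
    }

if __name__ == "__main__":
    for name, buyer in attribution_results().items():
        print(f"{name}: {buyer}")
```

The last result is the key-theft case: the tag verifies, so verification alone shows only that a key holder produced the payload, not who bought the music.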
The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis. Each user must be given a key. Every song file must be encrypted using public/private key encryption tailored to a specific user. The song file will only be viewable if you decode it with your private key. Ok, this method has its flaws. Notably, customizing songs for each person will be a tedious task. (But, it's feasible) Another problem, why not just give your key out to your friends or post it on the net? Well, they can determine your identity from your key, and they will probably go after you for copyright violation of some sort. Why won't something like this system work?