SDMI Researchers Cancel Presentation After RIAA Threat

John Langford sent in the statement read by Dr. Edward Felten, a professor at Princeton University, who decided to skip presenting the paper he co-authored at a scientific conference due to legal threats made by the RIAA. The RIAA put out an open challenge in September 2000, requesting that researchers attack and crack the SDMI watermarking scheme, but demanded that anyone who researched the scheme suppress their results in order to be eligible for a cash prize. "Show off your skills", they said, but they didn't mean it. Felten and colleagues declined the cash prize and its accompanying restrictions, but have been threatened anyway - the RIAA would have brought a lawsuit claiming the research paper is a circumvention device forbidden by the DMCA, much like the DeCSS case.

Statement read by Edward W. Felten
Fourth International Information Hiding Workshop
Pittsburgh, PA
April 26, 2001

"On behalf of the authors of the paper "Reading Between the Lines: Lessons from the SDMI Challenge," I am disappointed to tell you that we will not be presenting our paper today.

Our paper was submitted via the normal academic peer-review process. The reviewers, who were chosen for their scientific reputations and credentials, enthusiastically recommended the paper for publication, due to their judgment of the paper's scientific merit.

Nevertheless, the Recording Industry Association of America, the SDMI Foundation, and the Verance Corporation threatened to bring a lawsuit if we proceeded with our presentation or the publication of our paper. Threats were made against the authors, against the conference organizers, and against their respective employers.

Litigation is costly, time-consuming, and uncertain, regardless of the merits of the other side's case. Ultimately we, the authors, reached a collective decision not to expose ourselves, our employers, and the conference organizers to litigation at this time.

We remain committed to free speech and to the value of scientific debate to our country and the world. We believe that people benefit from learning the truth about the products they are asked to buy. We will continue to fight for these values, and for the right to publish our paper.

We look forward to the day when we can present the results of our research to you, our colleagues, through the normal scientific publication process, so that you can judge our work for yourselves."

Re:Egads...

DeCSS fits that definition, for sure - download the software, and you can rip DVD's. (Disclaimer: I'm not at all agreeing that that should be illegal - I'm just saying that DeCSS is a real circumvention device.)

Yep, you're right! The compiled, executable program called 'DeCSS', when running, is an actual circumvention device. The source code, which could potentially be compiled into an executable and then potentially run, is NOT a circumvention device unless ACTUALLY COMPILED AND RUN. This is my opinion.

However some bent judge believes that those ASCII characters of DeCSS are actually circumvention devices. They're also circumvention devices when printed on a t-shirt. If I scrawl the CSS algorithim on a paper napkin, that's a circumvention device. I think that's rubbish, but perhaps you can see why the RIAA could claim a paper about their flawed challenge to be a circumvention device? They need only follow m'learned judge's thinking.

Well played! Now tell your congresscritter! MODUP

This was well played on their part. Everyone seems to have heard about how the evil RIAA is using the DMCA to block academic research. Heck, even my Mom has heard of it, and she doesn't know how to turn on a computer!

Now, we need to take the next step! Take 10 minutes and tell your Senators and Representatives how you feel about this!

You can find out who they are, and how to contact them, over at:

• Search For Senators by State
• Search For Representatives by State

Re:It is also akin to schools in the north saying.

As usual the facts fall by the wayside. All that is taboo in public schools WRT religion is forced participation. You can't herd the entire student body into the auditorium and have "prayer hour."

The school obviously can't (and doesn't want to) stop you from praying during homeroom, or discussing religion with your friends (as long as its at an appropriate time, ie, not during math class).

Hell, at my public school, there were student run bible study groups. They were allowed to meet in unused classrooms, and there were no problems, as long as participation was 100% voluntary.

I find it rather humorous how rich white suburban kids are trying to play persecuted because they aren't allowed to force all their classmates to pray with them every morning.

Freenet Mirror of paper

Yes:

freenet:KSK@sdmi-paper.html
or
freenet:KSK@sdmi-attack.htm

Only one thing left to do

Justice is dead and the law is in bed with big money, so you can either be ruled by the monied interests or kill them. How many lawyers would be willing to prosecute people for distributing DeCSS if they became walking targets? If there is any lesson to be learned from the knuckle-draggers who are opposed to anyone having an abortion, it is that threats to life and limb work. If you are not willing to fight for your rights, you have already given them up.

Do the presentation OUTSIDE the US.

DMCA is not world law. Look at all the "law breakers" hosting their porn sites in the haven that is the US just to get around Saudi anti-porn laws.

http://www.riaa.org/Freedom-Intro.cfm

"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances." First Amendment, ratified December 15, 1791 The Recording Industry Association of America (RIAA) takes an uncompromising stand against censorship and for the First Amendment rights of all artists to create freely. From the nation's capital to state capitals across the country, RIAA works to stop unconstitutional action against the people who make the music of our times--and those who enjoy it.

I Am A Lawyer, albeit a Canadian one...

...and this is a perfect example of the "chilling effect" that threatening litigation has in a country that doesn't provide that the losing side pay solicitor and his client full indemnity costs for the legal expenses and also punitive damages for malicious, baseless litigation.

Folks, it's time that Americans pass laws that penalize oppressive litigators - including, for repeat offenders, corporate or otherwise, needing leave of the court for bringing further motions and lawsuits.

I am a Canadian lawyer, but I wouldn't practice in California or New York State on a bet (and I have standing job offers in both places).

You get the political and legal system you deserve. Better a Canadian Supreme Court that I disagree with than a U.S. Supreme Court for sale.

Wake up, folks, it's too late when they're breaking down the door.

Re:I Am A Lawyer, albeit a Canadian one...

[Chris+Johnson]

This assumes that you can sue a large corporation. Whatever gives you that idea?

I support the Canadian lawyer's position (isn't this called 'Tort Reform'?) because I'm more or less resigned to the idea that I cannot sue a big corporation for anything. If I'm lucky, another big corporation might sue it- for instance, if it stole ideas of mine and tried to prohibit anyone else from using them, I certainly can't do anything about it but some other corporation that wished to use the ideas might choose to go to court.

The main thing is, these Big Corporations (tm) are obviously developing a real _zeal_ for suing individuals, college professors, magazines, EVERYBODY. It's not even about whether I can sue a big corp and win (not!) it's about whether the corp basically gets to legally destroy the life of anyone it feels like destroying, through legal action.

This process makes government and legal system the private police of the corporation, to be used punitively and subject to no limitation but mere whim: and we already have this situation. Ask the SDMI researchers, the subject of this very article.

It would be an awfully small concession, to give up the purely hypothetical capability to 'sue a corporation' in order to force them to drop the tactic of legal action as a financial and pragmatic club. If you really think you're on an equal footing under the law when bringing suit against a corporation- try it. Your money will run out before you accomplish anything.

Re:I Am A Lawyer, albeit a Canadian one...

[Pig+Hogger]

I am a Canadian lawyer, but I wouldn't practice in California or New York State on a bet (and I have standing job offers in both places).

If I am not mistaken, the Canadian Charter of Rights doesn't only apply to the governments (like the US constitution), but also private individuals, companies and institutions, right?

You get the political and legal system you deserve. Better a Canadian Supreme Court that I disagree with than a U.S. Supreme Court for sale.

This supreme court???

--

Re:I Am A Lawyer, albeit a Canadian one...

[Dirtside]

Here's a reply.

I've always thought that this kind of punishment -- punishing the loser in a civil case by forcing them to pay the opposing side's legal expenses -- is yet another method of giving more power to those who already have money and power.

If I (a small individual) have a legitimate claim against a large corporation, and I go against them in court, they can easily run up millions of dollars' worth of legal expenses, without it making a significant dent in their bottom line. And since they have millions of dollars with which to more or less buy a victory (let's face it, the legal system in the US is fairly unbalanced in favor of those who can afford lots of expert witnesses, expensive delays, etc. etc.), if I end up losing, then now I (small individual) end up owing millions of dollars to a large corporation.

This is a good thing? If I honestly thought I had a legitimate claim, but lost because of an unbalance?

This kind of thinking seems like it would give corporations *even more power*. If a big company sues a little guy like me, and I end up spending 50 grand on my legal defense, and they LOSE, oh no! They're out 50,000 whole dollars! Nevermind that they spent ten times that much on their OWN legal defense.

Re:That's a shame.

The saddest part is losing these freedoms to protect what is probably the least valuable, most disposable aspect of our culture: pop music. May your freedoms die so that the Spice Girls may live forever.

Paradox

[The+Man]

Tell me: if "circumvention devices" are prohibited by law, then why does the copy prevention scheme need to be secure? After all, the RIAA has convinced Congress to wield the force of the gun on its behalf against the citizenry. And, if copy prevention schemes were secure, why would a law against "circumvention devices" be needed? Surely, a proper implementation could not be "circumvented" anyway.

I realize, of course, that this is somewhat orthogonal to the other issue here, which is simply freedom of the press. As a reasonably intelligent non-lawyer, it seems obvious to me that the supreme court would find that this law and the first amendment are in direct opposition. What I can't understand is why nobody has brought one of these cases before it. And this one would be a great choice; it doesn't involve any element of evil on the part of the defendants.

Kickass anecdote from class today

[David+Price]

This just happened about an hour and a half ago. I'm sitting in Rice's COMP 314 programming class, taught by Dan Wallach, one of the authors of the paper. He's spent the first half of class giving us the rundown on his predicament, and moves on to the lecture topic for the second half of class.

In the middle of the lecture, something like this transpires (paraphrased):

"And so you see that there can be occurences when...oh, here's an occurence. My phone's ringing."
[answers his phone]
"Hello?"
"Actually, I can't talk right now. I'm sort of teaching a class."
[class laughs]
"Yeah, you can hear them laughing in the background?"
"Okay, I'll be in my office around 4."
[hangs up phone]
[to class] "That was John Markoff from the New York Times. He wants to have a chat with me."
[resumes lecture seamlessly]

This is why you should support the EFF!!!

[DAldredge]

Goto www.eff.org and become a member! The EFF and groups like the EFF are about the only hope we have to stop this trash...

EU Directive on Copyright

[acb]

The EU just passed a directive on copyright that is at least as draconian as the DMCA. It's very unlikely that this paper would be legal under it.

The UK hasn't passed it into local laws, but will in time. (Given that it's an EU directive, it would take much more than a noise from a few academics, penguinheads and Napatistas to derail the process.) The Reg is in the UK. Thus don't expect this paper to stick around forever.

Even when scientific papers are read...

[freeBill]

...they can be suppressed.

For instance, during the '70s and '80s as more and more researchers presented papers on the dangers of some popular oral contraceptives of the era, many of the publications which were supposed to be informing the OB-GYN community were strangely silent on the implied criticism of their drug-company advertisers. The research was seldom reported to the practitioners who most needed the data.

For instance, the medical news group of Cap Cities (owned for at least part of that time by ABC) repeatedly refused to publish stories written by its staff about the dangers documented in these papers, even though the drug companies had come up with safer alternatives.

Paradoxically, this meant the public heard about these problems anedoctally. The problems ended up worse than if the problems (and their solutions) had been better publicized. And the drug companies ended up with a bigger black eye than if the OB-GYN community had been notified.

All of this happened primarily because doctors are so used to getting their info as freebies that they won't pay for subscriptions. Interestingly, Steven Brill has pointed out recently that lawyers expect to pay for subscriptions to their journals. I suspect this produces much less distortion in their magazines.

Brill has argued that if the information-wants-to-be-free crowd wins on the Internet the result might be the same kind of misinformation that has plagued doctors. In other words, if Internet users continue to expect that they don't have to pay for content, the content they get may end up being worth less than they're paying.

My idealistic journalism professors back in college used to tell us that we shouldn't change our coverage or our news judgment to protect advertisers. They argued that what newspapers (or, by extension, other media) offer is the respect their audiences have for their impartiality. If you compromise that for advertisers' short term interests, the value of the advertising is decreased because readers do not associate the periodical with accuracy.

I have seen several instances of this kind of failure (where a newspaper was so completely in thrall to its advertisers that the advertising had no benefit and the paper went under) through the years. So, I suspect this is a case where the idealists' advice also turns out to be the pragmatists' observation.

Re:So basically what you're telling me...

[acroyear]

Of course, it could be argued that the founding fathers did not predict the existence of multi-national corporations whose stock value
exceeds the GNP of many countries.

Not really...by that point, Lloyds of London and the British East India Company were already far and away making more loot than anything Eastern Europian countries could have imagined...
--
You know, you gotta get up real early if you want to get outta bed... (Groucho Marx)

As the old saying goes...

[ocie]

When scientific research is outlawed, only outlaws will be performing scientific research.

Re:As the old saying goes...

[IronChef]

This is just a new facet of an existing problem. Our freedoms have been eroded in other ways prior to this. For example, for a while it's been illegal to build a radio that can receive about 800-950MHz -- because that's where cell phones are. They recently added cordless phones freqs, too.

It's insane, if you think about it. The right combination of elementary electronic components -- just a hardful of parts that is PASSIVE when powered up -- makes you a felon in the USA.

IMHO, if EM radiation is passing through my meatspace, I've got the right to intercept it, letter of the law be damned. If privacy is important, the phone companies should be using encryption, not legislation.

Re:NO!

[daw]

It's not actually that simple; if you read the threat letter from the SDMI people it mainly turns on a contract issue about the clickthrough agreement that was protecting the challenge files, not the DMCA circumvention device stuff.

At the little news conference, Felten said he honestly couldn't remember whether he actually clicked through the agreement personally or not, but pointed out that there would have been no need to since the material was widely available elsewhere.

felten

[daw]

One interesting thing Felten said in the little impromptu news conference when his paper was supposed to be read was when Declan McCullagh asked him if Princeton was not willing to back him up. Felten responded that Princeton had been very supportive of him and the other authors, but that there were lots of other people involved with the paper, and he wanted to go forward in a way that exposed fewer of them and their institutions. I took this as a hint that the real problem is that one of his coauthors is from Xerox and that a corporation is less willing than a university to expose itself to a lawsuit in the name of academic freedom.

Re:felten

[daw]

Oh yeah, and another interesting tidbit was that the leaked threat letter from the SDMI to him wasn't the only one -- he said that all of the authors, all of their institutions, the conference organizers and the conference sponsors, had all received lawsuit threats from the SDMI, the RIAA, and also Verance (the makers of one of the wicked lousy watermarking systems they cracked).

Declan's article (at http://wired.com/news/politics/0,1283,43353,00.htm l) also contains the interesting assertion that the Naval Research Laboratory (a cosponsor of the conference) had ordered the conference chair to ban the paper last week, but the program commitee refused.

Re:felten

[janpod66]

I took this as a hint that the real problem is that one of his coauthors is from Xerox and that a corporation is less willing than a university to expose itself to a lawsuit in the name of academic freedom.

I don't see that as an obstacle. The Xerox author could have removed himself from the paper (and instead been moved into the acknowledgement section) and Xerox could have formally protested the publication. Felten could then have gone ahead and published it anyway. Formally, he might have been guilty of copyright violation, but Xerox is under no obligation to pusue that.

Technically, it was almost certain from the beginning that all these schemes could be broken. And once the preprint was published on their web site, the cat was out of the bag.

The whole participation of the Princeton group in the SDMI effort was a political statement from the beginning. The decision to withdraw the paper is likewise a political and strategic decision with no technical significance. Let's just hope those guys know what they are doing when it comes to politics and strategy, because, so far, it isn't clear to me where they are going with this.

Censorship and Naziism.

[Lemmy+Caution]

I am opposed to censorship, including censorship of unpopular, unpleasant, and even evil ideas.

But the great crime of Nazism, or even Fascism or Stalinism, wasn't censorship. Censorship was one of the relatively incidental tools they used (frankly, Mussolini's state for a while took some pains to avoid censorship - they believed in a strong corporatist state, but they still fancied themselves as progressive and avant-garde and, for some time, encouraged continued discussion. They didn't even kill Gramsci.) The great crime of Nazism was its doctrine of ethnic superiority and its policy of genocide, of identifying entire populations as suitable for extermination or slavery. This doesn't even require censorship per se - just a critical mass of a populace willing to carry out orders (and lest you claim that it could only be a populace indoctrinated in a censorious society, I would remind you of the openness of Weimar society.)

Do I think we're all that different? I see a lot of people who are willing to compromise their nominal principles for a steady paycheck and cheaper goods.

Exploiting our completely reasonable horror of genocide to induce comparable horror of censorship may be effective, but it's intellectually dishonest.

Re:Censorship and Naziism.

[debrain]

It is ironic that the tools of marginalization, suppression, and prohibition are all utilized by an elitist class. The will of the powerful is to suppress power, and power is knowledge (Foucault) - without the famed and widespread ignorance of the lackeys of the Nazi's (see Judgement at Nuremberg), who were in many cases moral people being repressed of their viewpoints, the prolific nature of antisemitism would have been much less in World War II. I do see a keen analogy between Nazi's repression and RIAA repression, but it is not just of speech - it is of actions, thoughts, beliefs, and even truths. The repression of speech merely accompanies the repression of ideas and freedoms and wills.

I believe there is a usenet law that states that all arguments degenerate to Nazi analogies. Anyone remember the name of that law?

Online copies?

[dschuetz]

So, does anyone have a copy online yet? Should that get "leaked" to, say, the Times, MSNBC, C-NET, etc.? I'm concerned that without a high-profile lawsuit, this will not get much media attention.

Or perhaps someone could sue RIAA, et al, for refusing to permit publication? There must be some way to use the system to the benefit of these researchers, even if they've decided to drop it for now.

Re:Online copies?

[cetan]

http://cryptome.org/sdmi-attack.htm

mirror early, mirror often.

Re:Online copies?

[jbridge21]

http://diddl.firehead.org/censor/hacksdmi.org/prin ceton-paper/
-----

Re:Online copies?

[Cockney]

This has been picked up by the BBC, you can read the article here.

additional clarification from scientists' FAQ

[dallen]

This Princeton FAQ makes the scientists' position a bit clearer, before they received the SDMI letter.

Q. What about the cash prize offered by SDMI?

SDMI did offer a small cash prize to be split among everybody who defeated at least one of the six technologies. However, to be eligible for the prize, researchers had to sign a confidentiality agreement that prohibited any discussion of their findings with the public. The terms of the challenge also allowed researchers to publish their findings if they decided to forgo the cash prize. We decided from the beginning that we were more interested in publishing our results than accepting any share of the cash prize.

Q. Didn't the Digital Millennium Copyright Act (DMCA) criminalize the study of these kinds of technologies in the United States?

Fortunately, the DMCA did not apply to this challenge, since SDMI granted explicit permission to study their technologies. We are not sure whether it would have been legal to study these technologies outside the context of this challenge. We think the DMCA, by criminalizing some kinds of study of important technologies, represents an "ignorance is bliss" approach to technological copyright enforcement, which will not work in the long run. We lobbied against certain aspects of the DMCA while it was before Congress, and we still consider it to be a seriously flawed law.

Above, we mentioned the important role of analysis in the design of security systems. The main problem with the DMCA is that it hinders this analysis, restricting it in order to provide an extra layer of legal protection for existing copyright systems. But this causes the scientific process to stagnate. Imagine a federal law making it illegal for anyone (including Consumer Reports) to purposefully cause an automobile collision. While this may be a well-intentioned attempt to stop road-rage, it also bans automobile crash-testing, ultimately leading to unsafe vehicles and the inability to learn how to make vehicles safe in general. The situation with the DMCA is analogous.

--
Q: What do you get when a Postmodernist joins the Mafia?

Re:That's a shame.

[FreeUser]

It is almost like we are going into another dark age, where knowledge is suppressed for financial gain, and ultimately lost.

We are not "heading into another dark age," we're already there. Many have argued for a long time that the cooperation between industry and academic instututions would undermine the independence of academia, and hence our entire intellectual foundation as a society. These dire predictions were being made in the 1980s when Reagan and his cronies gutted funding for our colleges and universities.

The result has been unambiguous: colleges and universities have turned more and more to private industry for funding, sacrificing their intellectual independence in the process. This example, where Xerox may likely have played the pivotol role in caving to the RIAA, is but one obvious example of what is happening over and over again on campuses everywhere.

Couple the erosion of our foundation of intellectual freedom by making our institutions financially beholden and in some cases even intertwined with corporate entities (which are easilly pressured by threats to revinue, licensing, and/or bad publicity) with laws which criminalize intellectual activities such as reverse engineering and certain applications of cryptographic mathematics and you have, by and large, successfully gutted independent thought in your society. The rest of the dominos will fall like clockwork, when and as they offend or run counter to the goals of those who set these destructive policies.

The "cranks" were right, and the foundation of our intellectual thought, and of dissent in general, are virtually gone.

Re:They chose their only option

[ethereal]

Apparently Felten said Princeton had been very supportive, but some of the researchers were from other organizations that would not have been so supportive.

Caution: contents may be quarrelsome and meticulous!

What we need is a new paper.

[BeBoxer]

The only one of the watermark systems that the SDMI folks care about is the Verance system. The others are almost childish in their simplicity, and were probably never serious contenders. On the other hand, the Verance watermark is apparently already in use. The question is, on what? I've heard DVD-Audio. Does this mean that all DVD-Audio discs have a Verance watermark? Or only some?

Given that it is possible to go and buy media with the Verance watermark, and that the same music is almost certainly available in other watermark-free formats, it should be possible to redo this work without any complications arising from the "Hack SDMI" agreement.

It sounds like Princeton is willing to stand behind Prof. Felton, but some of his collaborators' sponsers aren't so brave. By redoing the work with a Princeton-only crew and new media, those issues would disappear. A new paper could be written on the Verance watermark. Such a paper would clearly be legal, for many reasons. The Verance watermark tech is patented, which means cries of "trade secret" are BS. Not to mention that no devices on the market use the watermark to control "access", so right now code which removes the watermark could not be considered a circumvention device. After all, what is is circumventing? Nothing! Finally, even the corrupt DMCA is full of verbiage allowing academic research. The SDMI folks don't stand a chance in court.

This is silly

[rw2]

This isn't an interesting use of something the hackers owned. They agreed to a specific and narrow license as part of a contract. The paragraph from the RIAA covers this:

As you are aware, the Agreement covering the Public challenge narrowly authorizes participants to attack the limited number of music samples and files that were provided by SDMI. The specific purpose of providing these encoded files and for setting up the Challenge was to assist SDMI in determining which of the proposed technologies are best suited to protect content in Phase II products. The limited waiver of rights (including possible DMCA claims) that was contained in the Agreement specifically prohibits participants from attacking content protected by SDMI technologies outside the Public Challenge. If your research is released to the public this is exactly what could occur. In short, you would be facilitating and encouraging the attack of copyrighted content outside the limited boundaries of the Public Challenge and thus places you and your researchers in direct violation of the Agreement.

I say, just re-attack when the stuff is released and publish the results. There is little moral or ethical in agreeing to the terms that these people must have as part of the challenge and then turning around a violating those terms.

--
Poliglut

Re:This is silly

[jbridge21]

Click-Through Agreement for the SDMI Public Challenge

This Click-Through Agreement (the "Agreement") contains the terms and conditions applicable to participation in the SDMI Public Challenge. Please read it carefully.

Who Can Participate? The SDMI Public Challenge is open to everyone except that a proponent of a particular technology (and the proponent's present and former employees) or any person who has obtained confidential information under a confidentiality agreement applicable to a particular technology may not participate in the SDMI Public Challenge for such technology.

What is being tested? There are two different types of technologies that are available for testing: (1) four different watermark technologies that are designed to detect compression and (2) two additional technologies that are designed to ensure that under certain circumstances individual tracks of an album are not admitted into an SDMI domain without the presence of the original CD.

How do you test the watermark technologies? Participants in the SDMI Public Challenge may download several samples of digital music relating to the four different watermark technologies. The terms and conditions of this Agreement apply to each such technology. For each such technology, a set of music samples -- a "triplet" of digital music - will be provided. Each triplet contains three samples of music. Two of the samples in a triplet contain the same music, where one is encoded with a digital watermark and the other is a clean, unmarked version of the same music. The third sample in the triplet is encoded with the same digital watermark, but participants will not have access to an unmarked version of the same sample. Different music samples will be provided for each technology. The goal of the participant in the SDMI Public Challenge is to determine if the watermark can be removed from the entire sample without significantly reducing the sound quality of the digital music, i.e., degrading sound quality to below that of MP3 encoding at 64 Kbps for a stereo signal or a comparative analysis using PEAQ.

How do you test the two additional technologies? In order to test the two additional technologies, you must download files from the Download Page. Along with the downloaded files, participants are provided with instructions on the goals of the SDMI Public Challenge for those technologies.

How do you know if you've succeeded in the challenge? For each technology, submit the sample file(s) demonstrating that you have successfully challenged such technology to the SDMI Foundation "oracle," at www.hackSDMI.org. You must use the original file name of the sample when you submit it to the oracle. The oracle will automatically test your submission and may contact you seeking an explanation of what you did. In order to for your challenge to be deemed successful, your submission must be reasonably capable of being reproduced. If your submission regards one of the watermark technologies and appears successful, you will be provided with additional music samples, and will be asked to reproduce the results on those additional samples.

How do you become eligible to be compensated for a successful challenge? After preliminary review of your submission, you may receive notice requesting additional information. To receive compensation for the successful challenge, you must submit your name, date of birth, contact information, step-by-step details on how you conducted the successful challenge, and any source code and/or executables that you developed to carry out the attack. You will be responsible for any applicable taxes on any compensation you may receive.

Compensation of $10,000 will be divided among the persons who submit a successful unique attack on any individual technology during the duration of the SDMI Public Challenge. In exchange for such compensation, all information you submit, and any intellectual property in such information (including source code and other executables) will become the property of the SDMI Foundation and/or the proponent of that technology. In order to receive compensation, you will be required to enter into a separate agreement, by which you will assign your rights in such intellectual property. The agreement will provide that (1) you will not be permitted to disclose any information about the details of the attack to any other party, (2) you represent and warrant that the idea for the attack is yours alone and that the attack was not devised by someone else, and (3) you authorize us to disclose that you submitted a successful challenge. If you are a minor, it will be necessary for you and your parent or guardian to sign this document, and any compensation will be paid to your parent or guardian.

You may, of course, elect not to receive compensation, in which event you will not be required to sign a separate document or assign any of your intellectual property rights, although you are still encouraged to submit details of your attack.

The SDMI Foundation will also analyze the information you have submitted in detail to determine the reproducibility of your attack. To be clear, you will be eligible for compensation for reasonably reproducible attacks only if you have not disclosed the trade secrets in your submission to anyone other than the SDMI Foundation, have assigned all your intellectual property rights in your attack to the SDMI Foundation, and have kept your submission, and all information relating to your submission, confidential. All decisions relating to the success of your challenge, the timing of your submission and all other matters pertaining to the SDMI Public Challenge shall be within the discretion of the SDMI Foundation or its designee and shall be final and binding in all respects.

What else do I need to know? By releasing encoded digital music samples for attack and other digital files, the SDMI Foundation and the technology proponents are only providing permission, under U.S. or other applicable law, to attack those particular samples and files during the duration of this SDMI Public Challenge. No permission is granted to attack or make any other use of content protected by SDMI outside of this SDMI Public Challenge. In addition, neither the SDMI Foundation, copyright owners nor the proponent of the technology being attacked, waive any rights that it or they may have under any applicable law including, without limitation, the U.S. Digital Millennium Copyright Act, for any acts not expressly authorized by this Agreement. Moreover, no permission is granted to attack content encoded with any technology proponent outside of this SDMI Public Challenge. You are prohibited from reproducing, modifying, distributing, performing or making any other use of the samples other than as specifically authorized by this Agreement. A list of persons who have submitted successful attacks and received compensation therefor will be provided if you mail a self-addressed, stamped envelope to the SDMI Secretariat, c/o SAIC at 10260 Campus Point Drive, San Diego, California 92121 USA. We are not responsible for lost, incomplete or misdirected submissions. This offer is void where prohibited.

By clicking on the "I Agree" button below you agree to be bound by the terms of this Agreement.
-----

Re:This is silly

[RandomPeon]

No, Felten makes very clear those provisions would only apply if they took the cash prize, which they politely declined. And they're not "attacking content", they're explaining watermarking schemes a second-year math undergrad would understand.

The Paper itself from cryptome (ahh, /. archives)

[kyhwana]

RIAA Challenges SDMI Attack

20 April 2001. Thanks to Anonymous
From cryptome.org

[Letter, 3 pp.]

MATTHEW J. OPPENHEIM, ESQ.
Address illegible
RIAA

April 9, 2001

Professor Edward Felton
Department of Computer Science
Princeton University
Princeton, NJ 08544

Dear Professor Felten,

We understand that in conjunction with the 4th International Information Hiding Workshop to be held April 25-29, 2001, you and your colleagues who participated in last year's Secure Digital Music Initiative ("SDMI") Public Challenge are planning to publicly release information concerning the technologies that were included in that challenge and certain methods you and your colleagues developed as part of your participation in the challenge. On behalf of the SDMI Foundation, I urge you to reconsider your intentions and to refrain from any public disclosure of confidential information derived from the Challenge and instead engage SDMI in a constructive dialogue on how the academic aspects of your research can be shared without jeopardizing the commercial interests of the owners of the various technologies.

As you are aware, at least one of the technologies that was the subject of the Public Challenge, the Verance Watermark, is already in commercial use and the disclosure of any information that might assist others to remove this watermark would seriously jeopardize the technology and the content it protects.1 Other technologies that were part of the Challenge are either likewise in commercial use or could be could be utilized in this capacity in the near future. Therefore, any disclosure of information that would allow the defeat of those technologies would violate both the spirit and the terms of the Click-Through Agreement (the "Agreement"). In addition, any disclosure of information gained from participating in the Public Challenge would be outside the scope of activities permitted by the Agreement and could subject you and your research team to actions under the Digital Millennium Copyright Act ("DCMA").

____________________

1 The Verance Watermark is currently used for DVD-Audio and SDMI Phase I products and certain portions of that technology are trade secrets.

We appreciate your position, as articulated in the Frequently Asked Questions document, that the purpose of releasing your research is not designed to "help anyone impose or steal anything." Further more, you participation in the Challenge and your contemplated disclosure appears to be motivated by a desire to engage in scientific research that will ensure that SDMI does not deploy a flawed system. Unfortunately, the disclosure that you are contemplating could result in significantly broader consequences and could directly lead to the illegal distribution of copyrighted material. Such disclosure is not authorized in the Agreement, would constitute a violation of the Agreement and would subject your research team to enforcement actions under the DMCA and possibly other federal laws.

As you are aware, the Agreement covering the Public challenge narrowly authorizes participants to attack the limited number of music samples and files that were provided by SDMI. The specific purpose of providing these encoded files and for setting up the Challenge was to assist SDMI in determining which of the proposed technologies are best suited to protect content in Phase II products. The limited waiver of rights (including possible DMCA claims) that was contained in the Agreement specifically prohibits participants from attacking content protected by SDMI technologies outside the Public Challenge. If your research is released to the public this is exactly what could occur. In short, you would be facilitating and encouraging the attack of copyrighted content outside the limited boundaries of the Public Challenge and thus places you and your researchers in direct violation of the Agreement.

In addition, because public disclosure of your research would be outside the limited authorization of the Agreement, you could be subject to enforcement actions under federal law, including the DMCA. The Agreement specifically reserves any rights that proponents of the technology being attacked may have "under any applicable law, including, without limitation, the U.S. Digital Millennium Copyright Act, for any acts not expressly authorized by their Agreement." The Agreement simply does not "expressly authorize" participants to disclose information and research developed through participating in the Public challenge and such disclosure could be the subject of a DMCA action.

We recognize and appreciate your position, made clear throughout this process, that it is not your intention to engage in any illegal behavior or to otherwise jeopardize the legitimate commercial interests of others. We are concerned that your actions are outside the peer review process established by the Public Challenge and setup by engineers and other experts to ensure the academic integrity of this project. With these facts in mind, we invite you to work with the SDMI Foundation to find a way for you to share the academic components of your research while remaining true to your intention to not violate the law or the Agreement. In the meantime, we urge you to withdraw the paper submitted for the upcoming Information Hiding Workshop, assure that it is removed from the Workshop distribution materials and destroyed, and avoid a public discussion of confidential information.

Sincerely,

[Signature]

Matthew Oppenheim, Secretary
The SDMI Foundation

cc: Mr. Ira S. Moskowitz, Program Chair, Information Hiding Workshop, Naval Research Laboratory
Cpt. Douglas S. Rau, USN, Commanding Officer, Naval Research Laboratory
Mr. Howard Ende, General Counsel of Princeton
Mr. Edward Dobkin, Computer Science Department Head of Princeton

[Paper, 15 pp.]

Reading Between the Lines:
Lessons from the SDMI Challenge
Scott A. Craver1, John R McGregor1, Min Wu1, Bede Liu1,
Adam Stubblefield2, Ben Swartzlander2, Dan S. Wallach2,
Drew Dean3, and Edward W. Felten4 1 Dept. of Electrical Engineering, Princeton University
2 Dept. of Computer Science, Rice University
3 Computer Science Laboratory, Xerox Palo Alto Research Center
4 Dept. of Computer Science, Princeton University

Abstract. The Secure Digital Music Initiative is a consortium of parties interested in preventing piracy of digital music, and to this end they are developing architectures for content protection on untrusted platforms. SDMI recently held a challenge to test the strength of 4 watermarking technologies, and 2 other security technologies. No documentation explained the implementations of the technologies, and neither watermark embedding nor detecting software was directly accessible to challenge participants. We nevertheless accepted the challenge, and learned a great deal about the inner workings of the technologies. We report on our results here.

1 Introduction

The Secure Digital Music Initiative (SDMI), a consortium of music-industry companies, is working to develop and standardize technologies that give music publishers more control over what consumers can do with recorded music that they buy. SDMI has been a somewhat secretive organization, releasing little information to the public about its goals, deliberations, and technology.

In September 2000, SDMI announced a "public challenge" in which it invited members of the public to try to break certain data-encoding technologies that SDMI had developed [3]. The challenge offered a valuable window into SDMI, not only into its technologies but also into its plans and goals. We decided to use the challenge to learn as much as we could about SDMI. This paper is the result of our study.1 Section 2 presents an overview of the HackSDMI challenge. Section 3 analyzes the watermark challenges. Section 4 analyzes the non-watermark challenges. Finally, we present our conclusions in section 5.

____________________

1 The SDMI challenge offered a small cash payment to be shared among everyone who broke at least one of the technologies and was willing to sign a confidentiality agreement giving up all rights to discuss their findings. The cash prize amounted to the price of a few days of time from a skilled computer security consultant, and it was to be split among all successful entrants, a group that we suspected might be significant in size. We chose to forgo the payment and retain our right to publish this paper.

2 The SDMI Challenge

The SDMI challenge extended over roughly a three-week period, from September 15, 2000 until October 8, 2000. The challenge actually consisted of six sub-challenges, named with the letters A through F, each involving a different technology developed by SDMI. We believe these challenges correspond to submissions to the SDMI's Call for Proposals for Phase II Screening Technology [4]. According to this proposal, the watermark's purpose is to restrict an audio clip which is compressed or has previously been compressed. That is, if the watermark is present an audio clip may yet be admitted into an SDMI device, but only if it has not been degraded by compression. For each challenge, SDMI provided some information about how a technology worked, and then challenged the public to create an object with a certain property. The exact information provided varied among the challenges. We note, though, that in all six cases SDMI provided less information than a music pirate would have access to in practice.

2.1 Watermark Challenges

Four of the challenges (A, B, C, and F), involved watermarking technologies, in which subtle modifications are made to an audio file, to encode copyright control information without perceptible change in how the file sounds. Watermarks can be either robust or fragile. Robust watermarks are designed to survive common transformations like digital-to-audio conversion, compression and decompression, and the addition of small amounts of noise to the file. Fragile watermarks do not survive such transformations, and are used to indicate modification of the file. For each of the four watermark challenges, SDMI provided three files:

- File 1: an unwatermarked song;

- File 2: File 1, with a watermark added; and

- File 3: another watermarked song.

The challenge was to produce a file that sounded just like File 3 but did not have a watermark -- in other words, to remove the watermark from File 3.

SDMI provided an on-line "oracle" for each challenge. Entrants could email a file to the oracle, and the oracle would tell them whether their submission satisfied the challenge, that is, whether it contained no detectable watermark while still sounding like File 3. Entrants were given no information about how watermark information was stored in the file or how the oracle detected watermarks, beyond the information that could be deduced from inspection of the three provided files.

2.2 Challenges D and E

Challenge D concerned a technology designed to prevent a song from being separated from the album in which it was issued. Normally, every Compact Disc contains a table of contents, indicating the offsets and lengths of each audio track, followed by the audio data itself. Challenge D adds an "authenticator" track (approximately 50ms of very quiet audio,) a digital signature derived from the table of contents, which is supposed to be difficult to compute for an arbitrary CD. Challenge D is discussed in more detail in Section 4.1.

Challenge E involved a technology similar to D, but one which would be immune the obvious attack on technology D, in which one compiled an unauthorized CD with the same table of contents as an authorized one, for which the authenticator track is given. Unfortunately, this challenge was constructed in a way that made it impossible to even start analyzing the technology. SDMI provided an oracle for this challenge, but unfortunately provided no music samples of any kind, so there was no way to determine what the oracle might be testing for.

Given these facts, we decided not to analyze Challenge E. It is discussed briefly in Section 4.2.
3 The Watermarking Schemes

In this section, we describe our attack(s) on each of the four watermark challenges (A,B,C,F). Our success was confirmed by emails received from SDMI's oracles. Fig. 1. The SDMI watermark attack problem. For each of the four watermark challenges, Sample-1, sample-2, and sample-3 are provided by SDMI sample-4 is generated by participants in the challenge and submitted to SDMI oracle for testing.

Figure 1 provides an overview of the challenge goal. As mentioned earlier, there are three audio files per watermark challenge: an original and watermarked version of one clip, and then a watermarked version of a second clip, from which the mark is to be removed. All clips were 2 minutes long, sampled at 44.1kHz with 16-bit precision.

The reader should note one serious flaw with this challenge arrangement. The goal is to remove a robust mark, while these proposals appear to be Phase II watermark screening technologies [4]. As we mentioned earlier, a Phase II screen is intended to reject audio clips if they have been compressed, and presumably compression degrades a fragile component of the watermark. An attacker need not remove the robust watermark to foil the Phase II screen, but could instead repair the modified fragile component in compressed audio. This attack was not possible under the challenge setup.

3.1 Attack and Analysis of Technology A

A reasonable first step in analyzing watermarked content with original, unmarked samples is differencing the original and marked versions in some way. Initially, we used sample-by-sample differences in order to determine roughly what kinds of watermark- ing methods were taking place. Unfortunately, technology A involved a slowly varying phase distortion which masked any other cues in a sample-by-sample difference. We ultimately decided this distortion was a pre-processing separate from the watermark, in part because undoing the distortion alone did not foil the oracle.

The phase distortion nevertheless led us to attempt an attack in which both the phase and magnitude change between sample 1 and sample 2 is applied to sample 3. This attack was confirmed by SDMI's oracle as successful, and illustrates the general attack approach of imposing the difference in an original-watermark pair upon another media clip. Here, the "difference" is taken in the FFT domain rather than the time domain, based on our suspicions regarding the domain of embedding. Note that this attack did not require much information about the watermarking scheme itself, and conversely did not provide much extra insight into its workings.

A next step, then, is to compute the frequency response H(w) = W(w)/O(w) of the watermarking process for segments of audio, and observe both |H(w)| and the corresponding impulse response h(t). If the watermark is based on some kind of linear filter, whose properties change slowly enough relative to the size of a frame of samples, then this approach is ideal.

Figure 2 illustrates one frequency response and impulse response about 0.3 seconds into the music. These responses are based on FFTs of 882 samples, or one fiftieth second of music. As can be clearly seen, a pair of sinusoidal ripples are present within a certain frequency band, approximately 8-16Khz. Ripples in the frequency domain are indicative of echoes in the time domain, and a sum of sinusoids suggested the presence of multiple echoes. The corresponding impulse response h(t) confirms this. This pattern of ripples changes quite rapidly from frame to frame.

Thus, we had reason to suspect a complex echo hiding system, involving multiple time-varying echoes. It was at this point that we considered a patent search, knowing enough about the data hiding method that we could look for specific search terms, and we were pleased to discover that this particular scheme appears to be listed as an alternative embodiment in US patent number 05940135, awarded to Aris corporation, now part of Verance [5]. This provided us with little more detail than we had already discovered, but confirmed that we were on the right track, as well as providing the probable identity of the company which developed the scheme. It also spurred no small amount of discussion of the validity of Kerckhoffs's criterion, the driving principle in security that one must not rely upon the obscurity of an algorithm. This is, surely, doubly true when the algorithm is patented. Fig. 2. A short-term complex echo. Above, the frequency response between the watermarked and original music, taken over 1/50 second, showing a sinusoidal ripple between 8 and 16 KHz. Below, the corresponding impulse response. The sinusoidal pattern in the frequency domain corresponds to a pair of echoes in the time domain.
The most useful technical detail provided by the patent was that the "delay hopping" pattern was likely discrete rather than continuous, allowing us to search for appropriate frame sizes during which the echo parameters were constant. Data collection from the first second of audio showed a frame size of approximately 882 samples, or 1/50 second. We also observed that the mark did not begin until 10 frames after the start of the music, and that activity also existed in a band of lower frequency, approximately 4-8 Khz. This could be the same echo obscured by other operations, or could be a second band used for another component in the watermarking scheme. A very clear ripple in this band, indicating a single echo with a delay of about 34 samples, appears shortly before the main echo-hopping pattern begins.

The next step in our analysis was the determination of the delay hopping pattern used in the watermarking method, as this appeared to be the "secret key" of the data embedding scheme. It is reasonable to suspect that the pattern repeats itself in short order, since a watermark detector should be able to find a mark in a subclip of music, without any assistance initially aligning the mark with the detector's hopping pattern. Again, an analysis of the first second revealed a pattern of echo pairs that appeared to repeat every 16 frames, as outlined in figure 3. The delays appear to fall within six general categories, each delay approximately a multiple of 1/4 millisecond. The exact values of the delays vary slightly, but this could be the result of the phase distortion present in the music. Fig. 3. The hypothesized delay hopping pattern of technology A. Here two stretches of 16 frames are illustrated side-by-side, with observed echoes in each frame categorized by six distinct delays: 2, 3, 4, 5, 6 or 7 times 0.00025 sec. Aside from several missing echoes, a pattern appears to repeat every 16 frames. Note also that in each frame the echo gain is the same for both echoes.

The reader will also note that in apparently two frames there is only one echo. If this pattern were the union of two pseudorandom patterns chosen from six possible delay choices, two "collisions" would be within what is expected by chance.

Next, there is the issue of the actual encoded bits. Further work shows the sign of the echo gain does not repeat with the delay-hopping pattern, and so is likely at least part of an embedded message. Extracting such data without the help of an original can be problematic, although the patent, of course, outlines numerous detector structors which can be used to this end. We developed several tools for cepstral analysis to assist us in the process. See [2] for in introduction to cepstral analysis; Anderson and Petitcolas [1] illustrate its use in attacks on echo hiding watermark systems.

With a rapidly changing delay, normal cepstral analysis does not seem a good choice. However, if we know that the same echo is likely to occur at multiples of 16/50 of a second, we can improve detector capability by combining the information of multiple liftered2 log spectra.

____________________

2 in accordance with the flopped vocabulary used with cepstral analysis, "liftering" refers to the process of filtering data in the frequency domain rather than the time domain. Similarly, "quefrencies" are frequencies of ripples which occur in the frequency domain rather than the time domain.

Three detector structures are shown in figure 4. In all three, a collection of frames are selected for which the echo delays are believed to be the same. For each, the liftered log of an FFT or PSD of the frame is taken. In the first two structures, we compute a cepstrum, for each frame, then either average their squared magnitudes, or simply their squares, in hopes that a spike of the appropriate quefrency will be clear in the combination. The motivation for merely squaring the spectral coefficients comes from the observation that a spike due to an echo will either possess a phase of theta or theta + pi for some value theta. Squaring without taking magnitudes can cause the echo phases to reinforce, whilst still permitting other elements to combine destructively. Fig. 4. Three cepstral detector structures. In each case we have a collection of distinct frames, each believed to possess echoes of the same delay. The first two compute cepstral data for each frame, and sum their squares (or squared magnitudes) to constructively combine the echo signal in all frames. The third structure illustrates a method for testing a hypothesized pattern of positive and negative gains, possibly useful for brute-forcing or testing for the presence of a known "ciphertext."

In the final structure, one cepstrum. is taken using a guess of the gain sign for each suspect frame. With the correct guess, the ripple should be strongest, resulting in the largest spike from the cepstral detector. Figure 5 shows the output of this detector on several sets of suspect frames. While this requires an exponential amount of work for a given amount of frames, it has a different intended purpose: this is a brute-forcing tool, a utility for determining the most probable among a set of suspected short strings of gain signs as an aid to extracting possible ciphertext values. Fig. 5. Detection of an echo. A screenshot of our CepstroMatic utility shows a combination of 4 separate frames of music, each a fiftieth of a second long, in which the same echo delay was believed to exist. Their combination shows a very clear ripple on the right, corresponding to a clear cepstral spike on the left. This is a single echo at a delay of 33 samples, the delay suggested for these intervalus by the hypothesized delay-hopping pattern.

Finally, there is the issue of what this embedded watermark means. Again, we are uncertain about a possible signalling band below 8Khz. This could be a robust mark, signalling presence of a fragile mark of echoes between 8 and 16 KHz. The 8-16KHz band does seem like an unusual place to hide robust data, unless it does indeed extend further down, and so this could very easily be hidden information whose degredation is used to determine if music has already been compressed.

Of course, knowledge of either the robust or fragile component of the mark is enough for an attacker to circumvent the scheme, because one can either remove the robust mark, or repair or reinstate the fragile mark after compression has damaged it. As mentioned earlier, this possible attack of repairing the fragile component appears to have been ruled out by the nature of the SDMI challenge oracles. One must wait and see if real-world attackers will attempt such an approach, or resort to more brute methods or oracle attacks to remove the robust component.

3.2 Attack on Challenge B

We analyzed samp1b.wav and samp2b.wav using short-time FFT. Shown in Fig. 6 are the two FFT magnitudes for 1000 samples at 98.67 sec. Also shown is the difference of the two magnitudes. A spectrum notch around 2800Hz is observed for some segments of samp2b.wav and another notch around 3500Hz is observed for some other segments of samp2b.wav. Similar notches are observed in samp3b.wav. The attack fills in those notches of samp3b.wav with random but bounded coefficient values. We also submitted a variation of this attack involving different parameters for notch description. Both attacks were confirmed by SDMI oracle as successful. Fig. 6. Technology-B: FFT magnitudes of samp1b.wav and samp2b.wav and their difference for 1000 samples at 98.67 sec.

3.3 Attacks on Challenge C

By taking the difference of samp1c.wav and samp2c.wav, bursts of narrowband signal are observed, as shown in Fig. 7. These narrow band bursts appear to be centered around 1350 Hz. Two different attacks were applied to Challenge C. In the first at- tack, we shifted the pitch of the audio by about a quartertone. In the second attack, we passed the signal through a bandstop filter centered around 1350Hz. Our submissions were confirmed by SDMI oracle as successful. In addition, the perceptual quality of both attacks has passed the "golden ear" testing conducted by SDMI after the 3-week challenge. Fig. 7. Challenge-C: Waveform of the difference between samp1c.wav and samp2c.wav.

3.4 Attack on Challenge F

For Challenge F, we warped the time axis, by inserting a periodically varying delay. The delay function comes from our study on Technology-A, and was in fact initially intended to undo the phase distortion applied by technology A. Therefore the perceptual quality of our attacked audio is expected to be better than or comparable to that of the audio watermarked by Technology-A. We also submitted variations of this at- tack involving different warping parameters and different delay function. They were confirmed by SDMI oracle as successful.
4 The Non-Watermark Technologies

The HackSDMI challenge contained two "non-watermark" technologies. Together, they appear to be intended to prevent the creation of "mix" CDs, where a consumer might compile audio files from various locations to a writable CD. This would be enforced by universally embedding SMDI logic into consumer audio CD players.

4.1 Technology D

According to SDMI, Technology D was designed to require "the presence of a CD in order to 'rip' or extract a song for SDMI purposes." The technology aimed to accomplish this by adding a 53.3 ms audio track (four blocks of CD audio), which we will refer to as the authenticator, to each CD. The authenticator, combined with the CD's table of contents (TOC), would allow a SDMI device to recognize SDMI compliant CDs. For the challenge, SDMI provided 100 different "correct" TOC-authenticator pairs as well as 20 "rogue tracks". A rogue track is a track length that does not match any of the track lengths in the 100 provided TOCs. The goal of the challenge was to submit to the SDMI oracle a correct authenticator for a TOC that contained at least one of the rogue tracks.

The oracle for Technology D allowed several different query types. In the first type, an SDMI provided TOC-authenticator combination is submitted so a that user can "understand and verify the Oracle." According to SDMI, the result of this query should either be "admit" for a correct pair or "reject" for an incorrect pair. When we attempted this test a SDMI-provided pair, the oracle responded that the submission was "invalid." After verifying that we had indeed submitted a correct pair, we attempted several other submissions using different TOC-authenticator pairs as well as different browsers and operating systems3. We also submitted some pairs that the oracle should have rejected; these submissions were also declared "invalid." Though we alerted SDMI to this problem during the challenge, the oracle was never repaired. For this reason, our analysis of Technology D is incomplete and we lack definitive proof that it is correct. That having been said, we think that what we learned about this technology, even without the benefit of a correctly functioning oracle, is interesting.

____________________

3 Specifically, Netscape Navigator and Mozilla under Linux, Netscape Navigator under Windows NT, and Internet Explorer under Windows 98 and 2000.

Analyzing the Signal Upon examination of the authenticator audio files, we discovered several patterns. First, the left and right channels contain the same information. The two channels differ by a "noise vector" u, which is a vector of small integer values that range from -8 and 8. Since the magnitude of the noise is so small, the noise vector does not significantly affect the frequency characteristics of the signal. The noise values appear to be random, but the noise vector is the same for each of the 100 provided authenticator files. In other other words, in any authenticator file, the difference between the left and right channels of the ith sample is a constant fixed value u[i]. This implies that the noise vector u does not encode any TOC-specific information.

Second, the signal repeats with a period of 1024 samples. Because the full signal is 2352 samples long, the block repeats approximately 1.3 times. Similarly to the left and right channels of the signal, the first two iterations of the repeating signal differ by a constant noise vector v. The difference between the ith sample of the first iteration and the ith sample of the second iteration differ by a small (and apparently random) integer value v[i] ranging from -15 to 15. In addition, v is the same for each of the provided authenticator files, so v does not encode any TOC-specific information.

Third, the first 100 samples and last 100 samples of the full signal are faded in and faded out, respectively. This is illustrated in Figure 8. The fade-in and fade-out are meaningless, however, because they simply destroy data that is repeated in the middle of the file. We conjecture that this fade-in and fade-out are included so that the audio signal does not sound offensive to a human ear. Fig. 8. In a Technology D Authenticator, the signal fades in, repeats, and fades out.

Extracting the Data Frequency analysis on the 1024 sample block shows that almost all of the signal energy is concentrated in the 16-20kHz range, as shown in Figure 9. We believe this range was chosen because these frequencies are less audible to the human ear. Closer examination shows that this l6-20kHz range is divided up into 80 discrete bins, each of which appears to carry one bit of information. As shown in Figure 10, these bits can be manually counted by a human using a graph of the magnitude of signal in the frequency domain. Fig. 9. Magnitude vs. Frequency of Technology D Authenticator

Fig. 10. Individual Bits From a Technology D Authenticator

Close inspection and pattern matching on these 80 bits of information reveals that there are only 16 bits of information repeated 5 times using different permutations. using the letters A-P to symbolize the 16 bits, these 5 permutations are described in Figure 11. ABCDEFGHIJKLMNOP
OMILANHGPBDCKJFE
PKINHODFMJBCAGLE
FCKLGMEPNOADJBHI
PMGHLECAKDONIFJB Fig. 11. The encoding of the 16 bits of data in Technology D

Because of the malfunctioning oracle, we were unable to determine the function used to map TOCs to authenticators, but given an actual SDMI device, it would be trivial to brute force all 216 possibilities. Likewise, without the oracle, we could not determine if there was any other signal present in the authenticator (e.g., in the phase of the frequency components with nonzero magnitude).

For the moment, let us assume that the hash function used in Technology D has only 16 bits of output. Given the number of distinct CDs available, an attacker should be able to acquire almost, if not all, of the authenticators. We note that at 9 kilobytes each, a collection of 65,536 files would fit nicely on a single CD. Many people have CD collections of 300+ discs, which by the birthday paradox makes it more likely than not that there is a hash collision among their own collection.

Our results indicated that the hash function used in Technology D could be weak or may have less than 16 bits of output. In the 100 authenticator samples provided in the Technology D challenge, there were 2 pairs of 16-bit hash collisions. We will not step through the derivation here, but the probability of two or more collisions occurring in n samples of X equally likely possibilities is:

If the 16-bit hash function output has 16 bits of entropy, the probability of 2 collisions occurring in n = 100 samples of X = 216 possibilities is 0.00254 (by the above 1.5 equation). If X ~ 211.5, the chances of two collisions occurring is about even. This suggests that either 4 bits of the 16-bit hash output may be outputs of functions of the other 12 bits or the hash function used to generate the 16-bit signature is weak. It is also possible that the challenge designers purposefully selected TOCs that yield collisions. The designers could gauge the progress of the contestants by observing whether anyone submits authenticator A with TOC B to the oracle, where authenticator A is equal to authenticator B. Besides the relatively large number of collisions in the provided authenticators, it appears that there are no strong biases in the authenticator bits such as significantly more or less 1's than 0's.

4.2 Technology E

Technology E is designed to fix a specific bug in Technology D: the TOC only mentions the length of each song but says nothing about the contents of that song. As such, an attacker wishing to produce a mix CD would only need to find a TOC approximately the same as the desired mix CD, then copy the TOC and authenticator from that CD onto the mix CD. If the TOC does not perfectly match the CD, the track skipping functionality will still work but will only get "close" to track boundaries rather than reaching them precisely. Likewise, if a TOC specified a track length longer than the track we wished to put there, we could pad the track with digital silence (or properly SDMI-watermarked silence, copied from another valid track). Regardless, a mix CD played from start to end would work perfectly. Technology E is designed to counter this attack, using the audio data itself as part of the authentication process.

The Technology E challenge presented insufficient information to be properly studied. Rather than giving us the original audio tracks (from which we might study the unspecified watermarking scheme), we were instead given the tables of contents for 1000 CDs and a simple scripting language to specify a concatenation of music clips from any of these CDs. 'Me oracle would process one of these scripts and then state whether the resulting CD would be rejected.

While we could have mounted a detailed statistical analysis, submitting hundreds or thousands of queries to the oracle, we believe the challenge was fundamentally flawed. In practice, given a functioning SDMI device and actual SDMI-protected content, we could study the audio tracks in detail and determine the structure of the watermarking scheme.
5 Conclusion

In this paper, we have presented an analysis of the technology challenges issued by the Secure Digital Music Initiative. Each technology challenge described a specific goal (e.g., remove a watermark from an audio track) and offered a Web-based oracle that would confirm whether the challenge was successfully defeated.

We have reverse-engineered and defeated all four of their audio watermarking technologies. We have studied and analyzed both of their "non-watermarking" technologies to the best of our abilities given the lack of information available to us and given a broken oracle in one case.

Some debate remains on whether our attacks damaged the audio beyond standards measured by "golden ear" human listeners. Given a sufficient body of SDMI-protected content using the watermark schemes presented here, we are confident we could refine our attacks to introduce distortion no worse than the watermarks themselves introduce to the the audio. Likewise, debate remains on whether we have truly defeated technologies D and E. Given a functioning implementation of these technologies, we are confident we can defeat them.

Do we believe we can defeat any audio protection scheme? Certainly, the technical details of any scheme will become known publicly through reverse engineering. Using the techniques we have presented here, we believe no public watermark-based scheme intended to thwart copying will succeed. Other techniques may or may not be strong against attacks. For example, the encryption used to protect consumer DVDs was easily defeated. Ultimately, if it is possible for a consumer to hear or see protected content, then it will be technically possible for the consumer to copy that content.

References

1. R. J. ANDERSON, AND F. A. P. PETITCOLAs. On the limits of steganography. IEEE Journal of Selected Areas in Communications 16,4 (May 1998),474-481.

2. R. P. BOGERT, M., AND J. W. TUKEY. The quefrency alanysis of time series for echoes: Cepstrum, pseudo-autocovariance, cross-ceptsrum and saphe-cracking. In Proceedings of the Symposium on Time Series Analysis (Brown University, June 1962), pp. 209-243.

3. R. PETROVIC, J. M. WINOGRAD, K., AND E. METOIS. Apparatus and method for encoding and decoding information in analog signals, Aug. 1999. US Patent No 05940135 http://www.delphion.com/details?pn=US05940135__.

4. SECURE DIGITAL MUSIC INITIATIVE. Call for Proposals for Phase II Screening Technology, Version 1.0, Feb. 2000. http://www.sdmi.org/download/FRWG00022401-Ph2_CFPv 1.0.PDF.

5. SECURE DIGITAL MUSIC INITIATIVE. SDMI public challenge, Sept. 2000. http://www.hacksdmi.org.

Re:Best possible result

[Quarters]

Your statement only holds true if the mainstream press picks up on the story.

They won't.

Until CNN, Fox News, NBC, ABC, CBS, Newseek, The New York Times, et. al... publish about this all it does is expose the DMCA for what it is - "a crude weapon intended to bully and threaten" to the people that already understand this.

The fact that a lot of academics and Slashdot readers now know that the DMCA is broken won't contribute towards any significant amount of change.

I would like to thank...

[Khan]

1) The RIAA for their endless pursuit of Justice and the American Way.

2) To Hillary for being such a caring and loving human being when it comes to protecting the rights of "artists".

3) The legion of lobbyists for pursuing our Congressmen and showing them that "this is the right thing for the American people"

..and finally to the entire American Congress for passing one of the broadest, most unfucking believable pieces of crap legislation (DMCA) I have seen in a LONG time and essentially selling out the American public to Corporate America. Thanks. I feel like a better American now that I have these types of laws protecting my rights.

Seriously

[KFury]

First a decryptor is a circumvention device, then a program that makes a decryptor is a corcumvention device, then a paper detailing techniques that could be used to create such a program is a circumvention device.

How much further would it have to go before the RIAA declared the human brain to be a 'circumvention device'?

Everyone with an IQ above 120, please report to either the lobotomy room or the courtroom.

Kevin Fox
--

Re:Seriously

[pjrc]

KFury comments:

...then a paper detailing techniques that could be used to create such a program is a circumvention device.

The DMCA goes much further than just to prohibit "devices". Here's a list of some other forbidden acts:

(b) ADDITIONAL VIOLATIONS- (1) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof...

Of course, we all know there's supposed to be an exception for encryption research. At the risk of making this post entirely too long, here's the full text of the encryption research exception:

(g) ENCRYPTION RESEARCH-

`(1) DEFINITIONS- For purposes of this subsection--

`(A) the term `encryption research' means activities necessary to identify and analyze flaws and vulnerabilities of encryption technologies applied to copyrighted works, if these activities are conducted to advance the state of knowledge in the field of encryption technology or to assist in the development of encryption products; and

`(B) the term `encryption technology' means the scrambling and descrambling of information using mathematical formulas or algorithms.

`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--

(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

(B) such act is necessary to conduct such encryption research;

(C) the person made a good faith effort to obtain authorization before the circumvention; and

(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

(3) FACTORS IN DETERMINING EXEMPTION- In determining whether a person qualifies for the exemption under paragraph (2), the factors to be considered shall include--

(A) whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

(B) whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; and

(C) whether the person provides the copyright owner of the work to which the technological measure is applied with notice of the findings and documentation of the research, and the time when such notice is provided.

(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES- Notwithstanding the provisions of subsection (a)(2), it is not a violation of that subsection for a person to--

(A) develop and employ technological means to circumvent a technological measure for the sole purpose of that person performing the acts of good faith encryption research described in paragraph (2); and

(B) provide the technological means to another person with whom he or she is working collaboratively for the purpose of conducting the acts of good faith encryption research described in paragraph (2) or for the purpose of having that other person verify his or her acts of good faith encryption research described in paragraph (2).

(5) REPORT TO CONGRESS- Not later than 1 year after the date of the enactment of this chapter, the Register of Copyrights and the Assistant Secretary for Communications and Information of the Department of Commerce shall jointly report to the Congress on the effect this subsection has had on--

(A) encryption research and the development of encryption technology;

(B) the adequacy and effectiveness of technological measures designed to protect copyrighted works; and

(C) protection of copyright owners against the unauthorized access to their encrypted copyrighted works.

The report shall include legislative recommendations, if any.

It would be interesting to hear what effect on encryption research was actually reported.

Shrewd move?

[Black+Parrot]

They withdrew their paper, and...

• it has already permeated the internet, and...
• the story of the RIAA's threat against academic researhers is all over the mainstream media.

Brilliant move, RIAA. What is you SDMI worth now? Where are the anti-DMCA crowd going to turn for PR, and what are they going to mention the next time we have congressional hearings or a court case involving the DMCA? And which side of the fence do you think any remaining waverers are going to come down on?

--

Re:So basically what you're telling me...

[Moofie]

That won't help. Say I go up against RIAA with a competent, reasonably priced lawyer. I incur legal expenses of $50,000, and she's going to be paid on a contingency basis (zero out-of-pocket cost to me unless I win. Fine.) RIAA comes to the table with five wickedly high-priced lawyers. They incur legal expenses of $2,000,000. My lawyer, outnumbered and outgunned, loses. I am now a wage slave. That's NOT a chance I'm willing to take.

The bottom line is that legal expenses, win or lose, are trivial for these large corporations, and disastrous for any but the wealthiest private citizen.

I can't believe Princeton nellied out on this one! That's what colleges are FOR...

It's too bad they didn't press the issue

[Squirrel+Killer]

This would have made a wonderful test case for the courts to rule on the applicability and Consitiutionality of the DCMA. Certainly going to court is always risky, but as I understand it, the courts have generally upheld reverse engineering. Additionally, I think that most judges would laugh the RIAA out of the courtroom based on the facts of the case - "You mean you asked them to crack/reverse engineer your encryption and now want to gag them?!?"

In addition to preventing the ever-increasing definition of "circumvention device", there's an important free speech issue at stake here. If they had pressed the issue, they could have reeled in the RIAA a bit.

-sk

My letter:

[da0g]

Dear ...,

I would like to complain about the Digital Millennium Copyright Act.

I find it disturbing that I can go to jail, and/or be fined, for the crime of trying to watch a DVD I have legally purchased.

I find it disturbing that works I create: poetry, humor, fiction; Can be banned on the grounds that they can be mathematically combined to produce DVD decrypting software.

There is a distinction between a copyright holder being entitled to compensation if someone reproduces their work without permission, and the copyright holder being entitled to control what works others may create, and how their works may be used after a sale has taken place.

The most recent travesty goes too far. The RIAA has successfully utilized the DMCA to suppress the presentation and publication of an academic research paper. The paper, by Dr. Edward Felten, a professor at Princeton University, and others, was to be presented at the Pittsburgh Information Hiding Workshop conference earlier today.

In a statement, read earlier today, Dr. Felten said:

On behalf of the authors of the paper "Reading Between the Lines: Lessons from the SDMI Challenge," I am disappointed to tell you that we will not be presenting our paper today.

Our paper was submitted via the normal academic peer-review process. The reviewers, who were chosen for their scientific reputations and credentials, enthusiastically recommended the paper for publication, due to their judgment of the paper's scientific merit.

Nevertheless, the Recording Industry Association of America, the SDMI Foundation, and the Verance Corporation threatened to bring a lawsuit if we proceeded with our presentation or the publication of our paper. Threats were made against the authors, against the conference organizers, and against their respective employers.

Litigation is costly, time-consuming, and uncertain, regardless of the merits of the other side's case. Ultimately we, the authors, reached a collective decision not to expose ourselves, our employers, and the conference organizers to litigation at this time.

We remain committed to free speech and to the value of scientific debate to our country and the world. We believe that people benefit from learning the truth about the products they are asked to buy. We will continue to fight for these values, and for the right to publish our paper.

We look forward to the day when we can present the results of our research to you, our colleagues, through the normal scientific publication process, so that you can judge our work for yourselves.

This tragedy only serves to highlight the problems with our existing legal DMCA framework.

The truth is far more frightening. We have an industry that is being dragged, kicking and screaming, into the 21st century. They are trying to retain outdated and outmodeled technological approaches.

The truth is that there are alternatives to technological and legal barriers to copyright violation with digital media. Alternatives that provide superior protection, and enhance revenues.

Please do something about this atrocious piece of legislature called the Digital Millennium Copyright Act. It only serves to block progress while providing monopoly status for a select few.

Sincerely,

...

Reminds me of a Quote from Alpha Centauri

[C.+Mattix]

This reminds me of a quote from the game Alpha Centauri. I believe Pravin Lal says is: "Beware he who would deny you access to information, for in his heart he sees himself your master." Just a random observation...

Re:NO!

[Mignon]

it mainly turns on a contract issue about the clickthrough agreement

Then Dr. Felten's OK, since Amazon will be suing SDMI for breach of patent on the "I Agree" button.

Also available at Cryptome

[Stavr0]

Reading Between the Lines: Lessons from the SDMI Challenge In HTML or mirror-able ZIP file.
---

There is a huge upside to this!

[werdna]

DMCA can only be defeated in two ways:

1) Judicially neutering it, either by judicial construction of its provisions that broaden its scope to permit free discussion and disclosure of the technology, or by finding broad constructions unconstitutional absent fair use provisions; or

2) Politically, by getting the Congress to change its mind and send RIAA home without its supper.

In view of the decreasing credibility of RIAA outside its spin rooms, and increasing interest by the public in Napster and its progeny, Congressmen and Senators are beginning to publicly suggest a substantial "rethink" of its provisions.

Until recently, folks have been pooh-poohing the alleged downside of the Act, suggesting that only the pirates or collaborators are getting nicked, and this has held sway in the halls of power; and in the halls of justice. The suggestion that mere enforcement of (or threats of enforcement of) DMCA provisions doesn't chill freedom of speech or sound academic freedoms (pointing to the so-called "research exception") has been set aside in the broader interest of "protecting artist incentives."

This can no longer occur without a substantial rebuttal.

Sure, I would have far preferred Professor Felton to cock a snoot at them, fight the good fight and win in the Supreme Court a great victory for us all. (Ultimately, I believe he must prevail on the merits -- his argument is even stronger than the one Kathleen Sullivan is going to make before the Second Circuit in the DeCSS case).

But this is just as well. Good lord, a Princeton professor being squelched from delivering a pure research paper already published and readily available on the internet? This is of enormous political advantage -- it will overwhelm the spinners, and perhaps be more valuable than anything else that could happen.

This is because it makes it enormously harder for folks to hand-wave the first amendment issues, and to show how ludicrously broader the DMCA is than any sound basis for Copyright incentives can justify.

In recent years, no good has ever occurred when the legislature has tried to "catch up" IP law to the present -- every time it has reduced to a handout to the politically powerful media lobbies. The formerly powerful library lobbies were bought off with express excemptions, and the traditional academic forces and liberal civil liberties organizations have not been so effective lobbying the increasingly Republican-controlled legislatures.

Now, there is real ammunition. New, more powerful constituencies are realizing their commercial well-being is being affected by the overbearing and overreaching exploitation of these laws well beyond the bounds of reason. And traditional civil liberties organizations are begining to make more sense to the public because of the "realness" of losing Napster, and the pretty decent story that Felton would make.

What's more, by complying with the law as outrageously asserted here, Felton can NEVER be cast as a pirate. He will be a poster-child for DMCA reform far more powerful than any limited victory he could win in court -- at best just a finding that a research scientist performing crypto research falls within the crypto research suggestion. That syllogism wouldn't be as big a win as the repeal or political neutering of DMCA.

So, despite the emotional letdown I feel, this is probably a Really Good Thing.(R) RIAA probably lost more by winning than they would have by losing.

University Students: write your professors!

[CoughDropAddict]

This should catch the attention of any academic researcher -- do your part to help raise awareness in the academic community! Below is a letter I sent to my math advisor:

Dr. ******,

As you could probably guess, there are many political issues about which
I have strong feelings for whatever reason, especially in the realm of
computers and cyberspace. While it is normally most appropriate to keep
these to myself, an issue has come about which I believe has a very
direct impact on you and on other professors with respect to the
academic research you regularly conduct. This is why I am writing to you
today.

In September of 2000, the Secure Digital Music Initiative (SDMI)
announced an open contest to the computer community
(http://www.sdmi.org/pr/OL_Sept_6_2000.htm), inviting people to try and
break a watermarking scheme they had developed for digital sound files.
They challenged anyone to remove the watermark present in several audio
samples they published on their web site, without noticeably degrading
the quality of the signal. The reward was to be up to $10,000 in
exchange for non-disclosure of the solution.

A group of researchers from Princeton University led by Dr. Edward
Felten decided to take on the challenge and found several successful
methods for removing the watermark. The researchers decided against
accepting the prize money with the attached requirement that they keep
their research secret, and instead authored a paper titled _Reading
Between the Lines: Lessons from the SDMI Challenge_. It was their
intention to present it today at the 4th annual International
Information Hiding Workshop in Pittsburgh
(http://www.cert.org/IHW2001/).

However, on April 9th, they received a letter from the Recording
Industry Association of America (RIAA) threatening a lawsuit if they
presented the paper as planned, claiming that the contest agreement did
not "'expressly authorize' participants to disclose information and
research developed through participating in the Public challenge.

As a result, Dr. Felten made a public statement today that he and his
colleagues would not be presenting the paper as planned. "Litigation is
costly, time-consuming, and uncertain, regardless of the merits of the
other side's case," he announced. "Ultimately we, the authors, reached
a collective decision not to expose ourselves, our employers, and the
conference organizers to litigation at this time."

His statement, the letter from the RIAA threatening litigation, and the
paper itself can be viewed at (http://cryptome.org/sdmi-attack.htm).

I believe this is a frightening precedent, and a major blow to academic
freedom and the research community. Felten's crime was conducting
research that was seen as threatening by the business community--what
research will they decide they don't like next time? What can be said of
"academic freedom" when a rich company need only write threatening
letters to suppress troublesome knowledge?

If you agree that this is relevant and pertinent information, I would
appreciate it if you would forward this e-mail to any of your colleagues
who might be interested.

Sincerely,

Joshua Haberman

--

Turn The Tables On Them

[frenchs]

I say the researchers should turn the tables and sue.. ($1+ lawyer fees seems like a good penalty) the RIAA for infringing on their first ammendment right to freedom of speech.

And what I think what they should do is take a page from the DeCSS proceedings and introduce the research paper itself into evidence... therefore making it public. heheh

Steve

Re:Turn The Tables On Them

[Fesh]

Sadly, I believe that the First Amendment only applies to government restraint of speech. A corp can do anything it damn well pleases as long as it doesn't run afoul of pertinent regulations, none of which apply to corporate silencing of someone not employed by them. In fact, as far as the wording of the First Amendment goes, it only says that Congress can't make any laws that abridge individual speech. Which means that the rest of the government can do just about anything it wants to as well.

Fun stuff! I'd like my totalitarianism with a mega-sized order of fries and a 64-oz Coke(tm), please!

--Fesh

Re:Have Corporations replaced Religions?

[cr0sh]

Ok, this time it is lawyers instead of torture. But, I don't see that much difference, really.

trentfoley, I fully support your opinion and ideas on this whole thing - you are most certainly correct that the corps are acting in a similar way as the Catholic Church did so long ago...

But to say a horde of lawyers is anything like torture only belittles the actual hell that torture is.

Want an eye-opening experience?

Go to the Museum of Man in Balboa Park in San Diego, California (USA). They currently have an exhibit (or at least they did when I was there in February) on torture, the Inquisitions, and the machines/devices used.

Oh sure, they have your standard rack and Iron Maiden (actually an 18th century period-repro of the original), guillotene (sp?) and thumbscrews. But there are other devices there - some reproductions, some actual devices that were once used. All with descriptions detailing how they were used, why (ie, the "crimes") and when. The horrors one used to (and in some regions today, still have to) have to endure just for being a woman, or being a "fool" (or a loudmouth, or similar) are sobering, to say the least.

And disgusting.

I entered into that exhibit with curiosity - I exited ashamed of being human.

Worldcom - Generation Duh!

NO!

[MartinG]

claiming the research paper is a circumvention device

NO!

The paper is (among other things) a description of how to go about making a circumvention device. Not a device in itself. Big difference. cf. "bombs" vs "list of bomb ingredients."

Re:NO!

[MaxVlast]

I've been pretty neutral on this whole issue -- I think the DeCSS case is pretty braindead on the part of the MPAA, but figured there wasn't a whole lot at stake.

I was wrong. When the same proerpty-protection is used to suppress two independent academic efforts devoted to the creation of knowledge and ability, I'm piqued.

As a student at a research-heavy institution (the home of Dr. Touretzky) I now must fear that the research that my colleagues and I pursue may unwittingly stumble onto the front lawn of a capitalist industry association with a shotgun and a vengeance. That's not just un-academic, that's unconstitutional.

To the ramparts, troops!


--
Max V.

Re:NO!

[RandomPeon]

The paper contains pseudocode-like descriptions of how to retain your rights. It's a "device" under the DMCA

That's the whole problem, if source code, a very precise and computer-centric format for describing a process is a device, translating the "device" into a less precise and more human-centric format means it's still a "device".

Re:has anyone noticed

[trixillion]

Oh, yeah noticed it right off the bat. The paper was a funny read for anyone with a background in signal processing. The SDMI should definitely be worried. While it took some ingenuity to determine what scheme was being employed. Most undergrad EE's and some CE's armed with this paper could write the necessary filters to remove the watermarks.

Good Tactics

[bwt]

Folks, this is a big league PR move, and it's quite well-timed.

The oral arguments for the DeCSS case happen May 1. Given the critical decision the 2nd Circuit will be making in the next few days, the goal should be to bring the anti-DMCA sentiment to a crescendo, and Felton's action should help achieve that. By withdrawing his paper, some very negative press should be aimed at the DMCA by major news organizations.

People should keep in mind that the anti-DMCA push is very well orgainized, and that Felton has already participated in it. I have no doubt that the paper will be published in a few weeks (not counting that it has already been leaked!). Meanwhile, major media organizations have a great reason to run "The DMCA is draconian" stories soon, citing Felton's case.

The timing of this is supurb, and it's frankly a sharp tactical move. Felton will probably publish this paper in a few weeks. Hell, more people will read it because of the suspense. IMHO, he's on very sound DMCA footing as he clearly qualifies for 1201(g).

RTFFaq

[jacobm]

Your claim that the researchers were just helping out the RIAA has been made to the researchers many times.

From the faq:

Q. By participating in the challenge, weren't you helping the record companies impose restrictive technology on music lovers?

and...

Q. By participating in the challenge, weren't you helping pirates steal copyrighted music, impoverishing musicians and songwriters?

We believe our success against all four watermarking technologies, and our sharing of those results with other researchers, will not help anyone impose or steal anything.

On the one hand, this information cannot be used to make restrictive technology. If anything, it suggests that all of the proposed technology is incapable of being restrictive.

On the other hand, this information cannot be used by pirates if the technologies are never deployed. This is why it is best to perform analysis on a security system before it is released.

Q. Still, wouldn't it have been better for SDMI had you not analyzed their system?

SDMI invited the public to analyze their technologies (to "crack them" said their invitation,) setting up a web site and hiring people to assist. Also, any weaknesses in SDMI's technology would have existed even if we hadn't looked for them---analysts do not create flaws, but merely detect them---and if the SDMI system had been deployed as is, pirates would have found and exploited those weaknesses, regardless of our actions.

The study of information security is based on two equally important components: the design of security systems, and the analysis of (attempts to break) those security systems. One occasionally encounters the misconception that analysis is destructive and evil, and that people performing analysis are attackers who wish to exploit those systems. Rather, analysis is a critical component of the development process. Without it, one would never know if systems were well-designed, and one would never learn how to design better systems.

Q. Still, wouldn't it have been better for opponents of SDMI if you let SDMI go ahead and deploy a flawed technology, so music lovers could teach them a lesson by copying music despite the technology?

Of course not. This is scientific research: it is not our goal to engage in tactics such as tricking the industry into choosing a flawed system. Our goal is simply to analyze security systems and share our results openly with the scientific community.

Again, researchers who crack cryptosystems and security systems are not motivated by a desire to exploit these flaws later. They are merely subjecting systems to analysis, motivated instead by a desire to increase the existing body of knowledge about security systems.

Secondly, if the technology is cracked in deployment, rather than on the drawing board, everyone loses to some extent. The recording industry obviously, device manufacturers most certainly, but even opponents of SDMI. Even pirates! To an opponent of SDMI, even a broken, circumventable SDMI system is worse than no SDMI system at all.

--
-jacob

Having their cake and eating it, too...

[Noryungi]

Like many others, I can't help feeling disgusted by all this.

It's one thing to attack everytime someone does something that may be used to circumvent intellectual property rights, but, come on! Threatening someone because he took up a challenge you made?

What I would like to know is this:

• would it be possible for ACLU (for insance) to publish this paper and get sued instead of Pr Felten?
• Would it be possible to translated and/or publish this paper in a country with a saner legal framework?

This being said, I am almost certain any judge reviewing this case would just throw it out. Suing the SDMI challengers is almost as stupid as suing Galileo for saying the Earth is round and not flat...

Re:Having their cake and eating it, too...

[dachshund]

Would it be possible to translated and/or publish this paper in a country with a saner legal framework?

Well, there's really no point in doing that, as the paper is available online. Translating it into Spanish and publishing it in Cuba would hardly be much of an improvement.

Which makes it even more galling! The RIAA knows that the paper is not a secret, and has already been released to the whole word. Therefore, by going after Felten they're not really trying to prevent someone from using the techniques described, they're simply trying to intimidate academics. There's no other explanation than that, and I'm really really sorry that Professor Felten let them get away with it. I understand that he has other people to consider, but it will be miserable if these actions are allowed to stand.

Mirrored:

[LocalYokel]

This probably isn't the only one:
http://www.theregister.co.uk/extra/sdmi-attack.htm .

Is it out on Freenet yet?

--

Re:Well

[Technik~]

This is why when someone brings a law suit against someone else and looses[sic], they should not only compensate that person/company, but should do so 100X the costs it took to defend themselves. Then the RIAA would have to reconsider next time it was to use terrorism and its bought Senators to push researchers around.

This is a truly awful idea and I'm ashamed that it got modded up to '5'. Who benefits most from a situation where a failed lawsuit can rebound and cost the plaintiff 100x the cost of defense? Big companies, the same big companies you rail against. Little guys with solid cases against big businesses will be pressed to the wall to justify a lawsuit when they tally up the $250-$500/hour that a lawyer costs and multiply by 100.

Does anyone believe that a scheme like this would be anything but a lever used by well-funded entities to cow the aggrieved into settling and pervert the legal process? Right. It will stop frivolous lawsuits by guaranteeing that they are not brought by any group that can't pony up an escrow of a few million dollars per month as the suit drags on.

So basically what you're telling me...

[Greyfox]

Is that a corporation, with the mere threat of a lawsuit, can silence any individual or academic group because win or lose that person or group will be bankrupted by the legal expenses.

I don't think this is what the founding fathers had in mind.

Re:So basically what you're telling me...

[Fractal+Law]

That's basically it.

Of course, it could be argued that the founding fathers did not predict the existence of multi-national corporations whose stock value exceeds the GNP of many countries.

The anti-trust laws (though severely outdated) and class action lawsuits give some protection against certain abuses of power by corporations but that does not include protecting individuals from legal bullying.

The apathy of the majority of the American population on the matters of corporate influence in Washington, reduction of first amendment rights, and the reduction of fair use rights seems to preclude any new laws properly addressing these problems.

If the situation gets bad enought then maybe there will be enough public pressure to enact some changes but things will have to get pretty bad.

As long as people just sit around complaining about the current state of affairs without actually doing anything then nothing will ever change. Donate to the EFF and ACLU, write your congressperson, attend the various demonstrations that are often organized when one of the cases gets to trial.

Re:So basically what you're telling me...

[leviramsey]

That's the operative principle behind most lawsuits. Drive the cost of defense (or prosecution) up so much that they throw in the towel. It's a war of attrition, basically.

The solution, at least in the most frivolous cases, is loser pays. I would imagine that most courts would find against the RIAA at this point. If loser pays, then the RIAA would have to pay the legal expenses of these researchers.

Mirror of SDMI contest site (not the paper)

[Seth+Finkelstein]

There's an interesting mirror of what was on the "HackSDMI" site: http://diddl.firehead.org/censor/hacksdmi.org/

This is the site set up by SDMI for the challenge, not the researcher's paper.

It's a general miror site, part of http://diddl.firehead.org/censor/

shit shit shit

[jbridge21]

I have a paper done by two French dudes who hacked it. I am currently getting what I hope is a copy of the paper in question for this article.

All of this stuff, as well as the original watermarked files, can be found here.
-----

I know how to solve the problem.

[bmajik]

Step 1: Collect RIAA Lawyers and executives

Step 2: Dress them in football and cheerleader uniforms

Step 3: Round up all the kids that wrote "me too" geek persecution stories for Jon Katz's book

Step 4: Lock them all in a small room with lots of video walls.

Step 5: Pipe footage of DOOM and ROBOCOP onto said video walls for a few hours

Step 6: Toss in the handguns and run

Actually, they did the right thing.

[gfxguy]

Now, more people than ever are going to have access to this paper than there would have been otherwise. It's also drawing a lot of publicity and showing the RIAA and SDMI in a negative light.

After the accusations of marketing music with "mature" content on it to kids (pretty bogus, but amusing nonetheless), the RIAA has been getting a lot of bad publicity lately.

Good.

Free Speech - Reason

[xant]

Reason is the tool to use to change opinions?not censorship. [ . . . ] if the government censors you today, I could be next tomorrow, perhaps for an entirely different reason. That?s why it is so important to uphold the principle, even when in practice it is difficult to do so. There?s no challenge involved in defending someone you agree with; the stretch is standing up for your opponent?so that everyone?s rights are preserved.

This could even go further, in my mind. It's not just that we must defend our own rights by defending someone else's. Free speech gives rise to reason. Nobody knows the full story; it is only through hearing those who disagree with you that you come to understand the flaws in your own argument, and reconcile them. Free speech, and the ability to hear those who you disagree with and disapprove of, isn't just the companion of reason; it is the origin of reason.
--

i love the subtlety!

[thelaw]

check this out:

"Litigation is costly, time-consuming, and uncertain, regardless of the merits of the other side's case. Ultimately we, the authors, reached a collective decision not to expose ourselves, our employers, and the conference organizers to litigation at this time."

"regardless of the merits of the other side's case." in other words, even though they have no legal grounds for threatening us, they still might win so we're not going to try it.

jon

Great. Brilliant. (SARCASM)

[Fesh]

Wonderful. I know this is going to get buried under the heap of like sentiments, but I'm going to say it anyway.

Justice is dead.

So is science, art, and practically any other advancement that we can make as a civilization. When the sheer cost of litigation even when you know that the other side has their heads up their collective asses dissuades people from engaging in "Science and the useful arts", there's nothing more to be said. It's over folks. Enjoy the plunge.

--Fesh

Re:TAKE THE CASE!!

[Fesh]

Why, oh why, did they have to word it like that? Is it just me, or is the phrase "PERMISSIBLE ACTS OF...RESEARCH" inherently sickening? Yes, I had to add an ellipsis in there to make my point, but can anybody look at that phrase in that light and not be nauseated by the fact that an entire branch of research is pursuable only at the sufferance of large corporate interests?

--Fesh

Copy of the pape on my website w/ an FAQ

[mecredis]

Grab the paper here.
I also included a nifty FAQ.

Feel free to correct me on any of my silly ramblings in the FAQ...


--Fred

has anyone noticed

[roman_mir]

When I was reading the SDMI challenge attack schemes, I noticed that the people involved into the attacking have a great sence of humour:

Thus, we had reason to suspect a complex echo hiding system, involving multiple time-varying echoes. It was at this point that we considered a patent search, knowing enough about the data hiding method that we could look for specific search terms, and we were pleased to discover that this particular scheme appears to be listed as an alternative embodiment in US patent number 05940135, awarded to Aris corporation, now part of Verance [5]. This provided us with little more detail than we had already discovered, but confirmed that we were on the right track, as well as providing the probable identity of the company which developed the scheme. It also spurred no small amount of discussion of the validity of Kerckhoffs's criterion, the driving principle in security that one must not rely upon the obscurity of an algorithm. This is, surely, doubly true when the algorithm is patented.

The stick has two ends to it. On one hand a corporation wants to patent technology that prohibits use/copy circumvention, on the other hand, the same patent can be used as a FAQ for an attacker to circumvent the anti-circumvention mechanism. Of-course, in this case the patent information was not used by the attackers, they only recognized it after the 'oracle' let them know they have won.

Free speech?

[mybecq]

We remain committed to free speech and to the value of scientific debate to our country and the world.

In what way is that commitment evidenced? You only are committed to free speech when no one threatens you with litigation? Sounds like someone else is calling the shots.

We will continue to fight for these values, and for the right to publish our paper.

Looks like the towel is in the ring (at least for this round)...
FWIW, I don't really care what they do -- it's their call. But this kind of rhetoric doesn't hold much water...

Paper Trails

[Wintermancer]

Wow. A paper as a circumvention device? The DMCA is just stretching things too far.

It has be said before, but really now, what will it take for the DMCA to be overturned?

Cut to: Business Street - Day
"Citizen! You are under arrest!"
"For what?"
"You are in possesion of an illegal circumvention device!"
"What the fsck are you talking about?"
"You have a manual, paper, or other printed material describing how to circumvent, illegally, copyrighted or other intellectually protected material."
"You mean this!?"
"Yes, now put the decss t-shirt down and stand away!"

Big Brother ain't got nothin' on Big Corporations.

Thank God I live in Canada

NOOOO! Fight it!

[lowe0]

Don't back down! The DMCA doesn't cover security research! This is an opportunity for a young lawyer (does Princeton also have a good law school?) to make a great case that just might break the DMCA.

If anyone has the specific part of the DMCA covering research, please post it.

Re:Absurd!

[Tassach]

The first question I have is, besides being run by big-ass corporations with large sums of cash, how does the RIAA have any real power?

You said it yourself: large sums of cash. Money = Power. If you have the cash to hire an army of lawyers, you can use the legal system to bully anyone into submission, unless they happen to have (and are willing to expend) sums of cash on the same order of magnitude. This is why tort reform is so desperately needed, so that megacorporations (and governments) cannot use the mere threat of a (baseless) lawsuit to pummel an oppenent into submission.

Been there, done that, US Congress didn't like it.

[oddityfds]

Some people in Sweden (where I live) tried that with the secrets of Scientology. The information was available for a while, until the US Congress pressured the swedish government a bit... Sigh.

Functionality and free expression

[gunner800]

Judge Kaplan, who "banned" DeCSS as a circumvention device, said that source code is not entitled to First Amendment protection because it is "functional". An academic paper is not functional, it is purely expressive. An academic paper is protected expression. Even the most crack-brained judges don't question this.

The RIAA might be able to successfully sue the researchers for circumventing the protection at all (since they didn't exactly enter the contest) but the paper itself is still legal. Even Kaplan (collective boo's, hisses) would give the paper protection.


My mom is not a Karma whore!

Write your congressperson (addresses)

[startled]

Yeah, yeah, same thing every story, but I find it useful, so here are the links:

Write your Senator.
Write your Representative.
Remember, snail mail only-- e-mail really doesn't do shit. And include that return address everywhere, so they know you're in their district. And finally, if your state is considering other similarly draconian measures such as UCITA, write your state government as well (site at www.[two letter state code].gov).

Re:Write your congressperson (addresses)

[leviramsey]

Actually, the state sites are: of the form http://www.state.{two letter abbreviation}.us

Damn commie academics!

[EschewObfuscation]

...trying to deploy Weapons of Math Instruction!

(email addr is at acm, not mca)
We are Number One. All others are Number Two, or lower.

Re:TAKE THE CASE!! -- AND LOSE!

[nick_danger]

`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--

...

IANAL either, but it seems to me that the RIAA has standing in this. The bit you quoted merely says that a researcher can in good faith circumvent an encryption method, but it does NOT grant the researcher the right to discuss those circumvention methods with her or his peers. They met all the requirements of (2)(A)-(D) when they broke the encryption. That much was legal. Presenting a paper to tell the world how they did it is not permitted under this law.

No, boys and girls, they made the right call. Its not likely that they would have prevailed in court. The RIAA's pockets are far, far deeper, and they're in a much better position to kill resistance through litigation. The battle over the DMCA must be chosen wisely, and this case just aint the grail.

Re:Well

[Mr.+Barky]

This is why when someone brings a law suit against someone else and looses, they should not only compensate that person/company, but should do so 100X the costs it took to defend themselves. Then the RIAA would have to reconsider next time it was to use terrorism and its bought Senators to push researchers around

I bet the corporations would love that. Nobody would ever bring suit against them again. It would be way too risky.

Re:They chose their only option

[Decimal]

Secondly, even if your university doesn't support you you should at least fight for what's right. I'm disappointed that the scientists gave up the fight without making more noise. I guess the career means more to them than the truth. Ok, unlike me they're established scientists and "can't afford" to lose their status, but still...

But still what ? If they can't afford the social damage, the stress, the time, potentially losing their jobs and especially not the price of the legal battle, what do you really expect them to do?

Why don't you become the martyr you'd like them to be? You consider all of these things to be less important than the truth, right? Crack the same codes on your own and have your results published. All of us here at Slashdot will be singing your praises while you're in court.

Re:This is a purely American viewpoint.

[Fat+Rat+Bastard]

Only morally and socially acceptable speech should be fully allowed to be spoken freely

...and there in lies the rub. Who decideds what's "morally and socially acceptable speech?" The great irony of your statement is that Hitler did exactly what you propose. He surpressed speech that didn't adhear to his vision of what was "moral and socially acceptable." This is EXACTLY the reason the first amendment is fought for tooth and nail here.

If you don't have anything nice to say, say it often.

How about this ...

[John+Jorsett]

We get a friendly congressbeing to insert DeCSS, the Princeton research, and anything else being threatened by the RIAA, MPAA, CIA, NAACP, et al into the Congressional Record. Then let these groups take on the federal government if they dare. Not only will it be entertaining, it'll let the legislature find out what it's like to be on the receiving end of one of their laws. It might even get the Congress to decide what they really meant in the DMCA.

That's a shame.

[Wordsmith]

It would have been really great to see a legitimate challenge here. The issues at stake are almost identical to those in the DeCSS case, but having professors fight the good fight means a lot more to judges and the public than the free-speech claims of a few hackers.

Re:That's a shame.

[haplo21112]

I agree, this is akin to schools in the bible belt saying you can't teach evolution. These scholars(of course we are too, most of the stuff I do because I want to learn, and see if it can be done, I just don't do it for a school), should be allowed to publish this paper with out reprisal! I believe they have a fundamental right to do so. Knowledge should be free, and the DMCA is toliet paper, that oughta get brought up as being unconsitutional and thrown out in anycase.

Re:That's a shame.

[Joffrey]

The irony here is that the RIAA claims to support freedom of speech. What hypocrites.

From the RIAA's site: RIAA's Freedom of Speech Page

The First Amendment of the Bill of Rights to the U.S. Constitution guarantees four freedoms: freedom of religion, speech, press and assembly. The Bill of Rights was ratified on December 15, 1791. Since that time, those freedoms have been discussed, debated, fought and died for. Since that time, millions of immigrants have come to America to secure those freedoms. The Founding Fathers knew what they were doing. They believed in the power of ideas and debate, not censorship.

The freedom of speech concept came from England. During the Glorious Revolution of 1688, King James II was overthrown, then William and Mary were installed as joint monarchs. The following year, the English Parliament secured a Bill of Rights from William and Mary that granted "freedom of speech in Parliament." One hundred years later our founding fathers were wise enough to expand that principle to everyone, not just members of Parliament.

In his 1801 inaugural address, President Thomas Jefferson reaffirmed the principle of free speech saying, "If there be any among us who would wish to dissolve this Union or to change its republican form, let them stand undisturbed as monuments of the safety with which error of opinion may be tolerated where reason is left free to combat it." Reason is the tool to use to change opinions--not censorship.

During World War II, addressing Congress, FDR expressed the hope that the four freedoms would be embraced the world over. He said, "We look forward to a world founded upon four essential human freedoms. The first is freedom of speech and expression--everywhere in the world." Clearly we are not there yet. Freedom of speech is not a right in every country in the world. Yet, just as clearly, it is a freedom desired in every corner of the world.

Most students recognize Voltaire's defense of free speech...

"I disapprove of what you say, but I will defend to the death your right to say it."

The underlying premise is, if the government censors you today, I could be next tomorrow, perhaps for an entirely different reason. That's why it is so important to uphold the principle, even when in practice it is difficult to do so. There's no challenge involved in defending someone you agree with; the stretch is standing up for your opponent--so that everyone's rights are preserved.

For as long as the First Amendment has protected our right to free speech and expression, elements have tried to undermine that right. Censorship often raises its ugly head during trying times when our nation faces difficult, seemingly insoluble problems. That is why Justice Louis Brandeis opined in Whitney v. California in 1927, "Fear of serious injury cannot alone justify suppression of free speech and assembly. Men feared witches and burned women. It is the function of speech to free men from the bondage of irrational fears." Brandeis knew what Jefferson knew--reason and free speech, not fear and censorship, should prevail.

The Supreme Court reaffirmed this position in its 1997 decision on the Communications Decency Act (CDA) that sought to limit material placed on the Internet. RIAA was active in a broad coalition of industry and civil liberties groups that opposed the CDA. The high court struck down the law. In an opinion written by Justice John Paul Stevens, the high court decided, "Notwithstanding the legitimacy and importance of the congressional goal of protecting children from harmful materials, we agree with the three-judge district court that the statute abridges the freedom of speech protected by the First Amendment."

Best possible result

[arkansas]

Seriously, this is the best result anybody interested opposed to the DMCA could possibly have hoped for. It exposes the DMCA for what it is - a crude weapon intended to bully and threaten. There are very few things that could attract as much attention as the thought that purely academic research is being suppressed. Felton's letter will sqay opinions strongly against the tools used to threaten these researchers. I, for one, welcome this as the critical step in the road to seeing these laws repealed (or at least completely rewritten).

Re:Best possible result

[Dokta_C]

It's already on the front page of bbc news online.

At the very bottom though...

Re:Sad, Sad, Sad........

[GungaDan]

Sad (x3) but true. When a physician/researcher contracts with a pharmaceutical sponsor, that sponsor typically includes a clause stating that all information derived from the research is the property of the sponsor, and that the researcher must seek sponsor's permission to publish, or even discuss, the research findings. Researchers have been sued for publishing findings derived from pharmco-sponsored research that were unflattering, or contradictory to the sponsor's always-cheery findings.

Importantly, very recently a British scientist by the name of David Healy, who had been invited to work at the University of Toronto, had the invitation rescinded because he gave a presentation critical of Prozac and its tendency to arouse suicidality in patients who were not previously suicidal. Dr. Healy stated in his presentation that Prozac may have been responsible for 1 suicide for each day it's been on the market. Eli Lilly, the manufacturer, didn't appreciate the comments, and also happens to be the single largest donor to/supporter of the University of Toronto's medical teaching center. UT officials deny that Lilly had a role in the shooing-away of Dr. Healy, as do Lilly's lawyers. Interestingly, Lilly did the same thing to Healy last year, when he sought to publish a similar article in a Hastings Center publication.

Point is, academic freedom has been sold out to PhRMA and the legal drug cartels for years. Still, I'm disappointed to see the RIAA (and other 4-letter words) getting in on the action of stealing our public knowledge/awareness/safety in the name of profits and IP. Shameful.

They should've called their bluff

[AnalogDiehard]

Had the RIAA actually gone ahead with the threat, they would've crossed the battle line and in time dug their own grave.

Read here:

http://www.law.cornell.edu:80/constitution/const it ution.billofrights.html#amendmenti

The first amendment says that Congress shall pass no law abridging the freedom of the press (read: the presentation paper) or the freedom of speech (read: the formal presentation).

The DMCA was made into law by Congress. It doesn't matter whether the RIAA or whoever lobbied for its passure. Only Congress has the power to make law, not the lobbyists. Therefore if the DMCA can be used to diminish the freedom of the press or freedom of speech, then a court would've declared the DMCA unconstitutional.

It has happened before. The EPA was deriled by the courts when their severe restrictions placed on wetlands that belonged to private owners was found to have violated the fourth amendment's rights against unreasonable seizure of private property.

Re:They chose their only option

[Peter+Dyck]

I can't believe this.

As a scientist this disappoints me on two fronts.

Firstly, apparently Princeton decided not to defend their scientists. This most disappointing and signals how modern universities are dependent on the external funding.

Secondly, even if your university doesn't support you you should at least fight for what's right. I'm disappointed that the scientists gave up the fight without making more noise. I guess the career means more to them than the truth. Ok, unlike me they're established scientists and "can't afford" to lose their status, but still...

Ok. This matter is political all the way, so I might as well say this: this is what we'll all end up with if WTO gains more ground. Please remember, that his is not just a US issue.

Isn't the point moot, though?

[2nd+Post!]

If the challenge has been met, by these researchers, then it means it can be met again and again(the whole point of scientific process and such)

Which means any player or device that uses any of these technologies can be hacked or cracked or tampered with (or not, depending on what the research conclusions were) reliably and consistently.

Which means *not* publishing is actually fraud and lying to the various stock holders and people in charge of the music industry who may otherwise never know that they are about to pull another 'CSS'

Right?

Geek dating!

RIAA Intimidation? Fight back!

[Wrangler]

C'mon, people! We're Americans! They restrict *our* freedoms, we restrict theirs! This should be enough for everyone to get started. Write. Call. Mailbomb. Make 'em sorry that they f**ked with other peoples' liberty!

Registrant:
Recording Industry Association of America
(RIAA2-DOM)
1330 Connecticut Ave., NW #300
Washington, DC 20036
US

Domain Name: RIAA.ORG

Administrative Contact, Billing Contact:
McCaffrey, Howard (HM66) hmccaffrey@RIAA.COM
Recording Industry Association of America, Inc.
1330 Connecticut Ave., NW Suite 300
Washington, DC 20036
202-857-9618 (FAX) 202-775-7253
Technical Contact:
Dean, Christopher (CD7268) cdean@RIAA.COM
Recording Industry Association of America, Inc.
1330 Connecticut Ave., NW #300
Washington , DC 20036
202-857-9616 (FAX) 202-775-7253

Record last updated on 27-Feb-2001.
Record expires on 09-Jan-2003.
Record created on 08-Jan-1997.
Database last updated on 25-Apr-2001 23:27:00 EDT.

Domain servers in listed order:

PDNS1.ISC.CW.NET&nbs p; 208.134.245.2
PDNS3.ISC.CW.NET&nbs p; 208.134.245.10
NS4.CW.NET&nbs p; 204.70.4 9.234

slashdot % traceroute -n 208.134.245.2
traceroute to 208.134.245.2 (208.134.245.2), 30 hops max, 40 byte packets

...
17208.134.242.20989.558 ms90.012 ms95.870 ms
18208.134.242.11095.463 ms !X94.116 ms !X89.937 ms !X
Oh, look!A firewall!Guess they're safe, huh?

Well

[Auckerman]

"Litigation is costly, time-consuming, and uncertain, regardless of the merits of the other side's case. Ultimately we, the authors, reached a collective decision not to expose ourselves, our employers, and the conference organizers to litigation at this time."

This is why when someone brings a law suit against someone else and looses, they should not only compensate that person/company, but should do so 100X the costs it took to defend themselves. Then the RIAA would have to reconsider next time it was to use terrorism and its bought Senators to push researchers around. "We remain committed to free speech and to the value of scientific debate to our country and the world. We believe that people benefit from learning the truth about the products they are asked to buy. We will continue to fight for these values, and for the right to publish our paper."

I like the language he chose here: "We believe that people benefit from learning the truth about the products they are asked to buy.". This sums up the nature of the music industry as it exists today. All of the weathy labels have united to form a monolopy over artists. These artists are forced to release their copyright, or they don't get the large resources of the Labels promotional firm at thier disposal. As a result of this, these companies hold the copyrights to the majority of the popular music in the United States and work togethor, with hardware makers, to force on the public any format the RIAA wants. If they wanted to switch to an "encrypted" cd format in the next 5 years, just like MPAA did with DVD's, they could. Then when "DeCSS" for music comes out so people can encode mp3s, or listen to there "AudioDVDs" on Linux, the RIAA could sue some kid into the ground for breaking their equivalent of ROT26 encryption.

Fucking bullshit, I tell you. I no longer fear my govt, I fear the companies the Senators are giving the power too. Before you pass me off as some "Rage against the Machine" fanatic, I'm not. I'm just pissed that the RIAA has more control over the Senators and Represenatives that I voted for, that my fellow citizens and I.

I say publish the damned paper, break all of their encryptions, and take a piss on the steps of the steps to the RIAA's lawyers.

Have Corporations replaced Religions?

[trentfoley]

It really wasn't that long ago that scientists were persecuted by the Roman Catholic Church. Some may argue that it continues to do so to this day. But back when, if you said that the Earth revolved around the Sun, you were a heretic. And, when The Church declared people to be heretics, it was fair game to go after them in the eyes of the fearful public.

Now, I have always felt that organized religion was the most effective method of mind control, with the bonus of making a profit. But, now I see that organized religion was nothing more than a precursor to the corporations that are now controlling the masses, and making huge profits. The corporations are the ones now declaring people as heretics, by calling them hackers. These same corporations dictate what science is suitable for publication using the same fear techniques the Church used: fear of persecution. Ok, this time it is lawyers instead of torture. But, I don't see that much difference, really.

My question is: Who will be the next Martin Luther?

Thanks, I'm feeling much better now.

Real or Imaginary?

[not_the_resurrection]

In the world of animal experiments it's not unheard for a group to publish papers under the name of one person in the group. This person is typically paid danger money to compensate their risk from animal extremists.

Would somebody be prepared to stand up and publish papers written by somebody else to deal with the SDMI extremists? Would we be prepared to pay them danger money?

Another alternative might be to publish under a pseudonym. The Student's T-test is named after the statistician Gossett who published in the name "Student". Student worked for the Guinness brewery, but they didn't allow publication to be associated with the brewery. (The "drink guiness makes you smart" slogan didn't go down well :-)

Re:This makes NO sense...

[HiNote]

No, it makes perfect sense. The SDMI is threatening a lawsuit because their watermarking techniques were never _really_ meant to provide security. They were meant to provide the facade of security so that they can claim it "adequately" protects their music and sue the pants off anyone who tries to break it. It's all been carefully crafted. Last fall they opened their watermarking algorithms to the "hacker" community for a month to see if they could break it. 1 month. Which they thought wouldn't be enough time. Part of the _legal_ restrictions of the "contest" were that if you cracked it, you couldn't tell anyone how. Another part of the _legal_ restrictions of the contest was that trying to crack the watermarks the day after the contest ended was a violation of the DMCA. The contest was a complete success, for the SDMI anyway, and now they have proof that the watermarks are "adequate." This adds beef to their claim that the DMCA applies to their watermarks and can do what they have been wanting to do all along: sue (or threaten to) everyone and anyone who pisses them off. Say, for instance Dr. Felten

Egads...

[RareHeintz]

I seem to remember Bruce Schneier and others railing against the DMCA and its proposed variants before the U.S. Congress passed them, claiming that it would impair their ability to do legitimate research into security. At the time, they were written off as cranks (at least, by Congress), but it now appears to have come to pass - corporations have purchased (from elected officials who are supposed to be working for the citizenry, no less) the right to censor scientific and technical knowledge that threatens their outdated business models.

And how does the paper represent a "circumvention device"? DeCSS fits that definition, for sure - download the software, and you can rip DVD's. (Disclaimer: I'm not at all agreeing that that should be illegal - I'm just saying that DeCSS is a real circumvention device.) But there is no way to combine the paper and a piece of encrypted music and get unencrypted music out. One must first complete the non-trivial task of creating software or hardware that acts upon the knowledge in the paper - in short, the device has yet to be created (at least for widespread distribution).

Time to write my representatives again...

OK,
- B
--

Re:That's what Jon Johansen thought

[imipak]

True (AFAIK). However, that was the point at which deCSS mirrors mushroomed all over the world. I got an RIAA nastygram theatening email in January, 2000 - so far I haven't heard back from them. The day when Californian state law has jurisdiction in London, UK, IU'll pull the mirror. Until them I'll happy to make a small contribution towards trying to preserve a bit of freedom.
--
If the good lord had meant me to live in Los Angeles

Re:TAKE THE CASE!!

[Andux]

IANAL, but unless the case winds up in front of our good old buddy, the honorable Judge Lewis "Link Nazi" Kaplan, I think it should be fairly easy to win. Quoth the DMCA:

`(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH- Notwithstanding the provisions of subsection (a)(1)(A), it is not a violation of that subsection for a person to circumvent a technological measure as applied to a copy, phonorecord, performance, or display of a published work in the course of an act of good faith encryption research if--

`(A) the person lawfully obtained the encrypted copy, phonorecord, performance, or display of the published work;

`(B) such act is necessary to conduct such encryption research;

`(C) the person made a good faith effort to obtain authorization before the circumvention; and

`(D) such act does not constitute infringement under this title or a violation of applicable law other than this section, including section 1030 of title 18 and those provisions of title 18 amended by the Computer Fraud and Abuse Act of 1986.

Oops

[fibonacci8]

"You may, of course, elect not to receive compensation, in which event you will not be required to sign a separate document or assign any of your intellectual property rights, although you are still encouraged to submit details of your attack." They're encouraging the submission of details of a successful attack. Unfortunately they didn't say to whom they encourage it to be submitted. *mischievous grin* I'd recommend submitting it to several major news sources per the agreement.

Dear Mr. Successful-Security-Consultant

[Gruneun]

Last week, after paying an outrageous sum of money for an ADT security system, I posted a sign outside of my house. The sign offered my DVD player to anyone who could find a way into my house.

I have come to find out that you realized I left my window open. I know you spent a long time studying my house and its security system. It is a feat to be proud of. While I understand you don't really want my DVD player and you were not attempting to steal additional items, I must ask that you do not reveal the open window to anyone else. While it may protect others from similar security flaws, revealing this could cause others to steal things from my house.

Perhaps, I should have studied the house more or asked you to look at it before I moved my belongings inside, but that is immaterial and I will sue to protect my interests

Sincerely,
Mr. Cocky-Ass-Caught-With-My-Pants-Down

Re:Wrong icon

[Zeinfeld]

There may have been threats, or implied threats, yes. But no one stopped them from publishing their material

Censorship is any attempt to control publication of information. In this case the threats were successfull, it would have been a censorship issue regardless.

The fact that it is a threat of a civil lawsuit is irrelevant. One of the oldest censorship laws still in operation is the English Libel law which was expressly intended as an effective means of censoring the press.

Self censorship is still censorship. The audience at the conference was prevented from hearing the paper.

Strategies

[Zeinfeld]

At this point the key strategy should be to encourage SDMI members to resign.

This is not as hard as it may appear since most of the members are technology companies looking to hawk their technology. Those whose watermarks etc. have not been choosen are thus likely to be looking for an excuse to withdraw on principled grounds.

If an industry standards group is not going to endorse my technology then it is not exactly in my interests to continue to endorse them but resigning for that reason is going to look kind of bad. Give such folk an excuse to dis SDMI without looking bad and they will be out.

Another group that might well be detached is the second tier of device manufacturers. Sony is the only company to have tried to deliver an SDMI compliant device, an MP3 player that was a spectacular failure until the SDMI component was disabled.

The plain fact is that the record labels have not lived up to their side of the deal, they have not made their content available to download even if you do implement SDMI.

Another company that might be detachable is Microsoft. They have their own DRM package which works pretty well without the SDMI schemes. If Microsoft were to leave SDMI it would effectively be dead.

The fact is that SDMI has met none of the goals it set out to meet. The technology missed what the promoters admitted was the critical market window. We are now in the post Napster period in which the RIAA and labels are getting complacent about the net again, believing that the court case will kill Napster. The court case probably will kill Napster but the replacements will be even harder to deal with.

Having failled to come up with a secure scheme and having resorted to threats of lawsuits to supress discussion of the flaws in the scheme it is going to be very hard for SDMI to credibly claim that it will deliver a security scheme good enough to entice the labels to permit their content to be sold over the net. Without that key belief SDMI is nothing. Chiariglione would not be stepping aside as director if SDMI was coasting along to a huge success.

SDMI surrenders

[Zeinfeld]

From Salon On Thursday, Oppenheim released a backpedaling statement: "The Secure Digital Music Initiative Foundation (SDMI) does not -- nor did it ever -- intend to bring any legal action against Professor Felten or his co-authors.

A blatantly untrue statement. Or rather it is true to the extent that the creep does not claim that they did not threaten legal action, merely claiming that the threats made were unfounded. However as the Salon article points out the RIAA realized it had screwed up big time.

With the first ammendment implications of the DMCA being debated next week the last thing the RIAA needs is a proof that the act is unconstitutional and being used to chill free speech.

Proof that the RIAA and SDMI folk are not as smart as the cryptographers. Which is pretty much as expected. I mean if you are going to pick stupid fights best not choose folk whose entire mindset is attack and counter measure to six or seven degrees out.

Re:RIAA didn't do anything

[dachshund]

If I ask you to do something, and threaten to take away your job, home and all of your posessions (and I've demonstrated that I've got the means and the will to do it), how is that not coercion?

Answer? It is.

Why aren't we boycotting the RIAA and MPAA yet?

[cryptochrome]

Dear Slashdot users and moderators,

Why aren't we formally boycotting the RIAA and MPAA yet? We talk alot about legal arguements and political wrangling, but let's face it, the corporations definitely have the edge there. But as consumers, we ultimately have control over the almighty dollar. We should show them who's boss.

It's not like we don't have a reason, what with all the bullying, monopolizing, and litigation they jerk us around with. It's not like their business models aren't totally outdated. And it's not like geeks don't have influence - particularly slashdot. We're some of their biggest consumers. Make enough of a ruckus, hit 'em in the pocketbook, and they'll bend. Hell, we might even be able to take them out and give control back to the artists.

Love 'n Stuff,
cryptochrome

P.S. And just something to consider - years ago there was this big corporate squabble between VHS and Betamax. Everyone said it was stupid and expensive to have two standards, which is why a single DVD standard was settled on early. Then they split it up into 8 standards (aka "Region codes"), meaning you can't watch movies from foreign countries without a new player. Jerks.

P.P.S. And now would be a great time to hurt the film and TV industry, what with the double whammy of writers and actors strikes.

TAKE THE CASE!!

[allknowing]

I seriously think a "Johnny Cochran" of some sort should take this case pro-bono. I know it would mean endless hours, weeks , months or even years to finally finish this case and maybe win but just think of the potential precedent here.
It would mean so much to free speech.

More here...: http://www.ramdac.org

They chose their only option

[Anonymous+Admin]

In our legal system, where a person may be sued for any reason whatsoever, You have no hope of winning unless you can outspend your opponents. Otherwise, under a mountain of motions, you will simply lose by default.

Re:It is also akin to schools in the north saying.

[Rick+the+Red]

It is also akin to schools in the north saying you can't teach creationism (or at least acknowledge that some people believe that) - schools seems to repress Christianity which can be damaging to children whose culture is based around Christianity.

What nonsense! As a Christian, this offends me. Christianity is not a culture, it's a religion. Many people try to label their bias and prejudice as "christianity" and defend it with the banner of religious freedom but it's all redneck asshole intolerance to me. You may come from a culture of intolerance, but don't call that "christianity". True Christianity is all about tolerance (Love your neighbor as yourself and all that).

"Creationism" is not science, it's religious belief foisted upon school boards in a cloak of psudo-science in an attempt to get around the First Amendment. Next time you want to force everyone in your community to pray to your god, think how you'd feel if someone else tried to make you pray to their god.

Finally, this (the RIAA legal threats) is nothing like the example you site. It's more like if, say, you wished to teach a class in comparitive religion and the Scientologists sued you for using their copyrighted materials. For that reason alone your post is not at all "insightful" (more like "inciteful") and should have been modded down as Flamebait.

Re:It is also akin to schools in the north saying.

[Rick+the+Red]

Christianity is not a culture, it's a religion.
I did not say it was a culture; I said my culture is based on Christianity

That's where we fundimentally differ. If I agree to this point, then I agree to all your other points. But I don't. I don't believe your culture is based upon Christianity. I do believe it is based upon someone's idea of what they think Christianity is, but it's not my idea of Christianity.

Many people try to label their bias and prejudice as "christianity" and defend it with the banner of religious freedom but it's all redneck asshole intolerance to me.
Racial slurs aside (must be a part-time-attend-Easter-and-Christmas-only-Christi an), my arguement is about freedom for all.

It wasn't a racial slur, it was a geographic one. My mistake; instead of 'redneck' I should have said 'cracker'.

You may come from a culture of intolerance, but don't call that "christianity". True Christianity is all about tolerance (Love your neighbor as yourself and all that).
Since you don't know me, I don't know how you came up with that conclusion.

You said "Northern schools" and then went on about how you were prevented from sharing your "culture" with your classmates because it was a "christian-based" culture. I believe you were prevented from sharing your religious beliefs with your classmates, and to me you apparantly equate proselytizing with "sharing your culture." That is what makes me think that your "culture" is one of intolerance (typically found within the "bible belt" as the earlier post put it). Consider the example of the Methodist family from Wisconsin who moved to (I believe it was) Alabama, and were called Devil Worshipers by the Baptist town. This is intolerance, and it's ingrained in their (the Baptist's) culture, but it certainly is NOT based on Christianity. Sharing this "culture" would certainly involve telling everyone else that they are damned to Hell if they don't change their evil ways and do as the majority, and your post sounded like that's what you were trying to do. If you believe that culture is "christ-based" then you may have a point, but I believe that culture is intolerance-based, and that your teachers were correct in preventing you from "sharing" it with your non-Christian classmates.

IP carried to its illogical extreme

[r_j_prahad]

Lest we offend those holding intellectual property rights in the form of registered trademarks, we should replace the plaque at the base of the Statue of Liberty with one that more accurately portrays the current climate of liberty and freedom in the U.S.

"The New (1)" by (2) (3)

"(4) (5) your tired, your poor, Your (6) (7) yearning to (8) (9), The (10) (11) of your (12)ing (13). (14) these, the homeless, (15)-(16) to (5). (17) (18) (19) (20) beside the (21) (22)."

1. Trimble Navigation Ltd. 2. Seattle Lab Inc. 3. Michael D'Aigle (indiv) 4. Give Music Group 5. Mancini Enterprises 6. Mark Mandzick (indiv) 7. Mass USA Inc. 8. Love and Beauty LLC 9. Andrew Suttner (indiv) 10. David Bascom (indiv) 11. Jay Thaxton (indiv) 12. Pepsi Cola Corp. 13. SD&M AG Corp. 14. Benjamin Slotznick (indiv) 15. Applied Materials Inc. 16. American Restaurant Corp. 17. Net Apparel LLC 18. Lift Apparel 19. Marble Sportswear Inc. 20. Lightsand Communications Inc. 21. Samuel Kevin Price (indiv) 22. Storefront Door Service, Inc.

Withdraw DMCA

[gbender]

I just send an email to the RIAA asking them to contact their congressmen to have DMCA withdrawn. Hopefully this will take care of everything.

Is reading the paper danagerous

[actiondan]

If I read the paper and have the knowledge it contains, does that make ME an illegal circumvention device?

Well done RiAA

[actiondan]

What a great way to publicise the findings of this paper. Without the threat of legal action, its presentation would probably have been largely unnoticed outside its field.

Now that free speech is involved however...

When will large organisations learn that trying to suppress information just leads to its wider distribution?