Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Music Media

Money For Nothin' From The SDMI Hacking Contest 144

OS24Ever points to this CNN story, writing: "SDMI is announcing that they are paying two hackers $5000 each for breaking the encryption on their watermarking technology." And as the article points out, conspicuously ignoring the fact that independent researchers have broken four of the watermarking schemes without getting taking part in the official contest.
This discussion has been archived. No new comments can be posted.

Money For Nothin' From The SDMI Hacking Contest

Comments Filter:
  • They may already have a O(lg n) or O(n) factoring algorithm, where n is (respectively) the number or the number of digits in the number.

    They may already have broken discrete log.

    Yes, PGP can be broken.

  • The whole thing flys in the face of OpenSystems. When the printing press was invented, did they figure out how to prevent people from copying books by watermarking?

    This P.S. is the most distrubing part of the whole thing.

    If a watermarking scheme is required to play music, a free, open source player that had the code to check the watermark could easily be changed to play without the watermark. Then what about all the music out there that doesn't have watermarks. I.E. Don't delete this line of code. Kinda like the old police scanners that were illegal, but you could buy one that didn't work, then open the box and there was a diode (sometimes marked!!!) that you cut out. But then who cares about those silly open source freaks anyway :P

    If a watermarking scheme is used to prevent copying. Hah! If it's digital, it's copyable. Like your O.S. going to check on every write and make sure you don't do something you shouldn't. Hah!

    About the only use of a "watermark" is to insure downstream somewhere, that a file wasn't tampered with. Very useful.

    I think the P.S. here hits the nail on the head. SDMI stands to profit from selling digital snake oil to the music industry. The music industry suffers from the "cure" and drops the idea after funding several SDMI careers.
  • There is one way to solve all of these problems that a lot of people don't think about, and that is to publically subsidize the arts and nationalize the recording industry.

    Let's face it... corporatism has totally taken over the music industry, and the people are the victims. We must completely eliminate the greed and bring art back to where it belongs -- to the people.

    With only public ownership of art allowed, we wouldn't need any of these encoding schemes, and the greedy record industry would stop stealing from the people.


    --

  • In the end, as others have noted, you can simply make an analog recording of the music as it is played, giving you a non-watermarked, non-encrypted version of the music, which you can then copy/encode/whatever.

    There is only one way to make music 100% secure:

    1) Distribute music only in self-contained package (like a cartidge) that operates only in a particular type of device.

    2) Have it so that the package erases the music after a single use.

    3) Destory/Buy/Confiscate any other publically available means of playing music than said device.

    Number 3 is the real toughy, of course.

  • I think it's time for you to admit you don't know what you're talking about.
  • by Anonymous Coward
    ...that everyone has a crappy sound card, and wrongly so. I personally have an M-Audio Delta 1010 [m-audio.com] and let me assure you, it would make great copies. Supposing SDMI works like I assume it will and is computer based, I can make perfect digital copies. I simply play the music to one of the outputs on the Delta 1010, but have the Delta route it back to a port I can record, and do so using a seperate program. Bingo, a perfect (the internal routing is all digital), unencrypted copy. Then I just encode it using LAME at 256k/sec which has been proven [heise.de] to be CD-quality and I'm good to go. Suppose, though that they try to detect the recording and it won't play back if recording software is loaded. Still no problem, I just reroute the output to go to my S/PDIF port, and record that on to my Alesis Masterlink, then bring that back to the computer. Again, a perfect digital copy. Ok, well now suppose the files will only play on their own physical devices. Still no problem. If the device has a digital output I hook that in and record from it. Since the soundcard is classified as a professional device, it is exempt from having to obey SCMS (so it doesn't). Now even if they have no digital output, it's no problem. The Delta has 24-bit converters with specs far exceeding CD-quality and a good, low jitter crystal. I just make an analogue recording and encode that. It won't be a perfect copy, but I highly doubt you'd be able to hear any difference between it and the orignal.

    Basically, the point I'm trying to get at there is there really is nothing they can do to stop the copying of music. So long as I can listen to it, I can find a way to copy it. Also, going to analogue just once does not have a significant detriment on sound quality. Yes, if you record something from your portible CD-player with your SoundBlaster Live it is going to sound like crap, what do you expect? You are dealing with cheap consumer electronics with cheap converters, lots of noise and jitter on both ends. However there are some of us that do own real professional gear (you don't need a liscence or anything) and will use it. And of course once we have translated it and released, everyone can have it and believe me, we will.

    Posting AC for reasons that shoudl be apparant.

  • by FigWig ( 10981 ) on Wednesday November 29, 2000 @11:50AM (#593723) Homepage
    I hope you're only a freshman at MIT...the point of the watermark is to add analog encoded watermark information to the signals without compromising audio quality. The watermark is designed to hold up even after analog recording - such as through the output of your soundcard. Think of it as the opposite of mp3 encoding - mp3 uses a psycho-acoustical model to remove sounds that we won't perceive, SDMI uses a psycho-acoustical model to add sounds we won't perceive.

  • by sdo1 ( 213835 ) on Wednesday November 29, 2000 @11:51AM (#593724) Journal
    If you capture the analog output, there is no way that the watermark could be preserved

    That is completely false. The watermark is imbedded in the ANALOG signal. There are several technologies that SDMI is proposing, and I'll be honest, I couldn't hear them all on the samples they provided with and without the watermarking. Some were audible, but perhaps those are the harder ones to break. The quality of the original works wasn't that great to begin with, so maybe that had something to do with it. I'd imagine that it'd be easier to bury a non-audible watermark in "busy" music than it would something that's soft and simple.

    The watermark is designed to survive digital conversion and compression. And some of the technolgies do survive. I did some of my own testing of the "sample" files that SDMI made available. I subtracted the "watermarked" from the "unwatermarked" files leaving just the watermark. Then I compressed the files with various schemes (mp3 file compression to different bit rates), and again sutracted the watermarked from the unwatermarked files. This leaves behind a post-compression watermark. I then compared this to the uncompressed watermark. And in most cases, they were, both visually and audibly, similar enough that I could imagine that the watermark may have survived.

    In theory perceptual coding (which .mp3 compression is) should get rid of non-audible parts of the files. The fact that the watermarks did remain to some extent shows that they are, at least in theory, audible.

    -S

  • Yeah, but watermarks don't prevent copying. So what the hell is the difference if my friend just makes a copy of the perfect-sounding media file. I can play it to my heart's content without any degradation, and short of the RIAA storming my house, who would ever know??
  • By doing a bitwise comparison of two different "SDMI-approved" players, anyone of even moderate programming talent could identify the "new" watermark the players were adding and either eliminate it, or make it untracable by filling it with random data.

    SDMI provided .wav samples (44.1 KHz, 16 bit - Same as CD). A pair were exactly the same except one was watermarked. The challenge was to remove a watermark of the same watermarking technology from a 3rd piece of music.

    And believe me, it's NOT trivial. Many of the technologies are certainly beyond "anyone with even moderate programming talent".

    Furthermore, the watermark isn't just a couple of bits thrown in the file. It was an analog signal hidden with the music and it seemed to repeat, somtimes at random intervals, throughout the file. It's impervious to a "bit dropped here" or "a skip there". I don't think the "refuse to play" issue is an issue at all. If it sees the correct watermark throughout the file, it plays. If it sees that the file is filled with ones that it doesn't like, it doesn't play. I think it would be easy enough to keep it from barfing on the occasional "bad" watermark caused by dropped bits, scratches, or skips.

    -S

  • Did these elite dudes also tell you how to MAKE MONEY FAST!!?
    Wow, you must have hacked my email server to know that. Tell me how you did it. I need to get back at K\/\/4k3_g4\/\/D and his crew for calling me a l4m3r.
    --Shoeboy
  • I've met over 65536 elite hackers on IRC who have become millionaires that way.

    So you've met exactly -1 hackers on IRC (by MS rules) :)
    O wait that's only 65535, I guess I will never be millionare :(

  • Well, karma burning time I guess. To quote Queensryche:

    I used to trust the media to tell us the truth, tell me the truth
    But now I see the payoffs, everywhere I look
    Who do you trust when everyone's a crook?

    Sorry, but I think the entire idea of "free" press is eventually going to lead to what we have in corporatized America. The only thing free about the press is the bidding process. Unless you got the cash to back you, the story will be told from the other guy's perspective. That's why hackers are still seen as "the big bad bogeymen" of the Internet.

  • "without getting taking part in the official contest."

    What in the hell does that mean?

  • 10 grand is pretty cheap to have your security tested by thousands of people.. plus, if they want the money, you need to give them an NDA, so basically, they improve their methods AND people don't find out how it was originally broken...
  • Hey bro, maybe he needs the 5,000$ to pay for college or to buy his family out of slavery or something ...

    the real pitty is they only gave them each 5gs ... shoulda been more like 50 ... I would have tried for 50 :) ... Winning 50g could change your life if you were smart with the money (pay off the mortage, invest the money you save ... divorce your wife and start dating 18 year olds ... etc :)

  • The shear beauty of this is that they essentialy made enemy's with the wrong people. They whine about infrigment of copywrites by geeks who converted their product into a freindly digital package (something they never thought was economicaly viable.) Then they ask for our help?

    What tops the cake though is that when they do release their technology there are hundreds of thousands of people that will be out to break it just simply on principle!

    Whatever encription, water mark etc they use it won't be good enough. Everything is breakable with the right equipment and time. (and geeks have both).

    Suck on that RIAA, MPA and anyone else who pisses off the geek community.
  • I think Metallica's concern is less that the trading is going on, and more that they are opposed to a company profiting (or trying to) without cutting them in. For instance, the band has always supported bootlegging of their shows, with the ability to trade them being implied. They have cracked down on stores that *sell* bootlegs. That is, I think, the distinction that is drawn between Napster/Scour and Gnutella/Freenet. As far as I can tell, Metallica have no objections to the latter two.
  • > SDMI is announcing that they are paying two hackers $5000 each for breaking the encryption on their watermarking technology." And as the article points out, conspicuously ignoring the fact that independent researchers have broken four of the watermarking schemes without getting taking part in the official contest.

    So? The money is for taking part in the contest.

    They didn't, so they can hardly be expecting to get paid any money.
  • by Jedi Alec ( 258881 ) on Wednesday November 29, 2000 @08:42AM (#593736)
    We're geeks. We don't need money. What happened to the chicks for free part?
  • modemboy says:
    if you can listen to it you can copy it. They'll never develop an effective copy protection scheme

    It all depends on the meaning of the word effective. It looks like Lumpy already brought up the macrovision example I was thinking of when I started this post. You can watch your video, and determined consumers can copy using older VCRs or special boxes that remove the crap from the retrace time. If effective means preventing absolutely all copies, then no, but I'd say that effective could mean causing lots of consumers to buy the tape or DVD for about $20 instead of renting for $3 and taking the time to copy onto a $2 blank.

    Macrovision only works because the VCR manufacturers use a faster response AGC circuit (than used in the TV). With the world of open source, it seems like it'll be a bigger problem to get all recording devices to respect a dont-copy-me signal, but again, if winamp, microsoft media player, and most of the hardware devices at best buy respect such a signal, perhaps it gets 95% of listeners to pay. Sure, anyone greedy would want the last 5%, but it becomes expensive, and any business man with a brain(or a cost accountant) will take the path that is most profitable.

    Part of my initial reaction, honestly, is more along the lines of "totally unprotected MP3 with p2p file sharing is just damn cool", followed by "it sucks that they're trying to foul it up". I suspect that's the emotional response behind a bunch of the "It'll never work, you dumb..." responses here and elsewhere on the net.

    Now the part that is "going too far", is an attempt to outlaw MP3 players without SDMI features. The RIAA has already tried to do this (and won in the first round, but ultimately lost against the Diamond Rio).

    As long as it's not illegal to make non-SDMI MP3 players, someone will. I know that to be an absolute fact, because I will! (trying really hard to resist a shameless plug/link to my website). As long as there are legal Free/Open-Source (GPL'd I hope) MP3 players, there will be relatively easy ways around SDMI protection.... but if these players are a small portion of the whole (mine's about as tiny as you can get, next to student projects), SDMI might be effective in allowing the recoding industry to continue its profitability, even if it's not at all effective at stopping anyone determined to copy.

  • No offense or anything, but you're being a tad naive. Look at what Bruce Scheiner said in his latest Cryptogram [counterpane.com]:

    2. Even if the contest was meaningful and the technology survived it, watermarking does not work. It is impossible to design a music watermarking technology that cannot be removed. Here's a brute-force attack: play the music and re-record it. Do it multiple times and use DSP technology to combine the recordings and eliminate noise. Almost always there is a shortcut technique to neutralize the watermark, but the brute-force attack always works.



    3. Even if watermarking works, it does not solve the content-protection problem. If a media player only plays watermarked files, then copies of a file will play. If a media player refuses to play watermarked files, then analog-to-digital copies will still work. If a watermark is designed to identify the legitimate owner of the file, it still doesn't prove who copied the file or provide the copyright owner with a party worth suing.


    You write "The song file will be viewable if you decode it with your private key." Well, just decode it with your private key and then distribute the decoded song to all your friends around the world, no real magic here.

  • Please point out the holes in the above arguments.
  • Actually, the money was awarded because the hackers followed the bizarre *rules* of the contest.

    What hacker worth his (or her) salt would follow rules set by some corporate entity?

    A whore hacker in search of a corporate pimp is who.
  • Funny, how many people register thier software today?

    How many would go through the trouble?

    And the best one of all........

    What happens if your player/system is stolen after it has been registered?

    GOD! I think I'm stupid but I just DO NOT get it!!!!

  • Is it me? Or has no one else lost, misplaced, and/or lent a CD to someone else.

    And DO NOT give me the argument of a player because they can be stolen, lost or misplaced.

    And since they can be stolen lost or missplaced, they can be used to make copies.

  • "I cracked SDMI, baby" isn't much of a pickup line.

    --
  • Well, you're mostly right here, sorta. But as Bruce Schneier pointed out, it still won't survive a brute force attack.

    See, you can either make the watermark as an audible signal, which most people won't accept, or you can bury it in the noise.

    If it's audible, most people won't even bother.

    If it's in the noise, a digital noise filter can potentially remove it. Or just get several differently watermarked files, and use a DSP to smooth over any differences, and then convert it to MP3/Ogg, or any other player that doesn't have a license restriction.

    It's not that SDMI will fly, it's that it won't even get off the ground.
  • I like your attitude. Now excuse me while I duck a hail of libertarian-hurled bricks, rocks, molotov cocktails and hand grenades. ;)

    *duck*

  • Hell, I could preserve it through running the output through my studio's mains and _miking_ it. The level of detail inherent in 16 bit 44.1 is _not_ very great. That's why real studios run 20 or 24 bit these days, and mix to a format that's higher-resolution than CD. I flat guarantee that with a bit of experimentation I could run CD-D/A-amp-speakers-air-mic-preamplification/compr ession-A/D-file and preserve the watermark. That's because I have a lot of very custom hotrodded gear that I build myself. However, _anybody_ could just run outs into ins and have the watermark preserved- if you're not showing off by running the whole recording chain, any old gear will do.

    And the SDMI watermark _does_ screw up the music- what makes you think it doesn't? If it's going to be detectable after mp3 128K encoding, it's going to degrade the music _more_ than 128K encoding, and the degradation is cumulative.

    Actually, I love it. Go to it guys. Degrade your music all you want. It only makes it easier for indie guys like me to compete with you and kick your arses :)

  • by PureFiction ( 10256 ) on Wednesday November 29, 2000 @08:45AM (#593747)
    If the 'hackers' are SDMI employees or such, and this is simply an attempt to give credibility to a completely flawed process.

    Perhaps they beleive that posing the contest as a legitimate, well executed test of the cryptographic properties of their watermarking systems will make the remaining UNBREAKABLE! cyphers seem bomb proof.

    If they were to publish the attacks, complete with cryptanalysis and how the crack was discovered, I would have a bit more faith in the result.

    P.S. I wonder how much they are going to charge to license these forced watermark encryption schemes...

  • Because unless the decrypting and playback equipment is embedded within your skull, some enterprising hacker will simply find a way to take the decrypted audio stream and create a replayable file out of it.

    Your Working Boy,
  • All I know is that my shorts overflowed.
    um.
    That sounds kind of gross actually.
    sorry.
    --Shoeboy
  • When the printing press was invented, did they figure out how to prevent people from copying books by watermarking?

    When the printing press was invented, there was no way of copying the image of the printed book. You either got your own printing press and re-set the whole thing, or hired a bunch of monks. In a tortured music analogy, they are the equivalent of learning to play stairway to heaven yourself on your guitar, or telling someone to play you that song that goes da-da-da-daaaa-dada-dooo.

    (I agree with the rest of your post though :-) )
  • by GreenCrackBaby ( 203293 ) on Wednesday November 29, 2000 @09:16AM (#593751) Homepage
    Why won't something like this system work?

    Step one: connect line out from player to line in on recorder

    Step two: press record

    Step three: press play

    Step four: enjoy your unwatermarked song

  • by (eternal_software) ( 233207 ) on Wednesday November 29, 2000 @09:16AM (#593752)
    No matter what, you can always record the lineout from your soundcard, then recompress into whatever you feel like (MP3, for example).

    You may say "not many people would go through the trouble", but only ONE person has to, then they can share the MP3 just like we do now.

    Nothing will stop this, so why are they bothering with all this encryption technology?
  • It won't work because I can still post the UNENCRYPTED version of the music, thereby removing the inciminating evidence. The only way this would work is if there was a way to prevent us from writing a decryptor, and a player that can play the decrypted version...
  • Nothing like irony, huh? You spelled "idiots" wrong.
  • Technically, I don't see why it wouldn't

    In real terms - Who the hell would put up with it? Most people I know would say FU to the company.
  • Smashing Pumpkins did, and they published their most recent full album over the Internet in MP3 from their website.

    As for Metallica, I just don't understand why they're whining. Back in the middle of recording "Ride The Lightning", they had enough money to buy Dave Mustaine a one-way bus ticket and send him packing. They had enough money to rebuild after the tragic bus crash that took Cliff Burton's life. They had enough money to go out and get a haircut after "Load." They had enough patience to grow their hair back out after "Reload" bombed, and enough money to hook up with an orchestra for an entire album. So why can't they withstand the "loss of revenue" from a throng of audiophiles? Metallica survived among the death of other 80's metal bands, and rignt now each member is a millionaire, yet they're whining like babies about this.

    Lars, maybe you should stop beating on the batter head of the snare drum and start pounding on your forehead. It'd sure make us consumers feel a lot better.

  • To be truthful, the watermark is embedded in the digital representation of the analog signal.

    Once that digital representation is converted back to analog, all bets are off. Now you get into the so-called Signal to Noise ratio area. Is there enough signal in the Watermark to stick through the noise? I don't know.

    You can test this, hook a cable from the line-in to line-out of your sound card, and see if the watermark actually survives the digital-to-analog-back-to-digital process. You didn't mention if you actually did this, but I, and others would be interested in your results, if any.

  • Any high school student who's done a basic course in number theory can break RSA. The simplicity is part of the beauty of it.

    RSA and SDMI are not comparable though.

    SDMI is not an encryption scheme in the normal sense since every user with an sdmi enabled winamp can decrypt it. It is however a watermarking scheme - something which is immensly difficult to acheive.

    What SDMI is trying to achieve is roughly equivilent to trying to hide the message "BILL SUCKS DICKS" inside this posting - but so no-one could see or remove it - complex stuff.
  • I think the idea is to put a watermark that includes your name in all files that you purchase from the Big5. That way, if you made those songs available on the Internet to anonymous users they could find out that you were doing that and possibly get a court order to search your house. Then they would sue you for Copyright infringement, even though you didn't copy anything, because you were making it available on-line. That's what they are trying to do. So, if you only make it available to your friends that you know instead of to everyone in the world then you will probably be safe, unless your friends make it available on-line and then you're in the shit house again.

    A reprehensible tactic. Might as well all write numbers on our foreheads...

  • And play the unwatermarked copy on what? See point #3.
  • Yep, music, like all "intellectual property" is intangible. Musicians should make their money from performances and not on some intellectual property that they created 30 years prior. Yes, this is contrary to the laws of the United States of America, and probably most other countries, but that's my view. It's the "what have you done for me lately" perspective. Perhaps musicians should get paid more for performances so that they can invest their money to live off of in their elder years like the rest of us instead of collecting proceeds for copyrighted works for years on-end. The saddest part is that a lot of musicians don't even get any significant income, it all goes to the music companies.
  • My understanding is that SDMI will only trust hardware, not software. Hardware can be made very hard to reverse engineer; software can't. So, when SDMI sound cards become widespread, they'll probably release the specs so Open Source drivers can be written. It won't compromise SDMI because the access control decision will be made in the same chip that does the decryption and codec functions.
    If they license a single software player, their scheme will come crashing down immediately.
  • Rambling ends at D) with actual point.

    A) $120 gets you 7 minute full CD burn time on a $200 computer pre-pre-last generation computer. For something more commercial, it would take significantly longer than 30 minutes, my guess being somewhere in the vicinity of a moderately long checkout line.

    B) There would be 0% flaw. There is 0% flaw in home burner systems, given enough feed. CD burners are as reliable as floppy disk drives. With a dedicated system it wouldn't be difficult to include a quick full read to ensure it burned right.

    C) However, you miss utterly the whole "mass production" thing we got going from the industrial revoltion: Manufacturing in large quantities significantly reduces the cost. Right now a burned CD will run you upwards of 25 cents at least, while if you get 10,000 manufactured, the per-disk cost will be roughly 2 pennies. Manufactured CD's far outlast burned CD's -- think about it, you 'burn' a CD by etching information onto a special receptive surface using light (lasers), in levels that because they must be safe for home use are relatively low compared with commercial manufacting . Wouldn't you expect a light-sensitive medium to deteriorate over time as it is exposed to light, if it is activated by not that great a factor compared with everyday light conditions? A burned CD's life expectancy with use is 4 years before errors are expected to start cropping up.

    D) All of which is of course totally irrelevant: it is absolutely impossible under the way things work now, it is impossible to conclusively restrict who accesses information, once that information is made available to someone in private.

    Do you think you could control the content on a book, limiting it to being read by a single person, by restricting the book somehow magically to only show letters in that person's house? Of course not. He could simply photocopy the information in the privacy of his own home, and then disseminate it. In the same way, if you allow a computer to play sound, then it is 'displayed'. Once it is displayed, it is free to be recorded.

    The only trade-off is quality: However, with present schemes, it is possible to have perfect quality, ie, the player playing the ripped content gets the same quality as the player playing the original. Because it is possible yet to keep everything digital while transferring to an unsecure medium (and if you allow an unsecure computer to be doing the unencrypting, this necessarily is allowed), right now no encryption can keep content from being distributed. The question is one of how much trouble it is for a hacker to rip it into a different format.

    It should be obvious that anything an eye can see, anything an ear can hear, a device with the same proportions can also access. This means it is futile to encrypt, as long as any hacker worth her salt will concern herself with unencrypting it.
    Further, the only way to restrict the quality is by having your own output system, as opposed to that of the user, much as a movie theater can keep you from copying a movie, while a VHS player cannot. Neither can encrypted DVD. If it is allowed to go unencrypted through a line, it is allowed to go into a separate medium without detriment.

    However, there is the small caveat: All this only applies to static content. I can rip someone's web site and disseminate it onto the world, but only if I can find every bit and their connection. With static content, this is easy. With dynamic content, much more difficult. How would you rip {xyz} company's site with a complex search engine? In the same way, how would you rip content that is dynamic, such as an encrypted DVD movie that displays things on the screen (as most do) besides content running beginning to end.

    It is at this point, once the "content" you're delivering is mixed with interaction with it, that encryption begins to play a key role. If you get root access to see {xyz} company's server, you can before too long rip their site.

    However, you need root access to their server. Interacting with their content isn't enough. In the same way, if you have a standalone player system, then it would be difficult to get at encrypted information (not just content) on whatever it's playing. It is difficult to make such a system, however, because once a piece of hardware is in someone's hands, it's difficult to hide how it functions. With dedicated hardware, though, it is certainly possible. No for the helluvit hacker has the resources to analyze what a gigahertz processer does internally, and in the same way if you make a piece of hardware complex enough, it can handle unencrypting content internally, feed it out, and handle interaction with it. It becomes virtually impossible to rip, just as {xyz} company's web site with it's complex search tools is, even though every page of /content/ on it is public.

    Once industry realizes that any content can be ripped, the focus will shift drastically to dynamic content, and to interaction. It is unclear how this would work for music. It is by nature static: and therefore, it is by nature prone to full interception bettween being played and being heard, whether it is a local computer running it, which makes such a task easy, or dedicated hardware, which makes it more difficult. Short of hooking up a piece of hardware that interacts directly with one and only one person's specific brain structure, music content will always be rippable. While this may dismay old-school groups such as Metallica. Let me reiterate. Old-school groups such as Metallica. Oh, how the world goes! Anyway, groups like Metallica might oppose such a movement (you catch my reference to their vehemently opposing napster, right?), younger upstarts will be sure to embrace dynamic content. And what does that mean? Can you say {annoying sex queen music star} stripping to your cursor? A little to the left, baby. That's it...Now bounce a little. ahhh....



    Flamers:
    No! Of course I mean stripping RJ-45 cables! Don't be perverted! Uh, did I say bouncing? I meant uh...{step step step...SLAM!}

  • No problem, just cast it to INT. O wait casting is baaad ;).

    Cheers,
  • And it will end up being cracked as well not long after it comes out. Face it, there is no such thing as a protection scheme, or security measure that cannot be cracked.

    Actualy, there is one that MAY be uncrackable... Lock up all the CD's and don't let anyone ever have one. But then, someone can always break into the warehouse and steal them. :)

    As for the hackers getting the money, more power to them. $5K would buy me a nice multi-alpha Linux box. I'd certainly not turn it down :)
  • It is when you pronounce it "I cracked sodomy"

  • Why should SDMI care? Under the abortion that is UCITA (yes, I know it's not passed hardly anywhere yet) they would not be responsible for the flaws even if they know about them.

    About the only way to get a software company to fix anything these days is to broadcast the bug or abuse as loud as possible so they have to fix it to avoid having every script kiddie in the world using the bug in question.

    And I agree, SDMI should look at the non-contest cracks as well. You'd think because it breaks their 'watermark' they would... no corp likes copyright/patent infringement, and this would let anyone with the crack make their own duplicates.

    Just my 2 shekels.

    Kierthos
  • What bothers me more than per-person encryption is per-device encryption, similar to GemStar (Rocket eBook) and Audible.com (audiobooks). When you purchase content, it could ONLY be used on a specific device. I really hope music does not go this way...
  • by Adrian Lopez ( 2615 ) on Wednesday November 29, 2000 @09:26AM (#593769) Homepage
    That a piece of music carries a watermark linking it to the person who purchased it raises certain important issues. For instance, certain problems arise when person X transfers his copy to person Y (permanently or otherwise). Imagine what happens if person Y pirates a copy of the song without person X's knowledge. Would person X be held responsable, given that X's identity is linked to the file? Companies seem to believe it's their right to track our every move, privacy be damned.

    Of course they really don't want us to transfer our files to anyone else. Every sale is a "first sale" under their little scheme. Why should hackers help out a group whose only purpose is to limit our rights as consumers?
  • once they start to license out the technology dont you think that all the independent test would prove it was truly unbreakable or not.

    That doesn't matter. Trying to remove the watermark is illegal. Heck, even _thinking_ about trying to remove the watermark is probably illegal. Do you want to face SDMI in court just because you "tested" the watermark?

  • I thought SDMI wasn't a file format, but some sort of watermarking (or "whatever we can do to stop those darn geeks") scheme. So even if you encode all of your music in MP3 (or OOG or whatever), if the music has a SDMI watermark buried in it and you try to copy it to your SDMI-restricted player, it's not going to work.
  • I think the idea is to put a watermark that includes your name in all files that you purchase from the Big5.
    I used to think that, but from reading SDMI's docs it seems they have a different plan, which doesn't involve customizing the data for each user. In SDMI, the watermark identifies the 'business rules' that apply to a recording. SDMI-compliant hardware won't perform an operation that violates the business rules. Non-compliant hardware won't be able to play the data at all.
  • Or just get several differently watermarked files, and use a DSP to smooth over any differences...
    I pretty much agree.

    If you assume that everyone ends up purchasing and downloading SDMI-formatted digital music online, and each track has a watermark in it that uniquely identifies the purchaser, then to remove the watermark, what you would do is get a whole bunch of people to buy the track. Then convert each of them into a standard 44 KHz .WAV file, and average them all together.

    However, if the watermark involves subtle changes in timing and pitch, then the process of "averaging" might be computationally expensive. You might also need a LOT of copies, each with different watermarks, in order to detect and remove all the changes.

    But with enough differently watermarked copies and sufficient computational power, you will be able to detect all the changes and remove them. When you are done, reencode the resulting .WAV file back to MP3 and distribute.

    Incidentally, I'm almost sure that the watermarking technology would use a combination of very subtle pitch shifting and timing changes in the music. Hiding information in the insignificant bits is useless - it would be trivial to remove. Adding inaudible sounds would also be useless - as another poster pointed out, the whole point of encoders like MP3 and Ogg Vorbis is to remove the sounds you can't hear anyway.

    So the only way I can see to watermark something would be to change pitches and timing. For example, a high-pitched note in a song might last for 0.5 seconds and be pitched at 9620 Hz. If that was changed to 9640 Hz, you wouldn't notice it was ever-so-slightly out of tune - but that change would survive encoding as MP3, and even being repeatedly run through DA/AD converters.

    The averaging process to remove the watermark wouldn't be done in the space of "16 bit samples, 44K times per second", though. You would have to use a Fourier transformation to convert everything to some sort of frequency / time domain, and do the averaging in that space. But no sweat - that's how MP3 does compression anyway.

    Torrey Hoffman (Azog)
  • The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis.
    What about DVD? They only need one public/private key pair per player manufacturer. Yes it was cracked, but a version of this scheme in tamper-resistant hardware would be hard to crack. The idea of one key per user is only necessary if users control their hardware. If the content cartel controls the hardware, they have no theoretical need for more than 1 key. However they'll create a bunch so that if one device is cracked they can stop including that key in future recordings.
  • It's hardly DIVX, which was an invasion of privacy. With DIVX, information about what you watched and when was transmitted back to a central server. DIVX felt like Big Brother was watching. Nobody wanted to leave the player plugged in to their phone line.

    DIVX also caused discs that had been purchased, to not play just two days after the initial viewing. Consumers rejected having to pay twice, and not being allowed to play a disc that they had already paid (admittedly very little) for. Consumers buy a piece of media, they expect to own it and use it as much as they like whenever they like.

    People may not like registering their players, but if it's easy (like activating a cell phone), they'll probably just do it and forget about it. It won't feel like they're been spyed upon, like DIVX. SDMI won't make the discs you've purchased stop playing, like DIVX did. They may not like not being allowed to play a copy on their friend's player, but it won't feel like they're being cheated out of something they paid for with their own money, as DIVX did.

    If SMDI works like "sdo1" described, I doubt it'll even be important to have all the players registered. As long as the output from one won't play on any others, it'll put enough barrier in front of most consumers that they'll just go pay for a legit copy. If non-SDMI software exists, but portable hardware doesn't, it may be the best situation, as consumers could sample on their PCs, but not listen on any SDMI-compliant CD player, thereby causing them to pay for when they've already got for free (illegally) on the computer! If the registration step isn't required, it's unlikely most consumers will even notice until they try to copy with their friends... both of whom already own the SDMI-compliant players at that point.

    As far as getting consumers to boycott SDMI, it's be a lot harder sell than the invasion-of-privacy (Big Brother is watching) and cant-play-your-own-disc (they're ripping you off) and hassle (your house has a phone jack next to the TV, right?) associated with DIVX.

  • >If SDMI comes out like this, people won't buy players for it

    ... assuming people know/care about that part. Many manufacturers and retailers are advertising SDMI support as a feature that will let you do cool things like "play music from major labels."

    It's all about marketing. (and being able to get the mass media to take your side). I read about something called DataPlay [dataplay.com] today. 500 MB in a $5 recordable disc the size of a Canadian toonie. Support already announced by Eiger [yahoo.com] and Diamond [zdnet.com]. I thought this would be the ultimate flash-killer, until I read their corporate overview [dataplay.com], detailing their vision of essentially making digital rights management part of the filesystem. (Note "digital rights management" always means "corporate rights management") It's an entirely proprietary system. Any content stored on the disc may require a key to access. Keys can be purchased online and can timeout after a given interval. You can transfer data to your friends, but they will require their own key. If all music was distribured this way, Napster wouldn't exist.

    (They go on to claim that they essentially invented the CD-R.)

    The thing is, they manage to make the whole system sound like it's the best thing since TCP/IP. Do I not put enough faith in people's ability to spot evil? (I always thought DIVX failed in large part because it required a phone line.)
  • Your logical chain is good until the last link. That's where I have a doubt:
    And of course once we have translated it and released, everyone can have it and believe me, we will.

    You're going to put an mp3 on the internet that is the cleanest possible encoding of the song given that it's already been through a different codec and the player's cheap D/A conversion. (No, I don't see the music industry allowing an unencrypted digital output!) I could play your mp3 on my soundblaster awe64 and probably be happy. There's a watermark in there, but I can't hear it and my hardware doesn't read it.
    But when SDMI-compliant soundcards become the norm, Joe Schmoe who bought his computer at Circuit City will find your mp3 impossible to play. Over time, this is meant to marginalize and eventually destroy mp3.
    Also, the strength of the current mp3 scene is that ripping/encoding is easy and doesn't require special equipment or skills. If the percentage of the "mp3 community" producing mp3's is drastically reduced, we'll have a lot less mp3s and it will be easier to demonize and shut down the remaining workers.
  • Yea, that was the point of my post.


    Refrag
  • Once that digital representation is converted back to analog, all bets are off

    I disagree. Some of the technologies that SDMI presented are certainly "in the noise", but others not.

    For some, after subtraction, the remaining watermark file was in the -65db (average RMS) range (technology C and technology F), one was about -42db (technology B), and one was about -31db (technology C). FWIW, the original music sample was about -12db.

    Certainly ones like A and B will be harder to get rid of, but they are likely the most audible (especially A which seemed to use a scheme of phase-change in which to bury the watermark. It sounded OK in stereo mode, but the presense of the watermark completely messed up Dolby Pro-Logic surround steering on it).

    -S

  • Insofar as SDMI players playing only "clean" originals, that would make SDMI players far to costly to build. Consumer-level hardware just isn't reliable enough to "refuse to play" because you have some tiny skip in the CD-ROM readback. It simply happens too frequently.

    Too costly.... here's a little reality check, in case you haven't been keeping up with technology for the last several years...

    You can afford to design in a 40 second playback buffer (at 174 kbytes/sec, that's about 7 megs), and in the case of MP3, a DSP capable of the 32 multiply/accumulate operations per sample for the polyphase filter, and even more for the IMDCT, and lots of data shuffling and other code for the complexity of the MP3 bitstream. That's at least 3M MACs/sec for 44.1 kHz stereo sampling. In practice, DSP's running at about 25 MHz seem to be about the lower limit for MP3 playback. If you've got enough computational power to decode MP3 (remember, in the PC world that's at least a faster 486)... you've probably got plenty of hardware to check a watermark. We can't know for sure, since they haven't published the algorithms, but even if the watermark takes a lot more CPU power, you can do the work before you start decoding.... the user expects a second or two of silent time between tracks anyways, and they'll wait a bit longer if needed.

    Tiny skips in the stream from the CD hardly seem like a problem... you've got memory for buffering, and you can always read it again, since deciding wether to play is not a real-time process like maintaining in-progress playback. Watermarks are designed to be resiliant to attack.... they can certainly withstand small gaps in the audio, due to scratches or skips.

    In the event there is no watermark, playback is allowed, so the failure mode is "safe". (apparantly the wont-play condition is the custom watermark added by a different player) Even if it fails 30% of the time (allowing playback of otherwise restricted input), 70% success is plenty to annoy the holder of the (presumably illegal) to spend some effort to get a cleaner copy, or maybe buy an original.

  • The real crime is the 26 companies who presented watermark solutions to the SDMI that were ruled ineligible either because they didn't make their proposals in the bureaucratically approved format, or didn't get their proposal in on time (keeping in mind that the judging occurred over 3 months later than anticipated and that several "insider" companies were allowed to propose late because of their connections). The SDMI is surely representative of the ugly big five labels that founded it - they will never come up with a solution because it is time to phase them out.

    1. humor for the clinically insane [mikegallay.com]
  • It won't work because, quite honestly, the RIAA and pals don't want it to work. Given their profits, it should be trivial to buy big number crunching machines (to watermark the music and house our public keys). Then they only have to do two things:

    First, put a terminal into Sam Goody, Coconuts, etc. that reads your ID (username/password or smartcard. The latter is cool and could be combined with a discount card) and then burns your disc.

    OR, cheaper still, let you enter your username/password and dl the music to your machine. While cooler, and while it would be a 'legitimate' method of selling emusic, it also would let you make a copy to a cd.

    But, since THEY want you to buy a copy for the CD, a copy for the computer, a copy for your RIO, etc, they won't do the second option. At least not for so much money that we are right back where we started (CD's too expensive, so rip 'em off)

    The former plan won't work: it takes too long to burn a disc (no, not really, but after you pay your money, are you gonna wait for 30 minutes to get a copy of Britney98SyncAguilera? No, you gotta go show it off to your friends.) There is also the issue of coasterization. I imagine there are essentially zero flawed discs coming from the music makers' plants. Even in a well designed system, in store burners might turn out .1%-1% flawed discs. Expensive both in terms of replacement and PO'ed consumers.

    It is a good idea, and one that I think all parties SHOULD be able to live with. Problem is, it takes away enough freedom from the consumer, and enough profit from the manufacturer to make it unlikely to happen.
  • Saying the researchers should get the cash even though they're not in the contest is like saying I should win prizes because I played along with Wheel of Fortune.
  • If a watermarking scheme is required to play music, a free, open source player that had the code to check the watermark could easily be changed to play without the watermark.

    Wrong. The whole point is that if the system were truly secure, you could know everything about the encryption etc. and you still wouldn't be able to remove it. Does having the source code to PGP mean you can read encrypted mail without the key? Of course not. Similarly, if SDMI depends on security through obscurity, it is insecure.

    If it is truly secure, the SDMI people should give us the source and all the information you have; if not, they should go away and learn about basic security.

  • Because unless the decrypting and playback equipment is embedded within your skull, some enterprising hacker will simply find a way to take the decrypted audio stream and create a replayable file out of it.

    Exactly. They will never succeed at this, because what they are trying to do is an oxymoron: they want a watermarking system which cannot be removed, yet cannot be detected by the human ear. Meanwhile, audio codecs are designed to remove everything which cannot be heard by the human ear (which will include a successful watermark).

    Either they produce a watermark which ruins the music, so they fail - or they produce a watermark which can't be heard, and is promptly deleted from the music when you compress it.

    Then, there's the simple DoS attack: take their watermarked track with your unique ID in - and add a couple of other inaudible watermarks at random, using the same method. After a couple of tries, the original watermark will have been corrupted by all the other "fake" watermarks you added.

  • I disagree, this kind of process has to rely on obscurity. The problem is that you'll have a box on your shelf that generate authentic signatures, and can authenticate signatures in the music. You can pull that box apart, and see how it works. With encryption, you don't have a box that can decrypt my email, 'cos only I have the decrypt key. When both keys are in the boxyou can't make it secure unless you put a man with a gun next to every box.
  • Perhaps it's because control of the media by just a few individuals is just as bad as control by the government. Since the internet is about (among other things) openness, the above is anathema to many people that post here.
  • > Yes, I enjoyed the movie "Sneakers" too.

    You will probably not beleive me, but I never heard of 'Sneakers' before. Went to imdb, looks like the movie is exactly about this. Mmm. French name 'Les Experts'. I'll try to find it.

    Thanks,

    --fred
  • The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis. Each user must be given a key. Every song file must be encrypted using public/private key encryption tailored to a specific user.

    "Thank you for purchasing 'Simply Irresistable' by Robert Palmer. Enclosed is your custom key which you will need to program into every playback device you own in order to listen to your purchase. Be sure to keep it safe, alongside your other 683,426 keys, as the music is unplayable without it, and we cannot furnish a replacement. You might consider storing your new key with all of your unique website, brokerage, and ATM passwords which you change regularly."

  • by TheFlu ( 213162 ) on Wednesday November 29, 2000 @09:38AM (#593805) Homepage
    Found this [riaa.com], which is actually a very interesting read, as I wasn't aware of some of these facts:

    Here are some answers to commonly asked questions about SDMI.

    Q. What are the differences between current MP3 players and SDMI-compliant devices?
    A. Current MP3 players can only play MP3 content. SDMI-compliant devices will play content originating from both SDMI-compliant and non-compliant sources.

    Q. Can SDMI-compliant devices play MP3 files?
    A. Yes. SDMI-compliant devices will be able to play both protected and unprotected formats; it is up to the manufacturer of each device to choose which particular formats to support. The only content SDMI-compliant devices will not play is illegally copied new music with SDMI technology (beginning in Phase 2). Unlike non-SDMI devices, SDMI devices can also be upgraded to play new music released in the future in new SDMI-compliant formats. And many SDMI portable devices will be able to play music that is digitally downloaded in new, protected formats right away.

    Q. Is it true that, in order to play MP3 files, SDMI-compliant software and devices will disable MP3 files after converting them into SDMI-compliant files?
    A. No. SDMI-compliant devices will translate MP3 files into a format acceptable for that device. The exact form will depend on the device. The original MP3 file will remain intact on the computer.

    Q. Why does the SDMI framework allow both protected and unprotected formats?
    A. SDMI members agree that protected formats enable the growth of electronic music distribution by protecting the rights of artists. Members also recognize that there are many legitimate uses for unprotected formats. As a result, SDMI supports both.

    Q. Will consumers still be able to copy their CDs onto their personal computers?
    A. Yes. The specification allows consumers to copy (rip) their CDs onto their computers for personal use (on their PC, on their portable devices, on their portable media, etc.). In fact, the specification enables consumers to do so as many times as they wish - as long as they have the original disk.

    Q. Will it be possible to have content that plays on multiple platforms - PCs, car stereos,portable devices, etc.?
    A. Yes. The 1.0 Specification is intended for portable devices and supporting PC software, but future specifications will address other devices such as car stereos. Existing requirements that relate to portable media (e.g. flash-RAM cards) were written with portability and multiple platform support in mind.

    Q. Will it be possible to have content that plays on portable devices from multiple vendors?
    A. Yes. The SDMI Portable Device specification is a framework for security that promotes interoperability and allows content to be converted from one format to another. The specification allows, but does not require, manufacturers to create systems that are interoperable. There are now a number of different music players and systems on the market that are not compatible with each other. And the initial SDMI offerings also will not offer widespread compatibility across devices at this time. Given the extremely short time frame for producing the portable device specification, it wasn't possible to achieve this goal now. But SDMI is working towards that goal and eventually, we hope that all SDMI-compliant devices will be able to play all SDMI-compliant content.

    This way to the egress > The Linux Pimp [thelinuxpimp.com]

  • probably infeasible as well. First of all, to make this proposal work, it would require that

    1. Each user was assigned an asymmetric key.
    2. The files would have to be INDIVIDUALLY "watermarked" as a file once decrypted is just plain data, with nothing to identify from whom it has originated.
    3. There would have to be practically unlimited resource of CPU time. The computation required for doing DH/RSA/ECC on a large file is both really slow and very, very heavy.

    Especially because of the second point, I don't believe it would work. Please, find some references on asymmetric/symmetric hybrid encryption and you understand why third point is unmeaningful.

    As this "challenge" proved, watermarking can be removed. Tagging mp3 frame headers with pseudorandom data would be trivial to circumvent. You just can't earmark music that way.

  • "MACHINA II/the Friends & Enemies of Modern Music" is the pumpkins' final album, the followup to "MACHINA/the Machines of God". It is a limited pressing of only 25 (twenty-five) copies on hand-cut, hand-numbered, non-lacquered acetate (aka vinyl, aka records), consisting of 3 10" EPs and a double 12" LP, 5 discs & 25 songs total. The 25 copies were given to close friends of the band, a few of whom happen to be online, and whom were instructed to circulate the new material as quickly as possible, since the band plans on playing some of the new material on the European tour.

    For more detailed info, see: SPFC [spfc.org]

    Since there were only 25 copies on vinyl, unless you were one of the lucky 25, you can't get the original pressing. But since the band instructed some of the recipients to circulate and distribute the material, you will be able to get copies of it- consider it an "official bootleg". Currently, the only source available is mp3. Since none of the 3 known online recipients had access to an ultra-high-end audiophile turntable (the tube kind that cost thousands), one of them used what they had and made mp3s so that the new songs could be distributed immediately. There are plenty of web/ftp sites and mirrors hosting the new songs, as well as people sharing files via napster, AIM, etc. Look around a bit, the info has been posted in many places many times.

    Virgin was not interested in releasing a followup to Machina, so rather than pack up their gear and go home, they recorded and released it themselves. It will not and cannot be officially released on CD, as their contract with Virgin includes a non-compete clause, which prevents them from releasing anything Virgin holds rights to under another label for 1 year. Since the material was partially recorded while still under the Virgin contract, they are legally prohibited from releasing it on another label or in any other way.

    To download, or for more information, go to Machina2 [cjb.net]

  • following this...

    is that why it seems on slashdot that all big media comapnies are "boogeymen"? Is it all just a matter of perspective?
    --

  • > No matter what, you can always record the
    >lineout from your soundcard, then
    > recompress into whatever you feel like (MP3,
    >for example).

    Right. The 16bit sample, and the noise from the
    analog stream is enough of an aberration that the
    record companies don't really care. The people who use this approach to copy digital music are
    polluting the mp3 community with their unlistenable crap.

    Anyone who encodes a crappy mp3 should be shot.

  • 3) (optional) The song is encrypted as well as watermarked. You can play with the key given in step #1. This prevents distribution, and if also watermarked as above, means even if you distribute the unenctypted version, you are tagged.

    Wrong. If the song is encrypted, I must have the decryption key to play it - at which point, I can decrypt it, so I can record the plaintext and distribute it.

    You suggest putting the watermark in "the low order bits", if I understand you correctly. This is trivial to defeat: I just change the low order bits randomly myself! If you can change them without affecting the music, so can I.

    More sophisticating ways of hiding the watermark are also doomed: you must be changing the music itself very slightly (otherwise, simply changing format will destroy the watermark!). Each subsequent watermark will corrupt previous ones, since there is only a finite (and small) area of data they can affect without their watermark being trivial to remove.

    I can just take a watermark reader and a watermark writer. I add my own watermark - random data - then try to read the watermark back from the music. Perhaps some of my ID is still there? No problem - add another random watermark. Rinse, repeat. Compress, Opennap.

  • It's music for christ's sake, if you can listen to it you can copy it. They'll never develop an effective copy protection scheme, so give up already...
  • So then it's all about making hardware manufacturer pay high fees to license the SDMI technology so they are "allowed" to play the media. Wow...that sounds familiar...
  • SDMI in Dire Straits comment.
  • This shows that even the schemes of multinational corporations can be thwarted by amateurs.

    So what about PGP, the encryption we rely on daily? Let there be no doubt that the NSA and other national bodies are spending billions and throwing the brightest minds at these encryption schemes. They may have been broken already, and we don't know anything about it.

    Do you trust the NSA? Or MI6? Or GCHQ?

    KTB:Lover, Poet, Artiste, Aesthete, Programmer.

  • > They may already have a O(lg n) or O(n) factoring algorithm, where n is (respectively) the number or the number of digits in the number.

    > They may already have broken discrete log.

    I often think about this. I wonder what they would do in such a case. Shoting the guy that invented the factorisation stuff would be an obvious start, then hiring everyone on a path to the solution and making them work in such a way that they never find it. And probably killing the coders that implemented the cracking algorithms.

    I mean, this would be the one of the most protected secret ever. I can't even imagine what security level would be needed for this one...

    Cheers,

    --fred
  • The whole purpose of a watermark is to embed data within an audio or video stream without affecting the sound and/or video quality. A good watermarking system will retain the watermarking information (ie your username) through A/D and D/A conversions. A good watermarking system would adversely affect the sound output if the watermark were forcibly removed. Your solution will only work for an encrypted stream, not a watermarked one.

  • So what you're saying is that they should let people "steal" their music because they can afford it? I can afford a new TV, but if someone walks into my house and takes it away, I'm going to be pissed, I'm going to report them to the police, and if they are caught I'm going to press charges.

    The legality of copyright is not and should not be dependent upon the copyright holder's financial situation. Debate all you want about the legitimacy of their claim, but don't try to justify illegal behavior by saying the victim can afford it.

  • by Galvatron ( 115029 ) on Wednesday November 29, 2000 @10:24AM (#593833)
    This is the problem with all publicly owned companies. They do mind numbingly stupid things because their shareholders demand it. One of the reasons we have these boom-bust cycles in the economy is because publicly owned companies always have to be growing faster than the economy, or their shareholders will abandon them. They know they can't grow that fast, but no one wants to say anything, because they'll be accused of just covering for their own incompetence.

    Likewise, with music piracy, what is the company going to say? "Yes, we know people are pirating our music. No, we're not going to do anything about it." It would be suicide for all those execs making money off of their stock. Instead, they come up with crap like this to placate their shareholders.

  • Wrong. If the song is encrypted, I must have the decryption key to play it - at which point, I can decrypt it, so I can record the plaintext and distribute it.

    Which is why the watermark is still there, regardless of the encryption state

    You suggest putting the watermark in "the low order bits", if I understand you correctly. This is trivial to defeat: I just change the low order bits randomly myself! If you can change them without affecting the music, so can I.

    That would depend on the player as well. What if the player required those bits to be intact? You already have to have a custom player to do the encryption

    More sophisticating ways of hiding the watermark are also doomed: you must be changing the music itself very slightly (otherwise, simply changing format will destroy the watermark!). Each subsequent watermark will corrupt previous ones, since there is only a finite (and small) area of data they can affect without their watermark being trivial to remove.

    Actually, there would be an infinite amount of data space. There are also all the frequencies too high to hear, as well as subtle changes in the timing (let's shift this beat by a microsecond, for example)

    I can just take a watermark reader and a watermark writer. I add my own watermark - random data - then try to read the watermark back from the music. Perhaps some of my ID is still there? No problem - add another random watermark. Rinse, repeat. Compress, Opennap.

    Depends on the watermark. The shifting mentioned above would be harder to erase, but still possible. I think a lot of the goal of the RIAA is to make it as inconvenient as possible. There will ALWAYS be pirates that can distribute copies. I don't think there is any technological way around it. You can make it inconvenient and or expensive though.

  • I often think about this. I wonder what they would do in such a case. Shoting the guy that invented the factorisation stuff would be an obvious start, then hiring everyone on a path to the solution and making them work in such a way that they never find it. And probably killing the coders that implemented the cracking algorithms.

    Yes, I enjoyed the movie "Sneakers" too.

    If one invents a method to factor numbers in less than NP time (or prove P=NP) then post it to Bugtraq or Slashdot. The feds could never stuff it back in the bag, then.
  • by magnum32 ( 171166 ) on Wednesday November 29, 2000 @08:51AM (#593842) Homepage
    Do you think the general public can understand what the challenge is truly about? Most will probably miss the point of the story all together and be abashed that someone would pay a hacker for doing anything. I just think a story like this doesn't belong on cnn because a majority of the readers are too technically inept to grasp the point. I dont want to say these people don't deserve to get the information but they simply miss or misunderstand anything that the media tries to report to them. Of course, who trusts the media anyway.
  • by EvlG ( 24576 ) on Wednesday November 29, 2000 @08:52AM (#593845)
    Whether the independent researchers get any money is not the point. Rather, SDMI is ignoring the fact that four watermarking schemes have been broken, instead focusing on the results of the silly contest.

    The fact that the researchers are being ignored, and SDMI is focusing on the hackers is telling; they know the researchers have done serious work that could compromise the system.
  • by Dannon ( 142147 ) on Wednesday November 29, 2000 @08:55AM (#593847) Journal
    I want my...
    I want my...
    I want my MP3.
    ---
  • by sdo1 ( 213835 ) on Wednesday November 29, 2000 @10:46AM (#593849) Journal
    I think a lot of people here are missing the point. They're not going to encrypt every CD with a unique number, but they WILL make you register your SDMI compliant play-back device (hardware or software).

    Now maybe the original work you bought at the store has a watermark in the music. If your SDMI compliant device does not see said watermark, it won't play.

    And if it DOES see the watermark, an ADDITIONAL watermark containing your unique registration information is added to the OUTPUT device, be it a digital out or analog out.

    Now you capture that output (record it to tape, rip it to .mp3, or whatever) and then pass it around the internet... and BAM! They've gotcha!

    From that file, they'll be able to read the watermark (assuming you haven't done a credible job destroying it while still maintaining the sound quality of the music) and they know EXACTLY who's equipment the file was produced on... and since you've registered that equipment (or software), they know exactly who YOU are.

    Now go back to my 2nd paragraph. To make this even more ugly, maybe your SDMI compliant playback device will only play "clean" originals or copies from your own SDMI compliant devices. Try to play back some song that you copied from a buddy and his registration code is buried in the watermark. Bzzzzt. Invalid code. Will not play.

    This is evil, evil technology. The way to stop it is the same way we stopped DIVX. Educate your friends and family. And don't buy SDMI compliant devices (hardware AND software).

    -S
  • But this is the difference between encryption and watermarking. If the music were encrypted, it couldn't be played without decryption (everything would sound like white noise). Here, the watermarked music is essentially still in plaintext, and can be played by any program that understands the music format. The watermarking may hide an ID that COULD allow a player to discern information "hidden" in the music, but it doesn't obscure the music itself.

    In theory, a closed source player could refuse to play the music, but another program that doesn't check for watermarks would. so the watermarking is really an attempt to track the music, or identify the creator (or the watermarker). It cannot effectively prevent playback without encryption, however.

    I'd like to know what happens if additional watermarks are added to an already watermarked piece of music. Do they somehow add linearly, or do they interact destructively, making the watermark useless? Are different watermarking algorithms orthogonal (ie. don't affect each other too badly), or can noise be added to any watermarking scheme (without too badly affecting the signal)? If watermarking is immune to such tampering (which I doubt), it makes sense to try and keep the specific technique secret. However, as many have pointed out, watermarking seems inherently defeatable (assuming you can live with an imperfectly reconstructed signal).
  • by Python ( 1141 ) on Wednesday November 29, 2000 @10:59AM (#593852)
    Simply because you don't need the keys to play the music!. Once you decrypt the music, you don't need a key, and its the decrypted music that you can give to your friends. Thats why a personally encrypted music file buys you nothing. Eventually the music has to be decrypted, and once its decrypted you don't need the key anymore - and if thats what you use to identify the pirate, you're sunk.

    Thats why the SDMI goons are using watermarks. They're trying to hide your idenity in the music file so if you give the song away, they can nail you. Aside from the obvious problem that all of the watermarking schemes were totally defeated, defeating the ability of the RIAA to track down the person that is distributing it, there is also the "so what?" problem. Simply explained it boils down to the fact that watermarks prove nothing.

    Even if the watermark is intact, the information contained in it is not trusted for a whole host of reasons. If the watermark is trivial to forge, then it proves nothing. If the watermark can be overwritten with another watermark, it proves nothing. If the watermark isn't using a digital signature, validating its authenticity, it proves nothing. If the implementation of the signature scheme is flawed in any way (ie it can be forged), it proves nothing. If the keys are ever stolen (if the watermarking scheme is even using watermarks!), the watermarks prove nothing. The list goes on and on, but the bottomline here is that there are serious serious technical problems with watermarking. But it gets worse for the SDMI folks!

    Even if the watermark survives all the technical and implementation attacks against it, it still doesn't prove anything. There is no trust in the model to absolutely verify the identity of the person that bought the music, short of a police state. What if your creditcard was stolen to by the music online? What if the person buying the music, in person, has a fake ID with your name and address on it? Furthermore, whats to say the song wasn't stolen? That your box wasn't broken into and so on. Or, what if you bought the song and gave it someone as a gift? The list goes on. The bottomline here is thats its circumstantial evidence at best.

    What the SDMI folks are trying to create is a false sense of security in their constituency. And frankly, I think SDMI is rapidly becoming a set of technologies in search of a problem to solve. SDMI simply does not do what its creators claim it does, and the SDMI folks are too embarrassed to admit that they have wasted millions of dollars of the consitutencies money pursuing a ridiculously flawed idea.

    --
    Python

  • Psst. Software SDMI player + wine/{free,v}mware + a competent cracker (like they were in the 1980s and early 1990s) + a case of jolt -> SDMI format decoder that spits out the actual encoding instead of either the encrypted crap or the raw PCM output.

    Just you wait.

  • An interesting scenario, but one unlikely to actually work.

    By doing a bitwise comparison of two different "SDMI-approved" players, anyone of even moderate programming talent could identify the "new" watermark the players were adding and either eliminate it, or make it untracable by filling it with random data.

    Insofar as SDMI players playing only "clean" originals, that would make SDMI players far to costly to build. Consumer-level hardware just isn't reliable enough to "refuse to play" because you have some tiny skip in the CD-ROM readback. It simply happens too frequently.

    You don't need to "educate" anybody. If SDMI comes out like this, people won't buy players for it. Period.

  • You can make a lot more than $5000 by cracking the security on a major ecommerce website and making off with the credit cards.
    I've met over 65536 elite hackers on IRC who have become millionaires that way.
    --Shoeboy
  • by aim4min ( 100897 ) on Wednesday November 29, 2000 @08:58AM (#593859)
    The only possible way to encrypt any sort of content that is intended for mass-distribution is by encrypting it on a per user basis. Each user must be given a key. Every song file must be encrypted using public/private key encryption tailored to a specific user. The song file will only be viewable if you decode it with your private key. Ok, this method has its flaws. Notably, customizing songs for each person will be a tedious task. (But, it's feasible) Another problem, why not just give your key out to your friends or post it on the net? Well, they can determine your identity from your key, and they will probably go after you for copyright violation of some sort. Why won't something like this system work?
  • I can't believe that these 'hacker's' got paid $5,000! They're set for life!! What would the world be like without the generosity towards the high tech industry by such big companies as Seagram Co Ltd.'s Universal Music, Bertelsmann AG's BMG, Sony Corp.'s Sony Music,Time Warner's Warner Music Group and EMI Group's EMI Music. Time Warner is the parent company of CNN.com. Especially if they has to keep paying security experts to troubleshoot their system.

    We should all feel blessed.

    They got off cheap.

Ummm, well, OK. The network's the network, the computer's the computer. Sorry for the confusion. -- Sun Microsystems

Working...