Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Security

SDMI Cracked Too Soon 387

Andrew Leonard writes "Two off-the-record members of the SDMI coalition have confirmed to Salon's Janelle Brown that all of the SDMI watermarks have been solidly broken." It's too bad this didn't happen in a year - because now it's been cracked before it was even released, and they'll delay even longer.
This discussion has been archived. No new comments can be posted.

SDMI Cracked Too Soon

Comments Filter:
  • WinAmp Plugin [vorbis.com]

  • by ewhac ( 5844 ) on Thursday October 12, 2000 @10:43AM (#710440) Homepage Journal

    and that is one of the [ ... ] most asinine things I've ever heard.

    Perhaps you haven't been paying close enough attention: They are out to screw you.

    They want to re-write the rules of retail sales, replacing title transfer with "end-user licenses" (just about any software package).

    They want to re-define lawful behavior, taking away your right to exercise your curiosity about the world around you (anti-reverse-engineering clauses).

    They want to take away your standalone computer and replace it with a "licensed networked digital media reception terminal," complete with credit card reader.

    They want to take away your right to do with your property as you please (:Cue:Cat).

    And they want to do this without soliciting your input or consent, and then make you pay through the nose for the privilege of being screwed.

    Now, perhaps those things aren't important to you. Perhaps you're not a terribly curious person, or perhaps you're of the opinion that, "I would never need or want to do those things." Perhaps you feel that The Law is The Law, regardless of whether there's a valid ethical foundation for it, or how or why or for whom the law was enacted. Or perhaps you're thinking, "That will never happen in this country." Well, fine, you don't think it's important.

    But in my book, this is tyranny, pal; it's damned important; and I will not sit still for it for one nanosecond. This is war, a war of ideas, a war for the digital society of the future. And the enemy has all the lawyers, guns, and money. (And no, this is not hyperbole. What is at stake here is nothing less than who will get to define the social and ethical framework by which we will conduct our lives in the digital universe.)

    We are not dealing with people here; we are dealing with corporations. They have no ethics, no morals, no conscience. They are amoeba. They respond to but a single stimulus: Money.

    Look at what they are doing. Think about the possible consequences (not just to yourself, but to your neighbors and family). I hope you will discover that the situation isn't as easily dismissed as you may currently believe.

    Schwab

  • Is the RIAA's strategy to simply litigate every non-SDMIing player into oblivion?

    They don't have to. They planned on using the same strategy as the MPAA. All legitimate downloaded music files from major labels would be in SDMI-encrypted format.

    You could still manufacture an ordinary MP3 player, but it wouldn't work with SDMI files. It would be like manufacturing a DVD player without licensing CSS. Sure you can do it, and you could have digital outputs and no macrovision, but it won't play store-bought DVDs, so no one does it.
  • they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them

    Yeah - a chill ran down my back as I was reading the Salon article. I imagined this conversation transpiring:

    Judge: "Why didn't you encrypt your music more strongly?"

    RIAA: "We tried, but every encryption and watermarking scheme we tried proved vulnerable. It turns out to be physically impossible to secure digital media. So we just went with ROT13 as our copy protection to limit costs."

    Judge: "Is this true? Is it impossible?"

    Geek: "Well, ummm... in a word, Yes... mmmm - mayven"

    Judge: "I see. Well, if it's impossible to protect the data, then any means of protection can be considered reasonable protection when applied to defend a copyright. [whack!] Rule in favor of the plaintiff."

  • by Mike1024 ( 184871 ) on Thursday October 12, 2000 @10:07AM (#710449)
    Hey,

    Here's how to crack your SDMI-campatible player:

    1) Download SDMI file
    2) Download compatible player
    3) Set your sound card input to 'What you hear' or whatever equivilent
    4) Start your choice .wav recorder, like 'Sound Recorder', free in Windows 3.1
    5) Press 'Record'
    6) Play SDMI file
    7) Wait until end of play
    8) Press stop
    9) Encode your .wav to an MP3, using your choice encoder
    10) Put on gnutella

    Or if you have a hardware player:

    1) Prepare player to play music normally
    2) Dismantle the player, until you get down to a loudspeaker. Cut off the two wires and solder them into a standard microphone audio jack from your local hardware store
    3) Start your choice .wav recorder and click 'record'
    4) Plug the new microphone jack into your sound card
    5) Play SDMI file
    6) Wait until end of play and click 'stop'
    7) Encode .wav file into MP3
    8) Put on gnutella

    Clever eh? I'll take my $10,000 in cash, sterling used notes please.

    Michael

    ...another comment from Michael Tandy.

  • by sulli ( 195030 )
    But as I recall you could link directly to the files made available for cryptanalysis. So if someone GOT the files but DID NOT agree to the NDA, could not that person, if a cryptographer, distribute independently the results? And if such a person were an AC on /., would not the results be pretty much untraceable?

    Just a thought, for all you SDMI h4x0rs out there.

    As for me, I wasn't going to buy it anyway, so fuck 'em.

  • Uh...I think that was meant to be parsed as "members of the programming community suspicious of the SDMI"
  • After all, it might have been a good idea to break it that soon. I work in speech coding (not that far from audio coding) and, though this is still subject to debate, I believe that watermark cannot work. An indication of this would be that (if I understood correctly) all the watermarking systems have been completly broken. If it had been only one, then they could have picked the strongest one (which would have been bad). If it had been only a detail, they could have fixed it...

    But maybe the answer is that it's not posible to have watermarking that really works. If this is true, the ones pushing SDMI have two choices:

    1) Come up with a new watermarking system every 6 months, have it all broken with 1-2 weeks, and be effectivly stalled for years. Even if they finally find something that works after 4 years, it would be way too late anyway.

    2) They could release something they know to be broken and play the same game the MPAA is playing with CSS. Only in that case, they'll get even less sympathy, because everybody will know that they knew from the start that their watermark was broken.
  • Right, but if you intercept someone's RSA-encrypted message, you don't get the key.

    SDMI would HAVE to provide you with the key, so that you could decrypt and listen to the music! I was incomplete before; what I should have said was, "They give you the encrypted data, the decryption algorithm, AND THE KEY".

  • by Anne Marie ( 239347 ) on Thursday October 12, 2000 @09:07AM (#710460)
    I thought we all agreed not to crack them, so they'd release the standard and we'd get lots of poorly protected audio floating around for us to grab. So which one of you did it?
  • by jms ( 11418 ) on Thursday October 12, 2000 @10:10AM (#710462)
    Divx (the circuit city product) was, as far as I know, never cracked. Of course, they went out of business so fast that no one even had a chance to try. :-)
  • The problem is that the RIAA probably has the necessary muscle to force SDMI products down consumers throats. As soon as the RIAA finds a way to make SDMI work, they will guarantee that it is impossible to by a new music player of any sort that doesn't honor their wishes.

    For now it is a trivial thing to make copies of your CDs, and rip MP3s to carry on your MP3 player, but in the future this will not be possible if the RIAA has there way.

    So it won't only be the idiots that lose their fair use rights, you will lose your rights as well. They will essentially be able to control where, when and how you may listen to music that you have paid for. Your music collection will also probably "expire" and require re-licensing.

    I am all for having SDMI fail in the marketplace, but I wouldn't feel sorry for a moment if someone "gave it a push." If the RIAA and their cronies had sunk billions of dollars into implementing SDMI and then had it broken, then we would definitely see it crash and burn.

  • After all...that just gives MP3's more of a chance.

    But the REAL question I have is whether or not those who broke the watermarks *TOLD* RIAA HOW THEY DID IT.

    Sorry dude...we, like know what the answer is..but we forgot to tell ya how we did it. Sorry.

  • First, assume the noise has to be identifiable as a watermark (or else their players won't refuse to play it.)

    This is not a safe assumption. And just because a compliant player can identify the watermark bits doesn't mean that you can

    Thus, any software player that can identify it can be disassembled to point out which bits of the stream are watermarks.

    Please support this assertion. You have never seen such a player have you? How do you know it can be dissasembled for any purpose? Is it inconcivable to build a player that cannot be disassembled?

    Remove those bits, and it's gone. The meanings of the bits are irrelevant.

    The point is to make the meaning of those bits relevant. If those bits are also meaningful to the data stream you can't remove them without altering the data.

    The goal of SDMI is to put the watermark in significant areas so that you can't remove them. Just like the security watermark on your paycheck. If you try to change the amount of the check you ruin the whole thing.

    And this has nothing to do with getting rid of MP3's or tracking pirates. The point of SDMI is to be able to distribute digital music without worrying about piracy. SDMI prevents pirtacy the same way CSS prevents pirating of DVDs; not because the encryption is secure, but because you must play a DVD to copy it. Sure you could make a bitwise copy of a DVD and it would play in any DVD player, but to do so is prohibitivly expensive.

    As long as you must play music to copy it you (the vast majority of people) will not be able to make digital copies of it. And the music industry has never been very concerend with analog piracy of digital music.

  • by Nonesuch ( 90847 ) on Thursday October 12, 2000 @09:09AM (#710469) Homepage Journal
    If all of the candidate watermarks have been broken, what is their next step?

    The best possible result for SDMI would have been for at least one of the watermarks not to have been broken during the public examination period, then they could have released hardware and software knowing that it was better than any of the discarded watermarking solutions.

    This sort of test is silly- just because it can't be broken today, by people for whom $10K is a lot of money, doesn't mean it won't be broken the day after it is released.

    Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

  • by jafac ( 1449 ) on Thursday October 12, 2000 @11:45AM (#710475) Homepage
    Well, the boycott idea was stupid anyway.

    bocott coke, and maybe 20% of the people who agree with your cause will boycott it.
    That translates into a 20% drop in revenues (um, if Coke didn't own every other company in existence, and only produced just coke).

    but with this contest, if just one hacker doesn't boycott it, (and who wouldn't want an extra $10,000 for a few hours work?), then the boycott utterly fails. Y'all should've just gone for it.

    It would have been nice to see the wasted effort to mass-market this stuff and watch it be cracked. That would have been sweet. But it's also pretty satisfying to watch a hacker-boycott still crack the thing in a matter of weeks. If all the hackers had gone full-tilt into this, can you imagine how quickly it would have fallen? Might have saved them a little hubris.
  • I think you are trolling, but if not does this [loc.gov] count?

    Section 107:

    Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include-

    (1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;

    (2) the nature of the copyrighted work;

    (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and

    (4) the effect of the use upon the potential market for or value of the copyrighted work.

    The fact that a work is unpublished shall not itself bar a finding of fair use if such finding is made upon consideration of all the above factors.

    Or perhaps ; ;SONY CORP. v. UNIVERSAL CITY STUDIOS, INC., 464 U.S. 417 (1984) [findlaw.com] in which "Any individual may reproduce a copyrighted work for a "fair use"; the copyright owner does not possess the exclusive right to such a use".

  • yes. SDMI would have been a hard sell, until they "bundled" it with "better audio quality". It wouldn't have to sound better, they'd only have to bribe a few audiophile magazines, and run a small astroturf campaign, and it would BE better.

    But yeah, indie labels (using unprotected MP3 technology) *is* what we really, ultimately want.
  • by miracle69 ( 34841 ) on Thursday October 12, 2000 @10:55AM (#710481)
    Why use the proprietary Frau encoder when Lame has been proven to be not only faster, but of better
    quality [belgacom.net]?

    And regardless of where mp3 ends up legally, Ogg Vorbis will replace it if licensing becomes a huge issue.

  • Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm

    What's been broken is not about cryptography, it's the watermarking system. Watermarking means adding to the audio a message that the ear cannot hear, but that contains copyright information. Breaking the watermarking system means either removing that message (which is probably impossible) or, at least, changing it so it is not recognizable anymore.
  • Yes, the hackers *WERE* suspicious. They said "I don't trust this, it looks like a bad deal".

    "Suspicious" does not necessarily mean "worthy of suspicion".
  • The guys who came up with SDMI thought they could fool the RIAA companies into buying into this technology, and face it, they would have become incredibly wealthy, whether it failed or not. It was worth a try, eh?
  • I track the CVS a bit, and there's been a good deal of optimizations, at least in the XMMS arena, since beta1. CVS info is available at vorbis.com.

    However, if you're lazy like me,
    deb http://www.stud.uni-hannover.de/~ingo/vorbis ./
    deb-src http://www.stud.uni-hannover.de/~ingo/vorbis ./

    is a set of sources.list lines for your Debian box that have compiled CVS versions updated daily.
  • The buyer also has to appease the seller to some extent, or all the sellers will go play a different game.

    Yeah, SDMI sucks. I was just saying that no matter the alternative, I don't think much music will be released online without copy control. If some organization actually makes a large amount of money with MP3's, then the labels might sit up and listen. Until then, they want some form -- any form -- of copy control before they'll do music online.
    --

  • But DAT wasn't that well established yet.

    Computers are big. I think a lot of the manufacturers out there would have something to say about a tax like that.

    My lobbyist can beat up your lobbyist.
  • lame has NOT been proven to be better quality to my ears. firstly, there is NO free encoder that is even listenable (to me and most of my friends) at 128k. frau was my only choice - if disk savings is of importance (and with 35gig's so far, it has saved me a whole 2nd disk!)

    for 160 and above, lame is 'ok'; but for 128k, its never been demonstrated that even vbr j-stereo lame or blade or gogo can compare with frau.

    THAT's why I forked out my $200 linux license fee. I didn't want to - believe me - but it paid for itself in disk space (even though it was god-aweful inefficient in terms of compute time for encoding).

    --

  • Nobody would buy an SDMI player when an ordinary MP3 player delivers more functionality for less money. So this strategy would fail even if the technology worked. Sorry, RIAA!
  • Oh so clearly in the recent DeCSS case, the judge was just stupid, right? Did you read his paper? He most definitely understood the DMCA, and abided by it to the letter. A judge's job is to interperet laws, not to overturn them.
  • BTW: Once you convert it to analog you start losing quality, and they don't really care what you do after that.

    Once you go through lossy compression (i.e., MP3 compression), you start losing quality, and they sure as heck seem to care about that!

    -S

  • I agree with you that from the perspective of trying to preserve the ability to demolish SDMI's ciphers at a later time, it may have been foolish to break the codes now. Eric Raymond wrote a pretty entertaining letter on the matter commending the idea of luring the RIAA into a false sense of security, so that they would invest some real money in SDMI, foolishly getting NO security out of the deal, vulnerable to be badly scarred by the later serious attacks.

    On the other hand, the Salon article seems to indicate that the consortium that created SDMI is politically fragile. Which suggests a different set of outcomes:

    • An attack on the ciphers now whilst they are politically vulnerable to attack might knock the whole consortium down.

      Which leaves nobody there to agree on a "SDMI Mark II".

    • Not attacking the ciphers now allows the consortium to gather political stability, which leads to financial stability.

      Given financial stability, they might attain the funding to mount a legislative response to a later cipher attack.

    In effect, the hackers might attack now, while SDMI is weak, and destabilize it from a political perspective.

    It is possible that the scenarios I suggest are not representative, but if they are, which seems possible, this certainly paints a rather different picture.

  • Vorbis as a format is definitely there, but the software isn't there yet. The beta reference encoder is quite slow and the beta winamp decoder plugin is too CPU intensive (over 60% CPU usage on a PPro200, 96megs, Win98SE to decode a default quality (VBR up to 160kbps) file... while a similar quality VBR MP3 hovers around 12% CPU usage). I definitely suggest checking it out, but wait for the release version which will undoubtedly be much more optimizied.

    BTW - The beta encoder (for Windows, Linux x86 and BeOS) as well as plugins to winamp, xmms and sonique are available at www.vorbis.com [vorbis.com].


    --
  • It's impossible because DACs turn a specific digital value into an exact, corresponding analog value (+/- the error rating of the DAC) and an ADC turns a RANGE of analog values into a corresponding digital value. This means the result of ANY signal that undergoes an A->D->A or D->A->D conversion is not the original signal. It's close but the lowest bits of precision of each sample are slighty modified. The watermarking that SDMI proposes must be contained in those low bits or users would hear distorted audio. So if one uses this simple process on an SDMI compliant audio file, the watermark will become unrecognizable to an SDMI compliant player. The player will then be forced to assume the audio file is pre-SDMI and will play it fine because SDMI players are supposed to play ALL non-SDMI audio.
  • by FreezerJam ( 138643 ) <smith.vex@net> on Thursday October 12, 2000 @11:58AM (#710518)
    Yep - this is exactly right.

    The problem, as the post-Napster environment will show, is that the only people left to sue are your preferred customers.

    *This* is the bind - you don't need to protect the music from those who don't really care about the music, and you can't protect it from the people you want to please. And last time I checked, suing people doesn't usually make them happy.

    They want the impossible technical solution because they see it being practically impossible to protect it legally.

    What they've really got is that there will be no effective and usable protection either legally or technically.
  • Ogg Vorbis will replace it if licensing becomes a huge issue.

    it'll never happen. superior audio means nothing; its all inertia. the masses 'know' mp3 and that's all that exists. WMA, vorbis, shorten - all better than mp3 in one respect or another. but the Rio's and Empeg's out there speak mp3 and that's the standard. once its in hardware, its a done deal.

    ogg is for geeks and software players. but that's probably 1% of the mp3 target population.

    remember how long it took for cd's to become the popular defacto standard? has anything (dat, etc) dislodged it yet? (nope).

    --

  • What jobs these geniuses have! Imagine having a well paying job pretending to do an impossible job and knowing all the time that your paymasters are stupid enough to believe not only in the job itself but in what you claim to be doing.

    Yeh, it sucks. All the way to the bank.

    --
  • by jms ( 11418 )
    Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.

    Fair use is not a defense that allows you to break the law. Fair use is defined as being an exception to copyright. You have the right to make fair use of legal copies of copyrighted works. Whether you have the ability to do so is a different issue, and that's where the DMCA comes in -- the DMCA is designed to take away your ability to exercise fair use, but it does not affect your right to do so. The CSS lawsuits are not copyright infringement cases. The fact that you have the right to fair use is supported by decades of law.

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @10:22AM (#710533) Homepage

    I'm sorry, but there are perfectly legal ways to use MP3.

    *sigh* ... name one (except playback) involving nothing but Free Software.

    The MP3 issues I was referring to have nothing to do with content; they have everything to do with licensing the Fraunhoffer patents.

    From mp3licensing.com:

    mp3 Software Encoders

    (patents and object code developed by Fraunhoffer IIS)

    Fraunhofer IIS developed fast, efficient and high-quality implementations for mp3 encoding, supporting bitrates from 8 kbps to 320 kbps, samplerates from 8 kHz to 48 kHz, mono and stereo. Evaluation copies are available upon request, after signing an mp3 evaluation agreement. Please contact us for details.

    • US$ 5.00 per unit
    • US$ 15,000 annual minimum, payable upon signature and each following year in January, fully creditable against annual sales.

    mp3 Software Encoders

    (patents-only)

    If you have developed your own implementation of an mp3 encoder or if you have licensed such an implementation from a third party, you need a patent-only license.

    • US$ 2.50 per unit
    • US$ 15,000 annual minimum, payable upon signature and each following year in January, fully creditable against annual sales.

    Oh yes, and LAME is not exempt... from the LAME page:

    Personal and commercial use of compiled versions of LAME (or any other mp3 encoder) requires a patent license in some countries.

    ...and no, I don't have US$ 15,000 to throw around. Do you?

  • by jafac ( 1449 ) on Thursday October 12, 2000 @12:08PM (#710534) Homepage

    The CD would never be playable in a player you could digitally connect to a computer. They're talking about replacing everyone's CD player. Most likely with some digital memory type player.

    Sounds like a hard sell, until that new Backdoor Boyz CD is ONLY available in SDMI. Possibly given away in some kind of promotion. Then all the kiddies run out and buy SDMI players. (or they give them away at McDonalds or something) Then, armed with those sales figures, the industry approaches the hardware manufacturers and sez "hey, this is profitable" cash flies under the table, a blowjob here, a blowjob there, (my embellishment), then there are more SDMI players out there, and they don't threaten their revenue by making MORE music SDMI-only. Soon, only non-RIAA companies sell non-SDMI music, and while this is a competitive advantage in an ideal market, RIAA propaganda, promotion, marketing, legal-dirty-tricks, drive the indies out of business.

    Then, the RIAA bribes, er partners with Microsoft to provide free SDMI players in the ONLY web browser still available, that just happens to be on 90% of desktops - and breaks other plugins that play MP3s, only geeks will be able to download MP3s and get them to play.

    Then, you could likely download SDMI files and listen to them on your computer, but no player (in theory) will allow you to decode the content, other than directly to the speakers.

    Of course, where this fails is when someone comes up with their own decoder, or even a sound-card driver that dumps the sound data to a place that can be decoded, instead of to the speakers. Or if someone figures out a hack for the player to do raw digital-out, or something like that. Worst-case scenario, if SDMI is better than CD sound quality (it would almost have to be to sell, unless they sell for a reduced price, unless they could fool all of the poeple all of the time - which isn't really necessary, you only have to fool most of the people with most of the money), then output from the player is audio, you simply take some decent equipment, and re-encode it. Some loss, but free distribution of previously copy-protected works makes it worth it, as long as the quality is acceptable.
  • 10,000 bucks is a paltry amount of money. These codebreakers have saved the RIAA much, much, much more than a pitiful 10 grand.

    Someone should have offered twice that for the codebreakers to keep their mouths shut.

  • by DaveTerrell ( 923 ) on Thursday October 12, 2000 @11:16AM (#710538) Homepage

    Not so excellent. If you read between the lines, the technology companies are hoping that they throw out watermarks and go with Digital Rights Management. DRM is a codeword for "end to end controlled encryption." It's like Kerberos for music, and it means that you have to use their software, special hardware, etc etc.

  • the Reference Code (i.e. the patentable piece) has all been removed

    Nope, sorry, reread the LAME page [sulaco.org] again:

    "Personal and commercial use of compiled versions of LAME (or any other mp3 encoder) requires a patent license in some countries."

    Still nailed by patents.

  • There is no uncrackable protection.

    It is a fundamental fact of information theory that you cannot securely transmit information from one party to another if the other party doesn't want it secure.

    You can make it a total pain in the ass, which means in terms of time, effort, and hardware (all translatable into $), if the commodity isn't worth as much as it costs to crack it, then it won't be pirated on a large scale.

    But the more they delay, the more MP3s get pirated.
  • OK, I'm not saying that it wouldn't have been good for this not to have been cracked until after it was released properly but it's easy to say that noone should crack it when you don't have the skills to do it yourself.

    If I was able to do it, that money would undoubtedly look might attractive. It would be easy to say I would hold the moral high ground and hold off but I'm not in that position and so can't make that claim. I think it's something that people should think about before they start whinging about those who did crack it.

    Rich

  • Regular CDs that play on today's players are going to be sold for at least another 5 years. The consumer market just won't accept their new 200 CD jukeboxes being obsolete overnight.

    So... since they can't get rid of MP3 for another 5 years, why all the effort to come up with a perfect encryption and loose the opportunities here today?

    I think all they need is a variation on current encryption schemes (different enough so they can seek protection from the DMCA for "circumvention") that locks your music files to a pass-pharse. That same pass-phrase will be linked to your credit card. Anyone you give your password too will be able to buy music on your account.

    Grant it this does nothing to keep people from getting MP3s but it allows them to satisfy a market for online commercial quality music files in a way that doesn't put their product any more at risk for piracy then it already is.

    Let's face it, most kids and bootleggers don't care enough about quality that good analog recording equipment won't satisfy them.

    RANT ON
    The amount of loss due to (quality) analog equipment pales in comparrison to what's lost in your typical 128 bit MP3. In the "old" days when cassettes were "Hi-Fi" - the main problem was tape transport noise of older/cheap units and hiss caused by poor quality tapes/heads. My $200 Kenwood Cassette player doesn't suffer from those problems today. My guess is that after MP3 encoding, 98% of the population couldn't tell the difference between an encoding whos ariginal source was a CD and one whos source was a cassette. (even a recoding I made from CD - I find that recordings I make are often better than those cassettes from the label)
    /RANT

    Sorry, I thknk this all turned into one long rant. I had a point but it got lost, I just find the lack of sense in the whole matter frustrating...
  • I forgot one other angle;

    In the part where the RIAA bribes/partners with Microsoft, .NET figures in, because if all software is "rented", computers won't need CD players anymore, and since MS controls the manufacturers, CD players will become rare commodities. non standard items. Like ZIP disks.
  • but dat HAD the copy protection that the RIAA wanted. they HAD their way with that one. of course folks found ways to zero out the SCMS bits ...

    the failure of dat was 3 things: expensive to build and buy mechanisms (mini vcr's inside), hard to find pre-recorded tapes (yeah, I know, why bother. sigh.); and unreliability unless meticulously maintained (which consumers would not do; many pros didn't either. I'm talking head cleanings every year).

    but I agree that mp3 was a hit mostly due to its compression size and it was the right fit for where we are in the Inet today (in terms of spare b/w on personal Inet lines). in a few yrs from now when t1 is considered slow, maybe shorten or some other non-lossy compression scheme will be king.

    --

  • However this article points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

    I disagreed with that article, because even if it was cracked AFTER they released it, they still wouldn't have anything to fall back on. Assuming they don't. If they do have something, they can use the results of the contest to eliminate possible cracks. So overall, I think cracking it before its release is a bad thing.

    Because the music industry has appeared to be clueless up to this point, here's another possibility:

    It really has been broken, and they really don't have anything to fall back on. So they DENY it's been broken, and release it anyway. Then it gets broken again after its release, and they pretend they weren't expecting it, along with playing stupid legal games.

    I'm not sure if they are really this clueless. But it's possible.
  • by ewhac ( 5844 ) on Thursday October 12, 2000 @02:49PM (#710555) Homepage Journal

    I see plenty of direct-action "break the codes and set them free" type talk on /., talk about fighting for the digital future and our rights. Wholly absent from the debate seems to be a coherent vision of what the future should be, how corporations can survive in the digital age and still make money from their efforts.

    Thank you!! An intelligent, incisive question, one worthy of conspicuous, public debate.

    Speaking entirely on behalf of myself, you are correct that a cohesive vision of How Things Should Be has been absent from my rants. This is because I believe designing a successful, durable, workable, just system would require the efforts of a group of incredibly talented, wise people, the likes of which have not been gathered since the framing of the Constitution. I don't believe I possess such gifts.

    I do have a few vague, disconnected ideas. To fully appreciate them, however, you need to understand the framework in which I developed them:

    Axiom: When the ability to copy is ubiquitous, and when the incremental cost of copying is effectively zero, the effective value of any given copy -- including the "original" copy -- is zero. (I state this as axiomatic, but I'm willing to discuss its merits. And please note that this assertion says nothing about the effort/resources required to create the original in the first place.)

    As a supporting argument, consider the universe presented in the TV show Star Trek. (This may seem silly, but Star Trek is a useful framework for comparison, as everyone's familiar with it.) In a world where everything, including physical objects, can be replicated at zero cost, what is the economic impact? I argue that the market-based economy collapses completely, since its fundamental supports (scarcity and inconvenience) have been eliminated.

    I also believe that the social impact will be that casual copying will be seen as perfectly okay, and that the desire to not share copies will be seen as childish. After all, if anyone anywhere -- including artisans -- can copy anything at any time for nothing, then what, fundamentally, will be wrong with copying anything?

    So, in a universe where copying everything is seen as perfectly okay, is there anything an artisan should still have control over? I contend that the most crucial aspect of creativity still needing strict controls is the artisan's reputation.

    Consider: On a visit to the Enterprise, you see an object you quite like. Naturally, you ask, "Wow! Who made that?" Both you and the object's creator would like to be certain you receive an accurate answer. Note that the question of whether the object you saw was an original or a copy is irrelevant. You no longer care if an object is "genuine;" you want to know who did it. In other words, you want to know about their reputation. (After all, maybe they did other cool stuff, too.)

    ...Okay, so we don't live on the Enterprise (yet), and we all still have to pay the rent. However, I strongly believe the concept of reputation will be central to a re-design of economics and the concept of intellectual "property" in the digital universe. Reputation will become a chief scarce resource in the digital universe, because it is an artist's reputation that will guide you to their other scarce resource: their time. And it is their time that you will be paying for (no more doing stuff "on spec").

    In terms of more immediate, concrete proposals, I've heard the following ideas floated:

    • Mass-Market Buskware [boswa.com], or the "tipping jar" model. Many question whether such a system can work on a large scale. So far, author Stephen King seems to be doing rather well by it with his free offering, The Plant. However, it's probably worth noting the primary reason he's doing so well is largely due to -- drumroll, please -- his reputation.
    • Pre-Release Mass Auction (preBay?). This is a system whereby software/music/whatever is made available for a flat price, and bidders can contribute whatever amount they wish toward that price.

      For example, let's say John Carmack creates his latest game, qDuOaOkMe, and decides that, for all his efforts and that of his company, he wants to see $50 million. So he posts it to the site: "qDuOaOkMe: $50,000,000". People the world over pledge $25, $50, $100, whatever they feel it's worth toward the final price. When the price is reached, Carmack gets the money, and the game is released free to all. The entry is also kept open on the site so people who didn't bid can continue to throw tips. If the price is not met after a pre-set time, all pledges are returned to the bidders, and the game isn't released.

    • Shareware. This model has met with mixed success in the past, mostly due to the relative inconvenience of sending in the requested fees. "Impulse" buying, until recently, hasn't been easy. Fortunately, services like Kagi [kagi.com] and PayPal [x.com] may well rejuvenate this idea.
    • Automatic Micropayments. This is certainly an idea worthy of exploration, but I have concerns about the implications for privacy.

    Other ideas are likely out there, and worthy of attention.

    Also for immediate consideration, there should be some study into the use of digital watermarks for identifying the artist of a given work. Right now, all the discussion surrounding watermarks has been with an eye toward controlling proliferation of copies, which is unworkable. However, I believe even the most virulent opponent of copy protection would support using digital watermarks to identify the artist, thereby preserving -- wait for it -- their reputation.

    Like I said, I don't think I have what it takes to completely design the new system. I've also completely avoided rather sticky issues, such Moral Rights (e.g. should an artist be able to enforce the declaration, "No, you can't use my painting in the background of a porno video"). But I do know that the current system will ultimately prove to be fundamentally unworkable, if for no other reason than the sheer numbers involved (how many copyrighted works will you need to test against to make sure you're not infringing?).

    So, yes, you're right. We need to think about this, and it needs to be done rationally and publicly. Too bad the entertainment industry's using all that bandwidth to paint us all as criminals.

    Schwab

  • A judge's job is to interperet laws, not to overturn them.


    Unless they're inconsistent with other laws or the constitution.

  • Respectfully, I believe you've been blinded by your $200 licensing fee. The Lame versions sound much better than Frau at 128 and beyond. It is possible that your version of Frau isn't equivalent to the one displayed [belgacom.net] but I find it hard to believe that Frau has improved to a point where their 256k version can compete [belgacom.net] with the 128k version of lame.

    The tools used to create these are readily available, and I'd love for you to run these tests and post the information on the web. Hell, I'd like an e-mail

    miracle@nospammage.procyon.com

  • Hmm, I think you might be a little bit confused.

    There is nothing about SDMI that will strongarm you into buying new players or new collections, as I understand it. Your CD player will still work, your current CD's will still work, and music will still continue to be sold in the CD format for many years to come.

    I believe one of the theories behind SDMI is that the player requires no decoding software, it just plays the music as it is written.

    SDMI detection is part of the recording process. Presumably to limit the number of copies of a song that can be made. i.e. you can make a copy from the original, but not from a copy of a copy.

    The DVD-Audio format is being held up for this technology, along with an improved CSS like implementation to encode the digital bits.

    Actually music has been available on DVD discs for a couple of years now. It's not been terribly popular, however, because few recording studios support it and it hasn't gained widespread acceptance for fear a new format that is just around the corner.

    Even when DVD-Audio comes into being, again you will not be forced to go out and buy new collections. The DVD-Audio players will play older CD media, just as current DVD players do. In fact I suspect you'll just see the DVD-Audio spec wrapped into DVD players such that you'll have a device capable of playing several different audio and video formats.

    There seems to be a lot of confusion and frankly, FUD, being spread by the anti-music-industry groups.

    I don't care about copy protection, as long as it doesn't get in my way. Unfortunately the macrovision on video, and this new SDMI both corrupt the purity of the source and affect the potentional enjoyment.

  • by jms ( 11418 )
    That's like claiming that "zip" is useless because I can make you a file that does not compress at all. Well, yeah ...

    An uncompressable audio track would be very atypical. I've used the shorten program on many different music tracks, ranging from soundboards to concert recordings. I've never found one that doesn't compress, and they all compress to approximately 2:1.

    Even if there were music files that were uncompressable, SDMI would still be on a collision course with uncompressed audio. It would just be 1:1 instead of 2:1.
  • by Anonymous Coward on Thursday October 12, 2000 @11:22AM (#710562)
    Ummm - not quite. Digital-Analog-Digital conversion is an obvious attack, and watermarks are designed to withstand this sort of thing. Image watermarking schemes, for example, are often tested against a print-scan cycle. For a simple example in audio - echo manipulations within audio streams withstand DAD conversion.

    If you are actually interested in learning something about this, get Information Hiding: techniques for steganography and digital watermarking by Katzenbeisser and Petitcolas and read the proceedings of the Information Hiding conferences, called Information Hiding I and II (maybe a III by now), published by springer.

    Actually, I recommend reading the Information Hiding conference procecedings for everyone - they present a number of techniques that will appeal to those with interests in privacy, cryptography, information theory, steganography, watermarking, biometrics, covert channels, etc.

    One of my favorites in the proceedings covers designing biometric authentication tokens that are anonymous, non-transferable, and privacy protecting.

  • by dizee ( 143832 ) on Thursday October 12, 2000 @09:13AM (#710563) Homepage
    But hey, I couldn't resist beating a dead horse some more.

    They should be using CueCat XOR encryption (tm) for their watermarks.

    Mike

    "I would kill everyone in this room for a drop of sweet beer."
  • "The hacker boycott of SDM organized by suspicious members of the programming community has turned out to be irrelevant."

    lol. I didn't read the article, but if they really said that, then they REALLY have problems. The boycott is anything BUT irrelevant. If the watermarking scheme was cracked without the help of the hackers, then imagine how fast it would be broken if it weren't being boycotted.


    -----
    "People who bite the hand that feeds them usually lick the boot that kicks them"
  • I don't think they've got any hope of DA->AD->DA resistant watermarking that a moron couldn't defeat. As far as I'm concerned, they'll be holding these contests until they give up. They won't -ever- come up with anything difficult to defeat. I promise.

    BTW: the 'who cares?' is in the spirit of Starstruck.
    ---
  • OGG Vorbis [vorbis.org]

    Actually, it really would have been common courtesy of me to include more links. Sorry.

  • by joshv ( 13017 ) on Thursday October 12, 2000 @10:32AM (#710578)
    "If your business model is selling water in the desert and it starts to rain, you'd better find a different business model."

    -josh
  • It's a little silly for us to talk about how people should be allowed to reverse engineer things and then get upset when they do it to something we don't want them to....

    There's a difference in saying someone shouldn't hack/reverse engineer something and saying that they can't, particularly when that can't is backed by the threat of state violence.

  • I'm not so worried about how big the RIAA's share of the market is. I'm worried about how big the RIAA's share of *congress* is...

    So am I - that's why I'm voting Nader [votenader.com] on November 7th.


    -------

  • by drenehtsral ( 29789 ) on Thursday October 12, 2000 @09:16AM (#710585) Homepage
    I was about to post a comment along the lines of "so what! If they delay longer, and release something harder to crack (even for the sake of argument, impossible to crack), the market can just refuse to use it, and keep using MP3s and other such unencumbered technoligies...
    But then I thought about it. I believe that the music industry has enough power over the users that they'll take what they can get. I don't think the market _could_ realisticly fight the will of these companies. They have little competition, because all the "competing" companies have all globbed together in the form of RIAA.
    I don't see a peaceful end to this, because there is a lot of money at stake, and whenever there is money, there is also a rabid foaming-at-the-mouth mob of greedy bastards willing to trample anybody in their way to get at it.
    So maybe we should not worry so much about this standard being cracked, because if it was, it'd work just like the DeCSS fiasco, but maybe they'd learn from the mistakes of the MPAA's lawyers. What we need to start worrying about is a way to break loose from this feudalism where the consumer no longer has the power to change things in their favor (partly because most of the consumers are not informed enough to fight back, and there is a lot of money going to PR to keep it that way). Consumers are now Serfs, and large media companies are now lords. I imagine eventually there will be something like a revolution, moving us along the line towards democracy in the information world, but it'll take a while =:-(
  • RealAudio - StreamBox Ripper, Now illegal due to law suits, but still lurking in warez sitz

    Windows Media - ASFRecorder (google it)

    Shoutcast/Icecast MP3 - Streamripper [bigfreakinserver.com]

    -Jon
  • by ShortSpecialBus ( 236232 ) on Thursday October 12, 2000 @09:16AM (#710588) Homepage
    Regardless of what format they use (SDMI or whatever) it will be cracked somehow. DECSS comes to mind. That was supposed to be very secure and it was cracked because Xing messed up. Any two way hash can be decrypted, and it will be in this case with music pirates dying to get their hands on music. What the RIAA should focus on is selling it cheap enough that people would actually buy it. I would personally be willing to spend 25 or 50 cents a song for mp3 music, and I think that actually most people would be willing to do that. The whole problem with the RIAA is that they say that prices need to be higher because of piracy, but piracy happens mostly because of high prices. They should run an experiment and have mp3s for download for $0.25 each or something like that, and see what the response is.
  • by jafac ( 1449 ) on Thursday October 12, 2000 @12:31PM (#710594) Homepage
    I guess if the music industry wants it's garganuan profits now, it will need to do the following:

    1. lobby congress to legalize murder.
    2. hire disenfranchised serbian death squads.
    3. locate any person with an IQ above 90.
    4. kill all persons with an IQ above 90.

    This will have two impacts. It will mean that they'll finally be able to sell Backdoor Boyz to EVERYONE, and that nobody smart enough to crack SDMI will be left alive.

    That would be MUCH easier and cheaper than developing a crack-proof protection scheme.

    Oh wait, I forgot, there's always DONGLES!
  • by crovira ( 10242 ) on Thursday October 12, 2000 @11:27AM (#710595) Homepage
    Encryption's cute but its only encryption. Todays algorithms are tomorrow's object lessons in how not to do it.

    The problem is one of economic distribution. How to get money from the consumers into the pockets of the producers in some fair and equitable way.

    One model which almost works is ASCAP. They're in charge of charging radio stations and other broadcasting media, based on their market penetration numbers, some money for every piece of material the boadcasters, uh, broadcast, (ASCAP IS Big Brother,:-) and then they shovel that money into the pockets of the "authorities of record" who can claim to be the producers of the material that was broadcast. (That's how artists still get screwed today. NEVER, ever, give away your copyright.)

    One model which would work in the "Age Of Napster" is to use micro-payment to charge a published sum from the recipient of a file, if the transmission is not declined, regardless of the content or the size of the file, for every transmission of the file over the internet.

    Purely local transmission of the file can be presumed to be fair use, back-ups, change of media etc. Re-transmission over the internet would kick-in the micro-payment scheme which would insure that the Metallica's of the world can please just shut up!

    This could even be applied to establishing connections for streaming media.

    By the way that leaves the RIAA, the MPAA and other neo-Luddites out in the cold. Let those parasites get real jobs.
  • Sure there's something wrong with it. It's giving the record industry free assistance in their attempts to increase their control over digital music, just as the movie industry is trying to do for digital video. Helping them acheive their goals is, IMO, wrong because those goals are wrong. Of course, obviously not everyone shares my opinion, or at least they are using some different logic to justify assisting the record industry by cracking SDMI.

  • It being the watermark. If you have an ideal watermark (it cannot be heard) and an ideal lossy encoder (it dumps everything you can't hear), well, your watermark should go bye bye.

    Of course, given that watermarks are far less than perfect (you can hear them) in order to be a bit more robust, you could D-to-A-to-D several distinct copies of the secure music, 'average' them, and then encode. With a sufficiently high number of sufficiently different copies of the music, the watermark will eventually be destroyed. This has the added benefit that the noise from the D-A-D conversion will tend to neither add nor cancel, but the signal will tend to add during the recombination phase, improving quality.

    In any case, so long as I can buy my digital music anonymously with cash (at a brick+mortar store), what do I care if the watermark is still there? So the music has a serial number? That doesn't necessarily correlate with anything in the real world.
  • by ckedge ( 192996 ) on Thursday October 12, 2000 @09:18AM (#710606) Journal

    I was initially 'with' everyone here and in the community on the issue of boycotting the challenge, because I thought it would 'punish' the proponents of SDMI if they went to the trouble of commercializing it only to have it quickly broken. I presumed that breaking it now would help the SDMI.

    However this article [salon.com] points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

    I really wish that the article quoted above had been written earlier and had come to our attention earlier, for it is quite a valid and compelling counter to the "rah rah let's boycott the challenge" idea.

    Basically, maybe we were all wrong, and cracking it quickly and effortlessly will not help the SDMI, but actually destroy it! Go crackers!

  • "The hacker boycott of SDM organized by suspicious members of the programming community has turned out to be irrelevant."

    What the heck do they mean by this? I'm quite amused that some SDMI members are finally facing the reality that it might not be possible to protect music.
  • by Anonymous Coward
    Anonymous sources say that its been cracked - no evidence for that, why should anyone involved in this whole scheme be trusted, and why should any information leaked out be trusted?

    Cracking SDMI gives the RIAA enough excuse to go running to the governement for even more backing than they got in the DMCA.

    They already are asking for all TVs to have anti-copy protection in them, how soon will they be asking for trusted hardware for audio as well?

    The assertion that SDMI has been cracked may well come from SDMI members who know that trusted hardware is the next step, and not from disgruntled hacker-anarchists in their midst.

    Trust nothing that comes out of this process - there are billions at stake, not to mention hot and cold running blowjobs in the back of limousines.
  • > Is it inconcivable to build a player that cannot
    > be disassembled?

    We're talking about software players here, so yes, it's inconceivable. I'll bet my PhD on it.

    Some of the best CS theory profs around have given some thought to what it would mean for a program to be effectively "undisassemblable". They've had a hard time coming up with a definition that doesn't just reduce to the empty set. AFAIK, their current best definition hasn't yet been shown to reduce to the empty set, but no-one's been able to construct an undisassemblable program either.
  • The irony of this mess is this: Napster's user list -- containing e-mail addresses -- is probably worth more than the RIAA or MPAA or Jackie Valenti is willing to admit.

    The gold isn't in the music itself. The gold is there for the taking, but no one is moving to take it: it's Napster's gazillion user e-mail addresses.

    Why isn't Napster dangling their databases more "publically" in front of the RIAA and MPAA. Why aren't they saying: Screw the content. We've got something better. We've got gazillions of users with e-mail addresses who crave your product??
  • lol, I was trying to make a joke...sorry if I offended you. But, please remember that if you take your example to the extreme, (as if there really is a single true Hacker Ethic), logically, a hacker would know that telling the RIAA that their security measures were cracked at this stage would simply lead to them trying to create even more elaborate ways to keep their digital property from being free (Speech, not Beer.)

    <PROPOGANDA>So, my poor attempt at humour yields the philosophical question, Would a Real Hacker(tm), knowing that the system he disagrees with is faulty, help that system persist by informing it of it's inherent weakness? Or, would this hypothetical hacker just keep his mouth shut until the faulty design was finalized, henceforth guaranteeing the complete Freedom of the information in question? </PROPOGANDA>

    Feel free to rephrase the question in a less biased manner. =P

  • you make the best possible point.

    Those who believe in such a thing as uncrackable encryption are either poorly misinformed, or have no imagination.

    For some reason, money seems to gravitate towards such individuals. . .
  • I mean, the guys who cracked this where probably some folks who thought $10K was a lot of money and didn't mind about giving their work away for that really cheap price, hey, the record industry doesn't even acknowledge their work and downplays it all.

    Now after the RIAA chose to ignore all advice by the developpers they paid (in total) some million US$ and who must have told them that it wouldn't work, will they finally listen to some hackers who did it for cheap (hell if they hired some decent experts the RIAA 'd have spent $10.000 just to draw up a contract) and dump SDMI?

    Obviously not, they will come up with some new watermarks (probably worse than the first batch because it's really urgent now before MP3 is so widely accepted even they can't stop it) and when it's cracked we'll see the DeCSS case all over again. Meanwhile players will hog the shelves because customers don't want to be screwed (we saw it all with DAT tapes) until it leaks out that with one player copy protection can be turned off, at which point "without copyprotection" will become a salesargument for players.

    If the RIAA just wants to ignore the fact that digital information can be copied, they should buy earprotectors and blindfolds for their members, but maybe that costs more than $10K ...
  • by MattW ( 97290 ) <matt@ender.com> on Thursday October 12, 2000 @09:19AM (#710625) Homepage
    It's time for the record companies to get with the program. The _smart_ thing to do would be to just start releasing albums and songs on their own sites. Let people download whatever they want, and pay for it if they keep it. I'd be all over it. Naturally, I'd expect it to cost less than a CD, but not a ton less.

    I hope artists also move to fore -- popular artists (those whose recording contracts permit) should release a song or three (or an album) in all mp3, and just take payment if you keep it. Say, 24 hours trial period, if you keep it longer, you have to pay. Obviously, its all voluntary, but who would balk at paying $3 to $6 for an ablum from an artist they like? I think the honest users of such a service would vastly outway any thieves.
  • SDMI never had a chance. Though there are many things wrong with the concept, the biggest seems to me that it is no big deal to hack SDMI once an SDMI-compliant players come out. If the player can read the watermark, YOU can read the watermark and figure out how to remove it. Technically, there is nothing stopping you from going crazy Napster style. Thus, the only thing to protect SDMI is the fact that hacking it is illegal. Drugs, gambling, and listening to MP3s you didn't pay for are also illegal. RIP SDMI.
  • by rgmoore ( 133276 ) <glandauer@charter.net> on Thursday October 12, 2000 @12:58PM (#710627) Homepage
    Please explain why you believe it's impossible. Is it because they haven't done it yet?

    Because the fundamental premise is obviously self contradictory. In order to have a truly effective watermark, the sound must be damaged to the tolerance of an ordinary listener when it's removed. In order to have a publically acceptable watermark, the sound must be unchanged to the most sensitive listener when it's added. The result is that you should always be able to create a procedure that mangles the sound at above the level at which the watermark exists, but below the level where an average listener will care. Doing so may damage the sound for true audiophiles, but won't mean anything to the casual listeners who constitute the lion's share of the market.

  • by ErikTheRed ( 162431 ) on Thursday October 12, 2000 @09:19AM (#710628) Homepage
    Could you imagine how depressing it must be to spend years of your life engaged in a hopelessly Quixotic struggle against advancing technology? Of course, it couldn't happen to nicer people...
  • by Jason Earl ( 1894 ) on Thursday October 12, 2000 @09:20AM (#710637) Homepage Journal

    Delays are better than an uncrackable SDMI implemented tomorrow, but the best possible outcome would have been for the RIAA and their hardware cronies to dump billions into hardware and software with big holes in it. As an added bonus many of their customers would have found their draconian stance on IP to be too restrictive, and sales would have dropped. Simply because the "pirated" versions were easier to use.

    The RIAA isn't going to learn unless the lesson is painful. I am all for the RIAA making money from their copyrighted material, but not at the expense of my fair use rights.

    Oh, and by the way, hopefully this will give Ogg Vorbis more of a chance. MP3s aren't bad but Ogg is better!

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @09:20AM (#710638) Homepage

    After all...that just gives MP3's more of a chance.

    Ahem, leaving SDMI for MP3 is just leaving the DMCA Swamp for the Patent Quagmire. Out of the frying pan, into the fire.

    Why don't we go for the option that doesn't involve breaking the law (and has nice fringe benefits -- MP3 is old tech now), when we can?

    And, by the way, the Vorbis [vorbis.org] format is finalized and has been for some time. bps limitations of current encoders are only a result of the encoding software, not of limitations of the underlying format. Not to mention that .ogg seems to be sounding better than higher-bitrate .mp3s as the encoders improve...

    This does it, I'm re-encoding[1] all the music on my site to .ogg when I get the chance. I need the space savings anyway.

    ---

    [1] that is -- encoding new .oggs from pristine audio, not "converting" the existing .mp3s.

    "converting" among lossy formats is always going to sound bad.

  • by plover ( 150551 ) on Thursday October 12, 2000 @09:21AM (#710661) Homepage Journal
    A couple of points: First, there is no next step. It is not mathematically possible to secure data in a non-trusted non-secured HARDWARE environment. Can't be done, mathematically provable (wish I could offer the URL of a decent proof here, oh well, that's what google's for, right?) Physically provable also, as well evidenced by this announcement.

    The ONLY possible result was to have their watermarking broken. As I mentioned above, it's not possible to secure it.

    What you describe as their best possible result would actually be the penultimate nightmare scenario for SDMI. Ramping up production of new hardware and media is an incredibly expensive undertaking. Not to mention the risk of public rejection (for a primo example of this, learn the lessons of DIVX.) To get $2 billion down that path, only to be shot down by hackers. At this point, they're only out a few million. The $10K prize was a spit in the bucket.

    As to your last point, professional cryptographers have been telling them this is impossible and a huge waste of money. People with money don't believe in "impossible." They don't understand technology, they understand money. And in their world, money can buy the impossible. They don't live in our world, where code can always do the possible.

    John

  • by szyzyg ( 7313 ) on Thursday October 12, 2000 @09:24AM (#710679)
    I'm amazed that nobody has published code to break the DRM (or at least capture unencoded data) on other established formats like Liquid Audio, Blue Matter (basically Real Audio) and everyone's Favourite - Windows Media.

    OK there's the little issue of the DMCA which would make such things illegal in the US.

    I wouldn't be surprised if some of the SDMI breaks came from Microsoft to help promote their DRM server based technology.

  • by Chris Johnson ( 580 ) on Thursday October 12, 2000 @05:36PM (#710695) Homepage Journal
    Terrific! Your posts here are inspiring, Schwab- brilliant thinking. I'd like to add another concept or two to your arsenal: commissions should not be overlooked. Your example for Carmack is like "I am making X, give me this much or I'll refuse to release it". I think that's a bad bluff to attempt- what if someone leaks it? Consider, instead, someone going to Carmack and saying "Hey, I really want Y." "Well, that's great, but I'm making X." "But I really want Y! Can you do Y instead?" "What's it worth to you?" That's commissions.

    Your observations about identifying the artist are right on- that's why I for one am very excited about one of the 'fingerprinting' technologies being developed. Basically it will be possible to do net searches in the future on snippets of unlabelled digital audio and return the artist's current website/information. This is incredibly important in a world where the information flows so freely- an example, if you use Napster you'll find all sorts of utterly unrelated bands uploaded mistakenly as They Might Be Giants. This is great for TMBG but unhelpful for the real artists- with the sort of fingerprinting we're talking about this would be trivially fixed, and anyone could track down the true creator's identity easily- again, _reputation_ is the key concept. It will become possible to accurately associate a positive musical experience with a specific name no matter how obscure and non-mainstream: compare this with the days of broadcast radio where you had to first fight just to get _on_ the radio and then pray/pay for the DJ to actually announce your name in association with it! This sort of gatekeeper will become a thing of the past- though it'll still have a place, with the new type of DJ being someone of known good taste and ability to audition more new stuff than most people have.

    I can relate an anecdote of stuff that's still going on, that illustrates your point. I used to have music on mp3.com (before they turned their contract towards the Dark Side ;) ). It's not mainstream at all- in fact some of it is rather user-hostile, for instance a strange marimba-driven track named Bone Dragon. None of this brought me pop stardom, understandably- but I know my way around a mixing desk and build a lot of radical, high-performance equipment that goes against the habitual sonic dreck people inflict upon their recordings these days (see Britney Spears...), and I attracted some attention from some iconoclasts, and in fact I built *REPUTATION* as someone who could get a sound, an impressively professional sound. This has led me to the point where I'm seriously contemplating doing sound engineering work for a startup (not RIAA) that I've been talking to, and in fact already have a sale of commercial rights for a piece of my music waiting for when the deals are finalised (I'm also making extensive use of my sharpness and paranoia in relation to the contract that people will end up seeing- another area of reputation getting involved). And the first piece of music to find a home in this new context is... 'Bone Dragon'. Yes! The totally uncommercial, peculiar one! *g*

    The point is- reputation is fscking _gold_ man. It is substantially more important than immediate cash. The fact that 'Bone Dragon' is out there as lots of mp3s, with my blessing upon their further noncommercial copying, does _not_ make it licensed for commercial use. If someone wants to run that in an advertisement they have to talk to _me_! (If they want to add cheesy singing munchkin jingles to it they'd better be offering a LOT of money, and I mean a LOT. Background use or use under narration does not tend to destroy the soul of the music so readily.) And if they want something else that's like that- again, they have to talk to me. Commercial interests can't legally copy and use the free music I have out there being copied under fair use- and _nobody_ can copy what hasn't been performed yet.

    It all reminds me of some of the tenets of the Progressive Party (for which I'll do some voting this November). They are not big fans of inherited wealth, or of wealth derived from high lofty positions. If you think about that a bit you see that what they're advocating is a much tighter link between WORK and wealth- and that speaks for me, very much. Trouble is, I'm a musician (among other things) and that industry is utterly fixated on the creation of intellectual property which is expected to go on earning money _without_ me, for longer than I live. Frankly, I can't see the logic behind this. Okay, supposing I write a hit song and record it wonderfully- certainly that's worth being paid for. Once it's been recorded- then what? Where is the justification that I should be _entitled_ to never work again based on having done really great work once upon a time?

    I don't see it, so I am essentially unperturbed by the idea of tossing my music and work out there for the world to scavenge and copy back and forth unpayingly. If I'm any good at it, there'll be people who like what I do- like it well enough that they _ask_ for more, or want me to spend my time engineering _their_ music or some such activity. "Shut up and play your guitar!" "Mix my album!" "Do more ambient!" And the answer is of course "What's it worth to you?". My ability to earn a living wage ought to be tied to my willingness to _keep_ _working_ and producing stuff to benefit people.

    For this reason I completely and totally disrespect the RIAA and everything they stand for, and have total contempt for SDMI. It's just more attempts to impose a price on something that was once rare and has become a commodity too cheap to meter- art. Instances of art in the digital domain are too cheap to meter, they are free, there's no sense even _trying_ to mess around with micropayments and that crap (you'll be nickel-and-dimed to death!). Art is free. ARTISTS ARE EXPENSIVE. Think commissions, 'patrons'. If you can imagine a sort of art you _can_ get someone to produce it- what's it worth to you?

  • by plastickiwi ( 170800 ) on Thursday October 12, 2000 @09:24AM (#710700)
    .... this will just allow the RIAA to lobby Congress for appliance taxes the way they did with DAT.

    "You see?" they'll say. "Evil nasty hackers destroyed our benevolent effort to release music to the masses before we could even bring it to market. They've proved there's no way to distribute music in an open model."

    The solutions they'll offer, of course, are:

    • a hardware tax on everything, including computers, that can play or create audio files; and
    • mandatory hardware-based encryption for CD players.
    Don't laugh. No one thought they'd get the same requirements passed on DAT, which was heralded as all that and a plastic Jesus.

  • by ewhac ( 5844 ) on Thursday October 12, 2000 @09:26AM (#710704) Homepage Journal

    While I'm pleased to see that SDMI was so trivially cracked, I'm disappointed that the individuals mounting the successful attack chose to inform the recording industry. As any military intelligence officer will tell you, you don't brag to the enemy that you've broken their codes. Just ask the British government officials from World War II what their policy was when the German Enigma was cracked.

    The idea here is to cause the enemy to commit time and resources to a futile exercise. If the crackers had waited until SDMI had been fully deployed in the marketplace, it would have cost the recording industry and anyone else foolish enough to follow their example at least a few billion dollars; enough money to make them seriously reconsider the whole misguided notion of copy protection as too costly to pursue. As it is, it's only cost them one or two million in research, plus the paltry $10K for the "prize".

    I would like to see Slashdot invite the SDMI crackers for an interview, so that we can get an insight into their ethical framework, and why they chose to save the recording industry's lunch.

    Schwab

  • by account_deleted ( 4530225 ) on Thursday October 12, 2000 @09:27AM (#710705)
    Comment removed based on user account deletion
  • by EricEldred ( 175470 ) on Thursday October 12, 2000 @01:42PM (#710714) Homepage

    This word came from the Salon writer, not the music industry.

    But one possible outcome from this would be that the music industry blames "hackers" for preventing them from introducing digital content for consumers. Then they go to Congress to get a bill even stronger than the DMCA to lock up music and lock up "hackers".

    If the SDMI members who represent computer companies and not music companies will step forward and explain what has happened, that SDMI volunteered this test, then the "hackers" will get a fair showing. They should even join us in calling for the music industry to produce open source products at a reasonable price.

    If not, then this whole episode is another trap for Free Software people and genuine cryptanalysts to get excoriated in the press and their freedoms threatened. Which is it going to be?

  • by none2222 ( 161746 ) on Thursday October 12, 2000 @09:27AM (#710726)
    Show me a copy-protection scheme that hasn't been broken, and I might be suprised.

    What is the RIAA thinking? All moderately popular music is available in MP3 format; and those MP3s aren't going to suddenly all disappear. My understanding is that SDMI was supposed to allow record companies to sell music via download. Why not simply sell music in MP3 format, and forego copy-protection?

    People who want to trade music will continue to do so even if the RIAA somehow manages (magically) comes up with unbreakable copy-protection. People will always be able to rip CDs. SDMI and similar efforts are pointless, and a waste of money.

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @09:30AM (#710734) Homepage

    Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorythm.

    They had professional cryptographers working on this, and I expect the cryptographers told them as much, which is why this gives me the willies.

    My gut feeling says that they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them.

    One way or another, the successful crack is a worth a lot more than $10k to them...

    We'll have to wait and see...

  • by mr.ska ( 208224 ) on Thursday October 12, 2000 @09:31AM (#710745) Homepage Journal
    The article claims that the boycott was rendered pretty much worthless, but is this in fact the case?

    The contest stipulated that you had to divulge HOW you cracked their security to get your share of the $10000. If someone cracked them all, submitted them for analysis, but didn't tell anyone what they did or how they did it, I'd say that action is still inline with the boycott. After all, the RIAA knows nothing more than they're up shit creek now.

    In fact, this might have been the most humane way to do this. Crack it before the contest deadline, that way:

    1. SDMI doesn't get implemented (yet)
    2. "secure" music seems all the more unlikely
    3. hardware manufacturers aren't screwed by having to produce SDMI-compatible hardware (at significant cost) just to have the whole thing blow up in their faces
    In any case, not much we can do about it now.
  • by dwyn ( 144031 ) on Thursday October 12, 2000 @09:36AM (#710760) Homepage
    No, they cannot be on CDs, for economical reasons. CDs are mass-produced; the same CD image is used for tens of thousands (maybe millions) of CDs. Watermarking individual copies is not feasible.

    However, this raises an interesting point. What if I agree to buy a watermarked version of the song, then decide to sell it? I will either have to sell it through a SDMI-licensed broker (can you say monopoly?), or reselling it will be forbidden. (You don't "buy" a song, you "license" it for your own use, for ever. Licensing terms subject to change without notice.)

  • by jms ( 11418 ) on Thursday October 12, 2000 @09:46AM (#710761)
    The point of the watermarking system, as claimed on their web site before they shut it down was:

    (1) four different watermark technologies that are designed to detect compression and

    (2) two additional technologies that are designed to ensure that under certain circumstances individual tracks of an album are not admitted into an SDMI domain without the presence of the original CD.


    SDMI is designed as a "Napster Killer." Here's their strategy:

    1) Apply a watermark to all CDs. This watermark takes the form of deliberate digital distortion, and is designed so that "most" people won't notice it.

    2) Make all SDMI MP3 players scan MP3 files for the remnants of that watermark, and reject them. Hence, MP3s made from ripped CDs won't work anymore on new players. Napster is dead.

    3) To allow people to download their own CDs into their SDMI MP3 players, provide special SDMI ripping software that allows the creation of an SDMI-encrypted MP3 from watermarked CDs, but associate these encrypted MP3s with the computer of the person who did the rip, so that they can download them onto their portable player, but if someone downloads this file from Napster, it won't work for them, because it wasn't made on their computer. The SDMI ripping software would look for the watermark, and make sure that the watermark is intact, signifying an original CD. This is so that you can't download an MP3, uncompress it into a CD, and run the SDMI ripping software on it. This is the purpose of the "two additional technologies."

    The "detect compression" part is the fundamental mistake. The entire SDMI initiative is based on a basic misconception about the future of digital music and the reason why people use MP3s in the first place.

    The only reason that people use lossy MP3 encoding is because it makes the files smaller by a factor of about 10:1. However, there are lossless encoding schemes that can compress by a factor of about 2:1.

    Even if SDMI had worked, it would only have bought the industry a year or two, before DSL, or whatever faster technology replaces DSL makes downloading an uncompressed file as fast as downloading an MP3 is today, and before hard drive prices fall to the point where no one cares that their music files are 5 times as large.

    Cracking SDMI now is a good thing.

    Watermarking introduces deliberate distortion into the audio signal. By cracking the watermarking scheme before it was ever introduced to the market, we have avoided a scenario where all CDs would have included deliberate distortion, to no one's benefit.

  • by iElucidate ( 67873 ) on Thursday October 12, 2000 @09:47AM (#710763) Homepage
    I am very excited about this. Want to know why? Because not too long ago, I read this article [salon.com] in Salon.com. It stated:
    Is the SDMI boycott backfiring? Programmers don't want to help the recording industry test its new security "solution." But the technology insiders behind the system say hackers could kill it once and for all by participating.
    The SDMI coalition is falling apart. The electronics companies hate the tactics the record companies are employing, and are on the verge of splitting off of the group. The final release specs for SDMI were the last draw - if someone cracked this system, it could mean the end of the coalition.

    Of course we will break the code - any new code is inevitably broken, especially one tied to hardware like SDMI. Many have talked about the prospects for breaking the code, and most agree - it will be possible in most forms, due to fundamental flaws in the architecture.

    Don't worry about breaking any potential codes - it will happen regardless. Look at the massive support for Napster and you can see why SDMI won't work. On the other hand, look at the RIAA's coalition now: fractured, broken. Will they EVER be able to repair it? I hope not.

  • by d.valued ( 150022 ) on Thursday October 12, 2000 @09:50AM (#710767) Journal
    The main restriction that CSS, err.. SDMI would impose is that would mandate that hardware and software MP3 solutions would have to convert to SDMI only within a short timespan. Now, if you read the article, it says one thing that none of us would have expected: Many SDMI members think there isn't [another solution to watermarking] -- and that this could mean that SDMI will now implode for lack of any plausible ideas for how to meet the recording industry's demands for secure music. Maybe this means that there won't be an SDMI for a technological century! (Or six years ;)
  • by crushinator ( 212593 ) on Thursday October 12, 2000 @09:39AM (#710775)
    I was pro-boycott from the start - I didn't want to do dirty work for the RIAA, serving to strengthen their algorithm which they would eventually use against me. But in spite of my reservations, a successful, across-the-board crack this early may be a good thing.

    I think the bad PR will constitute a serious blow to the SDMI (unless they somehow manage to downplay or spin it), and I think the lost time will be even more crippling to the initiative.

    This means no SDMI players by christmas... meanwhile, more and more MP3 players will emerge and gather market share. If, by the time they come out with a new, improved SDMI, millions of people have mp3 products (especially non-technophile people), it will be much, much harder to pitch it to the average consumer. Hopefully at that point SDMI will go the way of DivX (the pay-per-view DVD, not the compression).

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @09:45AM (#710798) Homepage

    ...an insight into their ethical framework, and why they chose to save the recording industry's lunch.

    If they accept the prize, it will be clear that the answers are, respectively: "Money is good," and "about $10k."

  • by itripn ( 208746 ) on Thursday October 12, 2000 @10:01AM (#710804)
    An opposing strategy to the boycott would be for the community to crack everything they release to be tested. This will a) delay boneheaded schemes from hitting the market, and b) demonstrate that the community can and will crack anything they come up with, showing the futility of encrypted music. No, we need new and bold business models to distribute the music such that the ARTISTS get the bulk of the proceeds, not the good ole boys. So let them keep coming up with stuff, and let's keep cracking it until they figure it out. itripn
  • by TheGratefulNet ( 143330 ) on Thursday October 12, 2000 @10:36AM (#710819)
    you have my vote as well: make it cheap and the amount of work it takes to either rip/encode/tag your own mp3's or to break the watermark will be more than the cost of just buying legit files.

    at home, I have a ripping farm (well, if 4 boxes is a farm) of mp3 encoders. they're all k7-800 class boxes. and it STILL took me over 2 months to r/e/t my whole 500 cd collection (with the frau encoder, at --qual=9. this is with 800mhz k7 systems! a lot of folks have this kind of HP but most probably don't.

    a friend of mine who has 'only' a k6-2/300 system waited 24 hrs of constant machine mp3 encode time just for one album. would he pay 50cents for properly (like with Frau.) encoded and labelled mp3's? you can sure bet he would!

    riaa: make mp3's cheap and just TRY the online sales thing. and promise us that you keep just enough cash to 'get by' and that the lion's share goes to the artists (that you CLAIM you exist for) and lets just see how well that experiment works.

    will they try it? nah - they're too busy suing everyone and his brother. reminds me of the monty python movie where the knight is being defeated one hacked-off arm and a leg at a time; yet still won't give up the fight.

    --

"Conversion, fastidious Goddess, loves blood better than brick, and feasts most subtly on the human will." -- Virginia Woolf, "Mrs. Dalloway"

Working...