Encryption Security

SDMI Cracked Too Soon 387

Andrew Leonard writes "Two off-the-record members of the SDMI coalition have confirmed to Salon's Janelle Brown that all of the SDMI watermarks have been solidly broken." It's too bad this didn't happen in a year - because now it's been cracked before it was even released, and they'll delay even longer.
This discussion has been archived. No new comments can be posted.

  • WinAmp Plugin [vorbis.com]

  • by ewhac ( 5844 ) on Thursday October 12, 2000 @11:43AM (#710440) Homepage Journal

    and that is one of the [ ... ] most asinine things I've ever heard.

    Perhaps you haven't been paying close enough attention: They are out to screw you.

    They want to re-write the rules of retail sales, replacing title transfer with "end-user licenses" (just about any software package).

    They want to re-define lawful behavior, taking away your right to exercise your curiosity about the world around you (anti-reverse-engineering clauses).

    They want to take away your standalone computer and replace it with a "licensed networked digital media reception terminal," complete with credit card reader.

    They want to take away your right to do with your property as you please (:Cue:Cat).

    And they want to do this without soliciting your input or consent, and then make you pay through the nose for the privilege of being screwed.

    Now, perhaps those things aren't important to you. Perhaps you're not a terribly curious person, or perhaps you're of the opinion that, "I would never need or want to do those things." Perhaps you feel that The Law is The Law, regardless of whether there's a valid ethical foundation for it, or how or why or for whom the law was enacted. Or perhaps you're thinking, "That will never happen in this country." Well, fine, you don't think it's important.

    But in my book, this is tyranny, pal; it's damned important; and I will not sit still for it for one nanosecond. This is war, a war of ideas, a war for the digital society of the future. And the enemy has all the lawyers, guns, and money. (And no, this is not hyperbole. What is at stake here is nothing less than who will get to define the social and ethical framework by which we will conduct our lives in the digital universe.)

    We are not dealing with people here; we are dealing with corporations. They have no ethics, no morals, no conscience. They are amoeba. They respond to but a single stimulus: Money.

    Look at what they are doing. Think about the possible consequences (not just to yourself, but to your neighbors and family). I hope you will discover that the situation isn't as easily dismissed as you may currently believe.

    Schwab

  • Is the RIAA's strategy to simply litigate every non-SDMIing player into oblivion?

    They don't have to. They planned on using the same strategy as the MPAA. All legitimate downloaded music files from major labels would be in SDMI-encrypted format.

    You could still manufacture an ordinary MP3 player, but it wouldn't work with SDMI files. It would be like manufacturing a DVD player without licensing CSS. Sure you can do it, and you could have digital outputs and no macrovision, but it won't play store-bought DVDs, so no one does it.
  • they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them

    Yeah - a chill ran down my back as I was reading the Salon article. I imagined this conversation transpiring:

    Judge: "Why didn't you encrypt your music more strongly?"

    RIAA: "We tried, but every encryption and watermarking scheme we tried proved vulnerable. It turns out to be physically impossible to secure digital media. So we just went with ROT13 as our copy protection to limit costs."

    Judge: "Is this true? Is it impossible?"

    Geek: "Well, ummm... in a word, Yes... mmmm - mayven"

    Judge: "I see. Well, if it's impossible to protect the data, then any means of protection can be considered reasonable protection when applied to defend a copyright. [whack!] Rule in favor of the plaintiff."

  • by Mike1024 ( 184871 ) on Thursday October 12, 2000 @11:07AM (#710449)
    Hey,

    Here's how to crack your SDMI-compatible player:

    1) Download SDMI file
    2) Download compatible player
    3) Set your sound card input to 'What you hear' or whatever equivalent
    4) Start your choice .wav recorder, like 'Sound Recorder', free in Windows 3.1
    5) Press 'Record'
    6) Play SDMI file
    7) Wait until end of play
    8) Press stop
    9) Encode your .wav to an MP3, using your choice encoder
    10) Put on gnutella

    Or if you have a hardware player:

    1) Prepare player to play music normally
    2) Dismantle the player, until you get down to a loudspeaker. Cut off the two wires and solder them into a standard microphone audio jack from your local hardware store
    3) Start your choice .wav recorder and click 'record'
    4) Plug the new microphone jack into your sound card
    5) Play SDMI file
    6) Wait until end of play and click 'stop'
    7) Encode .wav file into MP3
    8) Put on gnutella

    Clever eh? I'll take my $10,000 in cash, sterling used notes please.

    Michael

    ...another comment from Michael Tandy.

  • by sulli ( 195030 )
    But as I recall you could link directly to the files made available for cryptanalysis. So if someone GOT the files but DID NOT agree to the NDA, could not that person, if a cryptographer, distribute independently the results? And if such a person were an AC on /., would not the results be pretty much untraceable?

    Just a thought, for all you SDMI h4x0rs out there.

    As for me, I wasn't going to buy it anyway, so fuck 'em.

  • Uh...I think that was meant to be parsed as "members of the programming community suspicious of the SDMI"
  • After all, it might have been a good idea to break it that soon. I work in speech coding (not that far from audio coding) and, though this is still subject to debate, I believe that watermark cannot work. An indication of this would be that (if I understood correctly) all the watermarking systems have been completely broken. If it had been only one, then they could have picked the strongest one (which would have been bad). If it had been only a detail, they could have fixed it...

    But maybe the answer is that it's not possible to have watermarking that really works. If this is true, the ones pushing SDMI have two choices:

    1) Come up with a new watermarking system every 6 months, have it all broken with 1-2 weeks, and be effectively stalled for years. Even if they finally find something that works after 4 years, it would be way too late anyway.

    2) They could release something they know to be broken and play the same game the MPAA is playing with CSS. Only in that case, they'll get even less sympathy, because everybody will know that they knew from the start that their watermark was broken.
  • Right, but if you intercept someone's RSA-encrypted message, you don't get the key.

    SDMI would HAVE to provide you with the key, so that you could decrypt and listen to the music! I was incomplete before; what I should have said was, "They give you the encrypted data, the decryption algorithm, AND THE KEY".

  • by Anne Marie ( 239347 ) on Thursday October 12, 2000 @10:07AM (#710460)
    I thought we all agreed not to crack them, so they'd release the standard and we'd get lots of poorly protected audio floating around for us to grab. So which one of you did it?
  • by jms ( 11418 ) on Thursday October 12, 2000 @11:10AM (#710462)
    Divx (the circuit city product) was, as far as I know, never cracked. Of course, they went out of business so fast that no one even had a chance to try. :-)
  • The problem is that the RIAA probably has the necessary muscle to force SDMI products down consumers' throats. As soon as the RIAA finds a way to make SDMI work, they will guarantee that it is impossible to buy a new music player of any sort that doesn't honor their wishes.

    For now it is a trivial thing to make copies of your CDs, and rip MP3s to carry on your MP3 player, but in the future this will not be possible if the RIAA has their way.

    So it won't only be the idiots that lose their fair use rights, you will lose your rights as well. They will essentially be able to control where, when and how you may listen to music that you have paid for. Your music collection will also probably "expire" and require re-licensing.

    I am all for having SDMI fail in the marketplace, but I wouldn't feel sorry for a moment if someone "gave it a push." If the RIAA and their cronies had sunk billions of dollars into implementing SDMI and then had it broken, then we would definitely see it crash and burn.

  • After all...that just gives MP3's more of a chance.

    But the REAL question I have is whether or not those who broke the watermarks *TOLD* RIAA HOW THEY DID IT.

    Sorry dude...we, like know what the answer is..but we forgot to tell ya how we did it. Sorry.

  • First, assume the noise has to be identifiable as a watermark (or else their players won't refuse to play it.)

    This is not a safe assumption. And just because a compliant player can identify the watermark bits doesn't mean that you can

    Thus, any software player that can identify it can be disassembled to point out which bits of the stream are watermarks.

    Please support this assertion. You have never seen such a player have you? How do you know it can be disassembled for any purpose? Is it inconceivable to build a player that cannot be disassembled?

    Remove those bits, and it's gone. The meanings of the bits are irrelevant.

    The point is to make the meaning of those bits relevant. If those bits are also meaningful to the data stream you can't remove them without altering the data.

    The goal of SDMI is to put the watermark in significant areas so that you can't remove them. Just like the security watermark on your paycheck. If you try to change the amount of the check you ruin the whole thing.

    And this has nothing to do with getting rid of MP3's or tracking pirates. The point of SDMI is to be able to distribute digital music without worrying about piracy. SDMI prevents piracy the same way CSS prevents pirating of DVDs; not because the encryption is secure, but because you must play a DVD to copy it. Sure you could make a bitwise copy of a DVD and it would play in any DVD player, but to do so is prohibitively expensive.

    As long as you must play music to copy it you (the vast majority of people) will not be able to make digital copies of it. And the music industry has never been very concerned with analog piracy of digital music.

  • by Nonesuch ( 90847 ) on Thursday October 12, 2000 @10:09AM (#710469) Homepage Journal
    If all of the candidate watermarks have been broken, what is their next step?

    The best possible result for SDMI would have been for at least one of the watermarks not to have been broken during the public examination period, then they could have released hardware and software knowing that it was better than any of the discarded watermarking solutions.

    This sort of test is silly- just because it can't be broken today, by people for whom $10K is a lot of money, doesn't mean it won't be broken the day after it is released.

    Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorithm.

  • by jafac ( 1449 ) on Thursday October 12, 2000 @12:45PM (#710475) Homepage
    Well, the boycott idea was stupid anyway.

    boycott coke, and maybe 20% of the people who agree with your cause will boycott it.
    That translates into a 20% drop in revenues (um, if Coke didn't own every other company in existence, and only produced just coke).

    but with this contest, if just one hacker doesn't boycott it, (and who wouldn't want an extra $10,000 for a few hours work?), then the boycott utterly fails. Y'all should've just gone for it.

    It would have been nice to see the wasted effort to mass-market this stuff and watch it be cracked. That would have been sweet. But it's also pretty satisfying to watch a hacker-boycott still crack the thing in a matter of weeks. If all the hackers had gone full-tilt into this, can you imagine how quickly it would have fallen? Might have saved them a little hubris.
  • I think you are trolling, but if not does this [loc.gov] count?

    Section 107:

    Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include-

    (1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;

    (2) the nature of the copyrighted work;

    (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and

    (4) the effect of the use upon the potential market for or value of the copyrighted work.

    The fact that a work is unpublished shall not itself bar a finding of fair use if such finding is made upon consideration of all the above factors.

    Or perhaps SONY CORP. v. UNIVERSAL CITY STUDIOS, INC., 464 U.S. 417 (1984) [findlaw.com] in which "Any individual may reproduce a copyrighted work for a "fair use"; the copyright owner does not possess the exclusive right to such a use".

  • yes. SDMI would have been a hard sell, until they "bundled" it with "better audio quality". It wouldn't have to sound better, they'd only have to bribe a few audiophile magazines, and run a small astroturf campaign, and it would BE better.

    But yeah, indie labels (using unprotected MP3 technology) *is* what we really, ultimately want.
  • by miracle69 ( 34841 ) on Thursday October 12, 2000 @11:55AM (#710481)
    Why use the proprietary Frau encoder when Lame has been proven to be not only faster, but of better quality [belgacom.net]?

    And regardless of where mp3 ends up legally, Ogg Vorbis will replace it if licensing becomes a huge issue.

  • Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorithm

    What's been broken is not about cryptography, it's the watermarking system. Watermarking means adding to the audio a message that the ear cannot hear, but that contains copyright information. Breaking the watermarking system means either removing that message (which is probably impossible) or, at least, changing it so it is not recognizable anymore.
  • Yes, the hackers *WERE* suspicious. They said "I don't trust this, it looks like a bad deal".

    "Suspicious" does not necessarily mean "worthy of suspicion".
  • The guys who came up with SDMI thought they could fool the RIAA companies into buying into this technology, and face it, they would have become incredibly wealthy, whether it failed or not. It was worth a try, eh?
  • I track the CVS a bit, and there's been a good deal of optimizations, at least in the XMMS arena, since beta1. CVS info is available at vorbis.com.

    However, if you're lazy like me,
    deb http://www.stud.uni-hannover.de/~ingo/vorbis ./
    deb-src http://www.stud.uni-hannover.de/~ingo/vorbis ./

    is a set of sources.list lines for your Debian box that have compiled CVS versions updated daily.
  • The buyer also has to appease the seller to some extent, or all the sellers will go play a different game.

    Yeah, SDMI sucks. I was just saying that no matter the alternative, I don't think much music will be released online without copy control. If some organization actually makes a large amount of money with MP3's, then the labels might sit up and listen. Until then, they want some form -- any form -- of copy control before they'll do music online.
    --

  • But DAT wasn't that well established yet.

    Computers are big. I think a lot of the manufacturers out there would have something to say about a tax like that.

    My lobbyist can beat up your lobbyist.
  • lame has NOT been proven to be better quality to my ears. firstly, there is NO free encoder that is even listenable (to me and most of my friends) at 128k. frau was my only choice - if disk savings is of importance (and with 35gig's so far, it has saved me a whole 2nd disk!)

    for 160 and above, lame is 'ok'; but for 128k, its never been demonstrated that even vbr j-stereo lame or blade or gogo can compare with frau.

    THAT's why I forked out my $200 linux license fee. I didn't want to - believe me - but it paid for itself in disk space (even though it was god-awful inefficient in terms of compute time for encoding).

    --

  • Nobody would buy an SDMI player when an ordinary MP3 player delivers more functionality for less money. So this strategy would fail even if the technology worked. Sorry, RIAA!
  • Oh so clearly in the recent DeCSS case, the judge was just stupid, right? Did you read his paper? He most definitely understood the DMCA, and abided by it to the letter. A judge's job is to interpret laws, not to overturn them.
  • BTW: Once you convert it to analog you start losing quality, and they don't really care what you do after that.

    Once you go through lossy compression (i.e., MP3 compression), you start losing quality, and they sure as heck seem to care about that!

    -S

  • I agree with you that from the perspective of trying to preserve the ability to demolish SDMI's ciphers at a later time, it may have been foolish to break the codes now. Eric Raymond wrote a pretty entertaining letter on the matter commending the idea of luring the RIAA into a false sense of security, so that they would invest some real money in SDMI, foolishly getting NO security out of the deal, vulnerable to be badly scarred by the later serious attacks.

    On the other hand, the Salon article seems to indicate that the consortium that created SDMI is politically fragile. Which suggests a different set of outcomes:

    • An attack on the ciphers now whilst they are politically vulnerable to attack might knock the whole consortium down.

      Which leaves nobody there to agree on a "SDMI Mark II".

    • Not attacking the ciphers now allows the consortium to gather political stability, which leads to financial stability.

      Given financial stability, they might attain the funding to mount a legislative response to a later cipher attack.

    In effect, the hackers might attack now, while SDMI is weak, and destabilize it from a political perspective.

    It is possible that the scenarios I suggest are not representative, but if they are, which seems possible, this certainly paints a rather different picture.

  • Vorbis as a format is definitely there, but the software isn't there yet. The beta reference encoder is quite slow and the beta winamp decoder plugin is too CPU intensive (over 60% CPU usage on a PPro200, 96megs, Win98SE to decode a default quality (VBR up to 160kbps) file... while a similar quality VBR MP3 hovers around 12% CPU usage). I definitely suggest checking it out, but wait for the release version which will undoubtedly be much more optimized.

    BTW - The beta encoder (for Windows, Linux x86 and BeOS) as well as plugins to winamp, xmms and sonique are available at www.vorbis.com [vorbis.com].


    --
  • It's impossible because DACs turn a specific digital value into an exact, corresponding analog value (+/- the error rating of the DAC) and an ADC turns a RANGE of analog values into a corresponding digital value. This means the result of ANY signal that undergoes an A->D->A or D->A->D conversion is not the original signal. It's close but the lowest bits of precision of each sample are slightly modified. The watermarking that SDMI proposes must be contained in those low bits or users would hear distorted audio. So if one uses this simple process on an SDMI compliant audio file, the watermark will become unrecognizable to an SDMI compliant player. The player will then be forced to assume the audio file is pre-SDMI and will play it fine because SDMI players are supposed to play ALL non-SDMI audio.
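
Two comments above disagree on robustness: one holds that a mark confined to the low bits cannot survive a D->A->D conversion, the other that a designer would place the mark in significant parts of the signal. The following is an added example, not part of any comment and not SDMI's actual scheme, that measures both cases as a watermark designer would. The LSB mark, the quantization-index (QIM) mark with a step of 64, the 1-LSB Gaussian converter error, and all function names are assumptions.

```python
"""Robustness check: LSB watermark vs. coarse-quantization (QIM) watermark
after a simulated D->A->D round trip. Toy model; all parameters are assumed."""
import math
import random

DELTA = 64        # QIM step in LSBs (assumed; far larger than converter error)
SIGMA_LSB = 1.0   # assumed analog/converter error, std-dev in LSBs
N = 4096          # number of 16-bit samples, each carrying one mark bit


def clamp16(x):
    """Keep a value inside the signed 16-bit PCM range."""
    return max(-32768, min(32767, x))


def make_audio(n):
    # Constructed input: 440 Hz tone at 44.1 kHz, well inside the int16 range.
    return [int(20000 * math.sin(2 * math.pi * 440 * i / 44100)) for i in range(n)]


def lsb_embed(samples, bits):
    """Fragile mark: overwrite the least significant bit of each sample."""
    return [(s & ~1) | b for s, b in zip(samples, bits)]


def lsb_extract(samples):
    return [s & 1 for s in samples]


def _nearest(s, b):
    """Nearest point to s on the lattice for bit b (lattices offset by DELTA/2)."""
    d = b * DELTA // 2
    return round((s - d) / DELTA) * DELTA + d


def qim_embed(samples, bits):
    """Coarser mark: snap each sample onto the lattice selected by its bit."""
    return [clamp16(_nearest(s, b)) for s, b in zip(samples, bits)]


def qim_extract(samples):
    """Decide each bit by which lattice the received sample lies closer to."""
    return [0 if abs(s - _nearest(s, 0)) <= abs(s - _nearest(s, 1)) else 1
            for s in samples]


def analog_round_trip(samples, rng):
    """D->A->D model: add converter error, then re-quantize to integers."""
    return [clamp16(round(s + rng.gauss(0.0, SIGMA_LSB))) for s in samples]


def bit_error_rate(sent, received):
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def run(seed=2000):
    """Return bit error rates for both marks, before and after the round trip."""
    rng = random.Random(seed)
    audio = make_audio(N)
    bits = [rng.randint(0, 1) for _ in range(N)]
    results = {}
    for name, embed, extract in (("lsb", lsb_embed, lsb_extract),
                                 ("qim", qim_embed, qim_extract)):
        marked = embed(audio, bits)
        results[name + "_clean"] = bit_error_rate(bits, extract(marked))
        results[name + "_after"] = bit_error_rate(
            bits, extract(analog_round_trip(marked, rng)))
    return results


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value:.3f}")
```

A bit error rate near 0.5 means the detector is reading coin flips. The coarser mark survives the same round trip but changes each sample by up to half a step, which is the audibility trade-off the two comments are arguing about.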
  • by FreezerJam ( 138643 ) <smith&vex,net> on Thursday October 12, 2000 @12:58PM (#710518)
    Yep - this is exactly right.

    The problem, as the post-Napster environment will show, is that the only people left to sue are your preferred customers.

    *This* is the bind - you don't need to protect the music from those who don't really care about the music, and you can't protect it from the people you want to please. And last time I checked, suing people doesn't usually make them happy.

    They want the impossible technical solution because they see it being practically impossible to protect it legally.

    What they've really got is that there will be no effective and usable protection either legally or technically.
  • Ogg Vorbis will replace it if licensing becomes a huge issue.

    it'll never happen. superior audio means nothing; its all inertia. the masses 'know' mp3 and that's all that exists. WMA, vorbis, shorten - all better than mp3 in one respect or another. but the Rio's and Empeg's out there speak mp3 and that's the standard. once its in hardware, its a done deal.

    ogg is for geeks and software players. but that's probably 1% of the mp3 target population.

    remember how long it took for cd's to become the popular defacto standard? has anything (dat, etc) dislodged it yet? (nope).

    --

  • What jobs these geniuses have! Imagine having a well paying job pretending to do an impossible job and knowing all the time that your paymasters are stupid enough to believe not only in the job itself but in what you claim to be doing.

    Yeh, it sucks. All the way to the bank.

    --
  • by jms ( 11418 )
    Notwithstanding the provisions of sections 106 and 106A, the fair use of a copyrighted work, including such use by reproduction in copies or phonorecords or by any other means specified by that section, for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.

    Fair use is not a defense that allows you to break the law. Fair use is defined as being an exception to copyright. You have the right to make fair use of legal copies of copyrighted works. Whether you have the ability to do so is a different issue, and that's where the DMCA comes in -- the DMCA is designed to take away your ability to exercise fair use, but it does not affect your right to do so. The CSS lawsuits are not copyright infringement cases. The fact that you have the right to fair use is supported by decades of law.

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @11:22AM (#710533) Homepage

    I'm sorry, but there are perfectly legal ways to use MP3.

    *sigh* ... name one (except playback) involving nothing but Free Software.

    The MP3 issues I was referring to have nothing to do with content; they have everything to do with licensing the Fraunhofer patents.

    From mp3licensing.com:

    mp3 Software Encoders

    (patents and object code developed by Fraunhofer IIS)

    Fraunhofer IIS developed fast, efficient and high-quality implementations for mp3 encoding, supporting bitrates from 8 kbps to 320 kbps, samplerates from 8 kHz to 48 kHz, mono and stereo. Evaluation copies are available upon request, after signing an mp3 evaluation agreement. Please contact us for details.

    • US$ 5.00 per unit
    • US$ 15,000 annual minimum, payable upon signature and each following year in January, fully creditable against annual sales.

    mp3 Software Encoders

    (patents-only)

    If you have developed your own implementation of an mp3 encoder or if you have licensed such an implementation from a third party, you need a patent-only license.

    • US$ 2.50 per unit
    • US$ 15,000 annual minimum, payable upon signature and each following year in January, fully creditable against annual sales.

    Oh yes, and LAME is not exempt... from the LAME page:

    Personal and commercial use of compiled versions of LAME (or any other mp3 encoder) requires a patent license in some countries.

    ...and no, I don't have US$ 15,000 to throw around. Do you?

  • by jafac ( 1449 ) on Thursday October 12, 2000 @01:08PM (#710534) Homepage

    The CD would never be playable in a player you could digitally connect to a computer. They're talking about replacing everyone's CD player. Most likely with some digital memory type player.

    Sounds like a hard sell, until that new Backdoor Boyz CD is ONLY available in SDMI. Possibly given away in some kind of promotion. Then all the kiddies run out and buy SDMI players. (or they give them away at McDonalds or something) Then, armed with those sales figures, the industry approaches the hardware manufacturers and sez "hey, this is profitable" cash flies under the table, a blowjob here, a blowjob there, (my embellishment), then there are more SDMI players out there, and they don't threaten their revenue by making MORE music SDMI-only. Soon, only non-RIAA companies sell non-SDMI music, and while this is a competitive advantage in an ideal market, RIAA propaganda, promotion, marketing, legal-dirty-tricks, drive the indies out of business.

    Then, the RIAA bribes, er partners with Microsoft to provide free SDMI players in the ONLY web browser still available, that just happens to be on 90% of desktops - and breaks other plugins that play MP3s, only geeks will be able to download MP3s and get them to play.

    Then, you could likely download SDMI files and listen to them on your computer, but no player (in theory) will allow you to decode the content, other than directly to the speakers.

    Of course, where this fails is when someone comes up with their own decoder, or even a sound-card driver that dumps the sound data to a place that can be decoded, instead of to the speakers. Or if someone figures out a hack for the player to do raw digital-out, or something like that. Worst-case scenario, if SDMI is better than CD sound quality (it would almost have to be to sell, unless they sell for a reduced price, unless they could fool all of the people all of the time - which isn't really necessary, you only have to fool most of the people with most of the money), then output from the player is audio, you simply take some decent equipment, and re-encode it. Some loss, but free distribution of previously copy-protected works makes it worth it, as long as the quality is acceptable.
  • 10,000 bucks is a paltry amount of money. These codebreakers have saved the RIAA much, much, much more than a pitiful 10 grand.

    Someone should have offered twice that for the codebreakers to keep their mouths shut.

  • by DaveTerrell ( 923 ) on Thursday October 12, 2000 @12:16PM (#710538) Homepage

    Not so excellent. If you read between the lines, the technology companies are hoping that they throw out watermarks and go with Digital Rights Management. DRM is a codeword for "end to end controlled encryption." It's like Kerberos for music, and it means that you have to use their software, special hardware, etc etc.

  • the Reference Code (i.e. the patentable piece) has all been removed

    Nope, sorry, reread the LAME page [sulaco.org] again:

    "Personal and commercial use of compiled versions of LAME (or any other mp3 encoder) requires a patent license in some countries."

    Still nailed by patents.

  • There is no uncrackable protection.

    It is a fundamental fact of information theory that you cannot securely transmit information from one party to another if the other party doesn't want it secure.

    You can make it a total pain in the ass, which means in terms of time, effort, and hardware (all translatable into $), if the commodity isn't worth as much as it costs to crack it, then it won't be pirated on a large scale.

    But the more they delay, the more MP3s get pirated.
  • OK, I'm not saying that it wouldn't have been good for this not to have been cracked until after it was released properly but it's easy to say that no one should crack it when you don't have the skills to do it yourself.

    If I was able to do it, that money would undoubtedly look mighty attractive. It would be easy to say I would hold the moral high ground and hold off but I'm not in that position and so can't make that claim. I think it's something that people should think about before they start whinging about those who did crack it.

    Rich

  • Regular CDs that play on today's players are going to be sold for at least another 5 years. The consumer market just won't accept their new 200 CD jukeboxes being obsolete overnight.

    So... since they can't get rid of MP3 for another 5 years, why all the effort to come up with a perfect encryption and lose the opportunities here today?

    I think all they need is a variation on current encryption schemes (different enough so they can seek protection from the DMCA for "circumvention") that locks your music files to a pass-phrase. That same pass-phrase will be linked to your credit card. Anyone you give your password to will be able to buy music on your account.

    Granted, this does nothing to keep people from getting MP3s but it allows them to satisfy a market for online commercial quality music files in a way that doesn't put their product any more at risk for piracy than it already is.

    Let's face it, most kids and bootleggers don't care enough about quality that good analog recording equipment won't satisfy them.

    RANT ON
    The amount of loss due to (quality) analog equipment pales in comparison to what's lost in your typical 128 bit MP3. In the "old" days when cassettes were "Hi-Fi" - the main problem was tape transport noise of older/cheap units and hiss caused by poor quality tapes/heads. My $200 Kenwood Cassette player doesn't suffer from those problems today. My guess is that after MP3 encoding, 98% of the population couldn't tell the difference between an encoding whose original source was a CD and one whose source was a cassette. (even a recording I made from CD - I find that recordings I make are often better than those cassettes from the label)
    /RANT

    Sorry, I think this all turned into one long rant. I had a point but it got lost, I just find the lack of sense in the whole matter frustrating...
  • I forgot one other angle;

    In the part where the RIAA bribes/partners with Microsoft, .NET figures in, because if all software is "rented", computers won't need CD players anymore, and since MS controls the manufacturers, CD players will become rare commodities. non standard items. Like ZIP disks.
  • but dat HAD the copy protection that the RIAA wanted. they HAD their way with that one. of course folks found ways to zero out the SCMS bits ...

    the failure of dat was 3 things: expensive to build and buy mechanisms (mini vcr's inside), hard to find pre-recorded tapes (yeah, I know, why bother. sigh.); and unreliability unless meticulously maintained (which consumers would not do; many pros didn't either. I'm talking head cleanings every year).

    but I agree that mp3 was a hit mostly due to its compression size and it was the right fit for where we are in the Inet today (in terms of spare b/w on personal Inet lines). in a few yrs from now when t1 is considered slow, maybe shorten or some other non-lossy compression scheme will be king.

    --

  • However this article points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

    I disagreed with that article, because even if it was cracked AFTER they released it, they still wouldn't have anything to fall back on. Assuming they don't. If they do have something, they can use the results of the contest to eliminate possible cracks. So overall, I think cracking it before its release is a bad thing.

    Because the music industry has appeared to be clueless up to this point, here's another possibility:

    It really has been broken, and they really don't have anything to fall back on. So they DENY it's been broken, and release it anyway. Then it gets broken again after its release, and they pretend they weren't expecting it, along with playing stupid legal games.

    I'm not sure if they are really this clueless. But it's possible.
  • by ewhac ( 5844 ) on Thursday October 12, 2000 @03:49PM (#710555) Homepage Journal

    I see plenty of direct-action "break the codes and set them free" type talk on /., talk about fighting for the digital future and our rights. Wholly absent from the debate seems to be a coherent vision of what the future should be, how corporations can survive in the digital age and still make money from their efforts.

    Thank you!! An intelligent, incisive question, one worthy of conspicuous, public debate.

    Speaking entirely on behalf of myself, you are correct that a cohesive vision of How Things Should Be has been absent from my rants. This is because I believe designing a successful, durable, workable, just system would require the efforts of a group of incredibly talented, wise people, the likes of which have not been gathered since the framing of the Constitution. I don't believe I possess such gifts.

    I do have a few vague, disconnected ideas. To fully appreciate them, however, you need to understand the framework in which I developed them:

    Axiom: When the ability to copy is ubiquitous, and when the incremental cost of copying is effectively zero, the effective value of any given copy -- including the "original" copy -- is zero. (I state this as axiomatic, but I'm willing to discuss its merits. And please note that this assertion says nothing about the effort/resources required to create the original in the first place.)

    As a supporting argument, consider the universe presented in the TV show Star Trek. (This may seem silly, but Star Trek is a useful framework for comparison, as everyone's familiar with it.) In a world where everything, including physical objects, can be replicated at zero cost, what is the economic impact? I argue that the market-based economy collapses completely, since its fundamental supports (scarcity and inconvenience) have been eliminated.

    I also believe that the social impact will be that casual copying will be seen as perfectly okay, and that the desire to not share copies will be seen as childish. After all, if anyone anywhere -- including artisans -- can copy anything at any time for nothing, then what, fundamentally, will be wrong with copying anything?

    So, in a universe where copying everything is seen as perfectly okay, is there anything an artisan should still have control over? I contend that the most crucial aspect of creativity still needing strict controls is the artisan's reputation.

    Consider: On a visit to the Enterprise, you see an object you quite like. Naturally, you ask, "Wow! Who made that?" Both you and the object's creator would like to be certain you receive an accurate answer. Note that the question of whether the object you saw was an original or a copy is irrelevant. You no longer care if an object is "genuine;" you want to know who did it. In other words, you want to know about their reputation. (After all, maybe they did other cool stuff, too.)

    ...Okay, so we don't live on the Enterprise (yet), and we all still have to pay the rent. However, I strongly believe the concept of reputation will be central to a re-design of economics and the concept of intellectual "property" in the digital universe. Reputation will become a chief scarce resource in the digital universe, because it is an artist's reputation that will guide you to their other scarce resource: their time. And it is their time that you will be paying for (no more doing stuff "on spec").

    In terms of more immediate, concrete proposals, I've heard the following ideas floated:

    • Mass-Market Buskware [boswa.com], or the "tipping jar" model. Many question whether such a system can work on a large scale. So far, author Stephen King seems to be doing rather well by it with his free offering, The Plant. However, it's probably worth noting the primary reason he's doing so well is largely due to -- drumroll, please -- his reputation.
    • Pre-Release Mass Auction (preBay?). This is a system whereby software/music/whatever is made available for a flat price, and bidders can contribute whatever amount they wish toward that price.

      For example, let's say John Carmack creates his latest game, qDuOaOkMe, and decides that, for all his efforts and that of his company, he wants to see $50 million. So he posts it to the site: "qDuOaOkMe: $50,000,000". People the world over pledge $25, $50, $100, whatever they feel it's worth toward the final price. When the price is reached, Carmack gets the money, and the game is released free to all. The entry is also kept open on the site so people who didn't bid can continue to throw tips. If the price is not met after a pre-set time, all pledges are returned to the bidders, and the game isn't released.

    • Shareware. This model has met with mixed success in the past, mostly due to the relative inconvenience of sending in the requested fees. "Impulse" buying, until recently, hasn't been easy. Fortunately, services like Kagi [kagi.com] and PayPal [x.com] may well rejuvenate this idea.
    • Automatic Micropayments. This is certainly an idea worthy of exploration, but I have concerns about the implications for privacy.

    Other ideas are likely out there, and worthy of attention.

    Also for immediate consideration, there should be some study into the use of digital watermarks for identifying the artist of a given work. Right now, all the discussion surrounding watermarks has been with an eye toward controlling proliferation of copies, which is unworkable. However, I believe even the most virulent opponent of copy protection would support using digital watermarks to identify the artist, thereby preserving -- wait for it -- their reputation.

    Like I said, I don't think I have what it takes to completely design the new system. I've also completely avoided rather sticky issues, such as Moral Rights (e.g. should an artist be able to enforce the declaration, "No, you can't use my painting in the background of a porno video"). But I do know that the current system will ultimately prove to be fundamentally unworkable, if for no other reason than the sheer numbers involved (how many copyrighted works will you need to test against to make sure you're not infringing?).

    So, yes, you're right. We need to think about this, and it needs to be done rationally and publicly. Too bad the entertainment industry's using all that bandwidth to paint us all as criminals.

    Schwab

  • A judge's job is to interpret laws, not to overturn them.


    Unless they're inconsistent with other laws or the constitution.

  • Respectfully, I believe you've been blinded by your $200 licensing fee. The Lame versions sound much better than Frau at 128 and beyond. It is possible that your version of Frau isn't equivalent to the one displayed [belgacom.net] but I find it hard to believe that Frau has improved to a point where their 256k version can compete [belgacom.net] with the 128k version of lame.

    The tools used to create these are readily available, and I'd love for you to run these tests and post the information on the web. Hell, I'd like an e-mail

    miracle@nospammage.procyon.com

  • Hmm, I think you might be a little bit confused.

    There is nothing about SDMI that will strongarm you into buying new players or new collections, as I understand it. Your CD player will still work, your current CD's will still work, and music will still continue to be sold in the CD format for many years to come.

    I believe one of the theories behind SDMI is that the player requires no decoding software, it just plays the music as it is written.

    SDMI detection is part of the recording process. Presumably to limit the number of copies of a song that can be made. i.e. you can make a copy from the original, but not from a copy of a copy.

    The DVD-Audio format is being held up for this technology, along with an improved CSS like implementation to encode the digital bits.

    Actually music has been available on DVD discs for a couple of years now. It's not been terribly popular, however, because few recording studios support it and it hasn't gained widespread acceptance for fear of a new format that is just around the corner.

    Even when DVD-Audio comes into being, again you will not be forced to go out and buy new collections. The DVD-Audio players will play older CD media, just as current DVD players do. In fact I suspect you'll just see the DVD-Audio spec wrapped into DVD players such that you'll have a device capable of playing several different audio and video formats.

    There seems to be a lot of confusion and frankly, FUD, being spread by the anti-music-industry groups.

    I don't care about copy protection, as long as it doesn't get in my way. Unfortunately the macrovision on video, and this new SDMI both corrupt the purity of the source and affect the potential enjoyment.

  • by jms ( 11418 )
    That's like claiming that "zip" is useless because I can make you a file that does not compress at all. Well, yeah ...

    An incompressible audio track would be very atypical. I've used the shorten program on many different music tracks, ranging from soundboards to concert recordings. I've never found one that doesn't compress, and they all compress to approximately 2:1.

    Even if there were music files that were incompressible, SDMI would still be on a collision course with uncompressed audio. It would just be 1:1 instead of 2:1.
  • by Anonymous Coward on Thursday October 12, 2000 @12:22PM (#710562)
    Ummm - not quite. Digital-Analog-Digital conversion is an obvious attack, and watermarks are designed to withstand this sort of thing. Image watermarking schemes, for example, are often tested against a print-scan cycle. For a simple example in audio - echo manipulations within audio streams withstand DAD conversion.

    If you are actually interested in learning something about this, get "Information Hiding: Techniques for Steganography and Digital Watermarking" by Katzenbeisser and Petitcolas and read the proceedings of the Information Hiding conferences, called Information Hiding I and II (maybe a III by now), published by Springer.

    Actually, I recommend reading the Information Hiding conference proceedings for everyone - they present a number of techniques that will appeal to those with interests in privacy, cryptography, information theory, steganography, watermarking, biometrics, covert channels, etc.

    One of my favorites in the proceedings covers designing biometric authentication tokens that are anonymous, non-transferable, and privacy protecting.
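
The robustness claim in the comment above, as an added example that is not part of the original thread: echo hiding embeds each bit as a faint echo at one of two delays, and the detector compares the autocorrelation at those delays after a simulated digital-analog-digital pass. The host signal is constructed white noise, and the segment length, delays, echo gain and channel model (gain change, crude low-pass, noise, DC offset, 16-bit requantization) are all assumptions; detectors for real music typically use the cepstrum instead of raw autocorrelation.

```python
import random

# All parameters below are assumptions chosen for this illustration.
SEGMENT = 4096      # samples carrying one watermark bit
DELAY_ZERO = 40     # echo delay (in samples) that encodes bit 0
DELAY_ONE = 60      # echo delay (in samples) that encodes bit 1
ECHO_GAIN = 0.4     # echo amplitude relative to the host signal
FULL_SCALE = 2.0    # converter full-scale range used when requantizing


def make_host(n, seed=1):
    """Constructed host signal: white noise standing in for audio."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(n)]


def embed(host, bits):
    """Add an echo to each segment; the echo delay encodes the bit."""
    out = list(host)
    for i, bit in enumerate(bits):
        delay = DELAY_ONE if bit else DELAY_ZERO
        start = i * SEGMENT
        for n in range(start + delay, start + SEGMENT):
            out[n] += ECHO_GAIN * host[n - delay]
    return out


def analog_round_trip(signal, seed=2):
    """Crude D-A-D model: gain change, 2-tap low-pass, additive noise,
    DC offset, then requantization to 16 bits."""
    rng = random.Random(seed)
    out = []
    prev = 0.0
    for s in signal:
        v = 0.8 * 0.5 * (s + prev)          # gain change plus low-pass
        prev = s
        v += rng.gauss(0.0, 0.05) + 0.01    # analog noise and DC offset
        q = round(v / FULL_SCALE * 32767)   # 16-bit requantization
        q = max(-32768, min(32767, q))
        out.append(q * FULL_SCALE / 32767)
    return out


def autocorr(seg, lag):
    """Unnormalized autocorrelation of one segment at a single lag."""
    return sum(seg[n] * seg[n - lag] for n in range(lag, len(seg)))


def detect(signal, nbits):
    """Recover bits by asking which candidate delay correlates more."""
    bits = []
    for i in range(nbits):
        seg = signal[i * SEGMENT:(i + 1) * SEGMENT]
        mean = sum(seg) / len(seg)          # remove the DC offset first
        seg = [s - mean for s in seg]
        one = autocorr(seg, DELAY_ONE)
        zero = autocorr(seg, DELAY_ZERO)
        bits.append(1 if one > zero else 0)
    return bits


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed payload
    host = make_host(len(payload) * SEGMENT)
    marked = embed(host, payload)
    recovered = detect(analog_round_trip(marked), len(payload))
    print("sent:     ", payload)
    print("recovered:", recovered)
```

The mark survives because the channel changes sample values but not the timing relationship between the signal and its echo, which is all the detector measures.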

  • by dizee ( 143832 ) on Thursday October 12, 2000 @10:13AM (#710563) Homepage
    But hey, I couldn't resist beating a dead horse some more.

    They should be using CueCat XOR encryption (tm) for their watermarks.

    Mike

    "I would kill everyone in this room for a drop of sweet beer."
  • "The hacker boycott of SDM organized by suspicious members of the programming community has turned out to be irrelevant."

    lol. I didn't read the article, but if they really said that, then they REALLY have problems. The boycott is anything BUT irrelevant. If the watermarking scheme was cracked without the help of the hackers, then imagine how fast it would be broken if it weren't being boycotted.


    -----
    "People who bite the hand that feeds them usually lick the boot that kicks them"
  • I don't think they've got any hope of DA->AD->DA resistant watermarking that a moron couldn't defeat. As far as I'm concerned, they'll be holding these contests until they give up. They won't -ever- come up with anything difficult to defeat. I promise.

    BTW: the 'who cares?' is in the spirit of Starstruck.
    ---
  • OGG Vorbis [vorbis.org]

    Actually, it really would have been common courtesy of me to include more links. Sorry.

  • by joshv ( 13017 ) on Thursday October 12, 2000 @11:32AM (#710578)
    "If your business model is selling water in the desert and it starts to rain, you'd better find a different business model."

    -josh
  • It's a little silly for us to talk about how people should be allowed to reverse engineer things and then get upset when they do it to something we don't want them to....

    There's a difference in saying someone shouldn't hack/reverse engineer something and saying that they can't, particularly when that can't is backed by the threat of state violence.

  • I'm not so worried about how big the RIAA's share of the market is. I'm worried about how big the RIAA's share of *congress* is...

    So am I - that's why I'm voting Nader [votenader.com] on November 7th.


    -------

  • by drenehtsral ( 29789 ) on Thursday October 12, 2000 @10:16AM (#710585) Homepage
    I was about to post a comment along the lines of "so what! If they delay longer, and release something harder to crack (even for the sake of argument, impossible to crack), the market can just refuse to use it, and keep using MP3s and other such unencumbered technologies..."
    But then I thought about it. I believe that the music industry has enough power over the users that they'll take what they can get. I don't think the market _could_ realistically fight the will of these companies. They have little competition, because all the "competing" companies have all globbed together in the form of RIAA.
    I don't see a peaceful end to this, because there is a lot of money at stake, and whenever there is money, there is also a rabid foaming-at-the-mouth mob of greedy bastards willing to trample anybody in their way to get at it.
    So maybe we should not worry so much about this standard being cracked, because if it was, it'd work just like the DeCSS fiasco, but maybe they'd learn from the mistakes of the MPAA's lawyers. What we need to start worrying about is a way to break loose from this feudalism where the consumer no longer has the power to change things in their favor (partly because most of the consumers are not informed enough to fight back, and there is a lot of money going to PR to keep it that way). Consumers are now Serfs, and large media companies are now lords. I imagine eventually there will be something like a revolution, moving us along the line towards democracy in the information world, but it'll take a while =:-(
  • RealAudio - StreamBox Ripper, Now illegal due to law suits, but still lurking in warez sitz

    Windows Media - ASFRecorder (google it)

    Shoutcast/Icecast MP3 - Streamripper [bigfreakinserver.com]

    -Jon
  • by ShortSpecialBus ( 236232 ) on Thursday October 12, 2000 @10:16AM (#710588) Homepage
    Regardless of what format they use (SDMI or whatever) it will be cracked somehow. DECSS comes to mind. That was supposed to be very secure and it was cracked because Xing messed up. Any two way hash can be decrypted, and it will be in this case with music pirates dying to get their hands on music. What the RIAA should focus on is selling it cheap enough that people would actually buy it. I would personally be willing to spend 25 or 50 cents a song for mp3 music, and I think that actually most people would be willing to do that. The whole problem with the RIAA is that they say that prices need to be higher because of piracy, but piracy happens mostly because of high prices. They should run an experiment and have mp3s for download for $0.25 each or something like that, and see what the response is.
  • by jafac ( 1449 ) on Thursday October 12, 2000 @01:31PM (#710594) Homepage
    I guess if the music industry wants its gargantuan profits now, it will need to do the following:

    1. lobby congress to legalize murder.
    2. hire disenfranchised serbian death squads.
    3. locate any person with an IQ above 90.
    4. kill all persons with an IQ above 90.

    This will have two impacts. It will mean that they'll finally be able to sell Backdoor Boyz to EVERYONE, and that nobody smart enough to crack SDMI will be left alive.

    That would be MUCH easier and cheaper than developing a crack-proof protection scheme.

    Oh wait, I forgot, there's always DONGLES!
  • by crovira ( 10242 ) on Thursday October 12, 2000 @12:27PM (#710595) Homepage
    Encryption's cute but it's only encryption. Today's algorithms are tomorrow's object lessons in how not to do it.

    The problem is one of economic distribution. How to get money from the consumers into the pockets of the producers in some fair and equitable way.

    One model which almost works is ASCAP. They're in charge of charging radio stations and other broadcasting media, based on their market penetration numbers, some money for every piece of material the broadcasters, uh, broadcast, (ASCAP IS Big Brother,:-) and then they shovel that money into the pockets of the "authorities of record" who can claim to be the producers of the material that was broadcast. (That's how artists still get screwed today. NEVER, ever, give away your copyright.)

    One model which would work in the "Age Of Napster" is to use micro-payment to charge a published sum from the recipient of a file, if the transmission is not declined, regardless of the content or the size of the file, for every transmission of the file over the internet.

    Purely local transmission of the file can be presumed to be fair use, back-ups, change of media etc. Re-transmission over the internet would kick in the micro-payment scheme which would ensure that the Metallicas of the world can please just shut up!

    This could even be applied to establishing connections for streaming media.

    By the way that leaves the RIAA, the MPAA and other neo-Luddites out in the cold. Let those parasites get real jobs.
  • Sure there's something wrong with it. It's giving the record industry free assistance in their attempts to increase their control over digital music, just as the movie industry is trying to do for digital video. Helping them achieve their goals is, IMO, wrong because those goals are wrong. Of course, obviously not everyone shares my opinion, or at least they are using some different logic to justify assisting the record industry by cracking SDMI.

  • It being the watermark. If you have an ideal watermark (it cannot be heard) and an ideal lossy encoder (it dumps everything you can't hear), well, your watermark should go bye bye.

    Of course, given that watermarks are far less than perfect (you can hear them) in order to be a bit more robust, you could D-to-A-to-D several distinct copies of the secure music, 'average' them, and then encode. With a sufficiently high number of sufficiently different copies of the music, the watermark will eventually be destroyed. This has the added benefit that the noise from the D-A-D conversion will tend to neither add nor cancel, but the signal will tend to add during the recombination phase, improving quality.

    In any case, so long as I can buy my digital music anonymously with cash (at a brick+mortar store), what do I care if the watermark is still there? So the music has a serial number? That doesn't necessarily correlate with anything in the real world.
  • by ckedge ( 192996 ) on Thursday October 12, 2000 @10:18AM (#710606) Journal

    I was initially 'with' everyone here and in the community on the issue of boycotting the challenge, because I thought it would 'punish' the proponents of SDMI if they went to the trouble of commercializing it only to have it quickly broken. I presumed that breaking it now would help the SDMI.

    However this article [salon.com] points out a lot of things that seem to be coming true and mentioned in the article that is the focus of this slashdot item, that basically the music company executives didn't expect it to be broken, don't have anything to fall back on, and the SDMI may in fact fall apart now that two years of their work have been effortlessly cut into shreds! Which is EXCELLENT news!

    I really wish that the article quoted above had been written earlier and had come to our attention earlier, for it is quite a valid and compelling counter to the "rah rah let's boycott the challenge" idea.

    Basically, maybe we were all wrong, and cracking it quickly and effortlessly will not help the SDMI, but actually destroy it! Go crackers!

  • "The hacker boycott of SDM organized by suspicious members of the programming community has turned out to be irrelevant."

    What the heck do they mean by this? I'm quite amused that some SDMI members are finally facing the reality that it might not be possible to protect music.
  • by Anonymous Coward
    Anonymous sources say that it's been cracked - no evidence for that, why should anyone involved in this whole scheme be trusted, and why should any information leaked out be trusted?

    Cracking SDMI gives the RIAA enough excuse to go running to the government for even more backing than they got in the DMCA.

    They already are asking for all TVs to have anti-copy protection in them, how soon will they be asking for trusted hardware for audio as well?

    The assertion that SDMI has been cracked may well come from SDMI members who know that trusted hardware is the next step, and not from disgruntled hacker-anarchists in their midst.

    Trust nothing that comes out of this process - there are billions at stake, not to mention hot and cold running blowjobs in the back of limousines.
  • > Is it inconceivable to build a player that cannot
    > be disassembled?

    We're talking about software players here, so yes, it's inconceivable. I'll bet my PhD on it.

    Some of the best CS theory profs around have given some thought to what it would mean for a program to be effectively "undisassemblable". They've had a hard time coming up with a definition that doesn't just reduce to the empty set. AFAIK, their current best definition hasn't yet been shown to reduce to the empty set, but no-one's been able to construct an undisassemblable program either.
  • The irony of this mess is this: Napster's user list -- containing e-mail addresses -- is probably worth more than the RIAA or MPAA or Jackie Valenti is willing to admit.

    The gold isn't in the music itself. The gold is there for the taking, but no one is moving to take it: it's Napster's gazillion user e-mail addresses.

    Why isn't Napster dangling their databases more "publicly" in front of the RIAA and MPAA? Why aren't they saying: Screw the content. We've got something better. We've got gazillions of users with e-mail addresses who crave your product??
  • lol, I was trying to make a joke...sorry if I offended you. But, please remember that if you take your example to the extreme, (as if there really is a single true Hacker Ethic), logically, a hacker would know that telling the RIAA that their security measures were cracked at this stage would simply lead to them trying to create even more elaborate ways to keep their digital property from being free (Speech, not Beer.)

    <PROPAGANDA>So, my poor attempt at humour yields the philosophical question, Would a Real Hacker(tm), knowing that the system he disagrees with is faulty, help that system persist by informing it of its inherent weakness? Or, would this hypothetical hacker just keep his mouth shut until the faulty design was finalized, henceforth guaranteeing the complete Freedom of the information in question? </PROPAGANDA>

    Feel free to rephrase the question in a less biased manner. =P

  • you make the best possible point.

    Those who believe in such a thing as uncrackable encryption are either poorly misinformed, or have no imagination.

    For some reason, money seems to gravitate towards such individuals. . .
  • I mean, the guys who cracked this were probably some folks who thought $10K was a lot of money and didn't mind about giving their work away for that really cheap price, hey, the record industry doesn't even acknowledge their work and downplays it all.

    Now after the RIAA chose to ignore all advice by the developers they paid (in total) some million US$ and who must have told them that it wouldn't work, will they finally listen to some hackers who did it for cheap (hell if they hired some decent experts the RIAA 'd have spent $10.000 just to draw up a contract) and dump SDMI?

    Obviously not, they will come up with some new watermarks (probably worse than the first batch because it's really urgent now before MP3 is so widely accepted even they can't stop it) and when it's cracked we'll see the DeCSS case all over again. Meanwhile players will hog the shelves because customers don't want to be screwed (we saw it all with DAT tapes) until it leaks out that with one player copy protection can be turned off, at which point "without copy protection" will become a sales argument for players.

    If the RIAA just wants to ignore the fact that digital information can be copied, they should buy ear protectors and blindfolds for their members, but maybe that costs more than $10K ...
  • by MattW ( 97290 ) <matt@ender.com> on Thursday October 12, 2000 @10:19AM (#710625) Homepage
    It's time for the record companies to get with the program. The _smart_ thing to do would be to just start releasing albums and songs on their own sites. Let people download whatever they want, and pay for it if they keep it. I'd be all over it. Naturally, I'd expect it to cost less than a CD, but not a ton less.

    I hope artists also move to the fore -- popular artists (those whose recording contracts permit) should release a song or three (or an album) in all mp3, and just take payment if you keep it. Say, 24 hours trial period, if you keep it longer, you have to pay. Obviously, it's all voluntary, but who would balk at paying $3 to $6 for an album from an artist they like? I think the honest users of such a service would vastly outweigh any thieves.
  • SDMI never had a chance. Though there are many things wrong with the concept, the biggest seems to me that it is no big deal to hack SDMI once SDMI-compliant players come out. If the player can read the watermark, YOU can read the watermark and figure out how to remove it. Technically, there is nothing stopping you from going crazy Napster style. Thus, the only thing to protect SDMI is the fact that hacking it is illegal. Drugs, gambling, and listening to MP3s you didn't pay for are also illegal. RIP SDMI.
  • by rgmoore ( 133276 ) <glandauer@charter.net> on Thursday October 12, 2000 @01:58PM (#710627) Homepage
    Please explain why you believe it's impossible. Is it because they haven't done it yet?

    Because the fundamental premise is obviously self contradictory. In order to have a truly effective watermark, the sound must be damaged to the tolerance of an ordinary listener when it's removed. In order to have a publicly acceptable watermark, the sound must be unchanged to the most sensitive listener when it's added. The result is that you should always be able to create a procedure that mangles the sound at above the level at which the watermark exists, but below the level where an average listener will care. Doing so may damage the sound for true audiophiles, but won't mean anything to the casual listeners who constitute the lion's share of the market.

  • by ErikTheRed ( 162431 ) on Thursday October 12, 2000 @10:19AM (#710628) Homepage
    Could you imagine how depressing it must be to spend years of your life engaged in a hopelessly Quixotic struggle against advancing technology? Of course, it couldn't happen to nicer people...
  • by Jason Earl ( 1894 ) on Thursday October 12, 2000 @10:20AM (#710637) Homepage Journal

    Delays are better than an uncrackable SDMI implemented tomorrow, but the best possible outcome would have been for the RIAA and their hardware cronies to dump billions into hardware and software with big holes in it. As an added bonus many of their customers would have found their draconian stance on IP to be too restrictive, and sales would have dropped. Simply because the "pirated" versions were easier to use.

    The RIAA isn't going to learn unless the lesson is painful. I am all for the RIAA making money from their copyrighted material, but not at the expense of my fair use rights.

    Oh, and by the way, hopefully this will give Ogg Vorbis more of a chance. MP3s aren't bad but Ogg is better!

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @10:20AM (#710638) Homepage

    After all...that just gives MP3's more of a chance.

    Ahem, leaving SDMI for MP3 is just leaving the DMCA Swamp for the Patent Quagmire. Out of the frying pan, into the fire.

    Why don't we go for the option that doesn't involve breaking the law (and has nice fringe benefits -- MP3 is old tech now), when we can?

    And, by the way, the Vorbis [vorbis.org] format is finalized and has been for some time. bps limitations of current encoders are only a result of the encoding software, not of limitations of the underlying format. Not to mention that .ogg seems to be sounding better than higher-bitrate .mp3s as the encoders improve...

    This does it, I'm re-encoding[1] all the music on my site to .ogg when I get the chance. I need the space savings anyway.

    ---

    [1] that is -- encoding new .oggs from pristine audio, not "converting" the existing .mp3s.

    "converting" among lossy formats is always going to sound bad.

  • by plover ( 150551 ) on Thursday October 12, 2000 @10:21AM (#710661) Homepage Journal
    A couple of points: First, there is no next step. It is not mathematically possible to secure data in a non-trusted non-secured HARDWARE environment. Can't be done, mathematically provable (wish I could offer the URL of a decent proof here, oh well, that's what google's for, right?) Physically provable also, as well evidenced by this announcement.

    The ONLY possible result was to have their watermarking broken. As I mentioned above, it's not possible to secure it.

    What you describe as their best possible result would actually be the penultimate nightmare scenario for SDMI. Ramping up production of new hardware and media is an incredibly expensive undertaking. Not to mention the risk of public rejection (for a primo example of this, learn the lessons of DIVX.) To get $2 billion down that path, only to be shot down by hackers. At this point, they're only out a few million. The $10K prize was a spit in the bucket.

    As to your last point, professional cryptographers have been telling them this is impossible and a huge waste of money. People with money don't believe in "impossible." They don't understand technology, they understand money. And in their world, money can buy the impossible. They don't live in our world, where code can always do the possible.

    John

  • by szyzyg ( 7313 ) on Thursday October 12, 2000 @10:24AM (#710679)
    I'm amazed that nobody has published code to break the DRM (or at least capture unencoded data) on other established formats like Liquid Audio, Blue Matter (basically Real Audio) and everyone's Favourite - Windows Media.

    OK there's the little issue of the DMCA which would make such things illegal in the US.

    I wouldn't be surprised if some of the SDMI breaks came from Microsoft to help promote their DRM server based technology.

  • by Chris Johnson ( 580 ) on Thursday October 12, 2000 @06:36PM (#710695) Homepage Journal
    Terrific! Your posts here are inspiring, Schwab- brilliant thinking. I'd like to add another concept or two to your arsenal: commissions should not be overlooked. Your example for Carmack is like "I am making X, give me this much or I'll refuse to release it". I think that's a bad bluff to attempt- what if someone leaks it? Consider, instead, someone going to Carmack and saying "Hey, I really want Y." "Well, that's great, but I'm making X." "But I really want Y! Can you do Y instead?" "What's it worth to you?" That's commissions.

    Your observations about identifying the artist are right on- that's why I for one am very excited about one of the 'fingerprinting' technologies being developed. Basically it will be possible to do net searches in the future on snippets of unlabelled digital audio and return the artist's current website/information. This is incredibly important in a world where the information flows so freely- an example, if you use Napster you'll find all sorts of utterly unrelated bands uploaded mistakenly as They Might Be Giants. This is great for TMBG but unhelpful for the real artists- with the sort of fingerprinting we're talking about this would be trivially fixed, and anyone could track down the true creator's identity easily- again, _reputation_ is the key concept. It will become possible to accurately associate a positive musical experience with a specific name no matter how obscure and non-mainstream: compare this with the days of broadcast radio where you had to first fight just to get _on_ the radio and then pray/pay for the DJ to actually announce your name in association with it! This sort of gatekeeper will become a thing of the past- though it'll still have a place, with the new type of DJ being someone of known good taste and ability to audition more new stuff than most people have.

    I can relate an anecdote of stuff that's still going on, that illustrates your point. I used to have music on mp3.com (before they turned their contract towards the Dark Side ;) ). It's not mainstream at all- in fact some of it is rather user-hostile, for instance a strange marimba-driven track named Bone Dragon. None of this brought me pop stardom, understandably- but I know my way around a mixing desk and build a lot of radical, high-performance equipment that goes against the habitual sonic dreck people inflict upon their recordings these days (see Britney Spears...), and I attracted some attention from some iconoclasts, and in fact I built *REPUTATION* as someone who could get a sound, an impressively professional sound. This has led me to the point where I'm seriously contemplating doing sound engineering work for a startup (not RIAA) that I've been talking to, and in fact already have a sale of commercial rights for a piece of my music waiting for when the deals are finalised (I'm also making extensive use of my sharpness and paranoia in relation to the contract that people will end up seeing- another area of reputation getting involved). And the first piece of music to find a home in this new context is... 'Bone Dragon'. Yes! The totally uncommercial, peculiar one! *g*

    The point is- reputation is fscking _gold_ man. It is substantially more important than immediate cash. The fact that 'Bone Dragon' is out there as lots of mp3s, with my blessing upon their further noncommercial copying, does _not_ make it licensed for commercial use. If someone wants to run that in an advertisement they have to talk to _me_! (If they want to add cheesy singing munchkin jingles to it they'd better be offering a LOT of money, and I mean a LOT. Background use or use under narration does not tend to destroy the soul of the music so readily.) And if they want something else that's like that- again, they have to talk to me. Commercial interests can't legally copy and use the free music I have out there being copied under fair use- and _nobody_ can copy what hasn't been performed yet.

    It all reminds me of some of the tenets of the Progressive Party (for which I'll do some voting this November). They are not big fans of inherited wealth, or of wealth derived from high lofty positions. If you think about that a bit you see that what they're advocating is a much tighter link between WORK and wealth- and that speaks for me, very much. Trouble is, I'm a musician (among other things) and that industry is utterly fixated on the creation of intellectual property which is expected to go on earning money _without_ me, for longer than I live. Frankly, I can't see the logic behind this. Okay, supposing I write a hit song and record it wonderfully- certainly that's worth being paid for. Once it's been recorded- then what? Where is the justification that I should be _entitled_ to never work again based on having done really great work once upon a time?

    I don't see it, so I am essentially unperturbed by the idea of tossing my music and work out there for the world to scavenge and copy back and forth unpayingly. If I'm any good at it, there'll be people who like what I do- like it well enough that they _ask_ for more, or want me to spend my time engineering _their_ music or some such activity. "Shut up and play your guitar!" "Mix my album!" "Do more ambient!" And the answer is of course "What's it worth to you?". My ability to earn a living wage ought to be tied to my willingness to _keep_ _working_ and producing stuff to benefit people.

    For this reason I completely and totally disrespect the RIAA and everything they stand for, and have total contempt for SDMI. It's just more attempts to impose a price on something that was once rare and has become a commodity too cheap to meter- art. Instances of art in the digital domain are too cheap to meter, they are free, there's no sense even _trying_ to mess around with micropayments and that crap (you'll be nickel-and-dimed to death!). Art is free. ARTISTS ARE EXPENSIVE. Think commissions, 'patrons'. If you can imagine a sort of art you _can_ get someone to produce it- what's it worth to you?

  • by plastickiwi ( 170800 ) on Thursday October 12, 2000 @10:24AM (#710700)
    .... this will just allow the RIAA to lobby Congress for appliance taxes the way they did with DAT.

    "You see?" they'll say. "Evil nasty hackers destroyed our benevolent effort to release music to the masses before we could even bring it to market. They've proved there's no way to distribute music in an open model."

    The solutions they'll offer, of course, are:

    • a hardware tax on everything, including computers, that can play or create audio files; and
    • mandatory hardware-based encryption for CD players.

    Don't laugh. No one thought they'd get the same requirements passed on DAT, which was heralded as all that and a plastic Jesus.

  • by ewhac ( 5844 ) on Thursday October 12, 2000 @10:26AM (#710704) Homepage Journal

    While I'm pleased to see that SDMI was so trivially cracked, I'm disappointed that the individuals mounting the successful attack chose to inform the recording industry. As any military intelligence officer will tell you, you don't brag to the enemy that you've broken their codes. Just ask the British government officials from World War II what their policy was when the German Enigma was cracked.

    The idea here is to cause the enemy to commit time and resources to a futile exercise. If the crackers had waited until SDMI had been fully deployed in the marketplace, it would have cost the recording industry and anyone else foolish enough to follow their example at least a few billion dollars; enough money to make them seriously reconsider the whole misguided notion of copy protection as too costly to pursue. As it is, it's only cost them one or two million in research, plus the paltry $10K for the "prize".

    I would like to see Slashdot invite the SDMI crackers for an interview, so that we can get an insight into their ethical framework, and why they chose to save the recording industry's lunch.

    Schwab

  • by account_deleted ( 4530225 ) on Thursday October 12, 2000 @10:27AM (#710705)
    Comment removed based on user account deletion
  • by EricEldred ( 175470 ) on Thursday October 12, 2000 @02:42PM (#710714) Homepage

    This word came from the Salon writer, not the music industry.

    But one possible outcome from this would be that the music industry blames "hackers" for preventing them from introducing digital content for consumers. Then they go to Congress to get a bill even stronger than the DMCA to lock up music and lock up "hackers".

    If the SDMI members who represent computer companies and not music companies will step forward and explain what has happened, that SDMI volunteered this test, then the "hackers" will get a fair showing. They should even join us in calling for the music industry to produce open source products at a reasonable price.

    If not, then this whole episode is another trap for Free Software people and genuine cryptanalysts to get excoriated in the press and their freedoms threatened. Which is it going to be?

  • by none2222 ( 161746 ) on Thursday October 12, 2000 @10:27AM (#710726)
    Show me a copy-protection scheme that hasn't been broken, and I might be surprised.

    What is the RIAA thinking? All moderately popular music is available in MP3 format; and those MP3s aren't going to suddenly all disappear. My understanding is that SDMI was supposed to allow record companies to sell music via download. Why not simply sell music in MP3 format, and forego copy-protection?

    People who want to trade music will continue to do so even if the RIAA somehow manages (magically) to come up with unbreakable copy-protection. People will always be able to rip CDs. SDMI and similar efforts are pointless, and a waste of money.

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @10:30AM (#710734) Homepage

    Their $10,000 would have been better spent on a few hours by a professional cryptographer in reviewing the algorithm.

    They had professional cryptographers working on this, and I expect the cryptographers told them as much, which is why this gives me the willies.

    My gut feeling says that they may well have been angling for this crack, in order to take advantage of some legal or PR leverage it would give them.

    One way or another, the successful crack is worth a lot more than $10k to them...

    We'll have to wait and see...

  • by mr.ska ( 208224 ) on Thursday October 12, 2000 @10:31AM (#710745) Homepage Journal
    The article claims that the boycott was rendered pretty much worthless, but is this in fact the case?

    The contest stipulated that you had to divulge HOW you cracked their security to get your share of the $10000. If someone cracked them all, submitted them for analysis, but didn't tell anyone what they did or how they did it, I'd say that action is still in line with the boycott. After all, the RIAA knows nothing more than they're up shit creek now.

    In fact, this might have been the most humane way to do this. Crack it before the contest deadline, that way:

    1. SDMI doesn't get implemented (yet)
    2. "secure" music seems all the more unlikely
    3. hardware manufacturers aren't screwed by having to produce SDMI-compatible hardware (at significant cost) just to have the whole thing blow up in their faces

    In any case, not much we can do about it now.
  • by dwyn ( 144031 ) on Thursday October 12, 2000 @10:36AM (#710760) Homepage
    No, they cannot be on CDs, for economical reasons. CDs are mass-produced; the same CD image is used for tens of thousands (maybe millions) of CDs. Watermarking individual copies is not feasible.

    However, this raises an interesting point. What if I agree to buy a watermarked version of the song, then decide to sell it? I will either have to sell it through a SDMI-licensed broker (can you say monopoly?), or reselling it will be forbidden. (You don't "buy" a song, you "license" it for your own use, for ever. Licensing terms subject to change without notice.)

  • by jms ( 11418 ) on Thursday October 12, 2000 @10:46AM (#710761)
    The point of the watermarking system, as claimed on their web site before they shut it down was:

    (1) four different watermark technologies that are designed to detect compression and

    (2) two additional technologies that are designed to ensure that under certain circumstances individual tracks of an album are not admitted into an SDMI domain without the presence of the original CD.


    SDMI is designed as a "Napster Killer." Here's their strategy:

    1) Apply a watermark to all CDs. This watermark takes the form of deliberate digital distortion, and is designed so that "most" people won't notice it.

    2) Make all SDMI MP3 players scan MP3 files for the remnants of that watermark, and reject them. Hence, MP3s made from ripped CDs won't work anymore on new players. Napster is dead.

    3) To allow people to download their own CDs into their SDMI MP3 players, provide special SDMI ripping software that allows the creation of an SDMI-encrypted MP3 from watermarked CDs, but associate these encrypted MP3s with the computer of the person who did the rip, so that they can download them onto their portable player, but if someone downloads this file from Napster, it won't work for them, because it wasn't made on their computer. The SDMI ripping software would look for the watermark, and make sure that the watermark is intact, signifying an original CD. This is so that you can't download an MP3, uncompress it into a CD, and run the SDMI ripping software on it. This is the purpose of the "two additional technologies."

    The "detect compression" part is the fundamental mistake. The entire SDMI initiative is based on a basic misconception about the future of digital music and the reason why people use MP3s in the first place.

    The only reason that people use lossy MP3 encoding is because it makes the files smaller by a factor of about 10:1. However, there are lossless encoding schemes that can compress by a factor of about 2:1.

    Even if SDMI had worked, it would only have bought the industry a year or two, before DSL, or whatever faster technology replaces DSL makes downloading an uncompressed file as fast as downloading an MP3 is today, and before hard drive prices fall to the point where no one cares that their music files are 5 times as large.

    Cracking SDMI now is a good thing.

    Watermarking introduces deliberate distortion into the audio signal. By cracking the watermarking scheme before it was ever introduced to the market, we have avoided a scenario where all CDs would have included deliberate distortion, to no one's benefit.

  • by iElucidate ( 67873 ) on Thursday October 12, 2000 @10:47AM (#710763) Homepage
    I am very excited about this. Want to know why? Because not too long ago, I read this article [salon.com] in Salon.com. It stated:

    Is the SDMI boycott backfiring? Programmers don't want to help the recording industry test its new security "solution." But the technology insiders behind the system say hackers could kill it once and for all by participating.

    The SDMI coalition is falling apart. The electronics companies hate the tactics the record companies are employing, and are on the verge of splitting off of the group. The final release specs for SDMI were the last draw - if someone cracked this system, it could mean the end of the coalition.

    Of course we will break the code - any new code is inevitably broken, especially one tied to hardware like SDMI. Many have talked about the prospects for breaking the code, and most agree - it will be possible in most forms, due to fundamental flaws in the architecture.

    Don't worry about breaking any potential codes - it will happen regardless. Look at the massive support for Napster and you can see why SDMI won't work. On the other hand, look at the RIAA's coalition now: fractured, broken. Will they EVER be able to repair it? I hope not.

  • by d.valued ( 150022 ) on Thursday October 12, 2000 @10:50AM (#710767) Journal
    The main restriction that CSS, err.. SDMI would impose is that it would mandate that hardware and software MP3 solutions would have to convert to SDMI only within a short timespan. Now, if you read the article, it says one thing that none of us would have expected: Many SDMI members think there isn't [another solution to watermarking] -- and that this could mean that SDMI will now implode for lack of any plausible ideas for how to meet the recording industry's demands for secure music. Maybe this means that there won't be an SDMI for a technological century! (Or six years ;)
  • by crushinator ( 212593 ) on Thursday October 12, 2000 @10:39AM (#710775)
    I was pro-boycott from the start - I didn't want to do dirty work for the RIAA, serving to strengthen their algorithm which they would eventually use against me. But in spite of my reservations, a successful, across-the-board crack this early may be a good thing.

    I think the bad PR will constitute a serious blow to the SDMI (unless they somehow manage to downplay or spin it), and I think the lost time will be even more crippling to the initiative.

    This means no SDMI players by Christmas... meanwhile, more and more MP3 players will emerge and gather market share. If, by the time they come out with a new, improved SDMI, millions of people have mp3 products (especially non-technophile people), it will be much, much harder to pitch it to the average consumer. Hopefully at that point SDMI will go the way of DivX (the pay-per-view DVD, not the compression).

  • by MenTaLguY ( 5483 ) on Thursday October 12, 2000 @10:45AM (#710798) Homepage

    ...an insight into their ethical framework, and why they chose to save the recording industry's lunch.

    If they accept the prize, it will be clear that the answers are, respectively: "Money is good," and "about $10k."

  • by itripn ( 208746 ) on Thursday October 12, 2000 @11:01AM (#710804)
    An opposing strategy to the boycott would be for the community to crack everything they release to be tested. This will a) delay boneheaded schemes from hitting the market, and b) demonstrate that the community can and will crack anything they come up with, showing the futility of encrypted music. No, we need new and bold business models to distribute the music such that the ARTISTS get the bulk of the proceeds, not the good ole boys. So let them keep coming up with stuff, and let's keep cracking it until they figure it out.

    itripn
  • by TheGratefulNet ( 143330 ) on Thursday October 12, 2000 @11:36AM (#710819)
    you have my vote as well: make it cheap and the amount of work it takes to either rip/encode/tag your own mp3's or to break the watermark will be more than the cost of just buying legit files.

    at home, I have a ripping farm (well, if 4 boxes is a farm) of mp3 encoders. they're all k7-800 class boxes. and it STILL took me over 2 months to r/e/t my whole 500 cd collection (with the frau encoder, at --qual=9). this is with 800mhz k7 systems! a lot of folks have this kind of HP but most probably don't.

    a friend of mine who has 'only' a k6-2/300 system waited 24 hrs of constant machine mp3 encode time just for one album. would he pay 50cents for properly (like with Frau.) encoded and labelled mp3's? you can sure bet he would!

    riaa: make mp3's cheap and just TRY the online sales thing. and promise us that you keep just enough cash to 'get by' and that the lion's share goes to the artists (that you CLAIM you exist for) and let's just see how well that experiment works.

    will they try it? nah - they're too busy suing everyone and his brother. reminds me of the monty python movie where the knight is being defeated one hacked-off arm and a leg at a time; yet still won't give up the fight.
