The Empeg BBS's very own Dan S. Wallach was part of a nine-person research team that hacked the proposed SDMI watermarking scheme!

What's more, they had the integrity to publish their findings in an open research forum rather than sign an NDA under the terms of the "Hack SDMI" contest. This means that the SDMI consortium can not spin/censor their findings.

And, to deflect another potential subjective attack on their findings, they came up with an objective measurement of distortion that shows that removing the watermark does not introduce any more distortion than adding the watermark did in the first place!

The findings are written up here.

Sweet stuff, Dan! I work two blocks from the campus, so e-mail me at cpage@redsky.com if I can take you out for a Goode Company BBQ sandwich and a brewskie!

Corby
MK I SN#320, 6-Gig Blue

Wow!

That totally rocks. Impressive! Can anyone say "Buh-bye, SDMI"?

___________
Tony Fabris

Rob Schofield made an impressive post on this topic about nine months ago, one that I still rank as possibly the best single post ever placed on this bbs. Take a look here before you decide that copy protection is a dead issue.

tanstaafl.

"There Ain't No Such Thing As A Free Lunch"

Take a look here before you decide that copy protection is a dead issue.

I didn't say copy protection was a dead issue... The SDMI watermarking scheme is only a part of one possible copy protection system. The copy protection that Rob S. described is a completely different system and unrelated to SDMI.

The SDMI crack isn't the death knell for copy protection, but it's a great example of something that I've been saying all along: If you can run something with the copy protection in place, then there's also a way to run it with the copy protection removed. Whether that "something" is a dongle-protected piece of software, a copy protected computer game, a region-encoded DVD, a macrovision-protected video tape, or a watermarked/encrypted music file, there are always ALWAYS ways to circumvent copy protection.

This doesn't make copy protection a dead issue. There are many copy protection schemes which make it very difficult to pirate something. And that's all that the publishers are shooting for: making it difficult to make a casual copy. So copy protection definitely isn't going away any time soon.

The only reason I say that SDMI is going down is because of the wonderful way these folks handled the announcement of their crack: they refused the prize money and went public with it. If they'd signed the NDA and kept its details secret, then possibly the SDMI folks would have been able to lie to their potential customers, saying some marketing doublespeak like "SDMI is 99.99 percent secure". Now they can't keep it under wraps, and no one will back SDMI because it's already been cracked.

___________
Tony Fabris

Tony is absolutely right. At every step of the way, SDMI has schemed to keep this information from becoming publicly available.

First, as Dan's group pointed out, they set intellectually dishonest parameters for their "Hack SDMI" contest. Running the contest for three weeks (especially after they spent two years dragging their feet) without publishing any information about their algorithms is not consistent with industry practices for testing security models.

Then, they tried to paint Salon.com as a bunch of liars because Salon dared to publish interviews with SDMI's own technical experts saying that the watermarking technology is hackable.

Finally, they hoped to get all of the hackers that broke the watermarking scheme to sign NDA's. This way, SDMI could conduct months of "additional phases" of testing in private and eventually declare watermarking a success.

SDMI doesn't give a rat's ass that their algorithms aren't secure. Their goal is simply to get some sort of "security" standard adopted in a bunch of consumer electronics players, and then get it declared as a legal standard, just as VCR manufacturers are now legally required to employ Macrovision copy protection in all of their units. Then, the software and hardware manufacturers have to pay big licensing fees to SDMI to make a legal digital music player.

And if you don't think that our friends at Empeg would have been under enormous legal pressure to pay those licensing fees, then you haven't been paying attention.

Corby
MK I, SN#320, 6-Gig Blue

At every step of the way, SDMI has schemed to keep this information from becoming publicly available.

True, but you can't blame them for it. Security through obfuscation is still security. The only problem is that such methods eventually fall to reverse-engineering anyway. And for something like digital music, the incentive to reverse-engineer it would have been very strong with a great many people. The SDMI folks are lucky to have had this stuff aired before it got implemented in a bunch of expensive new hardware and then been embarassed about it.

Now we're back to the root of the problem which is that the current distribution medium for music (Audio CDs) is unencrypted. SDMI hoped to implement a system that could continue ot use CDs as a primary distribution medium. Audio watermarking was promising, it's too bad they couldn't make it work. I think this proves that, in order to truly copy protect music, you need a completely different method of transport and distribution. Something heavily encrypted that requires licensed hardware to decode. DVDs took a decent stab at it, but the encryption key wasn't strong enough and they didn't police their licensees closely enough, hence DeCSS...

___________
Tony Fabris

I haven't logged in here lately; we've been awfully busy. Our FAQ answers most questions you might want to ask if you aren't conversant with Fourier Transforms. Meanwhile, there's been something of a PR battle raging where the SDMI folks claim our attacks damage the sound quality beyond their subjective quality standards. We're preparing an appropriate response that may be succintly summarized as "put up or shut up".

Watermarking is actually a really nifty technology, but (as far as we can tell) they're using it in a relatively unintelligent manner. They appear to be embedding a single bit of information in the music ("SDMI was here"), where the detector for this bit will be replicated in every single CD player, MP3 player, and heaven knows what else. Since the detector is replicated, that means a single attack can defeat the watermark for every single player. You'd think they wouldn't do it that way, but they appear to be focusing not so much on MP3 music but on traditional CD players. They want a vaguely backward compatible standard that will allow SDMI CDs to play on old CD players, old CDs to play on new SDMI players, but to make it "hard" for a user to burn a new CD with SDMI content that will play in an SDMI CD player. It's all quite strange.

Anyway, Goode Co. Barbeque is always a good thing. I'll be travelling all next week, but maybe afterward. E-mail me privately (dwallach@cs.rice.edu) and we'll figure something out.

Comments?

Yeah. I'm glad that C|Net reported it properly, stating that in fact all five had been broken, despite what the SDMI group said. I hope that other news sources report it in a similar fashion.

DWallach: Is your group going to raise any sort of a stink about it? For instance, seeking out news agencies who didn't report both sides of the story (if any) to set them straight?

___________
Tony Fabris

For instance, seeking out news agencies who didn't report both sides of the story (if any) to set them straight?

Hmm, on second thought, it looks like you might not have to. I did some quick searches, and every place it's reported, it's just reprints of the original C|Net article. Cool.

I especially liked how the C|Net article prints the SDMI group's defenses in such a way that it sounds like they're doing damage-control. SDMI can't get mad because their defensive statements are printed just fine-- it's just that in the context of the article they sound like the crew of the Titanic claiming that the ship is unsinkable even as it's taking on water.

Dontcha just love it when the spin doctors are on your side?

___________
Tony Fabris

Hmm, on second thought, it looks like you might not have to. I did some quick searches, and every place it's reported, it's just reprints of the original C|Net article. Cool.

This is quite common. The first journalist writes an article with whatever particular bias. The other lemmings^H^H^H^H^H^H^H^Hjournalists follow suit with the original. Obviously, for larger stories (e.g., major elections, wars, changes to the Coke formula) you tend to find a handful of journalists doing original research. For everything else, particularly in technology journalism, if you think you've got news to break, it's really important to pick the most competent journalist you can find and convince them to write your story.

Another effect going on here is you're seeing a reaction against the P.R. generated by SDMI. When an organization is spewing forth P.R. about how bananas are blue and all the finest bananas in the world are all blue, which of course makes the journalists suspicious but, well, they've never seen a banana before and blue sounds like a reasonable color, and suddenly along comes somebody saying "umm, you know, bananas are truly yellow, see here's one right now," the yellow bananas story is bigger news because it runs counter to the prevailing blue banana spin.

At any rate, we are in the process of writing a true and proper technical paper for submission to a conference describing our findings. I'll post something here when it's available.

Dan (purveyor of only the finest yellow bananas)

Truer words were never spoken.

___________
Tony Fabris