Boycott of Music Industry's Hacker Challenge Urged

phu170n writes "Don Marti, technical editor for the Linux Journal, has called for a boycott of the hacker challenge recently announced by the music industry's SDMI collective. Looks like principle can be worth something (more than $10,000, at least) these days."

All watermarks are detectable

No matter how you slice it, in order to add additional information to any file, you have some bits somewhere.

If all SDMI wanted to do was mark a piece as authentic, every piece would have the same mark and there wouldn't be much incentive to break it. "Heh, this POS is by Britney Spears. I know because it's watermarked." "Couldn't you tell that by tinny, teenage voice singing about her life ending because her teenage boyfriend dissed her." "Ummmm..."

But authenticity marking isn't what they're after. SDMI is looking for encryption and user identification. This means each unit would get a different watermark. Breaking it is then a simple matter of buying 5 copies and doing a binary diff of the output of "mpg123 -s britney.mp3 > tempfile". Build a bogus watermarked file by pulling the first byte from file one, the second from file two, ...the sixth from file one, ...etc, and run lame on the result to get 'unmarkedBritney.mp3'

Am I in trouble now?

Re:Prize money isn't guaranteed

I didn't catch that-- good point.

Frankly, if our software engineering skills are worth only $10k to them, they obviously don't need this too much.

I can just picture a bunch of arrogant marketting types sitting together:

"Yeah, let's use these hackers to make our product better! We'll dare the kids to break our product, and then they'll work for us."

"But wait, why would they do that. They hate us."

"Yeah, but so what? Remember, these guys may be real computer whizzes, but they're naive. Most of them are just kids-- they're doing this because they can't play football and don't have dates. They don't have the savvy, the talent, the raw creative spirit to be in marketting. After all, if they did, they'd being doing this, right?" Everyone nods thoughtfully, except for Todd, the exfootball star, who is suddenly lost in his glory days.

"So we invite them to crack our system! And then, when they find the hole in it, we'll hire some techies to fix it, and we're done! We can even offer a prize! We'll jack up CD costs."

"Sounds great!! And just think, we're doing this right here, in Hollywood!"

And just think, people like these gave $5 million to the vice president last night...

Re:This is what we wanted, right?

Exactly what we wanted, assuming we want only the most popular songs and wish to pay exorbient fees. These guys need to wake up, I'll gladly pay a monthly fee to a record company for access to their entire cataloug. I don't want just the hit of the day, I want those old delta blues tracks that haven't been released in decades, some cool pre-war european jazz, and a lot of out of print LA punk.

As usual it is a matter of control and short-sightedness. The record corps figure that the old stuff that just a few people want can't generate enough revenue to make having it available worthwhile. And they are right when you look at current distribution models, but on the net they can offer a subscription service where that old Skip James tune just takes up a few megabytes on a server and doesn't require pressing, shipping, etc. That way they make money from the millions of vapid Britteny Spears fans as well as the fans of older/obscure artists. Hey RIAA, that is more money, not less.

Hypocrites

Isn't this the same industry that is pushing real hard to make it illegal to hack and publish ways to break commercial encryption schemes. Sure they are offering $10,000 now to anyone who can hack and break it, but what happens after it ships? My guess is that their tone will change and anyone who hacks it will be hunted down and persecuted.

So hack this puppy all you want, just don't publish what you find until after it has been released and is widely used :)

Contest Illegal?

Has anyone checked to see if SDMI is legally allowed to "encourage the circumvention" of the technology? Isn't this inciting people to breaking the DMCA?

What does happen if somebody cracks their protection? Do they go back to the drawing board, or do they buy the rights to the crack for $10,000, patent it, and then refuse to publish it?

My advide to anyone who thinks about taking up the challenge is to read the agreement very carefully. My hunch is that they will try to buy the rights to the crack.

Goal of SDMI != End copying

A lot of people seem to forget that the idea behind this SDMI scheme is not to stop Joe Sixpack from writing the audio to a file, or use a loopback recording scheme with his soundcard, but to be able to point the finger at him later.

Go ahead! Buy a Britney song online and download it in SDMI format. Sure, toss it in your Napster share directory! Hack away at it too, and re-record it all you want...

But when the RIAA then scans Napster files, it will be very easy to find out whose copy it is that is floating around there (providing the watermark is still discernible). You did pay for your original download with your credit card, didn't you? Who's 31337 now, when they charge a gazillion bucks in damages to you?

In a way, this is just like DeCCS: the watermark will not prevent copying, but is supposedly meant to stop piracy, while in reality pirates will circumvent it. All it will do will be limiting users choice (eg. no Linux player).

Why bother "boycotting"?

Microsoft put Win2k on the net and we all gleefully pounded on it (for the short periods it was up). Then they released. Is it any good? No.

Same with SDMI--they don't want to improve the product, they want to prove it uncrackable. If no breaks it, that will be evidence (to a person versed in using fallacies in place of logic) that SDMI will Make Money Fast For Artists. This gives them credibility and power.

Here's my recommendation: Hack it, but good. Hack it so good it can't be fixed. For instance, connect your soundcard "out" to your "in" and record--there's no getting around that. Alternatively you could hack it so good they have to go back to the drawing board for a year or two--giving MP3 (and Ogg Vorbis!) time to spread even further. If you haven't broken the rules (why are there rules in a hacking contest?) collect the $10k. If you have broken the rules, just post the results to lower their credibility.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/

intrinsically flawed contest

As much as I hope nobody even so much as tries this, I just know there will be some 733t cr4ck3rz out there that won't be able to resist the money and the ego of the whole thing. Sad.

What's worse, they're shooting themselves in the foot. The "contest" (hereafter referred to as "The Sham") runs from Sept. 15 until Oct. 7th. Why that window? Do you REALLY think that if someone is dedicated to cracking whateverthehell it is they're proposing, they'll give up after 3 weeks? Hell no - they'll pick away at it month by month until it's split wide open. Three weeks isn't going to do them a damn bit of good, IMNSHO.

There is an effective response

Find a demonstratable flaw in their system, but refuse to reveal how it works until the RIAA donates $10 million to the Electronic Frontier Foundation. The publicity it would generate for the issues at stake would be worth far more than the actual money.

The more I think about it, the curiouser I get

Just how is SDMI supposed to work? I understand (somewhat) digital watermarking, but how does that apply? It's not like I have to break the encryption or anything (like forging someone's signature)--I just have to remove it (like erasing the signature). Could I run through an SDMI file and randomly add or subtract 1 from every byte? Shouldn't affect the sound but will destroy any watermark.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/

Re:Why bother "boycotting"?

The challenge says you can collect UP TO $10,000, not necessarily that you will be paid $10k for success. Winning $1 still qualifies as "up to $10,000." Why sink to the level of the recording industry? If you crack their encryption for greed, they're going to screw you, and we all will suffer. KEEP UP THE BOYCOTT.

Prize money isn't guaranteed

Apart from anything else, I'm very wary of the wording in the open letter:

If you can remove the watermark or defeat the other technology on our proposed copyright protection system, you

may earn up to $10,000.

So it looks like they trick people into checking their security for them, and then don't have to give them the cash anyway. Personally, I'd like to see someone remove the watermark and not tell them how it was done. Sure, they'd be forfeiting the possible prize money, but they'd also be delaying the introduction of SDMI. Like Don Marti, I don't copy music from others. And yes, protecting my fair use copying is worth more than $10K to me anyway.

Does it really matter?

The issue with this software, as I understand it, is similar to the issue with DVD - ie, you can have the files, but you have to play them with the "approved" software.

Now from where I'm sitting, that means that breaking the encryption really isn't of much relevance; the issue is of making player-software available cross platform. This could be done by cracking the encryption, but lets face it: it's a whole lot easier just to reverse-engineer the player-software that is released, which is exactly what was done for DVDs.

Okay, so the powers that be don't especially like that tactic either, but in truth it's better for them too.

Re:give it away now

Well, simple watermarking is a fantastic idea. It means that people aren't going to be doing a napster and share music with everyone and his dog, but they're going to be able to lend music to their friends etc. And, assuming it doesn't change the music itself, it shouldn't affect fair use rights. The only problem I have with this (seemingly) rosy picture is that I'ld be amazed if their watermarks were very a) hard to find and b) robust. If they're not robust, then diddling a bit with the sound could destroy them. If they are easy to detect then they can be stripped out.

Re:The more I think about it, the curiouser I get

> Could I run through an SDMI file and randomly add or subtract 1 from every byte? Shouldn't
> affect the sound but will destroy any watermark.

No, that isn't going to work.

The watermark is a particular set of frequencies, repeated at particular times. It doesn't have to be audible. It certainly won't be removable by just twiddling bits--- anything that doesn't affect the sound won't affect it.

It's possible to use cryptography to hide the watermark, even if you reveal the algorithim for creating it. Any random set of sounds could be a watermark, but only if you know the correct key will you know what the watermark means.

Correctly implemented, there is no way to detect or remove it. However, from what I've read, the SDMI idiots appear to be rather clueless. They want the watermark detection to be built into every player, so that it will refuse to play even analog copies of watermarked material. Of course, this means that all you have to do is reverse engineer one of the millions of players they will be selling, and you know exactly how to find the watermark-- and how to remove it.

This is what we wanted, right?

As the RIAA has gone after Napster, everyone has been talking about how they would buy digital music if is was available. Well, that's what they are trying to do. They are trying to make music available online, and to make it secure. They simply cannot release the music in an unsecure format. The only thing that would accomplish to make the music easy to put on Napster (or whatever). Someone would buy the music, and the first thing they would do is put it in with all of their other MP3s, shared on Napster. Then everyone else finds it on Napster, and has no need to buy it (and this is especially true for digital music, as you have exactly what you would be purchasing). So the only way to offer music online and to have a chance to make any profit is to offer it is some kind of either encrypted or watermarked format. If you want music available for download (legally), there is no other way.

Why Boycott

The best reason not to attempt to crack the protection scheme is that it tells these people WHO YOU ARE.

That is the real reason for the 'hacking contest'. Much in the way that the real reason for registration of firearms is to make the later collection of those weapons from the law abiding easier - so is the real purpose of this contest to allow the music industry to collect information on who is interested in trying to crack their copy protection scheme. Anything you do in this 'contest' may be used against you in a court of law at a later time and date.

Re:There is an effective response :

Any news from the site : because here it is 09:13, Sept 15 (Us&Canadian eastern time), and nothing worth the trouble is showing on http://www.hacksdmi.org/. And like someone pointed out, they have a like to their site into their own site that will create an interesting Escher-like "Recursive Frame stack fault" into you Browser.
As for the boycott : they are clearly trying to avoid a DECSS-like failure.
Maybe they have the same level of confidence for their crypto technical than for their www one ?

This shows that DECSS teached some lessons.

But like usual, thos BIG-CORPORATE-FAT--ETC guys understood the teaching the wrong way, because if their "new" system is not cracked it three weeks, it's going to be cracked in four, five... until the sun blows. And even if the crack is declared illegal their will be a part of the world whete someone will sell it, and the bootleging-vox populi will do the rest.

For every better lock, there will be a better thief ! Hey guys, instead of focusing on the lock, please look at the door design.

On the other hand, like every #$$^#@#$ marketing guys, they gave the delays, blissly disregarding the rules of the game. And like usual the requirements seems to be late.

Bu I will advise for the boycott, because their goal is not clear. Apparently they are going to put a bunch of differents technologies under public scrunity. They seemed to learn at that principle of free software : the most testers you have, the better the product. But testing FOR them will be against our interests. Let them test, and if they cannot get people competent enough to point the flaws in their systems, it means they did not deserve that.

This quote sums up the flaw in this plan.

DISCLAIMER: Its long!

Basically they believe that the gaol of these hackers (if they find any) will be for the money or fame. After the three weeks they will give up and go home and never think about it again. However they are just going to end up giving these contestants a taste of flesh and they aren't going to stop. I'm just not that good with words so here are someone else's:

They are fools that think that wealth or women or strong drink or even drugs can buy the most in effort out of the soul of a man. These things offer pale pleasures compared to that which is greatest of them all, that task which demands from him more than his utmost strength, that absorbs him, bone and sinew and brain and hope and fear and dreams -- and still calls for more.

They are fools that think otherwise. No great effort was ever bought. No painting, no music, no poem, no cathedral in stone, no church, no state was ever raised into being for payment of any kind. No parthenon, no Thermopylae was ever built or fought for pay or glory; no Bukhara sacked, or China ground beneath Mongol heel, for loot or power alone. The payment for doing these things was itself the doing of them.

To wield onself -- to use oneself as a tool in one's own hand -- and so to make or break that which no one else can build or ruin -- THAT is the greatest pleasure known to man! To one who has felt the chisel in his hand and set free the angel prisoned in the marble block, or to one who has felt sword in hand and set homeless the soul that a moment before lived in the body of his mortal enemy -- to those both come alike the taste of that rare food spread only for demons or for gods."

-- Gordon R. Dickson, "Soldier Ask Not"

I Propose a new Challenge

Go to the HackSDMI Website [hacksdmi.org]. Click on the link to www.hacksdmi.org [hacksdmi.org], and continue recursively. The person who can get the most cascaded frames before their browser crashes wins.

Before one learns to fly, one must first learn to walk. Before one learns to develop a secure framework for digital music, one must first learn to use the target attribute.

Re:Better late than never...

10K is a large amount, but how much money would the RIAA have to pay real programmers and security technicians come in and take apart SDMI? I assure you, it would cost a lot more than 10K. What is going on here is an attempt to gain publicity (see, the hacker community can't break it, it is good) or if it is broken they reap the benefits that would have cost them a lot.

It is far better to take SDMI, not find the holes, let them institute it, and then flood the market with the methodology to crack it, forcing them to scrap the entire project and walk away with egg on thier faces.

Re:give it away now

Well, simple watermarking is a fantastic idea. It means that people aren't going to be doing a napster and share music with everyone and his dog

Do you really believe that a company or organization will ever be able to do anything to protect their music, video, or software from piraters if they really want it?

The music industry simply needs to be concerned about making it easy for consumers to buy and use digital music. If they do this, they might be just as successful as the software market.

-thomas


"Extraordinary claims require extraordinary evidence."

Re:Prize money isn't guaranteed

Guaranteed or not, it's peanuts if you do get it.

How much time of a professional crypto expert's time would that buy in the real world? A week if they're feeling charitable.

The people behind the SDMI collective spend $10K on lunch. The prize money is more an insult to the value of cryptographic analysis than anything.

Re:Prize money isn't guaranteed

Oh come on, with such a sparse site, the only thing you can comment on is what the did say, not what they didn't say.

Notice they don't say what copy-protection/watermark methods there are to crack? Or what exactly a successful crack consists of?

It looks like the site requires a major update before the contest can start, and I imagine the legal details will be spelled out more thoroughly at that time. (If ever... the site was built on imagecafe and has dangling links to default pages and has a problem with its frames. It looks as if the only people who worked on it was the PR team.)
--

Don't Boycott; Show Their Futility

Boycotting the hacker challenge is just one extreme. I'd rather have us "hackers" show the Borg-like SDMI collective that their motives are futile.

How can this be done? I'm no expert on watermarking, so I'll leave that one to someone else. But, for conventional means of copy protection, I have some ideas. If you can hear it, it can be recorded. Better yet, if its digital and your sound card plays it, then its driver is being sent the raw, unencoded, unencrypted data.

How about a fake sound driver? If someone wrote a sound driver (preferably for Windows so the collective would see the impact more plainly) that acted like a regular asound driver but instead recorded the raw audio data to a file, the "protected" songs would be available in an "unprotected" form.

So, how about it? Or do you think the SDMI would just have a law passed to make all Audio Card manufacturers adhere to SDMI specs and encrypt the data down to the DAC?

Re:The more I think about it, the curiouser I get

DMCA.

Under the DMCA any player which does NOT use the watermark is a device which is 'bypassing digital copy protection means' and is thus ILLEGAL.

Not only will all new players be forced, by law, to use the copy protection scheme; but you can be imprisoned for 5 years by using your old CDROM or sound card once the new copy protection scheme is on the market. Like DeCSS any device which can be used to copy protected music IS ILLEGAL under the DMCA.

For example a PC which has a current CDROM burner would be illegal. We can assume that Microsoft will put the music copy protection scheme into a future version of Windows - thus making illegal all current operating systems which do not have that code in them.

The DMCA is not about copy protection; it is about controlling what YOU can do with digital technology.