SDMI hacking and haranguing: we're bad and wrong

Strangely calm, intelligent and thoughtful pieces to Reg rant

[We ran a story in which we lambasted the macho stance of "hackers" replying to the SDMI's challenge to crack its music watermarks for $10,000. We said: "Either take it on or walk away." Then, itching for an interesting battle, we cried: "Get stuck in!" Those waving their balls about didn't bother getting in touch, but plenty of others did, pointing out the advantages to ignoring the SDMI altogether. PS By the way, we've pulled all the names off emails on this one]

So-called hackers: please grow up

Hey, I like the , and I get useful information there, but your little screed "So-called hackers: please grow up" betrays a woeful inability to think much further than your next visit to the loo.

It might be fun (for me) to engage in some flaming about the British <temperament/educational system/fill in the blank> based on your article, and that seems to be standard operating procedure in your letters section, but one piss-filled expression of laddishness is no proof of terminal stupidity.

I was glad to see your article today.

This is exactly how I feel about the SDMI "challenge". What a bunch of babies.

The following is a mandate listed by Pendragon. This is in reference to the challenge to hackers made by SDMI. We apologize for the blacked out portions. But we have our reasons. This letter is unchanged except the blacked out portions.

Secure Digital Music Initiative has announced a challenge to all hackers on the web page This consortium has issued a $10000 bounty on the hacked code and will award it to the person who can hack the watermark and encryption coding.

Two outcomes may occur...

A) the online underground community can hack the code and provide it with the source on how to accomplish the so called insurmountable feat, thus probably eliminating the further threat of an easy hack. B) Or the online underground community can boycott the hack and thus force SDMI to figure out its own flawed music security.

Both accomplishments are flawed...

A) 1) All information about the hacker will be collected thus providing both corporate america and the government of region which the hack is in, with a list of hackers and online underground sources. 2) The further chances of hacking the source is greatly decreased.

B) 1) The boycott can not be unanimous therefore someone somewhere will attempt to collect the bounty and thus expose himself and anyone he knows. 2) The online underground community will look to be "all bark and no bite" thus plunging us further into obscurity and myth.

Two proposed solutions...

A) Any hack performed by the elite few of the Online Underground must be anonymous, (Original Portion Blacked Out)

B) The boycott must be unanimous among the few elite thus not providing anyone info on any other people in the online underground. Also anonymous listing of reasons and this mandate (With Blacked Out Portion Excluded) to any and all news sources must be provided so as not to further hinder our standing in the press and force further attacks on the hacking community.

Posted By Pendragon...


Nice try - let's help them build an uncrackable encryption system by debugging it before it has been fully implemented, used by the millions and is too late to be changed...

Ok, if the technology does not give better quality than MP3 then there is no issue, but if it turns out that there could be wads of "better than MP3" quality tracks that become freely available after 6 months due to the encryption system being subsequently hacked, then cool!

I mean - what would have happened if DeCSS had hit the net before the DVD systems reached critical mass - the standard would have changed and all the early takers would by now be upgrading their kit.

I agree that most of the comments seem to be puerile at best, but given the anarchic orientation of many of the truly skilled coders out there (this challenge is more programming than hacking) wouldn't you expect any methods for circumvention to be kept confidential until AFTER the SDMI are committed to the (possibly) flawed model on offer?

As you say "it would be a sweet victory to all those that talk so passionately about MP3s and the Internet's freedom." - but it would be sweeter if the corporate monsters were already tied in before the 'horse' is allowed to bolt

I appreciate that your "Flame of the week" section has been lacking of decent abuse recently but I don't think that insulting large numbers of the hacker community is going to attract much laughable matter.

I refer, of course, to your "So-called hackers: please grow up" slur, posted last Friday afternoon (presumably after a typically over-enthusiastic "business luncheon") in which you equated a bold political statement on behalf of the hacker community with you and your colleagues' procrastination.

I'm afraid that most such hackers exhibit rather more objective qualities than a bunch of lard-ass Sunday writers who can't find the motivation to go to the fitness gym occasionally. This includes having better ways to spend our time than doing somebody else's security audits.

I doubt that the SDMI challenge would have had much attention anyway, but this was a clear statement to the SDMI that we don't want their protocol.

You were the last people to complain when the entire country gets held up to ransom by bored truckers, yet you insult hackers for their peaceful boycott on a monopoly that affects almost everyone.

Then again, you've got your flame. I hope that I didn't take up too much of your vegetation time by posting this.

First of all - anyone can run around finding stupid quotes and putting them up in order to make it look like a whole community is stupid. Trailer parks soon after tornado hits, shown on the news, are proof.

Secondly - you don't know what you are talking about. You are not thinking right about what that 'boycott' is supposed to do. You compare a boycott to no action at all - that is untrue. A boycott by the hackers that CAN do something is pretty important - for self-respect.

It IS a very small prize given the talent and time it takes to do what is asked. Also, to really thrash SDMI (since you are equating all this to violence) you need to NOT play by their rules - and they HAVE rules... in hacking?? It is stupid AND it is nothing more than PR. That, and it'll work either way - so why be a part of it?

SDMI is also asking a lot of people to encourage something that is against their beliefs. That doesn't sit well with me - and it shouldn't sit well with you either. So if YOU understand the hackers' point of view so well, why don't YOU just hack that sucker. If you can, more power to you, but it doesn't change a thing in the end.

I disagree with your editorial about the SDMI cracker challenge. You seem to believe that SDMI loses if someone claims the prize money and wins if no one does. I think the opposite is the case.

If SDMI is told about vulnerabilities, the algorithms will be replaced. As Chiariglione said and your publication quoted, "by successfully breaking the SDMI protected content you will play a role in determining what technology SDMI will adopt." So...if [crackers] do break the codes and tell SDMI, they've only succeeded in making it more difficult for themselves to break them when they actually matter; when they are protecting lots of content. There is the $10,000, of course, but that's a value judgement.

If crackers do successfully break the codes but do not tell SDMI, they've won. SDMI will use the weak technologies and crackers will be able to defeat this technology with ease.

If crackers do not successfully break the codes, SDMI has won. That much I agree with.

I am not a music pirate; I just want to be able to play my legal music uninhibited. I'm a supporter of the DeCSS team; what they did made open-source Linux DVD player software possible. Otherwise, this would have been impossible with RIAA's overly restrictive licensing. I believe that in the end, despite RIAA's legal gorillas, our legal system will find that their actions were entirely legal.

At first glance, it appears that the format supported by the SDMI does not inhibit my ability to do so. I downloaded their and successfully played the WAV files inside, without needing to remove the watermark. The quality wasn't terribly high, but this was the case with both the watermarked and clean versions; probably more the fault of my beta sound card drivers and cheap headphones than their encoding. So...I hope the SDMI does win this round. I want widely available music in a format which allows consumers the freedom to listen to it with whatever software they choose. If SDMI manages to include their watermarks without this, I'm all for it.

As World Spokesperson for the Programming Elite I hereby inform:

Take it easy. These hackers need these little rants against these little challenges. It's a lot like lion cubs playing: their play is later used in hunting. Wouldn't you agree that more programming hunters are needed? Especially when there are companies patenting unbelievably simple "technologies", and laws being passed to restrict the programmer's rights to free speech.

So the Programming Elite has huge challenges ahead. If they want to get together to boycott Grandma Jenna's Quilting Homepage for Retired Nuns then I say, "Great!" Just as long as they're practising, and improving. But who determines if they're improving or not? I do, of course. But you can too. Anyone who has the initiative to commend a boycott when it was well done can be the person who determines the real direction of the Programming Elite. Things used to be worse, remember? The SDMI site would have been brought to its knees a few years ago. A thread would have been started on a newsgroup or IRC room denouncing the website and, whether they used a DoS attack, or brute force take-over, something would have happened to make the Programming Elite look horrible even when they thought they were showing their stuff.

Embrace this, man. As world spokesperson I beg you to commend the Programming Elite for what tact they did show. Point out how it can be done better. And then keep giving them little causes to come together on. This isn't about SDMI it's about us - the Programming Elite. You 63tt3rr3COGniz3.

[We got plenty plenty more emails - most of which pointed out the advantage of waiting until SDMI's kit was on the market - but it takes ages to filter, cut and paste, and this selection covers most of the viewpoints. So there you go]
