SDMI was cracked, and is doomed: count on it

Bury it quietly...

Analysis: Has SDMI been cracked? Last week Salon claimed that the 'Hack SDMI' challenge had resulted in an embarrassingly complete whitewash for the digital music protection system. This was followed up swiftly by a denunciation of the Salon story by SDMI executive director Leonardo Chiariglione, speaking exclusively and expletively to Inside.

Salon nevertheless sticks to its story, citing inside sources, while the Chiariglione line is that "results of the hack-off will not be known until after the November meeting" (a meeting of the SDMI working group plenary body scheduled for 8-10th November, where a report on the challenge will be presented). So a stand-off on the hack-off? Perhaps - but there are pointers in both the Salon story and the Inside riposte that suggest that SDMI probably has egg on its face.

The challenge itself was kicked off in September, when the SDMI working group issued an "Open Letter to the Digital Community" challenging them, it or whatever to try to crack any or all of six technologies being proposed for SDMI Phase II. SDMI itself is intended to provide a secure watermarking system for digital music, the gag at Phase II being that SDMI-compliant music will only be playable on SDMI-compliant systems, and SDMI systems won't play pirated music. So producing an uncrackable system is kind of important to SDMI, even if rational people find it difficult to grasp that uncrackable systems can actually exist.

Despite a boycott effort mounted on the basis that open source-minded types didn't see why they should help SDMI build its padlocking system, Chiariglione claims that 450 files and descriptions of the methods used were submitted by the time the contest closed on October 7th. The Salon piece, published on October 12th, said that all six technologies had gone under. Salon says that three "off the record"* sources confirmed this, and that "one insider" said all the hacks were "technically solid."

The Salon story as a whole however provides one of the two main indicators that SDMI's efforts may all be toast - it has too much detail in it for it to be plausible that someone, somewhere had just made the claims up. The other indicator, of course, is Chiariglione's bizarre insistence that nobody can possibly know until after November 10th - if he believes this, and is sure nothing will leak out beforehand, he's been around recording industry PRs for way too long. The author of the Salon piece, Janelle Brown, actually undermined this anyway in an earlier article published while the challenge was still running, on October 3rd. "One SDMI member" is quoted as saying: "From what we're hearing, it sounds like the technologies that have been broken so far are using fairly easy means, [like] audio software that's easily available for download. This isn't rocket science."

That indicates that information on entries, as you might expect, has been available since they started coming in - contrary to Chiariglione's claims to Inside. These claims overall are somewhat difficult to credit.

The exec's tale

Chiariglione argues first that nobody knows whether SDMI has been successfully hacked or not. "We have about 450 files... our testing managing committee started working on this Wednesday [the day before the Salon article, and eight days after Brown first reported breakages] morning, and it's simply impossible to say whether this is true or this is false. Nobody knows! And when I say nobody, I mean nobody, because it's 450 music files that have yet to be tested."

They might not have been entirely through the SDMI full and formal test and evaluation process, but it's extremely difficult to conceive of nobody knowing. How much time does it take to spot a probable hack?

According to Chiariglione's story, it takes a month. The SDMI plenary body met on Friday 13th October to give "instructions to the committee that will study the submissions and prepare a report of their findings for the next meeting in Washington, DC, on Nov. 8 through 10." This is not a description of a testing process, we might note - this is a committee structure.

SDMI says that tests will check "whether the proposed technologies were affected in such a way as to avoid the intended effect, whether the results can be replicated, and whether in attacking the technology the music quality was degraded." That opens a crack which could potentially be wide enough for a truck to drive through, because it exposes (appropriately enough) the analogue sliding scale factor that has to be built into the tests. Technologically the watermarks (which include an audio component intended to survive in analogue recordings) could be ripped out, but in doing so you may degrade audio quality unacceptably.
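The three criteria SDMI describes (was the technology defeated, is the result reproducible, was the audio degraded) are exactly the sliding scale the paragraph above worries about, so here is an added example of how an evaluator could score a submission against all three at once. It is illustrative code written for this page, not SDMI's test procedure, Salon's, or any of the six proposed technologies: the "music" is a constructed 440 Hz tone, the watermark is a toy spread-spectrum sequence, the detector is a simple whitened-correlation detector, the submissions are constructed transforms of the marked audio, and the strength, detection threshold and 20 dB quality floor are assumptions chosen for the toy. It runs in plain Python with no third-party packages.

```python
import math
import random

SAMPLE_RATE = 8000
N_SAMPLES = 8000           # one second of constructed audio
MARK_STRENGTH = 0.02       # watermark amplitude (assumption for this toy)
DETECT_THRESHOLD = 0.01    # detector decision threshold (assumption)
MIN_SNR_DB = 20.0          # quality floor an evaluator might set (assumption)


def make_host(n=N_SAMPLES):
    """Constructed stand-in for music: a 440 Hz tone at amplitude 0.5."""
    w = 2 * math.pi * 440 / SAMPLE_RATE
    return [0.5 * math.sin(w * i) for i in range(n)]


def make_mark(n=N_SAMPLES, seed=1234):
    """Pseudo-random +/-1 spread-spectrum sequence; the seed plays the secret key."""
    rng = random.Random(seed)
    return [rng.choice((-1.0, 1.0)) for _ in range(n)]


def embed(host, mark, strength=MARK_STRENGTH):
    return [h + strength * m for h, m in zip(host, mark)]


def detect(audio, mark, threshold=DETECT_THRESHOLD):
    """Blind correlation detector. Subtracting the mean of the two neighbouring
    samples (a crude whitening filter) suppresses the slowly varying host and
    keeps the white watermark, so the correlation with the key sequence is
    dominated by the mark when it is present. Returns (decision, statistic)."""
    total = 0.0
    for i in range(1, len(audio) - 1):
        residual = audio[i] - 0.5 * (audio[i - 1] + audio[i + 1])
        total += residual * mark[i]
    stat = total / (len(audio) - 2)
    return stat > threshold, stat


def snr_db(reference, candidate):
    """Quality criterion: signal-to-distortion ratio of the submission
    against the marked original, in dB."""
    sig = sum(r * r for r in reference)
    err = sum((r - c) ** 2 for r, c in zip(reference, candidate))
    return math.inf if err == 0 else 10 * math.log10(sig / err)


def smooth(audio, width):
    """Centred moving average of odd width: a constructed, deterministic submission."""
    half = width // 2
    out = []
    for i in range(len(audio)):
        lo, hi = max(0, i - half), min(len(audio), i + half + 1)
        out.append(sum(audio[lo:hi]) / (hi - lo))
    return out


def add_noise(audio, sigma=0.1):
    """Constructed submission that uses unseeded noise, so it cannot be replicated."""
    return [a + random.gauss(0, sigma) for a in audio]


def evaluate(marked, mark, submission, min_snr_db=MIN_SNR_DB):
    """Score one submission (a callable over the marked audio) on the three criteria."""
    first, second = submission(marked), submission(marked)
    detected, _ = detect(first, mark)
    quality = snr_db(marked, first)
    report = {
        "defeated": not detected,           # criterion 1: intended effect avoided?
        "reproducible": first == second,    # criterion 2: can the result be replicated?
        "snr_db": round(quality, 2),
        "quality_ok": quality >= min_snr_db,  # criterion 3: was the audio degraded?
    }
    if not report["defeated"]:
        report["verdict"] = "watermark survived"
    elif not report["reproducible"]:
        report["verdict"] = "not reproducible"
    elif not report["quality_ok"]:
        report["verdict"] = "watermark removed but audio degraded"
    else:
        report["verdict"] = "successful attack"
    return report


def run_challenge():
    """Evaluate three constructed submissions against the toy watermark."""
    host, mark = make_host(), make_mark()
    marked = embed(host, mark)
    submissions = {
        "noise": add_noise,
        "smooth_3": lambda a: smooth(a, 3),
        "smooth_65": lambda a: smooth(a, 65),
    }
    return {name: evaluate(marked, mark, fn) for name, fn in submissions.items()}


if __name__ == "__main__":
    for name, report in run_challenge().items():
        print(name, report)
```

The three constructed submissions land in three different boxes: the noise submission leaves the mark detectable and is not reproducible, so it is not a break at all; the wide smoothing removes the mark but wrecks the audio (SNR below 0 dB), which is the "removed but degraded" outcome the paragraph describes; only the light smoothing both removes the toy mark and stays above the quality floor. Where the evaluator sets that floor is the judgement call that the article suggests gives SDMI room to argue.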

Therefore, it is perfectly possible for SDMI to have 450 hacks, all of which successfully break the protection, but to bluster about Salon being "completely off the mark." Obviously, if SDMI hasn't listened to the product of all the results yet, it can insist that nobody knows. That would allow Chiariglione to denounce the Salon story without the story being necessarily untrue. Face can be saved by insisting that sound quality was unacceptably degraded by removal of watermarks, so nobody cracked it, honest - right?

The journalist's tale

Brown's story claimed that an SDMI meeting last week was due to discuss the results, and that although "a core group of participants" knew the results, the membership as a whole had yet to be informed. An emergency meeting had already been held, and "SDMI members and the press will likely be informed Friday, several sources said."

It's unlikely that SDMI members were informed Friday, given the lack of leaks, and the press certainly weren't. But rather than meaning Brown had an entirely bum steer here, the more likely explanation is that there was a party within the SDMI that wanted to run up the white flag on Friday, but that its effort failed. In an earlier article Brown had plausibly portrayed the SDMI as a nightmare snakepit, where computer industry techies oppose what they see as futile recording industry efforts to achieve total control of their copyright. According to Brown many of the techies wanted SDMI to be smashed, forcing a more sensible approach, or the death of the whole scheme.

It's plausible that they saw the early results, figured they'd won, and pushed for the surrender. IT industry commonsense suggests that if they lost this time, they'll win in the end, anyway.

Brown also (remember this piece was published two days before Chiariglione's retaliatory strike) puts forward a possible alternative scenario: "One SDMI participant predicted: 'They are going to try to keep it quiet - the official word will be that the testing company is still analyzing the results. They will try to skate out of this without releasing the information that it's all broken.' Others believe the RIAA will try to keep the news 'close to the vest' until it has an alternate solution it can announce to the world at large."

There's a compelling prescience to this. Chiariglione's outburst to Inside is entirely consistent with this, and by a bizarre and miraculous coincidence the RIAA announced it was starting development of its own digital ID system on the day of the SDMI plenary meeting that did/didn't discuss the results of the tests. So is Chiariglione in the position of moving increasingly imaginary army corps around the map while the RIAA tries to salvage something from the wreck? We think so.

* We at The Register continue to note with dismay the creeping misuse of "off the record." If somebody tells you off the record that something is true, then you can be more sure than before that it is true, but you can't actually mention them. Even if you don't say who they are. If they say the information is "non-attributable," then you can say what they said, but you can't say who they are. Right? Pull your socks up Salon - apart from that you're great.

Related reading list:
Salon claims SDMI cracked
Leonardo fires back in Inside
Earlier Salon piece with interesting stuff on internal SDMI battles
The original Hack SDMI challenge
Further info from SDMI, explaining why it's not horrible really
Where the Electronic Frontier Foundation thinks the SDMI can stick its challenge
This music will self destruct in 5 plays: RIAA looks to the future