SDMI hack: the ‘golden ears’ ride to the rescue

Did you know the music companies use real people to measure things? Wow...


SDMI executive director Leonardo Chiariglione's denunciation of the claims that the "Hack SDMI" challenge resulted in a complete whitewash of the music protection and identification system is looking increasingly shaky. Salon, which claimed earlier this month that all of the proposed technologies were successfully hacked, has come up with a lot more information from one of its sources, and The Register has received information that supports Salon's claims.

Chiariglione himself has taken advantage of a 'right of reply' offered him by Salon, but as far as we can see his response tends, if anything, to offer some support to the original pitch. A week ago he said: "our testing managing committee started working on this Wednesday morning, and it's simply impossible to say whether this is true or this is false." That is, as testing had hardly started, nobody could possibly know whether any of the hacks had been successful or not, so the Salon story is rubbish. Or slander, as Chiariglione erroneously described it.*

But words are weasels, and we should note that Chiariglione was actually talking about the testing managing committee, not the testing as such. Now he says: "It is simply impossible for anybody to have carried out the checks necessary to verify that watermarking had indeed been removed without damage to the music between the time the Testing Management Committee received information and the publication of the Salon.com article."

Our emphasis, and that's the crux of the matter. Note that there's now space in what he says to include the possibility that the watermarks were completely removed. But damage to the music is a subjective matter, so as we suggested a few days ago it's perfectly feasible (actually, now we'd say it's highly probable) for all of the watermark technologies to have been removed by the hacks without Chiariglione having to concede that SDMI was dead in the water. The question of whether or not the end product is listenable means there doesn't have to be an actual, embarrassing surrender. Instead, optimistic noises can be made, plans can be revised, and a bloody defeat can be steadfastly denied.

Salon senior technology writer Janelle Brown has however acquired considerably more ammunition. In a second installment which includes a substantial contribution from one of the original sources, the testing process is described in some detail. Says the source: "All four technologies in the public test had successful attacks submitted against them. The key is how 'success' is defined. In this case, the attacked samples have been 1) run through a watermark detector to ensure that the watermark was removed, and 2) subjected to preliminary listening tests performed by 'golden ears' listeners to ensure that each attacked sample still sounded better than a 64 kbps MP3 file."

The four technologies in question are rival watermarking technologies, and if all of these fail, SDMI has a problem. It's important here however to note that the source makes it clear that the "golden ears" have already been scampering around the stuff. So the preliminary listening tests must suggest that the hacks worked. Later listening tests might not, for reasons one might speculate on. (We at The Register, by the way, were initially baffled by this golden ears stuff, but conclude that these things must be attached to real people - doesn't the music business have machines to do this kind of stuff?)

One source who contacted The Register works for one of the four companies offering competing watermarking systems, and says that "in all likelihood SDMI was cracked." He then goes on to confirm that there are camps within SDMI who want the challenge to have succeeded: "With any luck, three systems based on digital watermarking were cracked, and the three systems weren’t ours. This doesn’t reflect negatively on SDMI phase 2 in any way; it just means that they know they have one system that is extremely difficult to crack, and three that are not so difficult. So, even if SDMI was cracked, that doesn’t bode poorly for SDMI. As in all things, the last man standing wins."

That's a little bit different from the pitch that the IT side within SDMI wants it to be cracked so they can build something that isn't specced by music business crazies, but it does support the analysis that the whole thing is a political snakepit. "My company," he says, "(probably just like the other SDMI phase 2 competitors) was actually hoping that someone would win the Hack SDMI challenge." But crossing its fingers that its own system would survive.

Probably, they've got a point here. If the reality is a bad whitewash, SDMI is still going to have to come up with a way forward. The company that did least worst is therefore likely to be a part of that way forward, with lots more development bucks available to get it right next time.

We've also been referred to a copy of the 'you have failed' email sent out to challenge entrants prior to the ending of the contest. The fact that this exists makes it clear that entries were evaluated as they came in, and the substance suggests that SDMI has been keeping the goalposts nicely vague: "Unfortunately, our analysis indicates that your challenge did not succeed. As you may recall, in order to be successful an effort had to disable the proposed copyright protection system without adversely affecting the underlying music. Your effort was not able to meet these tests."

The phrasing "without adversely affecting the underlying music" leaves latitude way beyond the "64 kbps MP3 file" benchmark Salon's informant claims is the standard.

But according to Chiariglione, there are still 450 entries that can't have received the reject letter, and that must surely be more promising. It's still possible for these too to be rejected on the basis of audio degradation, and it surely wouldn't be particularly surprising if this happened. Salon's source points to the music industry's ultimate control of the "golden ear" process (this must be one weird job), and although he/she/it doesn't say so, the implication must surely be that the ears could be induced to rule pretty much as political factors dictate.

There's one last thing that suggests that Salon has it on the button here. In the latest piece the source claims that a member of the testing committee was blamed for leaks to Salon, that this member resigned, and that RIAA counsel Matt Oppenheim subsequently apologised to that individual. Now, Oppenheim also gets to speak his piece in Salon, and covers the matter of leaking a little: "Either somebody has leaked information to you which they shouldn't, or logically they are telling you something of which they have no idea. I happen to know that there are very limited numbers of people who have the complete data, and none of those people with complete data have talked to you."

But he doesn't cover the matter of witch-hunt and apology. He's obviously right that somebody has leaked information they shouldn't, and he's probably also right that no one person could have complete data. But he's wrong if he seriously thinks complete data can't be assembled from multiple sources. This, we think, is a music business attitude that's going to be fun to watch. Granted, if you want to interview Madonna, you do precisely what the PRs say, and you don't cause trouble. But it's a different business here - we're not interviewing Madonna. ®

* Here we are noting with some regret again. Chiariglione's riposte appeared in Inside, but since we checked that story out last weekend it seems to have been moved to a "members only" enclosure. Not only that, an Inside follow up piece on the latest Salon piece (incest in the press? We got it...) seems to be members only too. But we're sure we've just got a problem with our browser, and are resisting the temptation to describe this as a cheap gag to bump up registered reader numbers.

Related stories:
Salon returns to the attack
SDMI was cracked, and is doomed: count on it
This music will self destruct in 5 plays: RIAA looks to the future
