Feeds

Uni team claims SDMI cracked, and ‘inherently vulnerable’

Hackers say they'll tell us how they did it RSN...

  • alert
  • submit to reddit

3 Big data security analytics techniques

SDMI now looks comprehensively hacked, with the release of a report by a group of security and digital watermarking researchers claiming that they successfully beat the Hack SDMI challenge.

Amusingly, the team members are heavily Princeton University, one being none other than Edward Felten, whose previous greatest hit was ripping Internet Explorer out of Win98 for the prosecution in the Microsoft trial.

There's also a guy from PARC - one last go at stopping other people inventing technology and then selling it before they call us off? An unworthy thought...

The researchers haven't - yet - explained how they did it. That's promised for a technical paper to be released next month. But what they've published so far seems fairly convincing, and fairly damning of the future of the application of watermarking technology in the music business.

They participated in the SDMI challenge, "analysed the clips watermarked with the four technologies, and successfully modified them so that the watermarks could no longer be detected, while maintaining a level of audio quality satisfactory to SDMI."

They've no absolute proof that they managed the latter, but there's a nasty little barb that illustrates their confidence, and suggests SDMI is on a hiding to nothing: "As for our standard of audio quality, we have reason to believe that some modifications we performed were no more damaging than the watermarking methods themselves. If consumers consider those modifications too damaging to music, then they might feel the same way about the watermarks."

As we pointed out earlier today, the SDMI has people engaged in trying to detect imperfections in sound caused by watermarks, in addition to the ones involved in checking degradation associated with watermark removal. Sure, Felten & Co probably aren't golden ears, but they should surely have a fair idea.

One possible weakness in their case is that they claim that the SDMI automated systems ("oracles," apparently) told them so. "The oracle would email the submitter if the attack appeared to have rendered the mark undetectable, without significantly damaging the audio quality in the process. SDMI's oracles told us that our attacks have succeeded on all four watermarking technologies."

Previous evidence we've seen suggested that audio quality wouldn't be measured in detail until after that stage of the test. SDMI certainly appears to be relying on the expert "golden ears" to make the final call.

But it does seem clear they passed the first stage, because they know about the shadier stage two of the challenge. In stage two entrants were given additional tracks to defeat, but there was no oracle, so the results were entirely in SDMI's hands. "The SDMI requested that participants send the results of their watermark removal tools along with technical details of how the watermarks were removed. Following this, the SDMI would then offer participants the chance to sign a non-disclosure agreement in return for receiving a fraction of the prize money."

That sounds like a not entirely equitable distribution of round two. But the boffins dismiss it as pointless and invalid: "As academic researchers, we felt the second round of the challenge was unscientific and offered us no further information. Our goal is to understand, document, and study the technologies being used by SDMI. Since the second round provided no oracle access and no further unwatermarked content, there was nothing we could learn from it. In addition, we feel that the second round as designed by SDMI is not a valid test of whether a first-round success is repeatable, since it gives the participant much less information than was available in the first round."

And then it's in with the bayonet. They describe the SDMI challenge as being as much intended to hide the design of the watermarking schemes as to test whether they can be broken. Once the players are out, they can be reverse-engineered, and/or they can be used to check cracks quickly - if it won't play, you didn't crack it. Yet.

SDMI's security model "is inherently vulnerable... no matter how sophisticated their watermarking technologies become... we are confident that we can continue to develop attacks like we have if SDMI updates their technologies." Oh well - back to the old mixing desk? ®

Related Stories

How the hack SDMI challenge was run
SDMI hack: the 'golden ears' ride to the rescue
DMI was cracked, and is doomed: count on it
The researchers' hack FAQ (well worth reading)

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Inside the Hekaton: SQL Server 2014's database engine deconstructed
Nadella's database sqares the circle of cheap memory vs speed
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.