Feeds

Uni team claims SDMI cracked, and ‘inherently vulnerable’

Hackers say they'll tell us how they did it RSN...

  • alert
  • submit to reddit

Gartner critical capabilities for enterprise endpoint backup

SDMI now looks comprehensively hacked, with the release of a report by a group of security and digital watermarking researchers claiming that they successfully beat the Hack SDMI challenge.

Amusingly, the team members are heavily Princeton University, one being none other than Edward Felten, whose previous greatest hit was ripping Internet Explorer out of Win98 for the prosecution in the Microsoft trial.

There's also a guy from PARC - one last go at stopping other people inventing technology and then selling it before they call us off? An unworthy thought...

The researchers haven't - yet - explained how they did it. That's promised for a technical paper to be released next month. But what they've published so far seems fairly convincing, and fairly damning of the future of the application of watermarking technology in the music business.

They participated in the SDMI challenge, "analysed the clips watermarked with the four technologies, and successfully modified them so that the watermarks could no longer be detected, while maintaining a level of audio quality satisfactory to SDMI."

They've no absolute proof that they managed the latter, but there's a nasty little barb that illustrates their confidence, and suggests SDMI is on a hiding to nothing: "As for our standard of audio quality, we have reason to believe that some modifications we performed were no more damaging than the watermarking methods themselves. If consumers consider those modifications too damaging to music, then they might feel the same way about the watermarks."

As we pointed out earlier today, the SDMI has people engaged in trying to detect imperfections in sound caused by watermarks, in addition to the ones involved in checking degradation associated with watermark removal. Sure, Felten & Co probably aren't golden ears, but they should surely have a fair idea.

One possible weakness in their case is that they claim that the SDMI automated systems ("oracles," apparently) told them so. "The oracle would email the submitter if the attack appeared to have rendered the mark undetectable, without significantly damaging the audio quality in the process. SDMI's oracles told us that our attacks have succeeded on all four watermarking technologies."

Previous evidence we've seen suggested that audio quality wouldn't be measured in detail until after that stage of the test. SDMI certainly appears to be relying on the expert "golden ears" to make the final call.

But it does seem clear they passed the first stage, because they know about the shadier stage two of the challenge. In stage two entrants were given additional tracks to defeat, but there was no oracle, so the results were entirely in SDMI's hands. "The SDMI requested that participants send the results of their watermark removal tools along with technical details of how the watermarks were removed. Following this, the SDMI would then offer participants the chance to sign a non-disclosure agreement in return for receiving a fraction of the prize money."

That sounds like a not entirely equitable distribution of round two. But the boffins dismiss it as pointless and invalid: "As academic researchers, we felt the second round of the challenge was unscientific and offered us no further information. Our goal is to understand, document, and study the technologies being used by SDMI. Since the second round provided no oracle access and no further unwatermarked content, there was nothing we could learn from it. In addition, we feel that the second round as designed by SDMI is not a valid test of whether a first-round success is repeatable, since it gives the participant much less information than was available in the first round."

And then it's in with the bayonet. They describe the SDMI challenge as being as much intended to hide the design of the watermarking schemes as to test whether they can be broken. Once the players are out, they can be reverse-engineered, and/or they can be used to check cracks quickly - if it won't play, you didn't crack it. Yet.

SDMI's security model "is inherently vulnerable... no matter how sophisticated their watermarking technologies become... we are confident that we can continue to develop attacks like we have if SDMI updates their technologies." Oh well - back to the old mixing desk? ®

Related Stories

How the hack SDMI challenge was run
SDMI hack: the 'golden ears' ride to the rescue
DMI was cracked, and is doomed: count on it
The researchers' hack FAQ (well worth reading)

Secure remote control for conventional and virtual desktops

More from The Register

next story
Why has the web gone to hell? Market chaos and HUMAN NATURE
Tim Berners-Lee isn't happy, but we should be
Microsoft boots 1,500 dodgy apps from the Windows Store
DEVELOPERS! DEVELOPERS! DEVELOPERS! Naughty, misleading developers!
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
'Stop dissing Google or quit': OK, I quit, says Code Club co-founder
And now a message from our sponsors: 'STFU or else'
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Uber, Lyft and cutting corners: The true face of the Sharing Economy
Casual labour and tired ideas = not really web-tastic
Linux turns 23 and Linus Torvalds celebrates as only he can
No, not with swearing, but by controlling the release cycle
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.