Vulnerability Development mailing list archives
Re: hacksdmi?
From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Fri, 13 Oct 2000 23:45:11 -0700
OK, here's another tangent to the issue: Why do they (RIAA?) want a watermark in the first place? What can you do with it? Here are the possibilities I see:

1. Watermark must be present to play in an SDMI player.
2. Watermark can be used to trace origin of music
3. Watermark is designed to intentionally degrade sound quality
4. Reliable identifier of a particular piece of music
5. Lack of watermark denotes something

What am I missing?

I tend to dismiss #3. Were there no MP3 already prevalent, they might accomplish something there.

#1 is, as I understand it, what the SDMI folks claim is the reason they want a watermark. What does this buy them? Supposedly, they want to make SDMI players. I assume they'd only play SDMI-tagged music, else what is the point? Where does the SDMI watermark go in? If I'm not mistaken, .wav files are essentially raw data pulled right from the CD (for files that originate on a CD obviously). We have examples from the SDMI people that .wav files can contain a watermark just fine. So, it would appear that one of their stated goals, verifying ownership of the original CD, is met. But if the watermark can survive compression, etc.. then why can't I just trade watermarked MP3s on Napster? They'd go right into my SDMI walkman just fine, no? And won't one of us just write a ripper that makes files with the watermark, even for sources without it, like a week after the SDMI players are out? How long do they expect the watermark reading algorithm to stay secret, after they start distributing mass-market players? Universal secret==bad.

#2 is interesting. Suppose the SDMI folks are laboring under the delusion that we're not going to be able to modify watermarks. Suppose also that they have an agenda to track music "pirates". Wouldn't they embed something in the watermark to tie the origin to a particular individual? 2 scenarios: They let you download music on-line, from a web site that you have given your credit card number to. Why not watermark the file on the way down to you, with your GUID that says that this is "your" music file, so that if it shows up on Gnutella, they know who let slip. (BTW, the proper answer to give when your registered warez show up in the public is "those damn hackers must have stolen it off my hard drive". FUD works both ways.) The other scenario is that your SDMI-approved ripper creates a random GUID for you at install time, and embeds that in all the music you RIP. We've seen plenty of spyware do this type of thing. Heck, even Word does it to you. Mass-market CDs can't have anything personalized embedded in them, they have to be mass-pressed. Nothing to stop them from doing region-encoding ala DVDs, though... either to make you buy multiple copies, or to track piracy geographically.

#4 could actually be beneficial, in addition to draconian. It would be rather nice to take a random MP3 file, and be able to look up what it is, based on the watermark. This is open to a tremendous amount of abuse, though. Obviously, it helps the pirate-trackers more automatically catalogue your evil deeds. Now, Metallica can tell it's their song, even if it's named "Don't tread on me - by FUCK LARS!"

I'm not sure exactly what I'm getting at with #5 yet... something along the lines of it being a crime to carry unlicensed MP3s? :)

..Or maybe I'm just being paranoid, and not giving the RIAA the proper amount of trust.

So what does this have to do with breaking the watermark? Everything. At least, for the production one... if it ever gets that far. Unless I've missed some scenario... then there isn't any way for watermarks to work. They are ALL client-side security. (This doesn't count the legislation angle, of course, as numerous folks have pointed out. That's not a technical issue.)

Minus one possibility. If they limit you to only being able to get SDMI music from a web site, they have one chance: All SDMI players contain the RIAA public-key. The SDMI music store not only ties the song to you.. but it takes a hash of the song as well, and signs the whole mess with the RIAA private key, and drops it in as a watermark. Then, I can't strip the watermark.. it won't play on my SDMI-man. I can't drop in a replacement watermark, I don't have the private key. I either hack the player itself to rip out the checking routine, or I just stick with MP3s and my own player. Cat's out of the bag there.

BB
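The signed-watermark scheme sketched at the end of the message above, modelled as an added example that is not part of the original post or of any SDMI specification. Assumptions: Ed25519 stands in for the unspecified signature algorithm, the mark travels beside the audio bytes instead of being embedded in them, and the names `Mark`, `Issue`, `Play` and `Demo` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Mark is a constructed stand-in for the signed watermark: the buyer ID plus
// the store's signature over (buyer ID, SHA-256 of the audio).
type Mark struct {
	Buyer string
	Sig   []byte
}

// signedBytes binds the buyer ID to the hash of the audio.
func signedBytes(buyer string, audio []byte) []byte {
	h := sha256.Sum256(audio)
	return append([]byte(buyer+"\x00"), h[:]...)
}

// Issue is the store side: only the private-key holder can create a Mark.
func Issue(priv ed25519.PrivateKey, buyer string, audio []byte) *Mark {
	return &Mark{Buyer: buyer, Sig: ed25519.Sign(priv, signedBytes(buyer, audio))}
}

// Play is the player side: it holds only the public key and refuses a
// missing mark or any signature that does not match buyer and audio.
func Play(pub ed25519.PublicKey, audio []byte, m *Mark) bool {
	return m != nil && ed25519.Verify(pub, signedBytes(m.Buyer, audio), m.Sig)
}

// Demo checks five cases in order: intact file, stripped mark, buyer ID
// swapped, mark signed with a key that is not the store's, audio altered.
func Demo() [5]bool {
	pub, priv, _ := ed25519.GenerateKey(nil) // store key pair (constructed)
	_, other, _ := ed25519.GenerateKey(nil)  // some unrelated key pair
	audio := []byte("constructed sample audio bytes")
	m := Issue(priv, "buyer-1234", audio)
	return [5]bool{
		Play(pub, audio, m),
		Play(pub, audio, nil),
		Play(pub, audio, &Mark{Buyer: "someone-else", Sig: m.Sig}),
		Play(pub, audio, Issue(other, "buyer-1234", audio)),
		Play(pub, append([]byte("x"), audio...), m),
	}
}

func main() { fmt.Println(Demo()) }
```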