Re: Question of the day: iTunes + Watermarking?

[Dave Aitel <dave () immunityinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anton Chuvakin wrote:
> > I followed the exact same procedure, on my PowerBook and a co-
> > worker's Mac Mini, and received identical results.  I don't know why
> > the resulting hash is different from yours.  Each computer downloaded
>
> So, what does this prove: watermarking or decompressing of the lossy
> compression? I am not entirely sure why decompressing something which
> was produced with lossy compression would decompress differently
> thought... I would assume that if Ryan repeats his steps again he
> would get the samew md5....

Well, it's one data point. I'm willing to bet that BB and Steve Tornio
followed slightly different procedures. Hopefully they'll work together
on it and figure it out: But here's another take on the whole thing.

Lots of people have emailed me privately or the list and said certain
things like: "There's no way Job's would watermark. He's too
lazy/nice/hate's DRM/etc"

But here's what I think: I think he'd sell his left nut to the devil to
maintain the iTunes monopoly. So when the studios (protecting their OWN
monopoly) asked him what he was going to do about super-distribution, I
think he had a Keynote slideshow on it.

Here's what I think it said:

1. We don't care about small time traders, or even people who just trade
one or two songs on Kazaa.
2. We can prevent someone from converting their whole library to mp3 via
two methods:
   1. Making it reasonably slow
   2. Using a watermark that will survive mp3 [F1]
3. Watermarking every song differently is not a good idea:
   1. We don't have a lot of bits we can shove in, so we need to
conserve them
   2. It's slow and our order process is slow enough
   3. It's easy to notice
4. Instead, we have a time-based scheme, where every hour our signal
changes. We shove this signal into every song downloaded that hour in a
way that survives mp3 [F1]
5. Given one song, we know within a population group of many millions
who it came from. Given 50 songs, we can identify the individual account
and turn it off or prosecute (or remotely update their iTunes with a
special trojan if we can buy enough congressman to make that legal).

This would explain why two people who go out and get the song right now
have the exact same song. But two people who are wildly different in
their download times don't.

It's how I would do it, anyways. We don't use this kind of watermarking
scheme for CANVAS, but someday we might. :>

- -dave

[F1] It's not that hard to defeat mp3 encoding with a modern day
watermark. Ogg is probably slightly tougher, but this is something Apple
would be quite good at. To do it right, you just need a better
perceptive model than the compressor has. Apple has a whole team working
on perceptive modelers for their proprietary compression. (imho)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iD8DBQFEs7JgtehAhL0gheoRAjhGAJ9yFqMjf8I2/YxHhABpo1becLXJ0ACfdav/
kU9EHiC6he3ArYne1XzW7z0=
=8Vhu
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave