Vulnerability Development mailing list archives

Re: hacksdmi?


From: Blue Boar <BlueBoar () THIEVCO COM>
Date: Fri, 13 Oct 2000 23:45:11 -0700

OK, here's another tangent to the issue:

Why do they (RIAA?) want a watermark in the first place?  What can you
do with it?

Here are the possibilities I see:

1. Watermark must be present to play in an SDMI player.
2. Watermark can be used to trace origin of music.
3. Watermark is designed to intentionally degrade sound quality.
4. Reliable identifier of a particular piece of music.
5. Lack of watermark denotes something.

What am I missing?

I tend to dismiss #3.  Were there no MP3 already prevalent, they might
accomplish something there.

#1 is, as I understand it, what the SDMI folks claim is the reason
they want a watermark.  What does this buy them?  Supposedly, they
want to make SDMI players.  I assume they'd only play SDMI-tagged music,
else what is the point?  Where does the SDMI watermark go in?  If I'm
not mistaken, .wav files are essentially raw data pulled right from
the CD (for files that originate on a CD obviously).  We have examples
from the SDMI people that .wav files can contain a watermark just fine.
So, it would appear that one of their stated goals, verifying ownership
of the original CD is met.  But if the watermark can survive compression,
etc., then why can't I just trade watermarked MP3s on Napster?  They'd
go right into my SDMI walkman just fine, no?  And won't one of us just
write a ripper that makes files with the watermark, even for sources
without it, like a week after the SDMI players are out?  How long do
they expect the watermark reading algorithm to stay secret, after they
start distributing mass-market players?  Universal secret==bad.

#2 is interesting.  Suppose the SDMI folks are laboring under the
delusion that we're not going to be able to modify watermarks.
Suppose also that they have an agenda to track music "pirates".
Wouldn't they embed something in the watermark to tie the origin
to a particular individual?  2 scenarios: They let you download
music on-line, from a web site that you have given your credit
card number to.  Why not watermark the file on the way down to
you, with your GUID that says that this is "your" music file,
so that if it shows up on Gnutella, they know who let slip.
(BTW, the proper answer to give when your registered warez show
up in the public is "those damn hackers must have stolen it
off my hard drive".  FUD works both ways.)  The other scenario
is that your SDMI-approved ripper creates a random GUID for you
at install time, and embeds that in all the music you rip.  We've
seen plenty of spyware do this type of thing.  Heck, even Word
does it to you.  Mass-market CDs can't have anything personalized
embedded in them, they have to be mass-pressed.  Nothing to stop them
from doing region-encoding a la DVDs, though... either to make you
buy multiple copies, or to track piracy geographically.

#4 could actually be beneficial, in addition to draconian.  It would
be rather nice to take a random MP3 file, and be able to look up
what it is, based on the watermark.  This is open to a tremendous
amount of abuse, though.  Obviously, it helps the pirate-trackers
more automatically catalogue your evil deeds.  Now, Metallica can
tell it's their song, even if it's named "Don't tread on me - by
FUCK LARS!"

I'm not sure exactly what I'm getting at with #5 yet... something
along the lines of it being a crime to carry unlicensed MP3s? :)


...Or maybe I'm just being paranoid, and not giving the RIAA the
proper amount of trust.

So what does this have to do with breaking the watermark?  Everything.
At least, for the production one... if it ever gets that far.

Unless I've missed some scenario... then there isn't any way
for watermarks to work.  They are ALL client-side security.
(This doesn't count the legislation angle, of course, as
numerous folks have pointed out.  That's not a technical
issue.)  Minus one possibility.

If they limit you to only being able to get SDMI music from a
web site, they have one chance:

All SDMI players contain the RIAA public-key.  The SDMI
music store not only ties the song to you... but it takes a hash
of the song as well, and signs the whole mess with the
RIAA private key, and drops it in as a watermark.  Then,
I can't strip the watermark... it won't play on my SDMI-man.
I can't drop in a replacement watermark, I don't have the private
key.

I either hack the player itself to rip out the checking routine,
or I just stick with MP3s and my own player.  Cat's out of the
bag there.

                                        BB
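The signed-watermark scheme sketched in the message above (store ties the song to the buyer, hashes it, signs the pair with its private key; the player holds only the public key and refuses anything that does not verify), as an added example that is not part of the original post. It assumes the watermark travels as a separate record next to the audio rather than being hidden inside it, uses Ed25519 in place of whatever RIAA key type the author had in mind, and all names (IssueWatermark, PlayerAccepts, user-42) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Watermark is the record the store would embed with a purchased track:
// the buyer's id, a hash of the audio, and the store's signature over both.
// How it is hidden inside the audio is out of scope; here it is carried
// as a plain struct (assumption, not from the original post).
type Watermark struct {
	UserID    string
	SongHash  [32]byte
	Signature []byte
}

// signedBytes is the exact byte string the store signs and the player checks.
// The length prefix keeps id and hash from being re-split (ids assumed < 256 bytes).
func signedBytes(userID string, songHash [32]byte) []byte {
	msg := append([]byte{byte(len(userID))}, userID...)
	return append(msg, songHash[:]...)
}

// IssueWatermark is the store side: tie the song to the buyer and sign the pair.
func IssueWatermark(storeKey ed25519.PrivateKey, userID string, audio []byte) Watermark {
	h := sha256.Sum256(audio)
	return Watermark{UserID: userID, SongHash: h, Signature: ed25519.Sign(storeKey, signedBytes(userID, h))}
}

// PlayerAccepts is the player side: a stripped, altered, relabeled or
// forged watermark all fail here, because only the store's key can sign.
func PlayerAccepts(storePub ed25519.PublicKey, audio []byte, wm *Watermark) error {
	if wm == nil {
		return errors.New("no watermark: refuse to play")
	}
	if sha256.Sum256(audio) != wm.SongHash {
		return errors.New("audio does not match the signed hash")
	}
	if !ed25519.Verify(storePub, signedBytes(wm.UserID, wm.SongHash), wm.Signature) {
		return errors.New("signature not from the store's key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	audio := []byte("constructed sample audio bytes") // constructed, not real audio
	wm := IssueWatermark(priv, "user-42", audio)
	fmt.Println("genuine:", PlayerAccepts(pub, audio, &wm))
	fmt.Println("stripped:", PlayerAccepts(pub, audio, nil))
}
```

The check lives entirely in the player, which is the author's point: whoever controls the player binary can remove PlayerAccepts, so the scheme only binds honest players.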

