Cracked or not? The SDMI saga continues.

Did hackers successfully break watermarks designed to protect digital music?


On Oct. 3, Salon published a story outlining serious divisions within the Secure Digital Music Initiative (SDMI) as to whether the “watermarking” system that SDMI was testing as a way to protect digitally distributed music would actually work. Then, on Oct. 12, Salon reported that hackers who had been invited by SDMI to test the security system had successfully broken all the watermarks.

Salon based its reporting on three sources who spoke only on the condition that they not be identified. It also quoted an SDMI spokesperson denying that the watermarks had been successfully “cracked.” But on Oct. 13, SDMI director Leonardo Chiariglione declared in an story that Salon’s story was “completely wrong, unfounded, anonymous slander.”

We returned to one of our original sources, seeking a response to Chiariglione’s rebuttal. Our source replied, giving us even greater detail about what is happening behind SDMI’s closed doors. We have decided to publish our insider’s response, verbatim, along with additional responses from both Chiariglione and Matt Oppenheim, senior V.P. of business and legal affairs for the Recording Industry Association of America (RIAA).

Our source:

Your story (which I just re-read carefully to make sure) is 100 percent accurate. All four technologies in the public test had successful attacks submitted against them. The key is how “success” is defined. In this case, the attacked samples have been 1) run through a watermark detector to ensure that the watermark was removed, and 2) subjected to preliminary listening tests performed by “golden ears” listeners to ensure that each attacked sample still sounded better than a 64 kbps MP3 file.

Two sets of “golden ears” listeners are being used. If there’s a case in which there’s disagreement between the two “golden ears” listeners on whether the attacked sample meets criteria two above, a third set of golden ears will listen to the sample and break the tie.

There’s one further step in the verification phase of the public testing process, which is a requirement that the attack be “reproducible,” meaning that additional samples will be given to the successful testers so they can work their hacking magic all over again.

There are some developments that, in the current atmosphere of mistrust, could make some participants feel that the recording industry is trying to take complete control of the selection process. For instance, the tie-breaking “golden ears” listener, rather than being a neutral third party, will likely be an employee of Universal Music Group, a company with more than a passing interest in seeing a watermark, any watermark, be chosen. This would mean that two of the three golden ears testers would be RIAA members.

Also, in the wake of last week’s published accounts, RIAA members so intimidated and berated a member of the testing committee, who they blamed for the release of information, that the member resigned from the committee. The RIAA then insisted that all testing committee members, current and past, sign a strict nondisclosure agreement. Many IT [information technology] and CE [consumer electronics] companies have very strict policies as to the type of NDA their employees can sign. It’s possible that due to this fact there will not be representation from IT or CE companies on the testing committee, even though those companies have the most expertise in this area. Hopefully, though, the fact that RIAA counsel Matt Oppenheim publicly apologized to the former testing committee member [Tuesday], coupled with some rework of the NDA, might lead to a positive resolution.

You Might Also Like

Finally, the recording industry expressed interest in not holding what was expected to be the next type of testing — known as restricted attack — and moving instead to what was originally supposed to be the third type — known as analytic attack. Given their druthers, I think the RIAA would not choose to return later to restricted attack testing, but I expect that other SDMI members will insist on it. More testing means more accurate data on the suitability of the technologies being evaluated.

Leonardo’s comments are exactly what I expected — holding to the party line that nothing’s wrong, because indeed they have not yet made public the preliminary data (which does exist and which you accurately reported). I would expect this face-saving to continue at least through the next SDMI meeting in November, but not much further. Even if the testing process moves forward in such a way that one or two technologies survive the first round without a “confirmed” break, later rounds of more detailed testing could find that even the first-round survivors fall below the specific standards SDMI has set for its purposes.

Leonardo Chiariglione responds:

Sometimes it is hard to let facts get in the way of a good story. As executive director of SDMI, let me give you some of the facts:

1) It is simply impossible for anybody to have carried out the checks necessary to verify that watermarking had indeed been removed without damage to the music between the time the Testing Management Committee received information and the publication of the article.

2) As I am sure you have noticed, your anonymous source carefully shifted the use of tense from past tense in the first paragraph, to the present and then future tenses in the second paragraph. This shift in tense confirms exactly what SDMI has been saying: At this point in time we are still evaluating collected information. No one can confirm the results your anonymous source originally reported, because tests are still underway. Like your source, we simply do not know yet what those results will be.

3) The speculation that your anonymous source is making about what is going to happen next is mere idle gossip. Serious people in SDMI, starting with the executive director, are focusing efforts on the tasks at hand, not on idle speculation.

Leonardo Chiariglione
executive director, SDMI

Matt Oppenheim:

I’m speaking on behalf of the RIAA.

In your last article you wrote about how the record companies are running scared, emergency meetings, those kinds of things. It’s so far from the truth — it’s not factually accurate, it’s a perception, but it’s not a fair perception. Record companies have been very strong proponents from the get-go of this public challenge. We want to know whether the technologies under consideration are viable. For us to be trying to hide the results would be counter to that desire.

The issue of success is really an interesting one. In your original article, the source told you that all the technologies have been successfully hacked. Now they say it’s all based on how you define success. It’s clear to me that the reason that SDMI agreed on a process that includes listening and repeatability tests is that the entire process has to be gone through before you [declare success]. SDMI has defined what success is — and success means that something has to go through all three stages of our testing. Because if something just goes through the [the first part of the testing, which checks if the watermarks have been removed] it could just be that the hacker has erased all the music too, or slowed it down to half its normal speed. And so you go through the listening test, too.

As for the issue of two out of the three listeners being record industry people, that’s not something that we’re defensive about; just as we’re having the IT people provide analysis of the robustness of technology because that’s what they do; record companies deal with audibility, so that’s what we do. We have required that the listening is blind; it’s not like record companies have control of it.

A confidentiality agreement for members of the testing committee is a necessary requirement in order to maintain a process that is fair for the proponents. There was a conference call today discussing it and hopefully everybody will be fine with it. It’s important that as we go through this process that you create a process that fairly considers the needs of the proponents. These companies have submitted their technology to testing, the testing has a set-out regimen and process — to release data that is incomplete and that you’ve agreed that you won’t release would be inappropriate and could potentially be harmful to a proponent.

There is no data that has been released to SDMI that confirms that [all six watermarks were cracked]. The process that was agreed upon, and process is very important for legal reasons, was that we would do these tests with three different steps, and until we completed those tests we would keep them confidential. Either somebody has leaked information to you which they shouldn’t, or logically they are telling you something of which they have no idea. I happen to know that there are very limited numbers of people who have the complete data, and none of those people with complete data have talked to you.

Note: This story has been corrected since its original publication.

Janelle Brown is a contributing writer for Salon.

More Related Stories

Featured Slide Shows

  • Share on Twitter
  • Share on Facebook
  • 1 of 11
  • Close
  • Fullscreen
  • Thumbnails
    Martyna Blaszczyk/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 1

    Pond de l'Archeveche - hundreds thousands of padlocks locked to a bridge by random couples, as a symbol of their eternal love. After another iconic Pont des Arts bridge was cleared of the padlocks in 2010 (as a safety measure), people started to place their love symbols on this one. Today both of the bridges are full of love locks again.

    Anders Andersson/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 2

    A bird's view of tulip fields near Voorhout in the Netherlands, photographed with a drone in April 2015.

    Aashit Desai/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 3

    Angalamman Festival is celebrated every year in a small town called Kaveripattinam in Tamil Nadu. Devotees, numbering in tens of thousands, converge in this town the day after Maha Shivratri to worship the deity Angalamman, meaning 'The Guardian God'. During the festival some of the worshippers paint their faces that personifies Goddess Kali. Other indulge in the ritual of piercing iron rods throughout their cheeks.

    Allan Gichigi/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 4

    Kit Mikai is a natural rock formation about 40m high found in Western Kenya. She goes up the rocks regularly to meditate. Kit Mikai, Kenya

    Chris Ludlow/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 5

    On a weekend trip to buffalo from Toronto we made a pit stop at Niagara Falls on the Canadian side. I took this shot with my nexus 5 smartphone. I was randomly shooting the falls themselves from different viewpoints when I happened to get a pretty lucky and interesting shot of this lone seagull on patrol over the falls. I didn't even realize I had captured it in the shot until I went back through the photos a few days later

    Jassen T./National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 6

    Incredibly beautiful and extremely remote. Koehn Lake, Mojave Desert, California. Aerial Image.

    Howard Singleton/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 7

    Lucky timing! The oxpecker was originally sitting on hippo's head. I could see the hippo was going into a huge yawn (threat display?) and the oxpecker had to vacate it's perch. When I snapped the pic, the oxpecker appeared on the verge of being inhaled and was perfectly positioned between the massive gaping jaws of the hippo. The oxpecker also appears to be screeching in terror and back-pedaling to avoid being a snack!

    Abrar Mohsin/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 8

    The Yetis of Nepal - The Aghoris as they are called are marked by colorful body paint and clothes

    Madeline Crowley/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 9

    Taken from a zodiac raft on a painfully cold, rainy day

    Ian Bird/National Geographic Traveler Photo Contest

    National Geographic Traveler Photo Contest Entries

    Slide 10

    This wave is situated right near the CBD of Sydney. Some describe it as the most dangerous wave in Australia, due to it breaking on barnacle covered rocks only a few feet deep and only ten metres from the cliff face. If you fall off you could find yourself in a life and death situation. This photo was taken 300 feet directly above the wave from a helicopter, just as the surfer is pulling into the lip of the barrel.

  • Recent Slide Shows



Comment Preview

Your name will appear as username ( settings | log out )

You may use these HTML tags and attributes: <a href=""> <b> <em> <strong> <i> <blockquote>