SDMI Says At Least Three Technologies Survived Hacker Test

An industry-backed organization attempting to devise
standards for the delivery of digital music online says that at
least three proposed copyright-protection technologies survived a
controversial $60,000 open challenge to the "hacker" community.

However, a team of researchers who would rather publish the results
of their hacks than collect prize money beg to differ.

Leonardo Chiariglione, executive director of the Secure Digital
Music Initiative (SDMI), told Newsbytes today that three of six
security technologies originally submitted for the open test in
September apparently emerged from the challenge without "successful
attacks."

Of the other three technologies, two were successfully hacked,
according to the standards set by the SDMI for evaluating some 447
submissions in the challenge. However, Chiariglione said, the team
judging the challenge found they could not reproduce one of those
successful attacks on other music files.

Chiariglione said that a sixth technology was withdrawn from the
challenge by its vendor early in the evaluation process, so the
SDMI's testing committee did not report whether or not it had been
bested by challenge participants.

The hacker challenge offered $10,000 as a prize for each technology
being tested. Chiariglione said that, when SDMI members adopt the
findings of the challenge evaluation committee at its plenary
session in Washington later this week, one or two $10,000 prizes
could be handed out - depending on whether or not members feel the
hack that could not be repeated was successful.

"This is something that is currently being hotly debated by the
SDMI plenary," Chiariglione said. "The testing management committee
has provided a report, and I decided to issue a statement because
it was something that the media was very keen to receive. On the
other hand, the ultimate decision resides with the plenary, and the
plenary hasn't made a decision yet."

He said an official decision should be in hand by Friday.

Chiariglione said the three methods that apparently survived the
challenge unhacked include digital watermarking technologies as
well as other approaches. Digital watermarks can be used to brand
copyrighted digital music content so that it can be identified.
Other methods could include encryption techniques, but Chiariglione
said the SDMI isn't announcing the exact specifications - or who
the successful vendors are - until later.

One company, San Diego, Calif.-based Verance Corp. spoke out on its
own Oct. 24, saying its watermarking technology was one of the
challenge survivors.

The strong showing of the various technologies contrasts with news
reports after the mid-October challenge deadline that quoted
unidentified SDMI sources as saying all of the technologies had
been successfully broken.

In addition, a team of researchers with links to Princeton
University and Xerox's Palo Alto Research Center (PARC) published a
detailed description of their defeat of what they said were the
four technologies based on digital watermarks.

Today, the Princeton/PARC teams posted a notice on its Web site
saying that, despite SDMI's claim today, "We stand by our previous
announcement that we were able to defeat the four watermarking
technologies."

"Our focus has always been on the scientific question of whether
the SDMI's technologies, if deployed, could be defeated by
pirates," the researchers wrote. "We demonstrated that they could
be defeated, by making small modifications to the music files so
that the watermarks were no longer detectable but the sound quality
was still acceptable.

"Instead of the scientific question, the SDMI has chosen to focus
on who is eligible for the cash prize that they have offered. Since
we chose to forgo the cash prize in order to retain our right to
publish our results, we understand that the SDMI no longer
considers us to be entrants in their contest. Their announcement
regarding their contest does not invalidate our scientific
results."

The SDMI said earlier that the final determination of whether a
security technology has been successfully cracked would be based on
a number of factors, including the quality of the recordings after
the removal of the security features - an evaluation that was made
with the help of human ears. In addition, the SDMI said the hacks
to be repeatable by crackers with a reasonable arsenal of computing
power.

The "repeatability tests" for apparently successful hacks started
on Oct. 23, according to the SDMI. However, Verance implied in its
announcement that that attacks deemed to be unsuccessful were not
subject to those additional tests.

Chiariglione said that the SDMI will also be able to learn from the
work of hackers who may not have been able to overcome the security
technologies.

"We have received many descriptions of different hacking methods,"
he said. "Even though they were not successful, all of this was
very interesting for us and, particularly, for the submitters."

The SDMI is at: http://www.sdmi.org/.

Details on the attempts of the university/PARC team can be found
here: http://www.cs.princeton.edu/sip/sdmi/.