Hacking for Corporate Profit

SDMI Pays Hackers $5000

This article originally appeared on WinPlanet.com

The SDMI, the Secure Digital Music Initiative, a grouping primarily of companies in the IT and music fields, offered a challenge to hackers back in September: find a flaw in the SDMI's copy protection scheme, and you would win money. Now the winners have been announced.

The SDMI is essentially one of the music industry's potential answers to the illegal copying of music and the proliferation of bootleg songs in MP3 format, whether through sharing between friends, or--more seriously in the industry's eyes--through a company such as Napster or Scour. The music industry has been fighting hard in the courts, managing to shut down the Scour Exchange and, in the case of one company, reaching a partial compromise with Napster. What's been missing from the music industry's battle so far has been an attempt to deal with the technology at hand.

It's not too surprising, though. The difficulty with competing on a technical basis is that it's a losing battle. It's much easier to find a flaw in a system than to build a flawless system, for one thing. For another, the new technologies are not very well suited to the type of control that the music industry has enjoyed in the past. With records and tapes, the medium of transmission was in the hands of the music makers. When CDs originally came along, the same was true. The difficulty is not so much that CDs can now be copied--the same was true with tapes. The difficulty is that the lines of transmission are no longer in the hands of the music industry. Now that music can be stored on writable CD-ROMs and hard drives, and transmitted through the Internet, it shares new media with countless other forms of data and other applications.

It is extraordinarily difficult to stop the flow of any one type of information--whether illicit music copies, pornography or spam--without interrupting the flow of all other information. Filtering programs for email spam, and for blocking access to web content deemed inappropriate, have encountered this difficulty. When you try to filter out spam, you end up losing more mail than you bargained for; web blocking software simply cannot block all the questionable sites, and always ends up blocking useful information in the process.

The music industry is aware of the difficulty of fighting the technology. This is one reason the RIAA has used legal means to fight online music trading. Similarly, though, it is obvious that whoever discovers a means to deliver music only to those who pay for it, and to impede the copying of that music, will make a lot of money.

Making Money with Online Music

Any scheme that makes it possible to commercialize Net music, to sell music online and yet prevent copying, will probably require cryptography. Methods have been devised involving encrypting the music and then decrypting for the users, as with DVD. Unfortunately, as with DVD, these schemes are inevitably breakable. The problem is that as long as the data representing the music is available at some point, the system is defeatable. After all, at worst it's a matter of recording the output.

However, SDMI seemed to believe it had a chance to make it happen. Its challenge in September, daring programmers and researchers to break its code, was met with mixed reviews. For one thing, the reason for the challenge was to look for potential flaws and improve the system before deployment. Many of the hackers who might have had the skills to break the code were hesitant to aid a system that would be used to reduce the free exchange of music. Some programmers stated that the best time to crack the SDMI code would be after deployment. Furthermore, researchers from institutions such as Princeton pointed out that the challenge did not offer as much information as would typically be available if the system were already in use, thus artificially increasing the difficulty of the challenge and reducing the reliability of the analysis.

However, despite these difficulties, SDMI announced winners to its contest. It's difficult to determine whether or not this is what SDMI wanted. Is the contest merely meant as a publicity stunt? Was the SDMI hoping that the contest would be won, in order to demonstrate good will, or was the organization hoping for its system to go unbeaten? In fact, it's difficult to tell whether the code was cracked by the winners at all, simply because SDMI has kept the winners' names anonymous. In the meantime, though, researchers from Xerox and both Princeton and Rice universities have also claimed to have broken the SDMI code.

The interesting aspect to this game is that the contest really means very little in the security game. Security expert Bruce Schneier suggests that five to ten years of rigorous, open analysis by experts are required before a cryptographic system can be considered difficult to break.

There is the possibility, however, that the system is not meant to be unbreakable. Could it be a built-in form of obsolescence, ensuring that the system will have to be changed regularly? Whatever the case, the best the old media industries can hope for is a way to make the sharing of music and video more difficult. Sooner or later, the industry is probably going to have to change the way it does business.