---------- Forwarded message ---------- -------- Original Message -------- Subject: [PLUG] USENIX Security: SDMI Invited Talk + Panel Date: Wed, 15 Aug 2001 21:31:48 -0700 From: Steve Beattie <steve@wirex.net> Reply-To: plug@pdxlinux.org To: plug@pdxlinux.org [I'm at the 2001 USENIX Security Conference in Washington DC this week. The SDMI paper that was prevented from being presented at the Information Hiding conference earlier this year under threat of a lawsuit was allowed by the RIAA/SDMI to be presented here, with an additional panel session discussing the political aspects of the situation. I took notes for the wirex employees not present, and am forwarding it to the PLUG list given that certain members were interested in the Dmitry Sklyarov case, as they're both examples of the egregiousness of the DMCA] USENIX Security: SDMI Invited Talk + Panel Note: by transmitting this summary with comments, I'm possibly in violation of the DMCA by transmitting information about copy protection circumvention measures. Both the talk and forum were excellent. Supposedly USENIX webcast it live; hopefully they'll make it available somewhere on www.usenix.org. ------------------------------------------------------------------------ Technical presentation Reading between the lines: Lessons learned from the SDMI challenge Scott Craver et al SDMI Challenge overview - three weeks in sept oct 2000 - SDMI invited "hackers" to crack a number of proposed technologies - 4 watermarking - 2 authentication - cash prize offered, but under onerous (NDA) terms Just what is SDMI? - both robust and fragile watermarks Challenge terms - 3 samples provided for each technology - original sound clip a - marked sound clip a - marked sound clip b - SDMI provides "oracles" to which to submit attacked sound clip B - no description of algorithms - no access to watermark embedders - no access to watermark detectors - no details to oracle - only 3 weeks General Approach - three types - brute force - slightly "brute" attacks - reverse engineering Technologies B and C - Initial analysis reveled signals with a relatively narrowband signaling Tech a & b - A had a very slight smooth warping in time domain, +/- 0.3 ms every 3+ second - estimating and reversing warping did not defeat technology A, but the same operation defeated technology F! More A - attack: instead of removing/compressing [audio details that I'm missing] - ripples in freq imply echo hiding. Fairly complex echo hiding in this case Echo Hiding - a method of embedding data which deliberate but "inaudible"... Patent search time - Verance US patent #05940135 Echo Detection developed several techniques to estimate echo hiding - can constructively combine multiple frames - drove them to develop better methods for echo detection after the challenge Demo on BeOS of finding echoes (where they do and don't exist) They've used their research to improve data hiding and watermarking technology Technologies D & E A signature Track - TOC hashed into a playable audio track - 2532 samples 80 frequency bins = 80 bits - not a 9kbyte hash, but 80 bits - oh wait, only 16bits repeated 5 times with a constant shuffling. - at most, they gave 100 tracks with two hash collisions. - tech d did not appear to behave as documented - tech e challenge did not include any data to use to analyze Assessment - complex system with many SPOFs - appears to implement a complex usage policy - not a good way to keep "honest people honest" - basic concept is problematic - requires trusted clients in a hostile environment Conclusions - no secret CS-EE skills needed - the only dirty secret in the paper is that there are no dirty secrets - watermarking useful, just not here - overall concept is broken - security through obscurity (still) does not work! - people ignore this principal at their peril Technical questions - peter honeyman: what are the possibility of a real secure SDMI showing up? - a watermark will not work to actively enforce a usage policy - How many technologies did you actually break? - got responses from the four watermarking oracles, don't know the actual criteria of the oracles. - areas where watermarking are useful? - e.g. fragile watermarks for tamper evidence to digital photographs, robust watermarking for the duplication of currency. - john shapiro: complex means to keep "honest people honest" are more likely to fail over simple means? - agrees - what is threat model the challenge trying to echo? - ask SDMI people, not them. couldn't believe how simple the 16-bit scheme was, and had to give up assumption that sdmi people were thinking the same way the researchers were. ------------------------------------------------------------------------ Panel: Peter Jaszi, washington college of law, american university Cindy Cohn, EFF Ed Felten, Princeton Peter Jaszi ----------- Basic Architecture of the anti-circumvention portion of the DMCA Copyright: all about balance between rights of consumers and producers Important thing to understand: chapter 12 is NOT copyright law, it's a (dangerous) add-on to copyright law! Sec 1201 a1A - "Thou shalt not circumvent for access" - Potential for exceptions by rules made under sec 1201 a1b - in oct 2000, the LoC announced a rule limited to circumvention - obsolete techs - lists of web servers - don't apply to creation/traffic of circumvention tools sec 1201 a2: no trafficking in access tools sec 1201 b1: no trafficking in copying tools - SDMI challenge under this section - don't know the scope of these prohibitions Note that the language of sec 1201c, preserving (among other things) the "fair use" defense, applies to copyright, but not "paracopyright" (the DMCA). sec 1201d - library exemption -- completely bogus. sec 1201e - law enforcement exception - quite robust, of limited use to rest of the world sec 1201f - reverse engineering exception - narrower in scope of limitations than allowed under current case law (of copyright) sec 1201h - defeating minors privacy exception sec 1201i - personal data exception - can take advantage of it only if you make your own tools sec 1201g - encryption research exception - uncertain in scope sec 1201j - security testing research exception weakness two these sections: - both are decided upon after that fact, researchers can't know what's legal and not-legal a priori - must have consent of organization performing research on - must have "professional standing" http://www.ipclinc.org Cindy Cohn ---------- Jaszi told us everything about 1201 we need to know, except: - EFF is ground central for fighting DMCA - introduced EFF legal team (doing pro bono work) Opposition papers to DMCA are available on the EFF website. What you can do: make the general public aware of why the DMCA is bad - articulate clearly the problems - each person should find 5 non-technical people and explain to them the problems of the DMCA - prod organizations we belong to to support against the DMCA - join the EFF, "freedom doesn't just happen" Ed Felten --------- acknowledgement of the other authors Presentation of paper is important victory, but came at a major cost in effort. We can't afford do this for every research paper. Forward research in to these areas are NOT protected, and could be squashed. Questions --------- q - smb: ed, why did University presidents not stand up as strongly as they could. ed - princeton did help defend. universities are convservative organizations. q - peter honeyman: dmca seems to be encouraging, not discouraging, copying technologies. cindy - eff has thought about stating that if you want to put out anti-copying technologies, you give you copyright protection. peter - another possibility is to encoding rules of fair use in DMCA (see sec 1201k) q - what is different about today's presentation and the planned presentation, and the wired article fallout. ed - more or less the same presentation. The paper contains more content than what was in the original paper, due to information withheld out of fear DMCA. No legal fallout from the wired article. q - register journalist: press has a role to play. Why doesn't the mainstream press doesn't realize they have a stake in this, wrt press freedom? cindy - amount of press is growing, especially wrt Dmitry situation. The press is mostly concentrated in the hands of content holders. The press wants to appear non-partisan, and not take sides. Journalists did write a brief for the 2600 case. peter - journalist can print smoking gun memos (copyright the corporation) under fair use. But if the journalist has to go to someone to decrypt the same (encrypted) copyrighted documents, it is illegal under the DMCA. q - does the statute take into account dual-use technologies? peter - the statute does take it into account. It does not however give users of the technology some comfort that it cindy - DeCSS was described as for linux playback, with no positive affect. q - jon shapiro, johns hopkins university IT: how abroad is the application of the DMCA? ed - echo technology is useful in seismology, and the princeton seismologists are outraged that the DMCA will prevent the research that they will find useful. cindy - we don't know how broadly it will apply. peter - reads the language, and it's possibly very broad. q - interactions between this case and Dmitry's case cindy - as a strict legal matter, they're different legal jurisdictions, and so they're not binding wrt each other. q - what are lessons learned for university professors and univ. legal councils, dos and don'ts? ed - there's no easy answer to that question. My best advice: talk to people who've been in it before. Keep goals and values in mind when writing papers and doing research. hasn't happened enough times to draw lessons. peter - advice to (conservative) general council, stress how controversial this is. cindy - if university won't support you, there are others (inc. the eff) who will. q - john gilmore: what does the panel think of people who encourage the RIAA and others to break the copyright social contract? dan - they keep us in business breaking their stuff ed - as a scientist, it's important to understand the limitations of this technology. q - can a summary (such as this one) be considered distributed legally under the DMCA? cindy - a stump cindy question. it would be difficult for them to squash such a summary. peter - if you were to talk about the strengths and weaknesses of this paper. ed - the question "can I tell my advisor about this" sums up the problems, that people don't know what their legal limitations are. q - will widespread civil disobedience of this statute be a reality? cindy - I never advise people to violate the law. However, when a law doesn't fit what society believes is right, then legislators need to re-examine the law. peter - copyright system has function well for last couple of centuries, not because it is policed, but because there is a collective buy-in of its purposes and what it accomplishes. The DCMA has some a lot of assumptions that the content industries have about people and scientists. q - why doesn't industry want more research into this, to make the protection mechanisms stronger? ed - RIAA has a different mindset, that it's more important that people believe the technology is strong, not whether really is strong or not. q - nick verbitzky (sp?), working on a documentary: people believe that stealing music from Napster is okay because you're stealing from crooks (the record industry). Public opinion is in our favor. Why aren't consumers aware of what's going on? cindy - (girl scouts DO pay royalties for songs they sing around campfires to BMI) Because this is cutting edge stuff that the EFF deals with. -- Steve Beattie Don't trust programmers? <steve@wirex.net> Complete StackGuard distro at http://immunix.org/~steve/ immunix.org ------------------------------------------------------------------------------- Support PLUG and the Open Source Community http://www.linuxfund.org/lugs/?lug=plug To unsubscribe from the PLUG list visit http://www.pdxlinux.org/mailing_list/ -- -- Michael H. Collins Admiral: Penguinista Navy International http://www.linuxlink.com Migration Free Linux Email http://www.78704.com Speech enabled Chat http://24.93.54.40 This Ain't California http://geekaustin.com/ --------------------------------------------------------------------- To unsubscribe, e-mail: alg-unsubscribe@austinlug.org For additional commands, e-mail: alg-help@austinlug.org