[alg] [Fwd: [PLUG] USENIX Security: SDMI Invited Talk + Panel] (fwd)
Jim Choate
ravage at ssz.com
Thu Aug 16 16:21:02 PDT 2001
---------- Forwarded message ----------
-------- Original Message --------
Subject: [PLUG] USENIX Security: SDMI Invited Talk + Panel
Date: Wed, 15 Aug 2001 21:31:48 -0700
From: Steve Beattie <steve at wirex.net>
Reply-To: plug at pdxlinux.org
To: plug at pdxlinux.org
[I'm at the 2001 USENIX Security Conference in Washington DC this week.
The SDMI paper that was prevented from being presented at the Information
Hiding conference earlier this year under threat of a lawsuit was allowed
by the RIAA/SDMI to be presented here, with an additional panel session
discussing the political aspects of the situation. I took notes for
the wirex employees not present, and am forwarding it to the PLUG list
given that certain members were interested in the Dmitry Sklyarov case,
as they're both examples of the egregiousness of the DMCA]
USENIX Security: SDMI Invited Talk + Panel
Note: by transmitting this summary with comments, I'm possibly in
violation of the DMCA by transmitting information about copy protection
circumvention measures. Both the talk and forum were excellent.
Supposedly USENIX webcast it live; hopefully they'll make it available
somewhere on www.usenix.org.
------------------------------------------------------------------------
Technical presentation
Reading between the lines: Lessons learned from the SDMI challenge
Scott Craver et al
SDMI Challenge overview
- three weeks in sept oct 2000
- SDMI invited "hackers" to crack a number of proposed technologies
- 4 watermarking
- 2 authentication
- cash prize offered, but under onerous (NDA) terms
Just what is SDMI?
- both robust and fragile watermarks
Challenge terms
- 3 samples provided for each technology
- original sound clip a
- marked sound clip a
- marked sound clip b
- SDMI provides "oracles" to which to submit attacked sound clip B
- no description of algorithms
- no access to watermark embedders
- no access to watermark detectors
- no details to oracle
- only 3 weeks
General Approach
- three types
- brute force
- slightly "brute" attacks
- reverse engineering
Technologies B and C
- Initial analysis reveled signals with a relatively narrowband
signaling
Tech a & b
- A had a very slight smooth warping in time domain, +/- 0.3 ms every 3+
second
- estimating and reversing warping did not defeat technology A, but the
same operation defeated technology F!
More A
- attack: instead of removing/compressing
[audio details that I'm missing]
- ripples in freq imply echo hiding. Fairly complex echo hiding in this
case
Echo Hiding
- a method of embedding data which deliberate but "inaudible"...
Patent search time
- Verance US patent #05940135
Echo Detection
developed several techniques to estimate echo hiding
- can constructively combine multiple frames
- drove them to develop better methods for echo detection after the
challenge
Demo on BeOS of finding echoes (where they do and don't exist)
They've used their research to improve data hiding and watermarking
technology
Technologies D & E
A signature Track
- TOC hashed into a playable audio track
- 2532 samples
80 frequency bins = 80 bits
- not a 9kbyte hash, but 80 bits
- oh wait, only 16bits repeated 5 times with a constant shuffling.
- at most, they gave 100 tracks with two hash collisions.
- tech d did not appear to behave as documented
- tech e challenge did not include any data to use to analyze
Assessment
- complex system with many SPOFs
- appears to implement a complex usage policy
- not a good way to keep "honest people honest"
- basic concept is problematic
- requires trusted clients in a hostile environment
Conclusions
- no secret CS-EE skills needed
- the only dirty secret in the paper is that there are no dirty
secrets
- watermarking useful, just not here
- overall concept is broken
- security through obscurity (still) does not work!
- people ignore this principal at their peril
Technical questions
- peter honeyman: what are the possibility of a real secure SDMI showing up?
- a watermark will not work to actively enforce a usage policy
- How many technologies did you actually break?
- got responses from the four watermarking oracles, don't know the
actual criteria of the oracles.
- areas where watermarking are useful?
- e.g. fragile watermarks for tamper evidence to digital photographs,
robust watermarking for the duplication of currency.
- john shapiro: complex means to keep "honest people honest" are more
likely to fail over simple means?
- agrees
- what is threat model the challenge trying to echo?
- ask SDMI people, not them. couldn't believe how simple the 16-bit
scheme was, and had to give up assumption that sdmi people were
thinking the same way the researchers were.
------------------------------------------------------------------------
Panel:
Peter Jaszi, washington college of law, american university
Cindy Cohn, EFF
Ed Felten, Princeton
Peter Jaszi
-----------
Basic Architecture of the anti-circumvention portion of the DMCA
Copyright: all about balance between rights of consumers and producers
Important thing to understand: chapter 12 is NOT copyright law, it's a
(dangerous) add-on to copyright law!
Sec 1201 a1A
- "Thou shalt not circumvent for access"
- Potential for exceptions by rules made under sec 1201 a1b
- in oct 2000, the LoC announced a rule limited to circumvention
- obsolete techs
- lists of web servers
- don't apply to creation/traffic of circumvention tools
sec 1201 a2: no trafficking in access tools
sec 1201 b1: no trafficking in copying tools
- SDMI challenge under this section
- don't know the scope of these prohibitions
Note that the language of sec 1201c, preserving (among other things) the
"fair use" defense, applies to copyright, but not "paracopyright" (the
DMCA).
sec 1201d - library exemption -- completely bogus.
sec 1201e - law enforcement exception - quite robust, of limited use to
rest of the world
sec 1201f - reverse engineering exception - narrower in scope of
limitations than allowed under current case law (of copyright)
sec 1201h - defeating minors privacy exception
sec 1201i - personal data exception - can take advantage of it only if
you make your own tools
sec 1201g - encryption research exception - uncertain in scope
sec 1201j - security testing research exception
weakness two these sections:
- both are decided upon after that fact, researchers can't know what's
legal and not-legal a priori
- must have consent of organization performing research on
- must have "professional standing"
http://www.ipclinc.org
Cindy Cohn
----------
Jaszi told us everything about 1201 we need to know, except:
- EFF is ground central for fighting DMCA
- introduced EFF legal team (doing pro bono work)
Opposition papers to DMCA are available on the EFF website.
What you can do: make the general public aware of why the DMCA is bad
- articulate clearly the problems
- each person should find 5 non-technical people and explain to them
the problems of the DMCA
- prod organizations we belong to to support against the DMCA
- join the EFF, "freedom doesn't just happen"
Ed Felten
---------
acknowledgement of the other authors
Presentation of paper is important victory, but came at a major cost in
effort. We can't afford do this for every research paper. Forward
research in to these areas are NOT protected, and could be squashed.
Questions
---------
q - smb: ed, why did University presidents not stand up as strongly as
they could.
ed - princeton did help defend. universities are convservative
organizations.
q - peter honeyman: dmca seems to be encouraging, not discouraging,
copying technologies.
cindy - eff has thought about stating that if you want to put out
anti-copying technologies, you give you copyright protection.
peter - another possibility is to encoding rules of fair use in DMCA
(see sec 1201k)
q - what is different about today's presentation and the planned
presentation, and the wired article fallout.
ed - more or less the same presentation. The paper contains more content
than what was in the original paper, due to information withheld out
of fear DMCA. No legal fallout from the wired article.
q - register journalist: press has a role to play. Why doesn't the
mainstream press doesn't realize they have a stake in this, wrt
press freedom?
cindy - amount of press is growing, especially wrt Dmitry situation. The
press is mostly concentrated in the hands of content holders. The
press wants to appear non-partisan, and not take sides. Journalists
did write a brief for the 2600 case.
peter - journalist can print smoking gun memos (copyright the
corporation) under fair use. But if the journalist has to go to
someone to decrypt the same (encrypted) copyrighted documents, it is
illegal under the DMCA.
q - does the statute take into account dual-use technologies?
peter - the statute does take it into account. It does not however give
users of the technology some comfort that it
cindy - DeCSS was described as for linux playback, with no positive
affect.
q - jon shapiro, johns hopkins university IT: how abroad is the
application of the DMCA?
ed - echo technology is useful in seismology, and the princeton
seismologists are outraged that the DMCA will prevent the research that
they will find useful.
cindy - we don't know how broadly it will apply.
peter - reads the language, and it's possibly very broad.
q - interactions between this case and Dmitry's case
cindy - as a strict legal matter, they're different legal jurisdictions,
and so they're not binding wrt each other.
q - what are lessons learned for university professors and univ. legal
councils, dos and don'ts?
ed - there's no easy answer to that question. My best advice: talk to
people who've been in it before. Keep goals and values in mind when
writing papers and doing research. hasn't happened enough times to
draw lessons.
peter - advice to (conservative) general council, stress how
controversial this is.
cindy - if university won't support you, there are others (inc. the eff)
who will.
q - john gilmore: what does the panel think of people who encourage the
RIAA and others to break the copyright social contract?
dan - they keep us in business breaking their stuff
ed - as a scientist, it's important to understand the limitations of
this technology.
q - can a summary (such as this one) be considered distributed legally
under the DMCA?
cindy - a stump cindy question. it would be difficult for them to squash
such a summary.
peter - if you were to talk about the strengths and weaknesses of this
paper.
ed - the question "can I tell my advisor about this" sums up the
problems, that people don't know what their legal limitations are.
q - will widespread civil disobedience of this statute be a reality?
cindy - I never advise people to violate the law. However, when a law
doesn't fit what society believes is right, then legislators need to
re-examine the law.
peter - copyright system has function well for last couple of centuries,
not because it is policed, but because there is a collective buy-in
of its purposes and what it accomplishes. The DCMA has some a lot of
assumptions that the content industries have about people and
scientists.
q - why doesn't industry want more research into this, to make the
protection mechanisms stronger?
ed - RIAA has a different mindset, that it's more important that people
believe the technology is strong, not whether really is strong or
not.
q - nick verbitzky (sp?), working on a documentary: people believe that
stealing music from Napster is okay because you're stealing from
crooks (the record industry). Public opinion is in our favor. Why
aren't consumers aware of what's going on?
cindy - (girl scouts DO pay royalties for songs they sing around campfires
to BMI) Because this is cutting edge stuff that the EFF deals with.
--
Steve Beattie Don't trust programmers?
<steve at wirex.net> Complete StackGuard distro at
http://immunix.org/~steve/ immunix.org
-------------------------------------------------------------------------------
Support PLUG and the Open Source Community
http://www.linuxfund.org/lugs/?lug=plug
To unsubscribe from the PLUG list visit
http://www.pdxlinux.org/mailing_list/
--
--
Michael H. Collins Admiral: Penguinista Navy International
http://www.linuxlink.com Migration
Free Linux Email http://www.78704.com
Speech enabled Chat http://24.93.54.40
This Ain't California http://geekaustin.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: alg-unsubscribe at austinlug.org
For additional commands, e-mail: alg-help at austinlug.org
More information about the cypherpunks-legacy
mailing list