SDMI more headless than ever

Initiative head Chiariglione resigns after hackers reveal internal details about SDMI technology

Richard Chiariglione, executive director of the Secure Digital Music Initiative (SDMI), announced his resignation yesterday. Shortly before, two French hackers had started to document their successful attacks on SDMI technologies on the web.

Chiariglione used this year’s first meeting of the initiative in Los Angeles to officially announce his resignation. He said that he would step down from his post in the next few months and then return to his real job at Telecom Italia’s research department. The SDMI consortium has not yet been able to provide any information about possible successors.

The timing of the departure is unfortunate for the SDMI project, which is in the midst of its most serious crisis since its inception in December 1998. At that time, on the initiative of the music industry, about 180 record and technology companies joined forces to create a standard for secure music distribution. An ambitious goal was announced: to be on the market with SDMI end devices before Christmas 1999. But the coarseness of the group and the difficulty of the undertaking led to delays, so that Christmas 2000 was targeted instead.

The only result: a specification for updating

Nothing came of it either. So far, the initiative has had only one modest success. In June 1999, the consortium published specifications for the so-called "Phase one compatible portable audio players". Since the actual security technology had not yet been developed at that time, the phase-one specification does not include much more than the possibility of later updating the devices to phase-two players.

Then autumn came, and another Christmas without SDMI devices was approaching. Unrest spread among members of the initiative, and results were demanded. In this situation, the SDMI consortium came up with a momentous idea: they wanted to put the technologies developed so far to a public test, and called on the hackers of the world to try their hand at them. Whoever could crack one of the technologies presented would receive 10,000 dollars.

Poorly documented hacks were not evaluated

Shortly after the end of the competition, rumors spread that all of the technologies had fallen victim to the hackers. What followed was like a second-rate soap opera: the SDMI consortium denied it on the spot. Some SDMI members, however, told the online magazine that the denial was just a diversionary maneuver and that the hackers had actually won on all fronts. The SDMI consortium issued further denials. Then some crypto experts from Princeton University declared that they had succeeded against all of the watermarks. Detailed documentation of the attacks would follow soon on their website, they said.

In January, Princeton professor Edward Felten had to back down on this point: The watermarking company Verance had opposed the publications, citing the Digital Millennium Copyright Act. Without documentation, the hack was not acknowledged by the SDMI consortium, which was relieved to learn that only two technologies fell victim to hackers. The two lucky guys received 5000 dollars each. All other 445 attempts were unsuccessful – or just poorly documented.

The prize is awarded, the hacking continues

Two French hackers have documented their SDMI attack in excellent detail. On their website, launched earlier this week, Julien Stern and Julien Boeuf publish details of one of the technologies presented: possible attack methods are discussed, as well as the assumed functionality of the watermark in question. The competition is long over. But the two say they plan to devote similar meticulousness to the other watermarks, time permitting. Otherwise, their publication will surely help the hacker community to mount further successful attacks on the other SDMI technologies.

Whether the disclosures contributed to Chiariglione’s resignation is uncertain. Shortly before, the consortium had suffered two further bitter setbacks: Freiburg-based chip manufacturer Micronas had declared its intention to withdraw from the initiative. SDMI had confused consumers too much, said the company, which claims to have launched four million MP3 chipsets last year, in justification. In addition, at the Computer Entertainment Show in Las Vegas, Sony presented for the first time CD players that, in addition to normal audio CDs, can also play self-burned CD-ROMs with MP3s. Until then, Sony had been considered an out-and-out enemy of MP3s because of its own record label. It wasn’t just critics, therefore, who saw Sony’s about-face as a clear signal to the SDMI consortium. Apparently Richard Chiariglione understood this signal.