Gimmicks Won't Protect Your Digital Assets from Being Copied
By Bruce Schneier
January 22, 2001
Hacking contests are a popular way for software companies to demonstrate claims of how good their security products are in practice. But companies looking to protect their digital assets shouldn't give too much credence to these challenges.
These contests typically involve a group or vendor offering money to anyone who can break through its firewall, crack its algorithm or make a fraudulent transaction using its technology. The Secure Digital Music Initiative (SDMI), an industry group that's developed encryption methods to protect the copying of digital music files, issued a hacking challenge in September, offering $10,000 to anyone who could strip various copy-protection technologies out of songs provided as examples. SDMI put forth six different technologies, and already researchers from Princeton and Rice Universities and Xerox's Palo Alto Research Center claim to have broken four of them. The SDMI disagrees, saying that only two were successfully hacked. Finger- pointing and jeering continue.
This example underscores several flaws with these challenges:
- Hacking contests are meaningless; they don't show security. Just because a technology survives a contest doesn't mean it's secure. There's no way of knowing whether anyone really tried to compromise the security of either a system or some form of content. Did anyone skilled try to break the system? Security experts generally have more important things to do than try to break a system so that maybe they can claim a prize, and hackers may likewise be unmotivated. The SDMI held a contest for six different schemes (one scheme was withdrawn early). Even if the SDMI is right that only two of its schemes were broken, do you have any reason to trust the other ones?
- Even if a large enough universe of skilled hackers gave their best effort to trying to meet the challenge, there are other issues companies must consider before assuming their content is secure. Notably, watermarking-the process of embedding identifying information in a file-doesn't always work. It's impossible to design a music watermarking method that cannot be removed. For example, someone can play the watermarked music and rerecord it. If he does it multiple times and uses DSP technology to combine the recordings, the resultant signal quality is excellent. There's almost always a shortcut to neutralize the watermark faster and more efficiently.
- Even if a company can find a method of watermarking that can't be compromised, it doesn't solve other issues. For example, if a media player plays only watermarked files, then watermarked copies of a file will play. If there are media players that don't play files with a watermark, then removing the watermark will defeat this scheme. If a watermark is designed to identify the legitimate owner of the file, that still doesn't prove who copied the file or direct the copyright owner to the party who has illegally copied the content.
- Even if watermarking can prevent the copying of electronic content by average users, it doesn't solve the problem in general. It's not enough to protect music from Joe Average; you need to protect it from Jane Hacker. If just one person is good enough to defeat the system, she can post the dewatermarked music on the Internet for everyone to download, or write a hacking tool so that anyone can dewatermark music. On computers, automation is more powerful than skill.
Digital files intrinsically undermine the scarcity model of business-to wit, replicate many copies and sell each one. Companies that find alternate ways to do business, whether they be advertising or membership funded, are likely to survive in the digital economy. The media companies figured this out quickly when radio was invented- and then television-so why are they so slow to realize it this time around? The sooner we start accepting the intrinsic copyability of digital files, the better off we'll be.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..