A hacking challenge, sponsored by the music recording industry, is drawing fire from academic researchers who feel the ballyhooed contest was as much a public relations stunt as a serious test of online music security.
“This was not the most effective way to find out whether the technologies would stand up to pirates,” said Edward Felten, a professor of computer science at Princeton University and a participant in the contest. “There was at least some public relations aspect to the test.”
Matt Oppenheim, a member of the contest committee, countered that the challenge was a legitimate security test. He said of Felten, “What he wants to do is criticize the system from the outside, then publish to the rest of the world how to defeat the system.”
Concerns over the terms of the contest sparked Internet-age-old debates: What constitutes a reasonable public test of a security technology? Can its sponsors expect their volunteer participants to keep silent about what they learn?
Last falls contest was sponsored by the Secure Digital Music Initiative, the recording industry-led effort to secure online music distribution. The official results found that only one of the six technologies SDMI is considering was hacked. But several groups, including Feltens, who didnt follow the official rules, said they successfully defeated four of the six schemes and were unable to hack the others because they had too little information.
Many commercial enterprises sponsor public challenges with cash prizes to test the security of their products. The idea is to encourage a large number of responsible hackers to find weaknesses in the product and inform the company of the results.
Critics claimed, however, that the SDMI challenge was far from the industry norm. SDMI provided far less information than a pirate would have, they said, and required them to sign a nondisclosure agreement (NDA) to be eligible for the $10,000 prize. Felten chose not to sign so he could publish the results of his work.
“Industry standards involve making far more information available and no researcher is going to sign an NDA,” said David Wagner, a professor of computer science at the University of California, Berkeley, who looked at the contest rules but chose not to participate. “The scientific goal here is to better understand how to build secure protection schemes. . . . I work at a public university and get public funding, so I make the results of my research publicly available.”
Oppenheim said the companies providing the technologies were not willing to make many details public without a signed nondisclosure agreement. He said he has invited Felten to consult for SDMI and get “the keys to the kingdom,” if he will only agree not to disclose them.
Felten gained exposure during the Microsoft antitrust trial last year, when he demonstrated a program that stripped the Internet Explorer browser from the Windows operating system.
Part of the three-week music challenge was to defeat four watermarks, signals woven into the music that can identify a track as copyrighted. The contest committee also provided an “oracle,” a program running on a Web site that could determine whether a watermark was present in any given track.
Felten, working with colleagues at Rice University and Xerox PARC, said limited information hindered their efforts, and the oracle had a six- to eight-hour turnaround time. In the real world, he noted, there would be software that could instantly recognize the presence of the watermarks.
Felten fears he could be fined or imprisoned, under the rules of the Digital Millennium Copyright Act, for publishing the results of his work and he is consulting with lawyers before releasing his results.
Meanwhile, a group from France, which also claimed to have defeated the watermarks, published its results on a French Web site at www.julienstern.org/sdmi/.
Oppenheim, who is also senior vice president of business and legal affairs at the Recording Industry Association of America, said the DMCA probably does prohibit Felten from publishing his results.