MPAA Developing Digital Fingerprinting Technology

Danathar writes "The MPAA is looking to use digital fingerprinting technologies that in conjunction with legislation will enable and force ISPs to look for network traffic that matches the signatures. " From the article: " Once completed, Philips' technology--along with related tools from other companies--could be a powerful weapon in Hollywood's increasingly aggressive attempts to choke off the flood of films being traded online."

Encryption

[Odo]

And ISPs are going to search for fingerprints in encrypted downloads how exactly?

It would be relatively easy for the next generation of P2P applications to add very basic encryption. Possibly based on a captcha (just a regular zip file encrypted against the random letters contained in a gif).

Or will the MPAA's next trick be to purchase legislation banning encryption.

Re:Encryption

[J'raxis]

Probably a lot easier to just use SSL [openssl.org]. Most existing protocols (like HTTP, POP3, IMAP) add an encryption layer this way.

There are already some P2P programs that support encryption, such as Freenet [sourceforge.net] and MUTE [sourceforge.net].

Re:Encryption

[Anonymous Coward]

> Probably a lot easier to just use SSL.

Yes, but SSL still leaves you open to the MPAA running a robot to download stuff, check for fingerprints in what it has downloaded, and recording the IP addresses of where it obtained the material. A captcha means they'd have to pay someone in Bangladesh $15/day to type in codes.

Re:Encryption

[QuantumG]

Uhh.. I thought it was obvious that the way these systems would work is to actually fetch from the user whatever files they are offering and then process them. The only solution I can think of for this is to put one of those public turing test systems into the P2P client which forces the downloader to prove they are human before you allow them to download your files. Of course, I'm sure the MPAA's system could get around that by passing the test off to someone else who wants to download files, which would

Re:Encryption

[Breakfast Pants]

The ISPs will be legally required to do man in the middle attacks. When you start up an SSL connection they will accept it as if they were the destination and then make a request to the destination for a connection. They will then pipe all info between the two connections through their fingerprinting program, and then pipe the approved data to you and to them. None of this will ever happen.

Re:Encryption

[Yartrebo]

This wouldn't work with public key encryption.

Have the 2 peers send over their public keys and then any data to be sent is encrypted with the corresponding public key.

The ISP in the middle cannot decode either stream without breaking into the recipient's computer and copying the key.

Re:Encryption

[CodeBuster]

This wouldn't work with public key encryption.

sure it would, that is the whole point behind the man-in-the-middle attack. It was discovered as a weakness in key exchange protocols such as diffie-hellman which rely upon exchange of public keys between previously unknown parties who do not use a trusted third party to manage public keys. The premise of the man-in-the-middle attack is that an intermediary intercepts the public keys (which must be transmitted in the clear) during the exchange protocol before they reach the intended recipients and substitutes his own public key instead. Then when the symmetric key is computed by the recipients during the key exchange (using the man-in-the-middle's public key) all three of them, both recipients and the man-in-the-middle, will have the secret symmetric key and the entire session will be compromised. Moreover, the recipients will have no idea that the man-in-the-middle exists because they had not previously exchanged public keys. The solution to this problem in practice has been to have a trusted third party repository for public keys, such as Thawte, which signs public key requests with its own private key to verify the origin of each public key. However, this requires central registration and management of keys, something which is unlikely to be palatable to P2P users for obvious reasons and thus the man-in-the-middle problem will persist when computing session keys for encryption on P2P networks. Man in the Middle is somewhat difficult to implement in practice, but not impossible (ISPs would make the perfect men-in-the-middle), so this is not merely a theoretical possibility.

Re:Encryption

[ArbitraryConstant]

A protocol doesn't have to be invulnerable, it just has to be strong enough that stopping it would cripple the economy.

As an example of a circumvention technique, consider if BitTorrent were to be extended to allow trackers to use encrypted connections to the clients, and to mediate keys between the various clients. Torrent files could be extended to contain the public key of the tracker. Then, regular SSL connections to the torrent websites would work.

I can think of a few other things off the top of my head... The client-to-client connections could be made to look like SSH connections. Can't stop those without crippling the economy and people actually pay attention to the keys there so you can't proxy it either. Or, you could start putting keys in the DNS records like Yahoo! domainkeys. UDP messages would be a pretty big PITA to classify and firewall.

The people behind most of the p2p protocols are way smarter than me and I could do any of those.

Re:Encryption

[mark-t]

The problem with man-in-the-middle attacks is you have to be there to intercept the connection when it begins (no problem for ISP's), but until the connection is well underway, you have no way to know if any particular connection will contain material you may have wanted to snoop on.

It's simply infeasable for an ISP to track absolutely _EVERY_ outgoing connection on its network and decrypt its contents for perusal by the MPAA, so this isn't gonna happen. At best all the ISP would be able to do is a random cross-sampling of its entire set connections, and try to infer actual usage from that (although they wouldn't be able to actually prosecute anyone without the direct evidence).

Re:Encryption

[TGK]

It doesn't matter if it's trivial. It's a catch 22 thanks to the RIAA.

If P2P Apps implement encryption then breaking that encryption becomes a violation of the DMCA. Hell, even trying to break that encryption becomes a violation of the DMCA.

They can legaly require breaks, but only if they get the DMCA overturned or provide a special exception to anyone who runs an ISP.

Of course, in a world where any insecure Linksys router can be an ISP, that won't get them very far.

They won't get this through, and ev

Re:Encryption

[Yartrebo]

There are ways around it.

Here's one idea I have.
1: Peer 1 sends public key to peer 2.
2: Peer 2 concatenates his public key with the one supposedly received from peer 1 and hashes the result. This is returned to peer 1 along with peer 2's public key.
3: Peer 1 computes the hash using his public key and the public key sent from peer 2.
4: If the hash doesn't match the hash that was sent back, then the keys are compromised.

Peer 1 now signals that his key is valid. Peer 2 discards his key and both generate a ne

Re:Encryption

[42forty-two42]

Trivially broken:

1. Alice sends her public key K(a) to Bob.
2. Mallory intercepts K(a) and passes his own key, K(m) to Bob
3. Bob sends H(K(a), K(b)), k(b) to Alice
4. Mallory intercepts H(K(a), K(b)), k(b) and replaces it with H(K(a), K(m)), K(m)
5. Alice computes H(K(a), K(m)) and sees that it matches.

The problem is that neither Alice nor Bob know each other's keys, so they cannot differentiate between Mallory and each other. This is not circumventable. No matter what, Mallory can negotiate two seperate connections with each of Alice and Bob, and simply relay, unless one of the two knows the other's key.

Re:Encryption

[Federico2]

GPG users faces the same problem. But there is solution actually used:

1. Alice don't send her public key K(a) to Bob.
1b. Bob retrieves Alice's public key from a some repository around the world.
1c. That key is authenticated by a network-of-trust involving Alice's friends and other users, so Bob is protected against man-in-the-middle

Re:Encryption

[theLOUDroom]

"This wouldn't work with public key encryption."

sure it would, that is the whole point behind the man-in-the-middle attack.

Actually, no it wouldn't work. Not for a well-designed system anyways. As long as the initial download of the app occurs via an SSL connection, you can send as many public keys with the app as you choose.

However, this requires central registration and management of keys, something which is unlikely to be palatable to P2P users for obvious reasons and thus the man-in-the-mid

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Encryption

[mickwd]

Maybe the MPAA's next trick is to publicise some scheme they're thinking of using, letting it get published to Slashdot, reading what Slashdotters have to say, and using this to help decide on its viability, before investing any serious amount of money in it.

Free technical review.

Doesn't anybody else here think that occasionally someone from the "usual suspects" (Microsoft, RIAA, MPAA, etc) might read what some of their "opponents" are saying about them ? Especially when people here openly post how they will get round what the organisations concerned are trying to achieve (rightly or wrongly).

Re:Encryption

[Rosco P. Coltrane]

Maybe the MPAA's next trick is to publicise some scheme they're thinking of using, letting it get published to Slashdot, reading what Slashdotters have to say,[...] Free technical review.

So let's see: will the MPAA/RIAA implement a first-posted, GNAA-encrypted soviet russian copyright protection scheme after reading the feedback from here?

Free technical review on /.... Gee, you must be kidding surely.

Re:Encryption

[ConceptJunkie]

Yes, and of course it never would have occurred to terrorists to poison the water supply or infiltrate nuclear power plants or destroy the Holland tunnel if they hadn't heard someone discussing those possibilities on Fox News either.

Wow! Idle ramblings of a bunch of mostly adolescents. Better not let anyone hear this incredible font of devious ideas.

Oh, the horrors!

Hardly

[ewe2]

If they do read slashdot for a free technical review, they can hardly ignore the same points raised over and over again:

1. Technically infeasable and economically ruinous for ISPS to scan all network traffic (unless you want to pay them for their trouble, MPAA? you could indemify us all for the resultant Internet slowdown perhaps?). You've been told so many times, you can't be that stupid.

2. Copy-protection can always be broken. It's like King Canute live action when I go to see a movie and be insulted by MPAA movie-theft ads.

3. If you drive the people to encryption, a lot more than your precious assets will go byebye, it will bring down the gravy train for everyone else, and won't they thank you for it.

Using Occam's Razor I ask which is more likely: that they either don't read slashdot or do so in such a way as only read it for the pictures.

Who needs encryption anyway?

[Spy der Mann]

Expect "digital fingerprint remover" software to appear in the digital 'black market' as soon as this thingy is implemented.

Then expect conversations like this to appear in bash:

[Joe]The MPAA is knocking at my house! :(
[1337-0]Hahahahahah you forgot to remove the fingerprint?
[PhantomZero]ROFL! Pwned!
[Joe]It's NOT funny! I have to go, bbs :(
[1337-0]bbs, or bbl... way l?
[PhantomZero]LMAO!

Re:And the best part about encryption

[chrome]

Don't think so. The DMCA is there to protect media rights holders, not the common man.

You can't, say, have a encrypted hard disk, then sue the MPAA for decrypting it when they arrest you for movie trading, based on the DMCA.

You might have a case with regards to privacy ... oh, wait, all privacy laws have been stripped away from US citizens since 9/11, so I guess that won't work either.

Face it America: You're screwed.

DMCA and encryption.

[Grendel Drago]

Yes, they can.

The DMCA makes a whole lot of statements about copyright circumvention. But not much of anything about encryption. This is why CSS, with its laughably weak encryption, can be used, and anyone who pokes at the gaping goatse vulnerability-hole is then liable for horrible, horrible damages.

If you're not using encryption to protect your copyright---and if you're not selling all those "vacation" JPEGs and school papers, it's damn hard to show copyright damages---the DMCA is mute on this issue.

It is designed to protect copyright holders, not to protect anyone who uses encryption.

--grendel drago

Re:Why Bother Encrypting?

[SunFan]

Another possibility would be to just randomly alter the last bits of each sample (for formats that this works with).

Re:Why Bother Encrypting?

[suckmysav]

"All you need to do is a slight file format transforamtion (just uuencode and then zip) will mask the watermarks."

You are quite correct that this will defeat the watermarking.

There would be significant side affect though. You could say goodbye to downloading a single file from multiple sources because if we were to use your proposed solution then every copy of "The Matrix" on the P2P network would be unique, therefore you would not have the advantage of pulling in all the "parts" from disparate sources.

will the good old MPAA make

[oliverthered]

Anne_Caliguiri@mpaa.org Add to Address Book

Dear Oliver,

Thanks for your e-mail.

While Peer-to-Peer (P2P) networks allow for a great deal of opportunity
for distribution of entertainment, P2P networks unfortunately enable
massive amounts of pirate activity.

When people upload or download others' copyrighted works, that is, in
fact, illegal. There is nothing illegal about P2P technologies, if
you're sharing work that you have the rights to share. But, most
commercial works you find available on P2P networks (e.g., albums you
find in stores, movies you find in theatres or stores) were not posted
there legally.

It is only this illegal activity that the MPAA is fighting against. We
will continue to embrace technology and the opportunities it offers
responsible citizens using it legally.

Thanks again for writing, and please let me know if you have additional
questions.

Anne

Forget it

[Karamchand]

Trying to make bits uncopyable is like trying to make water not wet. -- Bruce Schneier

Re:Forget it

[evilmousse]

aaaactually, mr wizard taught me that it's just the water's skin that's really wet--that is, it's self-adhesive properties...

pour a shitload of babypowder on a cup of water, and stick your finger down to the bottom. it'll be baby-fresh instead of wet.

Re:Forget it

[Anonymous Coward]

Analyzing humor is like dissecting a frog: Nobody really enjoys it and the frog generally dies as a result. -- E. B. White

Re:Forget it

[evilmousse]

i'll remember that next time i'm reading barefoot gen.

Re:Forget it

[tfoss]

Only on slashdot would you find someone arguing against 'water is wet.'

-Ted

Hmm.

[Grendel Drago]

Either that's really fucking awesome, or you just figured out a way to make ten thousand Slashdotters all get baby powder on themselves.

I suppose I'll go acquire some baby powder and find out.

Either way, kudos to you.

--grendel drago

Re:Forget it

[Dachannien]

pour a shitload of babypowder on a cup of water

Hey, now, it's a lot of work grinding those babies up into powder. I'm sure as hell not gonna waste it trying to figure out something lame like whether water is wet or not.

Computer = COPY

[BoldAC]

As long as you can get it onto a computer, people are going to figure out how to make it copy it.

Just take the new napster mess where everybody is loading up on free music right now:

Napster/Winamp hack to get unprotected free music [tech-recipes.com]

Re:Computer = COPY

[cnettel]

It's quite a different thing to copy a bit and to remove waterprinting data with an acceptable loss in quality. On the other hand, I would be truely impressed if they succeeded in creating a technology which made reading the print trivial even with a transcoded and compressed copy down to a level where the compression would make the copy "uninteresting". It could be relatively easy to make a perfect rip 100 % identifiable and force all copies to lose some quality in covering up the waterprint. And, no, even

Re:Computer = COPY

[Prof.Phreak]

Watermarking is overrated. To remove -any- watermark (defeat -any- watermarking scheme), you just have to re-watermark the media. That's it. In pretty much all cases, that will make the original watermark unretrievable (at least not in any statistical sense).

There is a very strict balance between signal power and watermark power---if you increase watermark power (make it harder to remove), you're degrading the media. There is a balance that exists between the two---and to destroy the balance, you just have to re-watermark the image the 2nd time (yes, losing some quality), and all of a sudden, the original watermark is gone.

Pretty much all papers that claim to embed their watermarks several times have either tweaked media or tweaked watermarks that specifically embed the data into different things---but if you re-apply any spread spectrum watermark to the media, all of the separate tweaked parts are gone.

The trick is `quality loss'... but then again, most of the time it's not -that- bad.

Crypto

[alehmann]

And then P2P programs will start encrypting traffic. What's the point?

Re:Crypto

[J'raxis]

What prevents someone from running a p2p app across port 443? It's not like ports are hardcoded into protocols; they're simply defaults or "recommended." Maintaining a list of "known" HTTPS servers is rather unwieldy, sort of like going back to the days when we all used /etc/hosts for name->IP lookups, no? Also what about SSH, VPN, and so on? There're a lot more standard encrypted services people use than HTTPS.

It'd also be quite difficult to tell what is encrypted and what isn't -- encrypted data, like

Better than upstream measures

[dostalgic]

While I'm certainly no a fan of the **AA, and I don't believe we need any more legislation, this to me is the least offensive method of combatting piracy. Assuming the technology works properly, this stops the actual illegal activity (i.e., trading copyrighted material) rather than needlessly infringing upon your right to make a legitimate backup or degrading the image with copy-protection schemes.

I've long argued that such upstream measures are unfair. By moving the enforcement downstream to the proximate

Re:Better than upstream measures

[mboverload]

They are scanning MY traffic! What do you not get about this. ISP are being forced by the cartels to do their bidding.

This is a step away from the goverment scanning traffic to pick out "evil terrorists trying to kill innocent American babies".

Re:Better than upstream measures

[mboverload]

Yes, I know. I use gaim-encrytion whenever I know one of their taps/other measures would be alerted.

Hardware firewall, software firewall, seperate network from the internet to share files between computers, whack hard drives with a sledge hammers before I throw them out, etc. I didn't know the EFF had card, I will ahve to look into that.

Re:Better than upstream measures

[mboverload]

Oh yeah, I use PGP disks with 256 bit AES for all my important files. Also thinking of hooking up my hard drives to a shotgun or something, for emergencies =)

Oh course theres no real reason they would want me but it's a good feeling to know your data and life is secure =)

Re:Better than upstream measures

[mboverload]

Hey, is that link in your sig for real? It's not like a white sumpremisit movement or something? I wouldn't do it, but sounds like a cool idea, an oasis of freedom. =P

Re:Better than upstream measures

[schon]

this to me is the least offensive method of combatting piracy

Yes, until you get your new bill from your ISP, which includes an extra $50.00 per month so that they can afford to comply with the law.

See, I'm pretty sure that the MPAA won't be paying the ISP to implement this technology, to purchase the additional equipment to use it, and to maintain it.

Re:Better than upstream measures

[zakezuke]

While I'm certainly no a fan of the **AA, and I don't believe we need any more legislation, this to me is the least offensive method of combatting piracy

It's the most offensive method if you are like me and store your .mp3s at home and access them via remote.

Re:Better than upstream measures

[ScrewMaster]

This is nothing more than an automated private-sector wiretap. Bad thing. I don't want the FBI monitoring private communications without proper authorization and judicial oversight, and I sure as hell don't want the likes of the RIAA, MPAA or any other AA looking at my personal communications and deciding whether or not to sue me for whatever they think they've found. The RIAA is not a law enforcement arm of the government, neither is my ISP ... and I don't want either of them to become such.

It's generally considered wrong when private individuals or organizations take the law into their own hands (see: vigilante justice.) It's even more dangerous when the organization in question is as heavily-bankrolled and as morally bankrupt as our two favorite "entertainment industry trade groups". No thanks. They can keep their grubby little lawyer fingers out of my data stream.

Re:Better than upstream measures

[ScrewMaster]

Frankly, I don't want to have to deal with any kind of "dispute process" or take the risk that a failure of that process might land me in court. File-sharing of music and movies isn't my problem: it's not some significant social issue that we all need to be concerned about. Racism ... sure. Health care ... certainly. Undue corporate influence in Congress ... absolutely. But ... Music? Movies? Why are we even considering subverting our national communications system to serve the needs of a few large corporations? Most of whom, I might add, are foreign interests.

This is really starting to get out of hand. I mean, the entertainment industry is not some great cultural treasure that must be preserved at all costs (the people that run it think so, but they are mistaken.) This is an economic matter, no more and no less. I didn't shed a tear when Westinghouse went belly up, I didn't lose any sleep when K-Mart filed for bankruptcy ... some organisms survive change, and other's don't. Let the RIAA and the MPAA and all their member corporations deal with the pace of progress like every other adaptable company that survived the advent of the Internet. Gee ... the public Internet makes "rampant piracy" possible? You're losing billions? THAT'S JUST TOO GOD DAMN BAD. The world changed around you, and in any event does not exist solely for your enrichment. Deal with it.

It's funny...

[DoraLives]

that some of the scariest 1984ish stuff would be coming out of the fricking entertainment industry fer chrissakes.

Re:It's funny...

[mboverload]

Well, the big corporations ARE the government now. Senators all just puppets fighting other puppets. The US leadership is full of people who were previously in the major industry private sector, with alliances to their old contacts. Many will be rehired by their coporations once they do their damage.

This is not a Republican/Democrat thing, this is a GOVERNMENT thing.

Re:It's funny...

[TFGeditor]

" that some of the scariest 1984ish stuff would be coming out of the fricking entertainment industry fer chrissakes."

Wasn't there a movie based on that? Convicted criminals fighting for their lives and the whole thing televised? TV execs in charge of the world kind of thing?

Re:It's funny...

[SunFan]

Perhaps this will lead to a division in society between the people who know the MPAA can't take our money and those who don't. These companies exist only because of us, the customers. I have no problem at all telling them to %$#@ off, because I know entertainment is cheap and very easy to come by. Take my kid to a movie vs. take my kid to a park vs. take my kid to a ball game, whatever. Movies really are not that big of a deal. Sure I might miss great movies like Dr. Strangelove, but, ultimately, movies are just a medium for these stories and certainly not a requirement. Indy productions, stage adaptations, etc. are all different ways for the talented people out there to tell their stories. Big company execs can kiss my ass for all I care.

Come on!

[neonstz]

Even if they managed to get the fingerprinting to work, it is dead easy to circumvent.

Instead of splitting a torrent they way it is done today, just put every N bytes in the first block etc.

Another approach can be to just encrypt each transmission from a peer to another peer with a key unique for that particular connection. XOR will work just fine. (Unless they extract the key of course, but that will require more sophisticated sniffing software).

Imagine the sheer amount of data that has to be processed...

Re:Come on!

[Bri3D]

I don't think ISPs are even going to be able to pull off this simple fingerprinting, especially not with bittorrent. Why? Bittorrent is 30% of internet traffic. Either the ISPs are going to have supercomputers, or they're going to have to use simple fingerprinting. Fingerprinting with collisions. If someone can find a collision between a movie and a fairly small file the MPAA will get so many positives this will be useless.

Actually...

[Kjella]

Testing that against a known file is trivially simple. Simply take two blocks, and subtract them. You'll have (A+XOR)-(B+XOR) = A-B. If you're going to, use proper encryption. With OpenSSL it is fairly easy anyway.

Kjella

Made by Philips?

[mr.henry]

It is sort of amusing that this technology is being developed by Philips, makers of the Philips DVP-642 [techtastic.ca], probably the most pirate friendly DVD player on the market today.

Re:Made by Philips?

[fyoder]

It is sort of amusing that this technology is being developed by Philips, makers of the Philips DVP-642, probably the most pirate friendly DVD player on the market today.

Makes sense. Make money selling tech to both sides.

Re:Made by Philips?

[chris_eineke]

probably the most pirate friendly DVD player

Yeah, it's used to play DVD-Arrrrrrrr's. :-)

Quick! Let's trash the MPAA!

[casuist99]

I mean, we all know the MPAA trash-talking is coming. I do seriously hope, however, that the MPAA is working on two fronts with respect to movies and the Internet.

Stopping illegal downloads and uploads of movies is certainly a fine goal, as the MPAA wants to make money. I understand that from a pragmatic, capitalist perspective.

The problem I have is that I have heard little from the MPAA about developing a content distribution mechanism through the Internet. Allowing people to pay for movies online (fo

Great

[Anonymous Coward]

"legislation will enable and force ISPs to look for network traffic that matches the signatures."

Its a good thing the MPAA can essentially create legislation at will now.

5 years from now..

[evilmousse]

..govt. and coportate interests will lament the day they drove the average user to encryption.

Re:5 years from now..

[thpr]

...the *AA will be attempting to tax every bit - regardless of content - in the argument that each one could be a transmission of media that is depriving thier coffers of some money.

Oh. Sure. I believe you.

[Anonymous Coward]

So they start sniffing networks for bits with the "acoustic properties" of music.

And just by coincidence-- maybe a glitch or something-- they happen to latch on to a VoIP phone conversation I'm having with a friend about a sensitive personal matter. Maybe the dryer's running in the background. And their algorithm decides it's "acoustically" music.

And they send out a subpeona, and they check, and they find oh no, you weren't trading music, you were just using the phone. And everything's dropped, and there'

in other news

[tod_miller]

anti-gay-signature.sf.net was not shut down by the MPAA despite the continued erosion of peopels rights in the US.

The open source software removes the tracking that it says violates peoples rights to copy thier own music around with them using thier own networks.

in a pres release anti-gay-signature.sf.net said:

"Hahaha Pwned! How do you like that MPAA?"

I am glad I am not hooked up to an ipod life support machine 24/7.

Resolution

[zakezuke]

To the tune of Phish - Reba

Zip it
Encrypt it
digital signatures work no more

Screw em

[Whammy666]

Personally, I don't trade mp3's. But considering the extremist and blatantly arrogant posture that the **AA has adopted leaves me feeling no pity for any losses (real or imagined) that they may have suffered. With this in mind, I refuse to purchase any music or videos anymore... not that anything that gets released is worth a shit (let alone $20) anyway.

If they want to assume an anti-consumer posture, then they can just all go out of business. Screw em.

Don't They Know?

[TheKidWho]

That information has a desire to be free?

SneakerNet the Ultimate

[LionKimbro]

We have 1TB disks coming up soon.

I don't know how many terrabytes of released music exist in the world, but I imagine it's a finite number.

We'll probably have 100TB disks, and then 10,000 TB cubes at some point in the future.

Perhaps all the worlds music will fit in the space of a cubic centimeter.

You visit your friend's house, put your cube-disk next to his cube-disk, hit "copy", and then walk home with your copy of the entire world's music.

Really, there's not a whole friggin' lot you can do about that.

Perhaps the possesion of world-music cube-disks will be the next marijuana possesion.

Re:SneakerNet the Ultimate

[Bri3D]

Except that as time goes on our population is sadly getting bigger exponentially. Meaning there are more people who may have the music gene/music skillz/good relatives/whatever. Meaning there will be more music. Admittedly music is growing slower then disk, but just as a point...

Re:SneakerNet the Ultimate

[mboverload]

All the talent was used up in the 70's.

Or you can go to the library with your laptop...

[John Seminal]

All the music I can think of and many DVD's are at my library. You don't even need a library card, because you don't have to check anything out. You just toss the DVD or CD in the laptop and copy it over. Put the DVD or CD back in the collection when done, and you have your copy that you can listen to whenever you want.

I think what the MPAA and RIAA wants to do with p2p is not to shut it down (because that will be an impossible goal), but to make it so hard to copy stuff that 99% of the people will not wa

Two ridiculous science fiction stories in one day?

[bigtallmofo]

First I read this story [slashdot.org] today, and I swear I still want my 5 minutes back from wasting my time reading it. Then comes along this story about the MPAA developing "fingerprinting" technology. I suppose that when someone rips a DVD using DVDShrink or DVDDecryptor or any number of other programs that said program is going to copy said fingerprint wholly intact into the resulting file even if it compresses said file. Then, after I convert it to DivX format, I'm sure the fingerprint is still going to be intact. Then after I transfer it with (Insert any of BitTorrent, WinMX, IRC, FTP, etc, etc, etc, etc) the fingerprint is going to be sent intact without using a fragmented TCP packet. Assuming all this to be true, my ISP is supposed to then pick out this needle-sized fingerprint in a galactic-sized haystick.

This is pure science fiction.

Hmm, wouldn't...

[scifience]

Wouldn't this digital "fingerprint" just be erased/garbled when it is encoded in a different format, like, say, DivX or XViD?

Re:Hmm, wouldn't...

[thpr]

No. If they take the 4 or 5 most significant bits across a song and perform (for example) an MD5 hash of them, then any encoding mechanism (MP3, OGG, etc.) would still result in the same hash. Same goes for video.

The stupid part is that even trivial encoding changes (zip) much less encryption (DES, AES, PKC) render this useless. The way around that is actually doing application layer filtering on data, and I with them luck with that. Besides encryption still getting around this in many cases, the CPU time required to do near-real-time layer 7 processing of ALL of the packets going through an ISP is obscene. (remember this type of filtering requires persistence of those packets for a period of time in order to reconstruct the resulting media, because the few bytes in a single IP frame probably isn't enough to know if it's media). Such investment would drive every ISP except Microsoft bankrupt.

What the MPAA is really pursuing right now is watermarking (mentioned later in the article). They have proposed altering each image that goes to different movie theaters or DVDs (especially previews that go to the MP Academy), etc. By watermarking the image against a master (of 'neutral' color, it is possible to determine which copy it came from even if it has been re-encoded.

The alteration is of certain items in the image. It is not on the magnitude of a least-significant bit (which different encoding schemes would then garble). What these watermarking systems do is change it by a number of bits, and do so in a recognizable fashion. In a scene, this might change brightness of the clouds, or the brown of the ground, etc. The net is that a distinct watermark can be created on the image. By altering different items in different films (and at different times), the net result is indistinguishable to the watcher; yet when the 'master' is known to the MPAA, the patterns can be distinguished to determine the source of a pirated copy of a movie or song (regardless of how it might have been re-encoded - unless it's at REALLY low quality)

Bassackwards

[jav1231]

It seems to me that the MPAA and RIAA are spending more time and money making the Internet and digital technology conform to their will than they are figuring out how they are going to exist in it. It's like traveling to another planet where animals, birds, fish, and other wildlife are already thriving yet insisting to not only keep your spacesuit on, but running around and trying to put one on everyone who's already figured out that you can breathe there.

Can fingerprints survive encryption?

[G4from128k]

I wonder if these fingerprints can be designed to be detectable in an encrypted file? Given that the MPAA knows the pattern of the data itself (the music) and the fingerprint, it seems possble that ghosts of that known data would be detectable in the encrypted data. I remember a cautionary tale of encrypting images with a particular implementation of DES. If the image contained large expanses of pixels of an indentical value, the outline of the image appeared in the bits of the DES-encrypted output.

Although good encrytion should make it impossible to recover unknown bits in the original file, it seems to make no gaurantees that one can't detect the presense of known data (of a sufficiently clever pattern) in the encrypted file.

IANAC, so any expert comments about why known data is made irreversibly invisible by encryption would be appreciated

Freenet

[wr0x2]

It surprises me that no one has mentioned freenet so far. Although I believe that freenet itself is condemned to fail, it certainly sets a standard as far as privacy and encryption are concerned. http://freenet.sourceforge.net/

Re:Freenet

[swilver]

Actually, bandwidth just keeps increasing. It seems reasonable to assume that in the near future we could have gigabit lines in every home (they've already started the roll out of 10mbit+ connections here). It does not seem as likely that the bandwidth needs of video/audio will go up anytime soon (especially not audio).

So basically it won't be long before we'll have more bandwidth than we know what to do with... then you install Freenet (or some other P2P app that does its own routing).

This does NOT matter

[AntiPasto]

... The hackers are taking over TV and movies anyway.

http://www.ourmedia.org/ [ourmedia.org]
http://www.unmediated.org/ [unmediated.org]

etc... just google for it... Get involved in your public access TV today.

Allright

[Deliveranc3]

There is already concern about the nature of copywrite... now they will slow down the entire internet to suit their needs?

These guys going down!

Finally!!!

[Duncan3]

A good use for ROT13 :)

umm....

[nukem996]

Wont someone figure out how to remove the finger prints? Isnt that law unconstitutional(invasion of privacy)? This hole thing seems like its going to fail horribly.

Lost Cause

[Macfox]

How embarrassing... What hope do we have, when the MPAA/RIAA pushes these schemes that are so easily defeated by overlaying simple encryption. When you see the effort, time and dollars being spent on such frivolous plans, it really hits home how out of touch these organisations are.

I liken their plight to the alchemists trying to turn lead into gold. The only sure thing is, their being taken for a ride by law/anti p2p firms and companies like Philips Technology cashing in on their ignorance.

Sadly I don't

ISPs

[vistic]

IANAL and IRECTAL, but why do ISPs have to then shoulder the responsibility of policing all this traffic and enforcing this proposed law? I don't think it could even be accomplished, considering how many ISPs are out there, and how hard it would be to make them all put in the same effort and follow the same procedures. It seems to me the only way to force such an internet-wide filtering scheme would be to pass all the data through a government server (or servers), and that's not going to happen considering how everyones so used to things being the way they are now, infrastructure-wise.

The MPAA/RIAA need to realize that these measures they keep proposing time and again are futile. Even if your ISP started policing your traffic, you could switch to a smaller ISP that's being more lax in its enforcement and is "below the radar".

And how does the MPAA propose getting these digital fingerprints onto ALL media? And how long would it take for someone to figure out how to strip the fingerprint from the file?

When it comes down to it, *any* DRM in audio files is defeatable by playing it back on a high quality speaker and re-recording it with a high quality recorder. A similar set-up could be used (with more difficulty) for video I suppose as well.

The MPAA/RIAA need to change their tactics in a big way and figure out how they can give the market what they want at a price they want, so that everyone who's downloading movies and music today decides that the MPAA/RIAA's new way is easier, and downloading isn't worth the hassle. I think one of the big things they're releasing is that people will pay more for special features and other things that add value to their product which are simply unavailable online.

The MPAA/RIAA's realization will come, I just don't know how many more years it will take and how many eras we need to go through (Usenet era, Napster era, Kazaa era, BitTorrent era) before they realize that people out there are innovative enough to come up with a new filesharing means, always. Maybe the current crop of CEOs and managers need to be gone before that will ever happen.

This will work....

[russint]

Until someone invents something like ssl... oh...

Slower 'net access

[nurb432]

We have implemented a box at work that monitors all traffic for 'stuff', and its slowed us down significantly. Regardless if its Internet web traffic or simple SQL queries on internal servers.

Having this stuff mandated on our isp will just about kill our connection. ( and raise costs ) Between this and spam it will drive people off line ( which might be their ultimate goalanyway, cant download if you arent on the 'pirate-net' )

Why not just create an encrypted wrapper?

[Bishop923]

I would think a way to go would be to use some low-grade form of encryption using random keys that aren't known to the end-user. Something that would be trivial to break on a user's home system, but would be impractical for the ISP to process on a large-scale.

Is this feasable, or would it just turn into an arms-race of "who has the bigger processor"?

The scariest way ...

[RM6f9]

for an ISP to deal with the pressure behind the situation: "If we can't read it, we won't pass it across our portion of the Internet."

All too do-able in the hyper-paranoid post 9/11 US of A...

Afraid yet?

Re:The scariest way ...

[Joff_NZ]

I think the banks of the world might have something to say about that, and last time I checked, they are way bigger, and wield *much* bigger sticks than the MPAA/RIAA

Wow!

[rbarreira]

The trick is to make that identification process work even if the file is compressed, turned into a different computer file format or otherwise changed slightly. For a song, this means basing the fingerprint on the music's acoustical properties, rather than on the ones and zeros that make up a given digital file.

The video process is similar, but would use visual characteristics of individual video frames instead of audio qualities.

A good fingerprinting technique must be able to identify the movie even if parts of it are being downloaded out of order, or if some bits have been cut out, Maandonks said.

Wow, is this a kind of an april's fool or something? I don't even think I need to comment much on the infeasibility of this...

Next thing you know, the RIAA will be solving NP-complete problems in constant time or something...

Re:Wow!

[Wylfing]

Wow, is this a kind of an april's fool or something? I don't even think I need to comment much on the infeasibility of this...

Agreed. The story makes it seem like this could be implemented next month or something. The technical and legal hurdles here are huge. Even if this fingerprinting technique is the cat's meow, building a database of fingerprints by itself might take years (those masters need to be found, loaded, queued, etc.). And that says nothing about the challenge of keeping this database current

SSL

[Danathar]

A "little" off my own topic since I submitted the story....but the result of this I would imagine would be that p2p will start using SSL to encrypt the traffic (I put this in my text blurb for the story...but slashdot editors chopped it). Anyhow...this will NOT only defeat the MPAA, but MANY universities use trafic shapers to fingerprint Bittorrent and p2p traffic to keep it from saturating their bandwidth to the Internet. SSL encrypted p2p will effectively make packet shaping these services impossible.

Hey **IAs, I'll trade ya...

[teamhasnoi]

you can have your unbreakable copy protection in exchange for 20 year copyright length.

Of course, my right to "fair use" will stand, so I can make backup copies and time and format shift for my own personal use.

You figure it out.

Screw 'em

[Kris_J]

That's it. Movies have too much baggage. And they're crap. My mother bought "I Robot". I lasted five minutes. I had to sit through an un-skippable "ad" where I was reminded not to steal movies only to be presented with a move where the first line is a product placement. Two plot cliches could be found in just the first few minutes. (Character saved by a minority, still doesn't like them and character misjudges the action of a minority and acts like an arse.)

Quote frankly I'm having way too much fun with books at the moment. Real, Dead Tree Format books. There's some great stuff being produced, not like the pap that is a "blockbuster" movie.

I walked away from new music ages ago. I neither buy new stuff nor download anything. Because I also don't listen to the radio (*shudder*), I have no idea what music is out there. Thus I don't buy any. I'm watching less and less TV, I don't download movies and I don't go to the cinema. Movies are coming out now, I don't know what they are. When I do finally find out about them, I wonder why anyone pays money to see them, apart from being able to say they paid money and saw them.

damn

[Kanasta]

soon I won't be able to send my calculation of the value of Pi to my friends..............

Let's assume that the MPAA can stop P2P

[Simonetta]

Instead of going on for a hundred messages about the miniscule details of P2P, encryption, and the rest, let's assume that the MPAA can stop P2P and think of what the effects would be and the unintended consequences.
So... Assume that someday,
Super DRM is in place on Hollywood movies. When you download a Hollywood film, they have a record of the film and the PC address that it went to.
Now what are they going to do? Will they just have an automatic robot prosecutor (like the photo-radar that automaticly sends you a speeding ticket)? What will the fine be? $100,000 per movie? And what if no one pays? Do they automatically link to your bank account and deduct $100,000; or $10,000; or maybe just 50% of whatever's in the account? Will they have the ability to automatically garnish your wages so that 35% of whatever you earn for the rest of your life goes to them before taxes?
And just exactly how many people do they think that they are going to do this to in a country that has more guns than people before the leader of MPAA gets his pointy-little head blown off?
There are millions of people out there trading movies. Not one thinks that there is anything wrong with doing it. Not one thinks that the movie that they just spent hours downloading for a crappy little image is worth paying hundreds of dollars for, never mind hundreds of thousands of dollars. If they did, then they would pay $20 for the DVD. Or ten dollars to go to the theater and watch it.

So, what are they going to do? Have a lottery?
They gather data on 100,000 movie downloads and then pick one at random. Throw every lawyer in Hollywood and this poor schmuck, destroy his life, and require you to watch a five minute summary of it in the theater between the Pepsi ads and movie previews?

And if they did do this? Would it make their basic product any better? Would you be more willing to shell out $12 to go see White Cop, SmartAss Black Cop XXXIV and the local 12 screen multiplex? Or the latest braindead-on-arrival CGI cliche-ridden mess from a film industry on auto-pilot?

There are thousands of movies made each year. Hundreds of them are good and some are mind-boggling excellent. Most will never get seen by the people would be willing to pay real money for the opportunity to enjoy them.

P2P is the only way that Hollywood is going to get this vast reservoir of good movies together with the willing and eager audience. Frankly, P2P is the only way that Hollywood is going to be around fifty years from now.

I wish I could say to these people to just take their head out their ass, stop trying to fight the future, and start paying attention to all the people who are seriously interested in keeping the Hollywood entertainment industry in good health through this period of epic change.

But I don't really have much hope for them anymore. Hollywood is its own worst enemy, not the P2P film freaks.

Re:Encryption

[J'raxis]

I'd suggest encrypting the entirety of the p2p traffic (SSL layer or something), otherwise things like headers and searches are still visible.

Artists

[Atroxodisse]

Musical Artists make most of their money from concert sales. Most of them have prohibitive contracts where all of the money ends up in the hands of others. If an artist is good, people go to their concert.

Re:When will they learn

[Spacejock]

Product placement! Every song could become a lengthy commercial for selected high-quality items of interest to the consumer. They could even delve into their back catalogues and digitally enhance older tracks by substituting words like 'smoke', 'like' and 'scavenger' for well-known brands.

Then they could do this with movies, cunningly inserting sponsored products at the most inopportune moments, and-- Oh...

Re:Who needs encryption?

[J'raxis]

Any decent mailserver anti-virus software can look inside compressed or encoded attachments. (The really good ones drill down recursively, too, so putting a base64ed zipfile inside a gzipped tar archive wouldn't make a difference.) What makes you think whatever scanning software they'll design to look for these fingerprints won't do the same?

Re:I Love Slashdot, Really I Do ...

[SpacePunk]

"This topic is absolutely chock-a-block with discussions about which burglars' tools work best to fuck over and steal from our neighbors. What next, discussions on how to cut through school zones and take kindergarten-age hostages to elude the police during a high-speed chase? "

I look at it like this. A discussion on how to preserve the privacy and liberty of those of us that do not commit copyright violations. Allowing this is like allowing the cops to tap my phone becuase my neighbor was caught committing a crime. It's unacceptable.

Re:While You're Bitching ...

[shark72]

"For decades they conspired on prices and you claim they "paid the price"?!"

The price-fixing settlement was not as a result of "conspiring" for "decades." Here's what happened:

1. A couple of "big box" retailers (Wal-Mart, Best Buy and the like) started selling CDs at a loss, or for extremely low margins, as an inducement to get people into the stores and buy other high-margin stuff.
2. This started hurting a few music-only chains (Tower Records, TWE and one other that slips my mind), who didn't have an acre of high-margin children's clothing or computer equipment in the back of the store that allowed them to sell CDs at a price that competed with Wal-Mart and Best Buy.
3. Tower Records, et al complained to the record companies (notably Universal) that Wal-Mart and Best Buy were putting them out of business.
4. In response, Universal started a "MAP," or "minimum advertised price" program. Universal gave Tower, et al. funding for advertising (in newspapers and the like) with the stipulation that the advertised prices didn't fall below a particular point. In case this concept seems familiar to you... lots of other industries do it, including the computer peripheral industry.
5. Best Buy and Wal-Mart noticed this and complained to the government.
6. The government smacked Universal around a bit.
7. Wal-Mart and Best Buy had the last laugh.
8. Tower Records filed for bankrupcty.

The winners here are Best Buy and Wal-Mart. The losers are the traditional record stores and indie stores that continue to get squeezed out of the business by Wal-Mart and their loss leader prices on CDs. The record companies probably don't mind; other than sending out some settlement checks and sending some crappy CDs to some libraries (as you've mentioned), this didn't hurt their bottom line. They were selling CDs to Tower Records for the same price that they sell to Wal-Mart.

You should be happy about this if:

• You don't mind buying your music in Wal-Mart (sadly, for many people reading this, Wal-Mart is the only place they know to get music, and they'll never know what it was like to have that cool indie record store in town before Wal-Mart put it out of business.) Can't beat those great Wal-Mart prices, particularly if you like Shania Twain!
• You don't like MAP pricing programs. In that case, one industry down (the record industry) and lots more to go. This battle is fought one step at a time.
• You subscribe to the "what's good for Wal-Mart is good for America" philosophy.

You should be unhappy if:

• You miss the old days when indie record stores and stores like Tower were more prevalent, and you wouldn't mind paying a few extra bucks for more selection and the opportunity to avoid going to Wal-Mart for your music.
• It bothers you that the computer peripheral industry still uses MAPs. Doesn't bother me, as that's the industry I'm in. MAPs are great.

The bottom line is that anybody who thinks that the price-fixing settlement was a strike against big business and a win for the little guy is mistaken. They're probably still chuckling about it at Wal-Mart headquarters in Bentonville.