also be prevented from employing the components of the protection software that allow users to access
restricted copies of the music; however, they could create their own software to provide this capability if
they desired. On the other hand, free riding publishers would not be restricted to marking their disc for
only one scheme. By identifying their discs as copy protected with multiple schemes (e.g., both XCP and
MediaMax), they could invoke multiple layers of security and provide stronger protection than is available
with any single technique, all without paying. Preventing free riding by publishers requires some kind of disc
authentication mechanism to control access to installed active protection software--a meta-copy protection
technique.
5.2 MediaMax Disc Recognition
To find out how well the disc recognition mechanisms employed by CD DRM systems meet the ideal requirements,
we examined the recognition system built into MediaMax. This system drew our attention because
MediaMax's creators have touted their advanced disc identification capabilities, including the ability to identify
individual tracks within a compilation as protected [22]. (XCP appears to use a less sophisticated disc
recognition system based on a marker stored in the data track of protected discs; we did not include it in this
study.)
We determined how MediaMax identifies protected albums by tracing the commands sent to the CD
drive with and without the active protection software running. These experiments took place on a Windows
XP VMware virtual machine running on top of a Fedora Linux host system, which we modified by patching
the kernel IDE-SCSI driver to log all CD drive activity.
With this setup we observed that the MediaMax software executes a disc recognition procedure immediately
upon the insertion of a CD. The MediaMax driver reads two sectors of audio at a specific offset
from the beginning of audio tracks--approximately 365 and 366 frames in (a CD frame stores 1/75 second
of sound). On unprotected discs, the software scans through every track in this way, but on MediaMax-
protected albums, it stops after the first three tracks, apparently having detected an identifying feature. The
software decides whether or not to block read access to the audio solely on the basis of information in this
region, so we inferred that the identifying mechanism takes the form of an inaudible watermark embedded
in this part of the audio stream.^6
Locating the watermark amid megabytes of audio might have been difficult, but we had the advantage
of a virtual Rosetta Stone. The actual Rosetta Stone--a 1500 lb. granite slab, unearthed in Rosetta, Egypt,
in 1799--is inscribed with the same text written in three languages: ancient hieroglyphics, demotic (simplified)
hieroglyphics, and Greek. Comparing these inscriptions provided the key to deciphering Egyptian
hieroglyphic texts. Our Rosetta Stone was a single album, Velvet Revolver's Contraband, released in three
different versions: a U.S. release protected by MediaMax, a European release protected by a passive scheme
developed by Macrovision, and a Japanese release with no copy protection. We decoded the MediaMax
watermark by examining the differences between the audio on these three discs. Binary comparison revealed
no differences between the releases from Europe and Japan; however, the MediaMax-protected U.S.
release differed slightly from the other two in certain parts of the recording. By carefully analyzing these
differences--and repeatedly attempting to create new watermarked discs using the MediaMax active protection
software as an oracle--we were able to deduce the structure of the watermark.
The MediaMax watermark is embedded into the audio of each track in 30 clusters of modified audio
samples. Each cluster is made up of 288 marked 16-bit audio samples followed by 104 unaltered samples.
Three mark clusters exactly fit into one 2352-byte CD audio frame. The watermark is centered at approximately
frame 365 of the track; though the detection routine in the software only reads two frames, the mark
extends several frames to either side of the designated read target to allow for imprecise seeking in the audio
^6 By locating the watermark nearly five seconds after the start of the track rather than at the very beginning, MediaMax reduces
the likelihood that it will occur in a very quiet passage (where it might be more audible) and makes cropping it out more destructive.
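
Added example, not part of the original paper: the Python sketch below checks the cluster arithmetic given above (288 + 104 samples, three clusters per 2352-byte frame) and shows how a sample-by-sample comparison of two releases exposes that layout. The audio is constructed, and the stand-in mark (low bit flipped, starting at frame 360) is an assumption, not the actual MediaMax encoding.

```python
import random

# Geometry stated in the paper; everything else below is constructed.
MARKED, UNALTERED, CLUSTERS = 288, 104, 30    # 16-bit samples per cluster, clusters per track
FRAME_BYTES, SAMPLE_BYTES = 2352, 2
FRAME_SAMPLES = FRAME_BYTES // SAMPLE_BYTES   # 1176 16-bit samples per CD frame
PERIOD = MARKED + UNALTERED                   # 392 samples from one cluster to the next

def clusters_per_frame():
    return FRAME_BYTES // (PERIOD * SAMPLE_BYTES)

def constructed_pair(start_frame=360, total_frames=372, seed=1):
    """Build a random 'unmarked' track and a copy carrying a stand-in mark.
    Assumption: the stand-in flips the low bit of every marked sample and
    starts at frame 360 so that 30 clusters (10 frames) straddle frame 365."""
    rng = random.Random(seed)
    clean = [rng.randrange(65536) for _ in range(total_frames * FRAME_SAMPLES)]
    marked = list(clean)
    for c in range(CLUSTERS):
        base = start_frame * FRAME_SAMPLES + c * PERIOD
        for i in range(base, base + MARKED):
            marked[i] ^= 1
    return clean, marked

def diff_runs(a, b, max_gap=16):
    """Spans (start, length) where a and b differ, bridging gaps <= max_gap
    so a mark that leaves an occasional sample unchanged is still one span."""
    runs = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if runs and i - (runs[-1][0] + runs[-1][1]) <= max_gap:
            runs[-1][1] = i - runs[-1][0] + 1
        else:
            runs.append([i, 1])
    return [tuple(r) for r in runs]

def infer_layout(runs):
    """Return the cluster geometry if the spans are perfectly regular, else None."""
    lengths = {n for _, n in runs}
    periods = {b[0] - a[0] for a, b in zip(runs, runs[1:])}
    if len(lengths) != 1 or len(periods) != 1:
        return None
    first, last = runs[0][0], runs[-1][0] + runs[-1][1] - 1
    return {"clusters": len(runs), "marked": lengths.pop(), "period": periods.pop(),
            "frames": (first // FRAME_SAMPLES, last // FRAME_SAMPLES)}

if __name__ == "__main__":
    print(clusters_per_frame(), infer_layout(diff_runs(*constructed_pair())))
```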