EFF and Sony Disclose New DRM Security Hole
Dotnaught writes "The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment said on Tuesday that SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. Security firm iSEC Partners discovered the hole following a request by the EFF to examine the SunnComm software. The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."
Who in their right mind would voluntarily install something from SunnComm or SonyBMG given their track record?
Their software phones home and cripples your computer. Would anyone here actually trust them?
I've never understood how any userland bullshit software could manage the complexities of opening up a hole *on accident*. Call me paranoid, but, when shit like this gets 'found', they call it being 'found' because someone put it there.
..did they also fix that little issue where the DRM installs itself even if the user doesn't accept the EULA?
Yes, but the one thing they haven't been successful in is pointing out the danger of DRM to Joe Sixpack. A number of people I've spoken with have never heard of the Sony 'rootkit' case and had no idea that playing a recent Sony DRM-protected CD on a Windows PC could be dangerous to their computer system.
You might wanna check out last.fm instead. Not exactly to get more top-40-ish in your musical taste, but to find all sorts of cool music you would never come across otherwise. Just type the names of those bands you don't know into their interface, and listen to some preview tracks. Or let them analyze your listening habits and suggest music to you. They even give you your own personalized radio station.
No, I'm not affiliated with them, just an amazed user for a couple of weeks now.
Corporations are sometimes their own worst enemy. It has gotten to the point that I feel safer downloading my music from complete strangers on the internet than buying it in a store.
The other farce in this fiasco is that these methods of protection are so easy to defeat that "anyone" who actually uploads music would not be slowed down for even a second.
So we have an extreme example of a rights denial system that penalizes in the extreme the clueless who never were going to upload anyway, and does nothing, not one iota, to stop uploaders.
Earth to idiots at corp HQ. Sony will feel the pain for years to come on this one. If I were an artist, I would be looking for a "no DRM" clause in my contracts when dealing with these morons.
This may be a little off topic, but with this whole Sony root kit thing has anyone checked their Sony software lines for the same exploits? I had been an avid user of Sony Vegas software since they bought out Sonic Foundry, but now I am scared to install it again. There goes about 400 dollars just 'cause I lost trust for Sony. It was great software, much faster and more stable than Premiere Pro, probably because Sony didn't write it. It makes you wonder what else they have corrupted in their control game.
According to this report at CNET,
"Sony said it will notify customers through a banner advertisement directly in the SunnComm software"
So now you get banner ads with your audio cd+DRM.
Nice.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
The article states that "SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs."
Does this mean that once the SunnComm DRM software is patched it will go back to working as designed -- that is, do the DRM restrictions continue to constrain the end users' freedoms to use the music? Is the SunnComm software "fixed" or removed?
I would have been happier to have heard they designed a removal tool.
*grumblecakes*
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Don't be surprised if Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.
They already lost me. And when a company loses my business, they lose it permanently.
I had a Technics CD player in the mid-80's that had to be fixed repeatedly for the same problem under warranty. When the problem recurred shortly after the unit went out of warranty and they refused to fix or replace it, I sent a polite letter to the head of Panasonic USA explaining the situation and telling them that if they didn't replace the unit I'd never buy another Panasonic product. They declined to fix or replace the unit and twenty years later, I still don't have another Panasonic product.
You can be sure that there will never be a Sony product in my house in the future.
Of course, this could be their attempt to implement DRM by fear. If your PC gets compromised every time you put a Sony audio disk in the drive, maybe you'll stop doing it. If you don't put the CD in your PC, they don't have to worry about you copying it.
I had a similar experience with a fairly new Sony monitor. Even though it was under warranty, they tried to make excuses about why the repair wouldn't be covered. After much pulling of teeth, I finally got it repaired 3 months later. No more Sony products for me. They have run their formerly good name into the ground.
In fact, if Sony's hardware division loses marketshare, the board of directors will give more emphasis to the music division. They will pay higher salaries to the upper management of that division, give it a bigger budget, and so on.
Sony needs to see hardware as a source of potential profits, and music, (especially DRM'ed music), as a source of losses that threaten to drag the whole company down. The lawsuits already filed and in process will definitely do that, if they don't grow big enough to actually destroy the company and not just threaten it. There is no way a huge fine from various state and national governments can be misinterpreted as either a general market condition, a consumer response to poor marketing, or piracy, so in this case, a boycott is superfluous at best and negative at worst.
Who is John Cabal?
I walked in to my local record store TWO DAYS ago with the Sony/BMG list of XCP titles. I asked the counter clerk if they had pulled the titles yet.
The response was, "Which one do you want".
The clerk knew of the issue. He even helped me confirm that the catalog number for the disk was a match. The titles were still on the shelves for sale. The store was replacing the disks as new disks came in from Sony.
Two out of three record stores that I checked that day had the titles available for purchase.
This is a recall?
Also, it is not as if you can look on the spine of the CD to find out that it is a Sony disk. These disks are sold under other label names. I believe that the one I got was an Electra. Sony/BMG is in the really fine print on the back, as well as the XCP URL.