EFF and Sony Disclose New DRM Security Hole
Dotnaught writes "The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment said on Tuesday that SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. Security firm iSEC Partners discovered the hole following a request by the EFF to examine the SunnComm software. The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."
How big of a drama it is.
Sue the bastards and get it over with.
perpetually dwelling in the -1 pits
And to think that only yesterday, there was a slashdot story wondering whether the EFF had outlived its usefulness... So there's your answer, I guess.
Hopefully the fix is them turning around, bending over, and grabbing their ankles.
activestudios web design
Who in their right mind would voluntarily install something from SunComm or SonyBMG given their track record?
Their software phones home and cripples your computer. Would anyone here actually trust them?
Sony has done more damage to the DMCA and set back DRM farther than the combined efforts of the EFF and like-minded people around the world. We should all thank them.
It is clear that DRM software is going to be as open to bugs as any other software, and some of these will constitute a security threat.

Surely the solution is obvious. If they built DRM software directly into the operating system, then it could be happily updated with all the rest of the software, using whatever update mechanisms your OS provides.

I'm sure that the security minded folks on slashdot will be the first to support a legal requirement for DRM in all OS'es, so that we can solve this problem before it becomes really serious.
Phil
But first you install stealthy and quite possibly illegal software with one hand, and with the other you install DRM with a security hole that hardly anyone will patch because they will likely not hear about it.
Way to go Sony, you truly are a bunch of arse-holes.
Well, at least if this gets major press coverage it may cause an even larger headache to the ever-encroaching wave of DRM.
The only things certain in war are Propaganda and Death. You can never be sure which is which though
Root kits, Serial Copy Management, Macrovision, Content Protection for Prerecorded Media, Advanced Access Content System, blah, blah, blah. The most effective DRM is for the labels to continue to put out crappy music. Eventually we'll all find something better to listen to.
Are you...Are you some kind of genius?
No, ma'am, I'm just a regular Slashdot reader.
Since they are redoing the CDs, maybe they can change the names too?
Alicia Keys - Unplugged, but still Infected
Amici - Forever Defined as Dishonest
Britney Spears - Hitme, but Don't RipMe
Cassidy - I'm A Hustla in Your PC
David Gray - Life In Slow Motion Since your PC has a Rootkit
Faithless - Forever Faithless Sony
Imogen Heap - Speak For Yourself, I Love Rootkits
Leo Kottke/Mike Gordon - Sixty Six Steps to Uninstall the Rootkit
Raheem Devaughn - The Hate Experience
Santana - All That I Am Allowed to Copy
Stellastarr* - Harmonies for the Haunted PC
Various - So Annoying: An All Star Tribute To Rootkits
Wakefield - Which Side Are You On? Sony or the Public?
YoungBloodZ - Everybody Know Me, Nobody Copy Me
He who knows best knows how little he knows. - Thomas Jefferson
..did they also fix that little issue where the DRM installs itself even if the user doesn't accept the EULA?
Great, now not only do I have to make sure all my users' applications are patched, but I have to track patches on every frigging DRM implementation out there as well.
Well, payback is a bitch.
I have already steered a friend away from a Sony stereo to another brand, making it clear that Sony is not a good "citizen" and they would do well to stay clear of any Sony products.
Yes, I am only one puny person, but I've already cost them a couple of hundred bucks, and will continue to do so at every opportunity.
A house divided against itself cannot stand.
From EFF: "We're pleased that SONY BMG responded quickly and responsibly when we drew their attention to this security problem," said EFF staff attorney Kurt Opsahl. "Consumers should take immediate steps to protect their computers."
As if Sony, which already has a boatload of negative publicity, could do anything else. I think even the stuffed shirts there must now realize that they can't let anything else fall through the cracks or their music business might collapse. Don't be surprised if Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.
GetOuttaMySpace - The Anti-Social Network
You must be new here.
RIAA Bans Telling Friends About Songs
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
Or
Sit here and rip the whole thing off the net for free and burn it to CD and copy it to my iPod. Yeah, DRM is a great way to stop piracy. Maybe they should try offering value for money instead.
I've never understood how any userland bullshit software could manage the complexities of opening up a hole *on accident*. Call me paranoid, but, when shit like this gets 'found', they call it being 'found' because someone put it there.
To install the software originally the user had to be an administrator (a lot of software requires admin rights because most of the system won't allow a basic user to install system-wide software. e.g. It could add files in your user directory and the like, but not in Program Files). From then on the software is running as System, operating as a part of the system (which is why it's called a root kit).
My guess is that the folder where the software is stored has the ACLs set to Everyone with Full Control, or something similar. Because this root kit is run as System when the system boots up, a simple user exploit could circumvent user isolation by overwriting some of the rootkit files, and on next boot it'll be running as System, with full local permissions.
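The parent's guess is that the installed directory carries an ACL like Everyone: Full Control while its contents are run as System at boot, so any local user could replace a file and inherit System on the next boot. The following PowerShell is an added example, not code from this thread, from SunnComm or from Sony BMG, that turns that scenario into a check a defender can run: it collects the directories holding Windows service binaries (code that runs as LocalSystem or a service account at boot) and flags Allow ACEs that give write-class rights to Everyone, Users, Authenticated Users or INTERACTIVE. The list of "low-privileged" principals, the use of the service table as the source of System-run paths, and the function names are my assumptions.

```powershell
# Added example (not from the thread, SunnComm or Sony BMG).
# Assumption: run from an elevated Windows PowerShell 5.1+ session.

# Principals treated as low-privileged (assumed list; extend as needed).
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights on a directory lets the holder add, replace or remove
# files in it; Modify and FullControl both contain these bits.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-WeakDirectoryAcl {
    # Emits one object per ACE that grants write-class rights to a weak principal.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who = $ace.IdentityReference.Value
        if ($weakPrincipals -notcontains $who) { continue }
        # Generic rights (GENERIC_ALL etc.) are not expanded here; they show up as
        # raw integers and would need a separate mapping.
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-ServiceBinaryDirectory {
    # Directories of registered service executables: code that Windows starts
    # at boot with System or service-account privileges.
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object {
            $p = $_.PathName
            if ([string]::IsNullOrWhiteSpace($p)) { return }
            $p = $p.Trim()
            # Quoted path: take what is inside the quotes; unquoted: take the
            # first token (unquoted paths containing spaces are a separate issue).
            if ($p -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($p -split '\s+', 2)[0] }
            Split-Path -Parent $exe
        } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Sort-Object -Unique
}

$findings = Get-ServiceBinaryDirectory | ForEach-Object { Test-WeakDirectoryAcl -Path $_ }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No write-class ACEs for weak principals on service binary directories.'
}
```

Any row in the output is the condition the parent describes: a principal that is not an administrator can change what runs with System privileges on the next boot. The usual fix is to reset the directory's ACL so that only SYSTEM and Administrators hold Modify or Full Control, then confirm with a second run that the row disappears.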
Sony is really setting DRM and copy-protection back by several years. And with each announcement, they are making more and more people dislike DRM. That's not a bad thing, I suppose, but they're making it painfully obvious that the only fix for this is the complete removal of the software from people's systems with instructions on how to prevent the software from being loaded again in the future. (Sadly, a huge number of people don't know about the Shift key as an autorun disabler.)
Frankly, I want to see a major mea culpa from Sony on just about every TV and radio station that targets the audience from all of those DRMed audio CDs, complete with the previously mentioned instructions and a promise (that will be kept) that such DRM techniques will never be used in the future.
Considering that even artists themselves are starting to fight back against DRM, stating that it does nothing but hurt the fans, which is true, it's about time for the heads of these companies to realize that Sony has crossed the line and that DRM for audio CDs is not only useless but can have dire consequences. I'm not going to use that silly "information wants to be free" dogma that is used too often on /., but it's become clear that negative reactions like DRM are not what keep CD sales going.
Maybe they should - gasp! - try adding value that the customer wants and cannot get over the Internet through downloading rather than trying to add chains to a product that we want to legally buy. For example:
* Buy the CD and get the concert DVD for 1/2 price
* Buy the CD and get a discount on concert tickets and merchandise
* Buy the CD and accumulate points that can be redeemed for other items
Tactics like these, where items that cannot be downloaded are offered as an incentive, are a much better alternative to increase sales than pissing off the customer base by nefarious methods such as DRM. This is particularly true because DRM can be defeated by one simple method: CD line out --> PC line in.
In short, make it worth my while to buy the CD and not download it. DRM, particularly the kind that Sony implemented, does the opposite.
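The post above mentions holding Shift to suppress autorun on a single insert. A setting that survives the next CD is the NoDriveTypeAutoRun policy, a bitmask over drive types in which bit 0x20 (DRIVE_CDROM) suppresses AutoRun for optical drives and 0xFF suppresses it for every drive type. The PowerShell below is an added example, not code from this thread, from SunnComm or from Sony BMG: it reports the value in both the machine and user policy keys, says whether CD-ROM AutoRun is off, and offers a ShouldProcess-guarded function to set the machine-wide value. The function names are my own; the registry key paths and the bit meaning are standard Windows.

```powershell
# Added example (not from the thread, SunnComm or Sony BMG).
# Assumption: Windows PowerShell 5.1+; writing the HKLM key needs elevation.

# Explorer policy keys that can carry NoDriveTypeAutoRun (DWORD bitmask).
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$cdRomBit = 0x20   # DRIVE_CDROM: set = AutoRun suppressed on optical drives

function Get-AutoRunPolicy {
    # One object per hive; CdRomAutoRunDisabled is $false when the value is
    # absent, because the Windows default leaves CD-ROM AutoRun enabled.
    foreach ($key in $policyKeys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            $display  = '(not set)'
            $disabled = $false
        } else {
            $display  = '0x{0:X2}' -f $value
            $disabled = (($value -band $cdRomBit) -ne 0)
        }
        [pscustomobject]@{
            Key                  = $key
            NoDriveTypeAutoRun   = $display
            CdRomAutoRunDisabled = $disabled
        }
    }
}

function Disable-CdRomAutoRun {
    # Sets the machine-wide policy to 0xFF (AutoRun off for all drive types).
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = $policyKeys[0]
    if (-not (Test-Path -Path $key)) { $null = New-Item -Path $key -Force }
    if ($PSCmdlet.ShouldProcess($key, 'Set NoDriveTypeAutoRun = 0xFF')) {
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
# Disable-CdRomAutoRun -WhatIf    # preview; drop -WhatIf to apply from an elevated session
```

Run the report first; if both hives show "(not set)" or a value with bit 0x20 clear, a disc's autorun.inf can still launch an installer when the disc is inserted. After applying the change, Explorer picks up the new policy for new sessions, and the audio still plays when the player is started by hand.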
The Overrated mod is for reversing inappropriate, positive mods, not for voicing disagreement with a post.
Corporations are sometimes their own worst enemy. It has gotten to the point that I feel safer downloading my music from complete strangers on the internet than buying it in a store.
The other farce in this fiasco is that these methods of protection are so easy to defeat that "anyone" who actually uploads music would not be slowed down for even a second.
So we have an extreme example of a rights denial system that penalizes in the extreme the clueless who never were going to upload anyway, and does nothing, not one iota, to stop uploaders.
Earth to idiots at corp HQ. Sony will feel the pain for years to come on this one. If I were an artist, I would be looking for a "no DRM" clause in my contracts when dealing with these morons.
Never underestimate the awesome power of pale vegetarian lawyers.
This may be a little off topic, but with this whole Sony root kit thing, has anyone checked their Sony software lines for the same exploits? I had been an avid user of Sony Vegas software since they bought out Sonic Foundry, but now I am scared to install it again. There goes about 400 dollars just because I lost trust for Sony. It was great software, much faster and more stable than Premiere Pro, probably because Sony didn't write it. It makes you wonder what else they have corrupted in their control game.
According to this report at CNET,
"Sony said it will notify customers through a banner advertisement directly in the SunnComm software"
So now you get banner ads with your audio cd+DRM.
Nice.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
The most interesting part about the whole Sony BMG rootkit fiasco, and now this, is that it seems as if Sony is doubly screwed from now on, because whenever they put out a new product, it's going to be hacked from all sides, to find little holes like this. I'm sure there are plenty of other products out there that behave similarly or have holes in them, that are from other companies, and aren't getting exposed because they didn't piss off the internet community.
It's this kind of backlash now that is busting Sony, because anything they put out from now on better be bullet-proof, or else it will wind up being counterproductive.
Some people say 'Digital Rights Management' is good for the consumer.
Some doctors used to recommend cigarettes.
The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC.
This is Windows we're talking about; I wouldn't be surprised if we're on to the seventh or eighth party by now.
Guy asked me for a quarter for a cup of coffee. So I bit him.
why the new acts can't all sound like Lionel Richie or Billy Ocean.
I think that you missed the poster's point, since you mention old pop chart stars. The problem isn't that today's pop charts don't feature yesterday's pop chart music nor soundalikes --- expecting that would be totally dumb.
The problem is that today the music scene is ruled 99% by the pop charts as a result of the ruthless efficiency of the Big Business side of the music industry, to the extent that almost all other musical styles are marginalized to near extinction. Musicians no longer come out of art school wanting to do something novel for their own niche audience; greed has overcome artistic integrity.
Back in the day, the studios and labels were comparatively amateurish and ineffective, so public tastes were strongly influenced by radio station jockeys, through student union gigs/concerts, and by music tabloid reviews of live acts. These have almost no effect today. The image makers and immense marketing machine hold the scene in a vice-like grip.
So it's not old age, only. It's also that musical horizons have been slammed down tight all around us, with only a few wonderful exceptions to the rule offering a temporary escape.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
The article states that "SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs."
Does this mean that once the SunnComm DRM software is patched it will go back to working as designed -- that is, do the DRM restrictions continue to constrain the end users' freedoms to use the music? Is the SunnComm software "fixed" or removed?
I would have been happier to have heard they designed a removal tool.
*grumblecakes*
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
I am still waiting to see how you patch a CD -- short of replacing it entirely, that is.
For now, I wouldn't trust Sony to patch my Tinkertoys properly, let alone my computer.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
This is not the "rootkit" DRM software that we're talking about here. This is the other DRM crapware that Sony/BMG has on its discs. I buy a moderate amount of music on CDs, then rip them to MP3s to play on my Rio and car stereo. I was planning to buy Carlos Santana's new disc when this whole flap came up. I checked, saw that Santana wasn't on the rootkit list, and briefly considered buying it, although I have avoided all DRMed music to this point. No worries, I'll rip it on my Linux box anyway.
I changed my mind, and I'm glad I did. One less bit of malware in the stream of commerce. I did go to Carlos' website and told them I had decided not to buy the disc and why. From the notes there, it seems they have been getting a lot of that. This may be the most effective way to deal with this issue. Tell the artists that you will not buy their art, if it comes packaged with such crap.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
**Clicky - Google - Clicky**
MediaMax titles @Sony BMG website
XCP titles @SonyBMG website
I walked in to my local record store TWO DAYS ago with the Sony/BMG list of XCP titles. I asked the counter clerk if they had pulled the titles yet.
The response was, "Which one do you want".
The clerk knew of the issue. He even helped me confirm that the catalog number for the disk was a match. The titles were still on the shelves for sale. The store was replacing the disks as new disks came in from Sony.
Two out of three record stores that I checked that day had the titles available for purchase.
This is a recall?
Also, it is not as if you can look on the spine of the CD to find out that it is a Sony disk. These disks are sold under other label names. I believe that the one I got was an Elektra. Sony/BMG is in the really fine print on the back, as well as the XCP URL.