Slashdot Mirror


EFF and Sony Disclose New DRM Security Hole

Dotnaught writes "The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment said on Tuesday that SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. Security firm iSEC Partners discovered the hole following a request by the EFF to examine the SunnComm software. The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."

13 of 258 comments

  1. Useful indeed by Renegade+Lisp · · Score: 5, Insightful

    And to think that only yesterday, there was a slashdot story wondering whether the EFF had outlived its usefulness... So there's your answer, I guess.

  2. Quick Question... by parsnip11 · · Score: 5, Interesting

    Who in their right mind would voluntarily install something from SunnComm or SonyBMG given their track record?

    Their software phones home and cripples your computer. Would anyone here actually trust them?

    1. Re:Quick Question... by jc42 · · Score: 5, Insightful

      Who in their right mind would voluntarily install something from SunnComm or SonyBMG given their track record?

      Most of the victims have no idea that they're installing software on their computer. They're just playing a CD that they bought.

      We geeks and nerds on /. understand the issue. 99% of the population don't even know what "installing software" means, have never done it (intentionally), and aren't to blame for being victims of such things.

      Blame the criminals, not their victims.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  3. Thank you Sony! by Suzumushi · · Score: 5, Insightful

    Sony has done more damage to the DMCA and set back DRM farther than the combined efforts of the EFF and like-minded people around the world. We should all thank them.

    1. Re:Thank you Sony! by morgan_greywolf · · Score: 5, Interesting

      Yes, but the one thing they haven't been successful in is pointing out the danger of DRM to Joe Sixpack. A number of people I've spoken with have never heard of the Sony 'rootkit' case and had no idea that playing a recent Sony DRM-protected CD on a Windows PC could be dangerous to their computer system.

  4. Effective DRM by faqmaster · · Score: 5, Funny

    Root kits, Serial Copy Management, Macrovision, Content Protection for Prerecorded Media, Advanced Access Content System, blah, blah, blah. The most effective DRM is for the labels to continue to put out crappy music. Eventually we'll all find something better to listen to.

    --
    Are you...Are you some kind of genius?
    No, ma'am, I'm just a regular Slashdot reader.
  5. Revised titles for Sony Rootkit CDs by digitaldc · · Score: 5, Funny

    Since they are redoing the CDs, maybe they can change the names too?

    Alicia Keys - Unplugged, but still Infected
    Amici - Forever Defined as Dishonest
    Britney Spears - Hitme, but Don't RipMe
    Cassidy - I'm A Hustla in Your PC
    David Gray - Life In Slow Motion Since your PC has a Rootkit
    Faithless - Forever Faithless Sony
    Imogen Heap - Speak For Yourself, I Love Rootkits
    Leo Kottke/Mike Gordon - Sixty Six Steps to Uninstall the Rootkit
    Raheem Devaughn - The Hate Experience
    Santana - All That I Am Allowed to Copy
    Stellastarr* - Harmonies for the Haunted PC
    Various - So Annoying: An All Star Tribute To Rootkits
    Wakefield - Which Side Are You On? Sony or the Public?
    YoungBloodZ - Everybody Know Me, Nobody Copy Me

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  6. I wonder.. by LilWolf · · Score: 5, Interesting

    ..did they also fix that little issue where the DRM installs itself even if the user doesn't accept the EULA?

  7. Re:Build it into the OS by eggoeater · · Score: 5, Insightful
    It is clear that DRM software is going to be as open to bugs as any other software...
    Actually...much more so.
    DRM software has to do more than regular software to prevent users from circumventing it, with the latest craze being OS hooks.
    Insecure software + OS hooks = HUGE security risks.
    If you ever want to release a worm that takes advantage of a DRM security hole, just put it on a web site that tells you how to disable that particular DRM. People will google for a way to disable their DRM, go to your site, and WHAM.

  8. EFF by Kev_Stewart · · Score: 5, Funny

    Never underestimate the awesome power of pale vegetarian lawyers.

  9. Re:Perhaps not (Was Re:Useful indeed) by CaptainZapp · · Score: 5, Insightful
    Most surprising is the change of tune of Mr. Hesse, from:

    "Users don't know what a rootkit is so why should they care"

    to

    "We are taking the concerns of our customers very seriously, blahblahblah"

    Could it be that Mr. Hesse is full of shit?

    --
    I am the musician

    with a pocket calculator in my hand

    Kraftwerk

  10. Re:Perhaps not (Was Re:Useful indeed) by Anonymous Coward · · Score: 5, Interesting

    Don't be surprised if Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.

    They already lost me. And when a company loses my business, they lose it permanently.

    I had a Technics CD player in the mid-80's that had to be fixed repeatedly for the same problem under warranty. When the problem recurred shortly after the unit went out of warranty and they refused to fix or replace it, I sent a polite letter to the head of Panasonic USA explaining the situation and telling them that if they didn't replace the unit I'd never buy another Panasonic product. They declined to fix or replace the unit and twenty years later, I still don't have another Panasonic product.

    You can be sure that there will never be a Sony product in my house in the future.

    Of course, this could be their attempt to implement DRM by fear. If your PC gets compromised every time you put a Sony audio disk in the drive, maybe you'll stop doing it. If you don't put the CD in your PC, they don't have to worry about you copying it.

  11. Re:Perhaps not (Was Re:Useful indeed) by chrish · · Score: 5, Funny

    To answer a question with another question:

    Is he a corporate executive?

    --
    - chrish