Sony's SunnComm DRM Patch a Security Risk

Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."

Eat me, Sony.

[grub]

Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

The publishers are just middlemen (middle-management?) scrambling to keep their distribution means relevant: cut them out like a cancer.

a) Freely download
b) Buy what you like (second hand if possible)
c) Pay to see the artists live

Re:Eat me, Sony.

[CastrTroy]

That's usually stupidly expensive, I think most of the money probably goes to the property owners anyway.

That really depends on the bands you like to see. I often go to concerts for $10 to $20. I've also seen some pretty popular artists for quite cheap. You just have to be smart about what bands you see. In my eyes, no band is worth the $80 arena ticket so you can see them from 500 ft. away. However, many bands that i may not like so much, are really fun to go and see when you can be within 50 ft. (10 ft. sometimes) of the band, and only pay $15.

Re:Eat me, Sony.

[The_Rook]

wanna bet that sony will figure out a way to charge the musicians for the recall and destruction of the "defective" discs?

Virii, worms and DRM ...

[VitaminB52]

are the digital infections AV software should protect your PC against.

This could be a good thing:

[Donniedarkness]

I think that after Sony loses EVEN MORE money because of this, they may be a little conservative in the future. I still urge everyone to not buy any Sony products (I just talked my parents out of buying a $1300 Sony Camcorder, a $200 Sony car stereo system, and a Sony HDTV that has a price that I don't know). We need to show these guys that WE WILL NOT TOLERATE this sort of shit. These guys are doing whatever they can to make as much money as they can. Let's kick them where it hurts.

Re:This could be a good thing:

We need to show these guys that WE WILL NOT TOLERATE this sort of shit.

Go back thru the annals of /. You will find many preaching about "If Sony supports the DMCA, we need to stop buying Sony". "If Sony supports ...." is a common theme. Yet, when the new gizmo comes out from Sony, or Sony Pictures releases a new movie - Bam! Front page on /.

"We" tolerate it just fine it seems.

Why was the EFF involved in this?

[Sanity]

Why did the EFF get involved in the announcement or endorsement of this patch? The EFF is a legal organization, not a technical organisation. Now, instead of the egg landing squarely on Sony's face, where it deserves to be, the EFF is embarrassed too.

The EFF should have pointed out the vulnerabilities to Sony and left it at that, there was no need for the EFF to lend its name to Sony's fix for the problem.

Big surprise

[mrRay720]

Did anyone really think that Sony were going to stop doing evil things? They don't see themselves as having any financial benefit from truly removing the damage they do to their consumers' computers. They have their reasons for wanting this crap of there in the first place, and a bit of bad publicity they think will blow over soon enough just isn't going to make those reasons go away.

There will be an updated patch eventually that actually does a half decent job of removing the worst of the security holes - they'll have to if they don't want a blanket removal of all their spyware from AV companies as a security measure. Not even a giant of Sony's stature can last too long being seen actively attacking and damaging all of their customers.

Then, after the news outlets have had their fill of the story, 6 months or so down the line they won't be wanting to run the same thing over again. Sony will then be free to come out with the next wave of evil but slightly less dangerous malware. That's how it goes. The next round will be a bit less dangerous, a LOT more secretive, but with the same anti-consumer schemes.

That's my opinion, anyway.

conspiracy teory

[nazsco]

1. sony claims it needed the DRM crap to prevent pirates
2. sum up the recall of the cds and drm development into "loses due to pirates"
3. lots of news: "p2p makes music company loose money!"
4. ?
5. PROFIT!

This is a good thing, in the long run

[Eagle5596]

In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM. In the future companies may find people simply don't buy any products with DRM because they are afraid there will be security holes. All in all this is probably a good thing for consumers in the long run as it will keep DRM off of CD's.

Re:This is a good thing, in the long run

[Chaffar]

"In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM."

I disagree. Even though in theory this should happen, I feel that anyone who understood the nature and purpose of DRM was already against it in every way. I don't think that this fiasco attracted anyone's attention except of those who are already pretty much against DRM. This isn't really a M$ Vs. Linux Vs. Mac debate, where each party has its own arguments. I think that even the people who are against piracy kinda see how pointless these types of measures are, especially those that harm the innocent (i.e. the thing about not being able to copy more than 3 times screwing over iPod users?).

Re:great way to keep kids away from britney...

I honestly do not believe any typical sony cd purchaser

1. understands what happened or what they should do,
2. understands if that if he did undertstand, he was wrong and should
3. understand that the second revision to his understanding was wrong, and so should not have downloaded to begin with (the patch) or should just get the tunes elsewhere...

I work in an IT company. We develop software for the masses. Yet two of my colleagues did not know the term "rootkit" or have heard about the Sony goof-up. These were not office clerks or marketing people. They were 30-ish and both had developer background.

That served as a reality check for me. This case has hardly been touched by the mainstream media.

What's worse, now scores of naive users will try out rootkit detectors with no understanding of using them properly. False alarms will ensue, like claims of Firefox running 10 rootkits. Yeah, right! There will be lots of noise in the blogs, and little mention in the mainstream media. Joe Public will not be enlightened by this.

Re:The music gene pool is self correcting

[91degrees]

Indeed. If only the rest of the world could have perfect taste.

Re:Web 2.0

[meringuoid]

sites are able to leverage Web 2.0 technologies

Please don't use the word 'leverage' again unless you can estimate a value in newton metres. It makes you sound like a PHB.

Rephrasing into sensible English,

sites are able to use Web 2.0 technologies

Well there is some proof of this

[SmallFurryCreature]

DRM crippled CD's have with us for a number of years now. Granted the actual music company that tries it changes but it seems clear none of them have simply accepted that DRM is only damaging them.

They keep hoping that this time the consumers will be ready for it. Someday, they will be right.

Curious...

[GmAz]

By recalling the CDs and sending out new ones without the DRM, does this remove the DRM from the machine or just leave it there. Or does the new CD remove the DRM when you play it? Same for the Sony Rootkit. By recalling the CDs, it sounds like they stopped the spread but didn't remove the auctual DRM software. If this has been answered before, I am sorry.

So let me get this right...

x installed rootkit
x virus was written to use rootkit
x lied about it sending info
x licensing was illegal
x contained stolen copyrighted code
x created patch that contained vulnerability
x patch collected info from machine

x another drm contained vulnerability
x created patch with vulnerability

9 strikes. Did I leave anything out?

they already do charge the artists!

[feepcreature]

Isn't there still the 10% or so deduction from sales, before royalties are calculated, for breakages? A legacy from the days of shellac and vinyl, I believe. They could use that... (see http://www.scoremusicmagazine.com/scorerocks/bborg 3.html) Or they could slap on another charge, and make even more money.