Slashdot Mirror


Sony's SunnComm DRM Patch a Security Risk

Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."

53 of 218 comments

  1. Eat me, Sony. by grub · · Score: 5, Insightful


    Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

    The publishers are just middlemen (middle-management?) scrambling to keep their distribution means relevant: cut them out like a cancer.

    a) Freely download
    b) Buy what you like (second hand if possible)
    c) Pay to see the artists live

    --
    Trolling is a art,
    1. Re:Eat me, Sony. by amliebsch · · Score: 4, Funny
      No, no, no, it was Jerry and Kramer.
      Kramer: "It's a write off for them!"
      Jerry: "How is it a write off?"
      Kramer: "They just write it off. Jerry, these big companies, they write off everything."
      Jerry: "(pause) You don't even know what a write off /is/."
      Kramer: "Do You?"
      Jerry: "No, I Don't."
      Kramer: "But /they/ do..and /they're/ the ones writing it off."
      --
      If you don't know where you are going, you will wind up somewhere else.
    2. Re:Eat me, Sony. by Shakrai · · Score: 4, Interesting

      Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

      As much as I hate Sony you don't think they are absorbing the cost as well? Just because they get to "write it off" doesn't mean they magically get the money back. A write off or a charge off is just an accounting term. They will probably get to report that write off when they file their income taxes -- it will reduce the amount of taxable income they had -- but they still have to absorb the cost.

      You or I can do the same thing with some expenses. You can reduce your taxable income by reporting expenses for medical care, uninsured losses, crime losses or bad debt (you loan me money and I default). Whether or not this makes sense for you (vs just taking the standard deduction) is something that only you or your accountant could figure out.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Eat me, Sony. by WebCrapper · · Score: 2, Interesting

      Unfortunately, Sony is such a big company, that nothing will really happen except they may claim to have lost $xxx,xxx... If you think about the company as a whole, that's nothing really. That is technically the cost of shipping & handling plus the (very) few hours of work from their programmers.

      I would honestly like to see Sony taken to court for this. This is nothing but a spyware case by a large, global company who thought they could get away with it.

    4. Re:Eat me, Sony. by CastrTroy · · Score: 2, Insightful

      That's usually stupidly expensive, I think most of the money probably goes to the property owners anyway.

      That really depends on the bands you like to see. I often go to concerts for $10 to $20. I've also seen some pretty popular artists for quite cheap. You just have to be smart about what bands you see. In my eyes, no band is worth the $80 arena ticket so you can see them from 500 ft. away. However, many bands that I may not like so much, are really fun to go and see when you can be within 50 ft. (10 ft. sometimes) of the band, and only pay $15.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:Eat me, Sony. by The_Rook · · Score: 4, Insightful

      wanna bet that sony will figure out a way to charge the musicians for the recall and destruction of the "defective" discs?

      --
      when religion is no longer the opiate of the masses, governments will resort to real opiates.
    6. Re:Eat me, Sony. by Ryosen · · Score: 2, Funny

      "nothing will really happen except they may claim to have lost $xxx,xxx to piracy."

      Fixed it for you.

      --

      Ryosen
      One man's "Troll, +1" is another man's "Insightful, +1".
    7. Re:Eat me, Sony. by sgent · · Score: 3, Informative
      Almost, but not quite... Companies pay taxes (at least in the US) on net income, not revenue. So extending your example of a 50% tax rate and $20 net income...

      50% of $20 = $10 available to shareholders and $10 in taxes. If the company then distributes that $10 to the shareholders (sends them a check) the shareholders have to pay taxes on the money received on their personal income taxes.

      Ok, now assume they have a recall that costs them $5. So it's $20 - $5 writeoff = $15. $15 x 50% = 7.50 in taxes, and 7.50 to distribute.

      The concept of a write-off is often misunderstood. One reason that it's even such an issue is in the case of small to medium business. Remember that the corporate income is taxed, and then taxed again when distributed to shareholders. A small business can buy a MSDN subscription for $2,000. This means that it will only cost the owner approximately $1,000 in take home pay. It's not that it's free, but just that it costs less to the owner than if joe blow hobbyist had bought the same subscription.*

      *Note, taxes are complex, this doesn't even attempt to explain the complexities -- including common workarounds.

    8. Re:Eat me, Sony. by sunburntkamel · · Score: 2, Interesting

      objection to b)

      buying second hand only covers your butt in case someone audits your music collection. (likelihood=0). it doesn't benefit the artist, or the record company. it only benefits the used CD store and the guy who sold the CD.

      replacement b)Buy what you like IN THE FIRST WEEK, or buy it from the band at the show.

    9. Re:Eat me, Sony. by Ryan+Amos · · Score: 2, Interesting

      A few years ago Ticketmaster and Clear Channel decided that selling out concerts meant lost revenue. Their goal is to price the tickets high enough that they get about 90% occupancy. Then Clear Channel cut Ticketmaster out of the loop and started handling their own ticket sales. The end result of this is concerts that almost never sell out, but the face value on the tickets is about what you would have paid from a scalper.

      Since Clear Channel typically owns the venue, puts the tour together, owns the radio stations on which the concert is promoted and sells the tickets, all the money goes to them. Their public image has become so bad recently that they have taken to promoting their concerts under the names of all the old regional promoters they bought up probably 10 years ago (I know it's Pace Concerts in the south.)

    10. Re:Eat me, Sony. by sgent · · Score: 2, Informative
      Does a company pay tax on money they distribute to shareholders? I know if they give every employee a nice bonus they don't wind up paying a corporate income tax on that. Do they pay a corporate income tax on money earmarked for dividends?

      A corporation pays tax on income. So if they have $1,000 in income, then that is taxed. Payroll/bonuses are a little different. If I pay you $100, then I will often (not always) owe the government $7.65 PLUS whatever I withhold from your paycheck for the purpose of social security matching. So to flesh out the above, $1000-100-7.65 = 892.35. If the corporation has a 35% income tax rate, they will owe 892.35 X .35 = 312.33 in income tax, leaving an after tax profit of $580.03

      Conversely, if they don't give you the $100 christmas bonus, then they will owe income taxes of $350, for a net after tax income of $650. This means paying you a $100 bonus, only cost them $69.97 in after tax profit.

      Dividends and stock buybacks MUST come from after tax profit. So in the above case, the maximum dividend would be $350 or $312.33 depending on the example. The company can choose not to distribute the entire amount of profit (for a variety of legitimate reasons), in which case it is added to retained earnings. It would not be subject to additional income taxation on that amount on a corporate level (assuming it sits in a bank earning no interest).

      The classic double taxation comes as follows... Taking the above profit of $650, when it is distributed to an individual they also must pay taxes on that amount -- approximately the same 35%. This means that their actual in the bank amount would be $422.50 (assuming the $650 example above).

      The reason this comes up in small business, is that if I'm a partnership or sole proprietor, I am only taxed once at the personal level. All profits are passed down (as well as expenses) to my personal tax form on Schedule C. So a part time consultant would have an after tax income of $650, but Accenture would have an after tax income of $422.50.

      Under certain conditions, a special case of corporation called a Subchapter-S Corp, is not subjected to that "double taxation" mentioned above. This is restricted to closely held corporations (less than 100 shareholders I think), and has other restrictions.

      This can get more complex, and one other thing to keep in mind (especially for small businesses), is that profit and cash don't line up. For instance, if I spend $2000 for a computer, I'm not allowed to expense it in the year it is purchased -- but it must be written off over 5 years. The same idea exists with invoices. If I issue an invoice for $5,000 on December 20, but am not paid, I will still owe taxes on that amount.

  2. Virii, worms and DRM ... by VitaminB52 · · Score: 2, Insightful

    are the digital infections AV software should protect your PC against.

  3. Phew! by Anonymous Coward · · Score: 5, Funny

    Phew, after seeing the list of artists all I can say is if these are the artists who'll be affected I'll be secure for years to come!

  4. Nice by ruiner13 · · Score: 5, Interesting

    I wonder how this will play out if a minor buys one of the broken CDs, puts it in their parents' computer and it gets taken over. As (at least in the US) minors cannot agree to contracts, I'm thinking the EULA cannot legally be agreed to by them. Since their EULA installs the rootkit on yes or no answers, this turns out to be illegal on so many levels. So much for buying Sony ever again, they make decent TVs, it is a shame that one of their divisions has to make such a bad image for the whole company.

    --

    today is spelling optional day.

    1. Re:Nice by fdiskne1 · · Score: 4, Interesting

      This particular bug gets installed even if you decline the EULA. Sony and SunnComm, what a wonderful combination. Remember, this is the same company that tried suing someone for putting on their web site "Hold the shift key down while inserting a copy protected CD to prevent the DRM software from being installed."

      Just shaking my head at their idiocy and getting ready to watch the fireworks, assuming anything actually happens because of this mess.

      --
      But why is the rum gone?
    2. Re:Nice by cortana · · Score: 2, Informative

      Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA.

      By the next day, the company had backed down in the face of public outrage. Looking back, Halderman says, "The whole experience was a whirlwind.... The response was way bigger than (anything I'd) expected."

      Source: Wired News: Music Man Cracks DRM Schemes, 7th December 2005.

  5. The music gene pool is self correcting by lohphat · · Score: 5, Funny

    Given the titles affected, consumers had it coming.

    1. Re:The music gene pool is self correcting by 91degrees · · Score: 2, Insightful

      Indeed. If only the rest of the world could have perfect taste.

  6. Oh goodness! More to investigate and recall. by saskboy · · Score: 4, Informative

    I even went to the bother of giving the EFF, Sony, and "independent 3rd party verification" the benefit of the doubt that they wouldn't frick things up AGAIN after their XCP DRM patch hole. Now I have to update my blog to say the MediaMax patch is hosed.

    http://www.independentbands.com/cd/switchfoot/nothingissound.html
    Some interesting info was brought to my attention today by http://www.glynhotz.com/ the lawyer in Ontario suing Sony over XCP for consumers in Canada. EMI issued a recall on a DRM infected CD, on October 6, shortly after Sony was notified of the rootkit in their XCP CDs.

    Anyone care to investigate this further?

    http://www.boycottsony.us/

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  7. Bitten by the patch? by ReformedExCon · · Score: 3, Funny

    So you could be hit once by the original flaw. Then you could be hit one more time by the flaw in the patch?

    Someone should write a song about that.

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:Bitten by the patch? by Arhat · · Score: 5, Funny

      Someone should write a song about that.

      Oops, I Did It Again?

    2. Re:Bitten by the patch? by k4_pacific · · Score: 4, Funny

      You can call it:
      DRMed if you do, DRMed if you don't

      --
      Unknown host pong.
    3. Re:Bitten by the patch? by ellijacket · · Score: 4, Funny

      I bought a cd the other day
      then I placed it in my cd tray
      My songs started playing to my delight
      Then I danced away through the night
      Never suspecting the sinister plan
      That was put in place by the music man

      My computer began to sneer and snort
      Viruses were streaming through the ports
      No matter what, I could not see
      The viruses were hidden from me
      I never suspected the sinister plan
      That was put in place by the music man

      I patched the bug and felt ok
      My computer would live another day
      but then my box fell to its knees
      no more bits could it process for me
      I never suspected the sinister plan
      Now I'll never buy from the music man.

  8. Sony/BMG, A Division of Al-Qaida by swschrad · · Score: 2, Funny

    congratulations, oh bearded one, for your infiltration of computers in the western world. and congratulations for keeping your sizeable stock holdings in Sony and Bertelsmann secret for so long.

    there is no other plausible explanation for the number of times Sony/BMG has shot itself in the nuts over copy protection that cannot do what they want it to do. it MUST be a plot against humanity by the AntiChrist. no other logic works out.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  9. This could be a good thing: by Donniedarkness · · Score: 3, Insightful

    I think that after Sony loses EVEN MORE money because of this, they may be a little conservative in the future. I still urge everyone to not buy any Sony products (I just talked my parents out of buying a $1300 Sony Camcorder, a $200 Sony car stereo system, and a Sony HDTV that has a price that I don't know). We need to show these guys that WE WILL NOT TOLERATE this sort of shit. These guys are doing whatever they can to make as much money as they can. Let's kick them where it hurts.

    --
    Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
  10. Why was the EFF involved in this? by Sanity · · Score: 4, Insightful
    Why did the EFF get involved in the announcement or endorsement of this patch? The EFF is a legal organization, not a technical organisation. Now, instead of the egg landing squarely on Sony's face, where it deserves to be, the EFF is embarrassed too.

    The EFF should have pointed out the vulnerabilities to Sony and left it at that, there was no need for the EFF to lend its name to Sony's fix for the problem.

    1. Re:Why was the EFF involved in this? by openfrog · · Score: 3, Interesting

      I see a good reason for the EFF to get involved. Sony was succeeding in keeping the two DRM issues separate, at least on the legal and larger public side (developers are (were?) seen as a negligible entity). The Agreement for the patch was for the EFF a way to get Sony to recognise the reality of the larger problem. I don't know if the EFF knew already what would follow, but I would not be surprised. Good move EFF!

      --
      Think!

    2. Re:Why was the EFF involved in this? by sgent · · Score: 2, Informative

      The EFF had a lawsuit against Sony outstanding regarding this technology (they sued for BOTH this and the XMP technology). This was part of Sony's attempt to mitigate damages from the lawsuit. Lawyers who care about their clients will often try to settle as much as possible rather than dragging it out for 10 years -- where no one is helped.

    3. Re:Why was the EFF involved in this? by openfrog · · Score: 2, Informative

      The EFF did not release the insecure patch. Sony did. What the EFF did was to allow Sony some time to release it:

      In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to provide SunnComm the opportunity to develop an update.

      IMHO: I admit that I don't know all the implications of the EFF move, probably no one does at this time. However, I would be prudent before blaming them. If Sony begins to listen to intelligent people instead of DRM vendors, it might not be a bad thing. In the end, their commercial interests might prevail, but at that time, the EFF will have earned a public recognition that can be used to access and mobilise public opinion.

  11. Oh what a tangled web we weave... by digitaldc · · Score: 3, Interesting

    ...when Sony CDs we do receive.

    Now if people can be sued for unlawful downloading, do people have the right to sue for unlawful malware?

    I think I will go on over to Microsoft.com and find some information about 'Sony rootkit'
    Here are my results:

    Results for:
    all the words: sony rootkit; category: Support & Troubleshooting; site: All of Microsoft.com;

    Support & Troubleshooting

    no results were found in this category.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  12. Sony is out of touch by gasmonso · · Score: 4, Interesting

    They're constantly pushing for technologies that people don't want and hopefully is going to hurt Sony. First there was the memory stick, now destructive DRM and the possibility of locking down PS3 games to one device. If lawsuits don't correct this (and they most likely won't), it's up to the consumer to correct the issue with their wallet.

    gasmonso http://religiousfreaks.com/
  13. original article from Felten and Halderman by edfelten · · Score: 5, Informative

    The original explanation of this, from Ed Felten and Alex Halderman, is at http://www.freedom-to-tinker.com/?p=942

  14. Big surprise by mrRay720 · · Score: 5, Insightful

    Did anyone really think that Sony were going to stop doing evil things? They don't see themselves as having any financial benefit from truly removing the damage they do to their consumers' computers. They have their reasons for wanting this crap on there in the first place, and a bit of bad publicity they think will blow over soon enough just isn't going to make those reasons go away.

    There will be an updated patch eventually that actually does a half decent job of removing the worst of the security holes - they'll have to if they don't want a blanket removal of all their spyware from AV companies as a security measure. Not even a giant of Sony's stature can last too long being seen actively attacking and damaging all of their customers.

    Then, after the news outlets have had their fill of the story, 6 months or so down the line they won't be wanting to run the same thing over again. Sony will then be free to come out with the next wave of evil but slightly less dangerous malware. That's how it goes. The next round will be a bit less dangerous, a LOT more secretive, but with the same anti-consumer schemes.

    That's my opinion, anyway.

  15. conspiracy theory by nazsco · · Score: 5, Insightful

    1. sony claims it needed the DRM crap to prevent pirates
    2. sum up the recall of the cds and drm development into "losses due to pirates"
    3. lots of news: "p2p makes music company lose money!"
    4. ?
    5. PROFIT!

  16. This is a good thing, in the long run by Eagle5596 · · Score: 2, Insightful

    In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM. In the future companies may find people simply don't buy any products with DRM because they are afraid there will be security holes. All in all this is probably a good thing for consumers in the long run as it will keep DRM off of CD's.

    1. Re:This is a good thing, in the long run by Chaffar · · Score: 3, Insightful
      "In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM."

      I disagree. Even though in theory this should happen, I feel that anyone who understood the nature and purpose of DRM was already against it in every way. I don't think that this fiasco attracted anyone's attention except of those who are already pretty much against DRM. This isn't really a M$ Vs. Linux Vs. Mac debate, where each party has its own arguments. I think that even the people who are against piracy kinda see how pointless these types of measures are, especially those that harm the innocent (i.e. the thing about not being able to copy more than 3 times screwing over iPod users?).

  17. Re:great way to keep kids away from britney... by Anonymous Coward · · Score: 2, Insightful
    I honestly do not believe any typical sony cd purchaser
    1. understands what happened or what they should do,
    2. understands that if he did understand, he was wrong and should
    3. understand that the second revision to his understanding was wrong, and so should not have downloaded to begin with (the patch) or should just get the tunes elsewhere...

    I work in an IT company. We develop software for the masses. Yet two of my colleagues did not know the term "rootkit" or have heard about the Sony goof-up. These were not office clerks or marketing people. They were 30-ish and both had developer background.

    That served as a reality check for me. This case has hardly been touched by the mainstream media.

    What's worse, now scores of naive users will try out rootkit detectors with no understanding of using them properly. False alarms will ensue, like claims of Firefox running 10 rootkits. Yeah, right! There will be lots of noise in the blogs, and little mention in the mainstream media. Joe Public will not be enlightened by this.

  18. Illegal by DeanFox · · Score: 3, Informative


    "Sony BMG said the MediaMax copy protection system, which is supposed to stop people making illegal copies of CDs, has been used on 50 titles sold in North America."

    Why do they keep emphasizing, "making illegal copies" when it is not illegal? I have the right to make as many copies as I want. What I cannot do is make un-authorized copies (fair use IS authorized) or distribute those copies.

  19. Man Bites Dog by headkase · · Score: 3, Interesting

    Boycotts are ineffective and Sony's proven they're too incompetent to even clean up after themselves. I'd like to see some lawyers sic themselves on Sony... Let's see a class action settlement of ~$100 for each user to get a professional to remove the security hole the software introduces. They just don't seem to understand anything but dollars so at least the lawyers would be using the right stick.

    --
    Shh.
  20. Re:Bitten by the patch? Lyrics by amcdiarmid · · Score: 2, Funny

    Hit by the flaw, Bitten by the patch.
    Lyrics by me.

    I got hit by the flaw, and bitten by the patch
    A computer rebuild, a 'driver with a ratchet
    It's hit me, it'll be hitting you
    How much did you pay for that Sony Doo-Doo?

    I Put a music CD in my CD-Drive
    Hit "I Accept" to some DRM jive
    Now I'm here, waiting for the other shoe
    and to make it worse, the music sucked too

    Hit by the flaw, bitten by the patch
    That company just said bend-over biatch
    Bitten by the patch, hit by the flaw
    hold on to your hat, 'cause that ain't all

    Picked it up this morning from the TV news
    Sony got another system that you don't want to use
    As if the first one wasn't bad enough, with your computer flubbed up
    They got a second system that's also bad enough

    Hit by the flaw, bitten by the patch
    some big CEO needs to take it up the ass

    "That's enough now, I'm Tired" - Opportunities never knock - The Clash - version where the kid sings it.

  21. Re:Web 2.0 by meringuoid · · Score: 2, Insightful
    sites are able to leverage Web 2.0 technologies

    Please don't use the word 'leverage' again unless you can estimate a value in newton metres. It makes you sound like a PHB.

    Rephrasing into sensible English,

    sites are able to use Web 2.0 technologies

    --
    Real Daleks don't climb stairs - they level the building.
  22. Re:Bitten by the patch? Lyrics by 93,000 · · Score: 2, Funny

    . . . and to make it worse, the music sucked too

    Something about that line struck me terribly funny. Bravo.

    I hope you're not mad that I reprinted it without permission.

  23. finally now i can use p2p again by nazsco · · Score: 3, Funny

    and when sony sues me (thru RIAA), i just load one of those handy cds with digital-rootkit-management and claim that someone else (probably at sony) was hijacking my computer and putting all those mp3, that i've never heard about before, there.

  24. I know! by Ruff_ilb · · Score: 2, Funny

    Let's fix it with a rootkit!

    --
    http://www.TheGamerNation.com/Forums
  25. Re:Don't sit HERE whining, TELL THEM by entirety · · Score: 5, Informative

    Where is Sony Music located, and how can I get in touch?

    The corporate headquarters for Sony Music Entertainment Inc. is located in New York City:

    Sony Music Entertainment Inc.
    550 Madison Ave
    New York, NY 10022-3211
    sonymusiconline@sonymusic.com

  26. What a good product might look like by Ant2 · · Score: 4, Interesting

    What if you could purchase an Audio CD that:

    - could play in all CD players, including PCs and car stereos?
    - had an extra track with non-DRM MP3s, OGG, and WMA files?
    - included cover art in JPG and PNG format?
    - included the full lyrics in TXT format?
    - was free from DRM and other executables?
    - (oh, and actually had songs you liked)

    Would you buy this? I would.

  27. Then how do we get rid of this thing? by Darthmalt · · Score: 2, Funny

    Friend of mine bought the Switchfoot cd and put it in her computer. I've tried using all the so called patches and Microsoft's anti spyware all of which failed to remove it. I've gotten to the point where now I can see the files but they're write protected. If I bypass the write protection and delete them will it screw up the laptop?

    CURSE YOU SONY!!! and your sudden but inevitable betrayal.

  28. Well there is some proof of this by SmallFurryCreature · · Score: 2, Insightful
    DRM crippled CD's have been with us for a number of years now. Granted the actual music company that tries it changes but it seems clear none of them have simply accepted that DRM is only damaging them.

    They keep hoping that this time the consumers will be ready for it. Someday, they will be right.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  29. Curious... by GmAz · · Score: 2, Insightful

    By recalling the CDs and sending out new ones without the DRM, does this remove the DRM from the machine or just leave it there. Or does the new CD remove the DRM when you play it? Same for the Sony Rootkit. By recalling the CDs, it sounds like they stopped the spread but didn't remove the actual DRM software. If this has been answered before, I am sorry.

    --
    Click Click Bloody Click PANCAKES!
  30. So let me get this right... by Anonymous Coward · · Score: 5, Insightful

    x installed rootkit
    x virus was written to use rootkit
    x lied about it sending info
    x licensing was illegal
    x contained stolen copyrighted code
    x created patch that contained vulnerability
    x patch collected info from machine

    x another drm contained vulnerability
    x created patch with vulnerability

    9 strikes. Did I leave anything out?

  31. they already do charge the artists! by feepcreature · · Score: 2, Insightful

    Isn't there still the 10% or so deduction from sales, before royalties are calculated, for breakages? A legacy from the days of shellac and vinyl, I believe. They could use that... (see http://www.scoremusicmagazine.com/scorerocks/bborg3.html) Or they could slap on another charge, and make even more money.

    --
    Paul "Say no to feeping creaturism"
  32. Be a software pirate.... by caffeinatedOnline · · Score: 2, Informative

    just hold down the shift key!!

    --
    The sky above the port was the color of television, tuned to a dead channel...
  33. "Remote Attestation" and content access monopolies by NZheretic · · Score: 2, Informative
    Don't just go after Sony. The REAL THREAT comes from the operating vendors themselves.

    ALL third party and more importantly operating system based DRM puts the user at greater risk. If the DRM code itself is not exploited then there are always new vulnerabilities being discovered in the media players and browsers used to play and display encoded content.

    August 02, 2005 "Remote Attestation" and content access monopolies

    The Trusted Platform Module provides the hardware functionality for digital rights software to provide effective remote attestation and digital key withholding.

    Both Microsoft and Apple have plans for media-digital-content-viewers that, at the request of a digital content provider, will not allow the user to view or access specific digital content if the operating system has been modified in certain ways.

    Because, for the foreseeable future, it is impossible for the digital rights management software to detect if an individual modification to a particular subsystem is hostile to the goals of the demanded digital rights, all software and subsystems relating to the operating system with storage and input to display will have to be digitally signed by Microsoft or Apple before it can be accepted by the DRM subsystem. Microsoft and Apple are effectively locking the user out from changing parts of the operating environment.

    Because it is possible for hackers to read digital keys used to encrypt content direct from the computer's memory, the operating system has to be built with the ability to lock the user from being able to access pages of memory used by the mediaplayer and digital rights management system.

    OS based Digital Right Management systems are based on the principle of locking the owner of the computer out of the ability to access sections of memory and disk space used by the DRM mediaplayer systems.

    Locking the owner out of parts of the computer has become a major security issue.

    Microsoft's Mediaplayer, Active-X ( still used with some DRM ), Real's realplayer, Adobe's PDF viewers, Apple's Quicktime and even Microsoft's and Sun's Java JVMs, have in the past had remotely exploitable vulnerabilities.

    OS based DRM combined with TPM based encryption along with inevitable future vulnerability holes in media access offers the malware/virus/worm creator the ability to hide a virus from any antivirus tool or live forensic analysis. Existing stealth viruses already have the ability to hide the modifications they have made to files, going undetected by antivirus programs. DRM encryption offers the ability for the malware to store content, and without the keys to decode the content, keep it hidden from any forensic analysis.

    Crackers and hackers always find ways to exploit the code to access or share protected content. There is not a DRM system that has not been cracked within months of widespread release. The focus on the code used in such systems also comes to the attention of malware/virus creators. The same holes discovered by those who just want to freely access content may possibly also be abused by those wanting to crack into your computer. Similar holes in other types of media viewers, the webbrowser and email programs, are increasingly being used for criminal gain by phishers and spyware makers.

    Some vendors reportedly have in the past purposely left backdoors in the source code to allow access by US intelligence agencies. This has not only become a major issue for other countries who fear spying, since discovered backdoors quickly become the criminal's frontdoor i