Slashdot Mirror


Sony's SunnComm DRM Patch a Security Risk

Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."

29 of 218 comments

  1. Eat me, Sony. by grub · · Score: 5, Insightful


    Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

    The publishers are just middlemen (middle-management?) scrambling to keep their distribution means relevant: cut them out like a cancer.

    a) Freely download
    b) Buy what you like (second hand if possible)
    c) Pay to see the artists live

    --
    Trolling is a art,
    1. Re:Eat me, Sony. by amliebsch · · Score: 4, Funny
      No, no, no, it was Jerry and Kramer.

      Kramer: "It's a write-off for them!"
      Jerry: "How is it a write-off?"
      Kramer: "They just write it off. Jerry, these big companies, they write off everything."
      Jerry: "(pause) You don't even know what a write-off /is/."
      Kramer: "Do you?"
      Jerry: "No, I don't."
      Kramer: "But /they/ do... and /they're/ the ones writing it off."
      --
      If you don't know where you are going, you will wind up somewhere else.
    2. Re:Eat me, Sony. by Shakrai · · Score: 4, Interesting

      Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

      As much as I hate Sony, you don't think they are absorbing the cost as well? Just because they get to "write it off" doesn't mean they magically get the money back. A write-off or a charge-off is just an accounting term. They will probably get to report that write-off when they file their income taxes -- it will reduce the amount of taxable income they had -- but they still have to absorb the cost.

      You or I can do the same thing with some expenses. You can reduce your taxable income by reporting expenses for medical care, uninsured losses, crime losses or bad debt (you loan me money and I default). Whether or not this makes sense for you (vs just taking the standard deduction) is something that only you or your accountant could figure out.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Eat me, Sony. by The_Rook · · Score: 4, Insightful

      Wanna bet that Sony will figure out a way to charge the musicians for the recall and destruction of the "defective" discs?

      --
      when religion is no longer the opiate of the masses, governments will resort to real opiates.
    4. Re:Eat me, Sony. by sgent · · Score: 3, Informative
      Almost, but not quite... Companies pay taxes (at least in the US) on net income, not revenue. So extending your example of a 50% tax rate and $20 net income...

      50% of $20 = $10 available to shareholders and $10 in taxes. If the company then distributes that $10 to the shareholders (sends them a check), the shareholders have to pay taxes on the money received on their personal income taxes.

      Ok, now assume they have a recall that costs them $5. So it's $20 - $5 write-off = $15. $15 x 50% = $7.50 in taxes, and $7.50 to distribute.

      The concept of a write-off is often misunderstood. One reason that it's even such an issue is in the case of small to medium business. Remember that the corporate income is taxed, and then taxed again when distributed to shareholders. A small business can buy an MSDN subscription for $2,000. This means that it will only cost the owner approximately $1,000 in take-home pay. It's not that it's free, but just that it costs less to the owner than if Joe Blow hobbyist had bought the same subscription.*

      *Note, taxes are complex, this doesn't even attempt to explain the complexities -- including common workarounds.

  2. Phew! by Anonymous Coward · · Score: 5, Funny

    Phew, after seeing the list of artists all I can say is if these are the artists who'll be affected I'll be secure for years to come!

  3. Nice by ruiner13 · · Score: 5, Interesting

    I wonder how this will play out if a minor buys one of the broken CDs, puts it in their parents' computer and it gets taken over. As (at least in the US) minors cannot agree to contracts, I'm thinking the EULA cannot legally be agreed to by them. Since their EULA installs the rootkit on yes or no answers, this turns out to be illegal on so many levels. So much for buying Sony ever again; they make decent TVs, it is a shame that one of their divisions has to make such a bad image for the whole company.

    --

    today is spelling optional day.

    1. Re:Nice by fdiskne1 · · Score: 4, Interesting

      This particular bug gets installed even if you decline the EULA. Sony and SunnComm, what a wonderful combination. Remember, this is the same company that tried suing someone for putting on their web site "Hold the shift key down while inserting a copy protected CD to prevent the DRM software from being installed."

      Just shaking my head at their idiocy and getting ready to watch the fireworks, assuming anything actually happens because of this mess.

      --
      But why is the rum gone?
  4. The music gene pool is self correcting by lohphat · · Score: 5, Funny

    Given the titles affected, consumers had it coming.

  5. Oh goodness! More to investigate and recall. by saskboy · · Score: 4, Informative

    I even went to the bother of giving the EFF, Sony, and "independent 3rd party verification" the benefit of the doubt that they wouldn't frick things up AGAIN after their XCP DRM patch hole. Now I have to update my blog to say the MediaMax patch is hosed.

    http://www.independentbands.com/cd/switchfoot/nothingissound.html
    Some interesting info was brought to my attention today by http://www.glynhotz.com/ the lawyer in Ontario suing Sony over XCP for consumers in Canada. EMI issued a recall on a DRM-infected CD on October 6, shortly after Sony was notified of the rootkit in their XCP CDs.

    Any one care to investigate this further?

    http://www.boycottsony.us/

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  6. Bitten by the patch? by ReformedExCon · · Score: 3, Funny

    So you could be hit once by the original flaw. Then you could be hit one more time by the flaw in the patch?

    Someone should write a song about that.

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:Bitten by the patch? by Arhat · · Score: 5, Funny

      Someone should write a song about that.

      Oops, I Did It Again?

    2. Re:Bitten by the patch? by k4_pacific · · Score: 4, Funny

      You can call it:
      DRMed if you do, DRMed if you don't

      --
      Unknown host pong.
    3. Re:Bitten by the patch? by ellijacket · · Score: 4, Funny

      I bought a cd the other day
      then I placed it in my cd tray
      My songs started playing to my delight
      Then I danced away through the night
      Never suspecting the sinister plan
      That was put in place by the music man

      My computer began to sneer and snort
      Viruses were streaming through the ports
      No matter what, I could not see
      The viruses were hidden from me
      I never suspected the sinister plan
      That was put in place by the music man

      I patched the bug and felt ok
      My computer would live another day
      but then my box fell to its knees
      no more bits could it process for me
      I never suspected the sinister plan
      Now I'll never buy from the music man.

  7. This could be a good thing: by Donniedarkness · · Score: 3, Insightful

    I think that after Sony loses EVEN MORE money because of this, they may be a little conservative in the future. I still urge everyone to not buy any Sony products (I just talked my parents out of buying a $1300 Sony Camcorder, a $200 Sony car stereo system, and a Sony HDTV that has a price that I don't know). We need to show these guys that WE WILL NOT TOLERATE this sort of shit. These guys are doing whatever they can to make as much money as they can. Let's kick them where it hurts.

    --
    Earn a % of cash back from Newegg, Tiger Direct, Walmart.com, and more: http://www.mrrebates.com?refid=458505
  8. Why was the EFF involved in this? by Sanity · · Score: 4, Insightful
    Why did the EFF get involved in the announcement or endorsement of this patch? The EFF is a legal organization, not a technical organisation. Now, instead of the egg landing squarely on Sony's face, where it deserves to be, the EFF is embarrassed too.

    The EFF should have pointed out the vulnerabilities to Sony and left it at that, there was no need for the EFF to lend its name to Sony's fix for the problem.

    1. Re:Why was the EFF involved in this? by openfrog · · Score: 3, Interesting

      I see a good reason for the EFF to get involved. Sony was succeeding in keeping the two DRM issues separate, at least on the legal and larger public side (developers are (were?) seen as a negligible entity). The agreement for the patch was for the EFF a way to get Sony to recognise the reality of the larger problem. I don't know if the EFF knew already what would follow, but I would not be surprised. Good move EFF!

      --
      Think!

  9. Oh what a tangled web we weave... by digitaldc · · Score: 3, Interesting

    ...when Sony CDs we do receive.

    Now if people can be sued for unlawful downloading, do people have the right to sue for unlawful malware?

    I think I will go on over to Microsoft.com and find some information about 'Sony rootkit'
    Here are my results:

    Results for:
    all the words: sony rootkit; category: Support & Troubleshooting; site: All of Microsoft.com;

    Support & Troubleshooting

    no results were found in this category.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  10. Sony is out of touch by gasmonso · · Score: 4, Interesting

    They're constantly pushing for technologies that people don't want, and hopefully this is going to hurt Sony. First there was the Memory Stick, now destructive DRM and the possibility of locking down PS3 games to one device. If lawsuits don't correct this (and they most likely won't), it's up to the consumer to correct the issue with their wallet.

    gasmonso http://religiousfreaks.com/
  11. original article from Felten and Halderman by edfelten · · Score: 5, Informative

    The original explanation of this, from Ed Felten and Alex Halderman, is at http://www.freedom-to-tinker.com/?p=942

  12. Big surprise by mrRay720 · · Score: 5, Insightful

    Did anyone really think that Sony were going to stop doing evil things? They don't see themselves as having any financial benefit from truly removing the damage they do to their consumers' computers. They have their reasons for wanting this crap on there in the first place, and a bit of bad publicity they think will blow over soon enough just isn't going to make those reasons go away.

    There will be an updated patch eventually that actually does a half decent job of removing the worst of the security holes - they'll have to if they don't want a blanket removal of all their spyware from AV companies as a security measure. Not even a giant of Sony's stature can last too long being seen actively attacking and damaging all of their customers.

    Then, after the news outlets have had their fill of the story, 6 months or so down the line they won't be wanting to run the same thing over again. Sony will then be free to come out with the next wave of evil but slightly less dangerous malware. That's how it goes. The next round will be a bit less dangerous, a LOT more secretive, but with the same anti-consumer schemes.

    That's my opinion, anyway.

  13. conspiracy theory by nazsco · · Score: 5, Insightful

    1. Sony claims it needed the DRM crap to prevent pirates
    2. sum up the recall of the CDs and DRM development into "losses due to pirates"
    3. lots of news: "p2p makes music company lose money!"
    4. ?
    5. PROFIT!

  14. Illegal by DeanFox · · Score: 3, Informative


    "Sony BMG said the MediaMax copy protection system, which is supposed to stop people making illegal copies of CDs, has been used on 50 titles sold in North America."

    Why do they keep emphasizing "making illegal copies" when it is not illegal? I have the right to make as many copies as I want. What I cannot do is make unauthorized copies (fair use IS authorized) or distribute those copies.

  15. Man Bites Dog by headkase · · Score: 3, Interesting

    Boycotts are ineffective and Sony's proven they're too incompetent to even clean up after themselves. I'd like to see some lawyers sic themselves on Sony... Let's see a class action settlement of ~$100 for each user to get a professional to remove the security hole the software introduces. They just don't seem to understand anything but dollars, so at least the lawyers would be using the right stick.

    --
    Shh.
  16. Re:This is a good thing, in the long run by Chaffar · · Score: 3, Insightful
    "In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM."

    I disagree. Even though in theory this should happen, I feel that anyone who understood the nature and purpose of DRM was already against it in every way. I don't think that this fiasco attracted anyone's attention except of those who are already pretty much against DRM. This isn't really a M$ Vs. Linux Vs. Mac debate, where each party has its own arguments. I think that even the people who are against piracy kinda see how pointless these types of measures are, especially those that harm the innocent (i.e. the thing about not being able to copy more than 3 times screwing over iPod users?).

  17. finally now I can use p2p again by nazsco · · Score: 3, Funny

    and when Sony sues me (thru the RIAA), I just load one of those handy CDs with digital-rootkit-management and claim that someone else (probably at Sony) was hijacking my computer and putting all those mp3s, that I've never heard about before, there.

  18. Re:Don't sit HERE whining, TELL THEM by entirety · · Score: 5, Informative

    Where is Sony Music located, and how can I get in touch?

    The corporate headquarters for Sony Music Entertainment Inc. is located in New York City:

    Sony Music Entertainment Inc.
    550 Madison Ave
    New York, NY 10022-3211
    sonymusiconline@sonymusic.com

  19. What a good product might look like by Ant2 · · Score: 4, Interesting

    What if you could purchase an Audio CD that:

    - could play in all CD players, including PCs and car stereos?
    - had an extra track with non-DRM MP3s, OGG, and WMA files?
    - included cover art in JPG and PNG format?
    - included the full lyrics in TXT format?
    - was free from DRM and other executables?
    - (oh, and actually had songs you liked)

    Would you buy this? I would.

  20. So let me get this right... by Anonymous Coward · · Score: 5, Insightful

    x installed rootkit
    x virus was written to use rootkit
    x lied about it sending info
    x licensing was illegal
    x contained stolen copyrighted code
    x created patch that contained vulnerability
    x patch collected info from machine

    x another drm contained vulnerability
    x created patch with vulnerability

    9 strikes. Did I leave anything out?