Slashdot Mirror


Sony's SunnComm DRM Patch a Security Risk

Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."

20 of 218 comments

  1. Eat me, Sony. by grub · · Score: 5, Insightful


    Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

    The publishers are just middlemen (middle-management?) scrambling to keep their distribution means relevant: cut them out like a cancer.

    a) Freely download
    b) Buy what you like (second hand if possible)
    c) Pay to see the artists live

    --
    Trolling is a art,
    1. Re:Eat me, Sony. by amliebsch · · Score: 4, Funny
      No, no, no, it was Jerry and Kramer.
      Kramer: "It's a write off for them!"
      Jerry: "How is it a write off?"
      Kramer: "They just write it off. Jerry, these big companies, they write off everything."
      Jerry: "(pause) You don't even know what a write off /is/."
      Kramer: "Do you?"
      Jerry: "No, I don't."
      Kramer: "But /they/ do... and /they're/ the ones writing it off."
      --
      If you don't know where you are going, you will wind up somewhere else.
    2. Re:Eat me, Sony. by Shakrai · · Score: 4, Interesting

      Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

      As much as I hate Sony, don't you think they are absorbing the cost as well? Just because they get to "write it off" doesn't mean they magically get the money back. A write off or a charge off is just an accounting term. They will probably get to report that write off when they file their income taxes -- it will reduce the amount of taxable income they had -- but they still have to absorb the cost.

      You or I can do the same thing with some expenses. You can reduce your taxable income by reporting expenses for medical care, uninsured losses, crime losses or bad debt (you loan me money and I default). Whether or not this makes sense for you (vs just taking the standard deduction) is something that only you or your accountant could figure out.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:Eat me, Sony. by The_Rook · · Score: 4, Insightful

      wanna bet that sony will figure out a way to charge the musicians for the recall and destruction of the "defective" discs?

      --
      when religion is no longer the opiate of the masses, governments will resort to real opiates.
  2. Phew! by Anonymous Coward · · Score: 5, Funny

    Phew, after seeing the list of artists all I can say is if these are the artists who'll be affected I'll be secure for years to come!

  3. Nice by ruiner13 · · Score: 5, Interesting

    I wonder how this will play out if a minor buys one of the broken CDs, puts it in their parents' computer and it gets taken over. As (at least in the US) minors cannot agree to contracts, I'm thinking the EULA cannot legally be agreed to by them. Since their EULA installs the rootkit on yes or no answers, this turns out to be illegal on so many levels. So much for buying Sony ever again; they make decent TVs, it is a shame that one of their divisions has to make such a bad image for the whole company.

    --

    today is spelling optional day.

    1. Re:Nice by fdiskne1 · · Score: 4, Interesting

      This particular bug gets installed even if you decline the EULA. Sony and SunnComm, what a wonderful combination. Remember, this is the same company that tried suing someone for putting on their web site "Hold the shift key down while inserting a copy protected CD to prevent the DRM software from being installed."

      Just shaking my head at their idiocy and getting ready to watch the fireworks, assuming anything actually happens because of this mess.

      --
      But why is the rum gone?
  4. The music gene pool is self correcting by lohphat · · Score: 5, Funny

    Given the titles affected, consumers had it coming.

  5. Oh goodness! More to investigate and recall. by saskboy · · Score: 4, Informative

    I even went to the bother of giving the EFF, Sony, and "independent 3rd party verification" the benefit of the doubt that they wouldn't frick things up AGAIN after their XCP DRM patch hole. Now I have to update my blog to say the MediaMax patch is hosed.

    http://www.independentbands.com/cd/switchfoot/nothingissound.html
    Some interesting info was brought to my attention today by http://www.glynhotz.com/ the lawyer in Ontario suing Sony over XCP for consumers in Canada. EMI issued a recall on a DRM infected CD, on October 6, shortly after Sony was notified of the rootkit in their XCP CDs.

    Any one care to investigate this further?

    http://www.boycottsony.us/

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  6. Why was the EFF involved in this? by Sanity · · Score: 4, Insightful
    Why did the EFF get involved in the announcement or endorsement of this patch? The EFF is a legal organization, not a technical organization. Now, instead of the egg landing squarely on Sony's face, where it deserves to be, the EFF is embarrassed too.

    The EFF should have pointed out the vulnerabilities to Sony and left it at that, there was no need for the EFF to lend its name to Sony's fix for the problem.

  7. Sony is out of touch by gasmonso · · Score: 4, Interesting

    They're constantly pushing for technologies that people don't want, and hopefully it is going to hurt Sony. First there was the memory stick, now destructive DRM and the possibility of locking down PS3 games to one device. If lawsuits don't correct this (and they most likely won't), it's up to the consumer to correct the issue with their wallet.

    gasmonso http://religiousfreaks.com/
  8. original article from Felten and Halderman by edfelten · · Score: 5, Informative

    The original explanation of this, from Ed Felten and Alex Halderman, is at http://www.freedom-to-tinker.com/?p=942

  9. Big surprise by mrRay720 · · Score: 5, Insightful

    Did anyone really think that Sony were going to stop doing evil things? They don't see themselves as having any financial benefit from truly removing the damage they do to their consumers' computers. They have their reasons for wanting this crap on there in the first place, and a bit of bad publicity they think will blow over soon enough just isn't going to make those reasons go away.

    There will be an updated patch eventually that actually does a half decent job of removing the worst of the security holes - they'll have to if they don't want a blanket removal of all their spyware from AV companies as a security measure. Not even a giant of Sony's stature can last too long being seen actively attacking and damaging all of their customers.

    Then, after the news outlets have had their fill of the story, 6 months or so down the line they won't be wanting to run the same thing over again. Sony will then be free to come out with the next wave of evil but slightly less dangerous malware. That's how it goes. The next round will be a bit less dangerous, a LOT more secretive, but with the same anti-consumer schemes.

    That's my opinion, anyway.

  10. conspiracy theory by nazsco · · Score: 5, Insightful

    1. sony claims it needed the DRM crap to prevent pirates
    2. sum up the recall of the cds and drm development into "losses due to pirates"
    3. lots of news: "p2p makes music company lose money!"
    4. ?
    5. PROFIT!

  11. Re:Bitten by the patch? by Arhat · · Score: 5, Funny

    Someone should write a song about that.

    Oops, I Did It Again?

  12. Re:Bitten by the patch? by k4_pacific · · Score: 4, Funny

    You can call it:
    DRMed if you do, DRMed if you don't

    --
    Unknown host pong.
  13. Re:Bitten by the patch? by ellijacket · · Score: 4, Funny

    I bought a cd the other day
    then I placed it in my cd tray
    My songs started playing to my delight
    Then I danced away through the night
    Never suspecting the sinister plan
    That was put in place by the music man

    My computer began to sneer and snort
    Viruses were streaming through the ports
    No matter what, I could not see
    The viruses were hidden from me
    I never suspected the sinister plan
    That was put in place by the music man

    I patched the bug and felt ok
    My computer would live another day
    but then my box fell to its knees
    no more bits could it process for me
    I never suspected the sinister plan
    Now I'll never buy from the music man.

  14. Re:Don't sit HERE whining, TELL THEM by entirety · · Score: 5, Informative

    Where is Sony Music located, and how can I get in touch?

    The corporate headquarters for Sony Music Entertainment Inc. is located in New York City:

    Sony Music Entertainment Inc.
    550 Madison Ave
    New York, NY 10022-3211
    sonymusiconline@sonymusic.com

  15. What a good product might look like by Ant2 · · Score: 4, Interesting

    What if you could purchase an Audio CD that:

    - could play in all CD players, including PCs and car stereos?
    - had an extra track with non-DRM MP3s, OGG, and WMA files?
    - included cover art in JPG and PNG format?
    - included the full lyrics in TXT format?
    - was free from DRM and other executables?
    - (oh, and actually had songs you liked)

    Would you buy this? I would.

  16. So let me get this right... by Anonymous Coward · · Score: 5, Insightful

    x installed rootkit
    x virus was written to use rootkit
    x lied about it sending info
    x licensing was illegal
    x contained stolen copyrighted code
    x created patch that contained vulnerability
    x patch collected info from machine

    x another drm contained vulnerability
    x created patch with vulnerability

    9 strikes. Did I leave anything out?