We propose this new logo
The story that wouldn’t go away —
And maybe it shouldn’t: Security researchers — the same ones who earlier this week found serious security holes in a patch Sony issued to remove the scariest components of its anti-piracy program — today bring us evidence of similarly frightening security holes associated with another digital rights management (DRM) program the recording label uses on some CDs, a product called SunnComm MediaMax.
Edward Felten, a computer science professor at Princeton University, said that while SunnComm and Sony BMG offer a tool that allows users to completely uninstall the program, the uninstaller also opens the computer up to extremely serious security problems, much like the uninstaller for First4Internet’s infamous copy-protection program.
From Felten’s post: “When you visit the SunnComm uninstaller web page, you are prompted to accept a small software component — an ActiveX control called AxWebRemoveCtrl created by SunnComm. This control has a design flaw that allows any Web site to cause it to download and execute code from an arbitrary URL.
“If you’ve used the SunnComm uninstaller, the vulnerable AxWebRemoveCtrl component is still on your computer, and if you later visit an evil Web site, the site can use the flawed control to silently download, install and run any software code it likes on your computer. The evil site could use this ability to cause severe damage, such as adding your PC to a botnet or erasing your hard disk.”
Felten said you can tell whether the vulnerable control is installed on your computer by using a tool he developed: the “AxWebRemoveCtrl detector.” More details are avaiable at his blog, Freedom-to-Tinker.com. A note of caution from Felten, however:
“Unfortunately, if you use our tool to block the control, you won’t be able to use SunnComm’s current uninstaller to remove their software. It’s up to them to replace the flawed uninstaller with a safe one as soon as possible, and to contact those who have already used the vulnerable uninstaller with instructions for closing the hole.”
Great, so now we’re waiting for a safe uninstall tool from both Sony and SunnComm?
This is the management team that’s going to rescue Sony?
Update, Friday 18 Nov:
It seems that the XCP software from UK company First4Internet that Sony had been using to prevent unauthorised copying of its music CDs, until it agreed to recall some 4.7 million discs, contains code ‘infringing the copyright of several open source projects’, Johansen [DVD Jon] notes in his blog. This includes code that he himself wrote for VLC, a free cross-platform media player.
The code was uncovered by Finnish software developer Matti Nikki, who also discovered other copyright violations.
‘We can confirm that at least five functions in the XCP software are identical to functions in LAME,’ Thomas Dullien from Sabre Security, a company that specialises in the analysis of complex software, told Reuters.
Although open source software can be freely used, it must be credited as such. No mention of it was made in the XCP code.
Everyone is talking about the root-kit and the uninstaller, but the EULA is amost worse.
http://www.eff.org/deeplinks/archives/004145.php
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That’s because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can’t keep your music on any computers at work. The EULA only gives you the right to put copies on a “personal home computer system owned by you.”
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids “export” outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to “enforce their rights” against you, at any time, without notice. And Sony-BMG disclaims any liability if this “self help” crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That’s right, no matter what happens, you can’t even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer or sell the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.
And here’s another story about how “real” story, how the supposed security companies failed to discover this root-kit and even failed to address it AFTER it was discovered. I’m in agreement, it’s egregious!
http://www.wired.com/news/privacy/0,1848,69601,00.html?tw=wn_story_page_prev2
Choice quotes:
“But much worse than not detecting it before Russinovich’s discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.”
“What happens when the creators of malware collude with the very companies we hire to protect us from that malware?”
The problem now, is that the media won’t be interested in the new story. “We’ve done that kind of story with Sony already”.
It will be like when the Worldcom story broke. It was a much bigger story than Enron (much, much more money), but the mainstream media wasn’t interested. “We did that story already with Enron”
I hope I’m wrong, because media pressure is the only thing that will press Sony to do the right thing.
A lot of those points above are exagerated and blown out of prortion and taken completely out of context.
It was picked apart by typical /.ers last week – then the more rational /.ers actually read it
for example:
” 3. If you move out of the country, you have to delete all your music. The EULA specifically forbids “export” outside the country where you reside.”
If you move country, you will cease residing in your current country and then reside in the new one. So of course you can take your digital media there.
point 9 would also be dismissed under fair use agreement if it was for personal use/display, and not being published some place.
Any way, if we all actually read the EULAs no-one would bother installing anything. Have you read Windows Media Player EULA? That is much more scary.
One thing that nobody seems to discuss is that Sony is using software from third parties for it’s DRM… so what other companies have hired 4 Internet or whatever those losers are called, and used the same software, maybe without a license or EULA? As I suggested when this whole thing started a couple of weeks ago, both Sony cancelled the whole project and Microsoft classified this as malware to be detected and removed by a security update. But what other companies used the same malware and didn’t even bother to do a EULA or anything else?
DRM is evil, plain and simple.
All this wierdness makes me wonder what kind of drm sony have planed for blue-ray
Lear: “A lot of those points above are exagerated and blown out of prortion and taken completely out of context.”
First, the first job of any attorney is to exaggerate, blow stuff out of proportion, and take stuff out of context. In other words, stretch the language of the EULA as far as possible to benefit Sony.
Second, it’s quite clear from the EULA that Sony has an agenda to eliminate fair use.
Third, it’s also quite clear from the EULA that Sony has an agenda to eliminate the first sale doctrine, i.e., eliminate our right to resell the music, movies, and games we buy.
Check out this patent Sony obtained:
http://www.joystiq.com/entry/1234000420067137/
It’s a technology that equates used software, games, and movies with pirated versions. And then makes it impossible to play such used or resold games on a different system.
Well, Sony is not learning the lesson, all they think about now will be how to get back the tens of millions of dollars they lost for recalling the CDs…
As long as we buy it, as long as we line up, pants down, with spread cheeks, as long as we “Click here now for some free kind of mindless bullshit!”, as long as we worship the digital a/v gods then we sure as hell deserve every deep penetration/ejaculation we receive.
What’s up with this ten thousand songs in your hip pocket deal anyways?
Get a life.