Forgot your password?
typodupeerror
Sony Media Music Security

EFF and Sony Disclose New DRM Security Hole 258

Posted by CowboyNeal
from the yet-another dept.
Dotnaught writes "The Electronic Frontier Foundation (EFF) and SONY BMG Music Entertainment said on Tuesday that SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. Security firm iSEC Partners discovered the hole following a request by the EFF to examine the SunnComm software. The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."
This discussion has been archived. No new comments can be posted.

EFF and Sony Disclose New DRM Security Hole

Comments Filter:
  • by scenestar (828656) on Wednesday December 07, 2005 @08:47AM (#14201462) Homepage Journal
    How big of a drama it is.

    Sue the bastards and get it over with.
  • Useful indeed (Score:5, Insightful)

    by Renegade Lisp (315687) * on Wednesday December 07, 2005 @08:50AM (#14201479)
    And to think that only yesterday, there was a slashdot story [slashdot.org] wondering whether the EFF had outlived its usefulness... So there's your answer, I guess.
    • Damn. Beat me to it you did. Mod parent up; this sums up yesterday's BS story.
    • by Billosaur (927319) * <wgrother@OOOopto ... inus threevowels> on Wednesday December 07, 2005 @09:09AM (#14201606) Journal

      From EFF: "We're pleased that SONY BMG responded quickly and responsibly when we drew their attention to this security problem," said EFF staff attorney Kurt Opsahl. "Consumers should take immediate steps to protect their computers."

      As if Sony, which already has a boatload of negative publicity, could do anything else. I think even the stuffed shirts there must now realize that they can't let anything else fall through the cracks or their music business might collapse. Don't be surprised in Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.

      • by CaptainZapp (182233) * on Wednesday December 07, 2005 @10:01AM (#14202028) Homepage
        Most surprising is the change of Tune of Mr. Hesse, from:

        "Users don't know what a rootkit is so why should they care"

        to

        "We are taking the concerns of our customers very seriously, blahblahblah"

        Could it be that Mr. Hesse is full of shit?

      • by Anonymous Coward on Wednesday December 07, 2005 @10:51AM (#14202474)
        Don't be surprised in Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.

        They already lost me. And when a company loses my business, they lose it permanently.

        I had a Technics CD player in the mid-80's that had to be fixed repeatedly for the same problem under warranty. When the problem recurred shortly after the unit went out of warranty and they refused to fix or replace it, I sent a polite letter to the head of Panasonic USA explaining the situation and telling them that if they didn't replace the unit I'd never buy a another Panasonic product. They declined to fix or replace the unit and twenty years later, I still don't have another Panasonic product.

        You can be sure that there will never be a Sony product in my house in the future.

        Of course, this could be their attempt to implement DRM by fear. If your PC gets compromised every time you put a Sony audio disk in the drive, maybe you'll stop doing it. If you don't put the CD in your PC, they don't have to worry about you copying it.
      • by IAmTheDave (746256) <basenamedave-sd.yahoo@com> on Wednesday December 07, 2005 @10:58AM (#14202531) Homepage Journal
        Don't be surprised in Sony divests itself of BMG music at some point in the future, to keep from losing customers for its home electronics business.

        Why, because Sony's other electronics shops won't be including any DRM built in, like DRM on HDMI and new high def TVs, DRM in new Blu-Ray DVD players, DRM in game machines and on game discs, DRM on Blu-Ray discs... I can almost guarentee that some of this DRM will prevent users from using the content they purchase the way they want to use it. Sony needs not to divest itself of BMG as a solution, because the problem exists at a much higher level - the perception that DRM is a "Good Thing." Until they resolve THAT issue, Sony is in for some hurt.

    • I can't believe people are taking that article seriously. It has to be some sort of bizarre joke on the part of The Register. Ignoring the ridiculous premise, take a look at the content of the article. It's written by someone calling himself "Bonhomie Snoutintroff", which should give you an idea of what to expect. He calls the EFF "pale vegetarians", and the media "pigopolists". What does that even mean? At the end of the article, there is a registered trademark symbol for no reason.

      Here is the Register'
      • in other news from the register [theregister.co.uk]
        • Celine Dion fights mutant rats on Xbox 360 [theregister.co.uk]
        • Mutant rats menace Belfast [theregister.co.uk]
        • Killer squirrel pack guts dog [theregister.co.uk]
        • Youths strap hamster to rocket [theregister.co.uk]
        • Al-Qaeda probes enemy on Google Earth [theregister.co.uk]
        • Japan triumphs with MP3 toilet seat [theregister.co.uk]
        • Entire porn outfit for sale on eBay [theregister.co.uk]
        • Slashdot practises safe sex [theregister.co.uk]
  • by xmuskrat (613243) on Wednesday December 07, 2005 @08:50AM (#14201480) Homepage
    Hopefully the fix is them turning around, bending over, and grabbing their ankles.
  • Quick Question... (Score:5, Interesting)

    by parsnip11 (637516) on Wednesday December 07, 2005 @08:53AM (#14201498)
    Who in their right mind would voluntarily install something from SunComm or SonyBMG given their track record?

    Their software phones home and cripples your computer. Would anyone here actually trust them?
    • by jc42 (318812) on Wednesday December 07, 2005 @09:24AM (#14201697) Homepage Journal
      Who in their right mind would voluntarily install something from SunComm or SonyBMG given their track record?

      Most of the victims have no idea that they're installing software on their computer. They're just playing a CD that they bought.

      We geeks and nerds on /. understand the issue. 99% of the population don't even know what "installing software" means, have never done it (intentionally), and aren't to blame for being victims of such things.

      Blame the criminals, not their victims.

      • 99% of the population don't even know what "installing software" means

        you mean when I download a program from the CD to my computer?
  • Thank you Sony! (Score:5, Insightful)

    by Suzumushi (907838) on Wednesday December 07, 2005 @08:55AM (#14201512)
    Sony has done more damage to the DMCA and set back DRM farther than the combined efforts of the EFF and like-minded people around the world. We should all thank them.
    • Re:Thank you Sony! (Score:5, Interesting)

      by morgan_greywolf (835522) on Wednesday December 07, 2005 @09:04AM (#14201580) Homepage Journal
      Yes, but the one thing they haven't been successful in is pointing out the danger of DRM to Joe Sixpack. A number of people I've spoken with have never heard of the Sony 'rootkit' case and had no idea that playing a recent Sony DRM-protected CD on a Windows PC could be dangerous to their computer system.
      • Re:Thank you Sony! (Score:3, Insightful)

        by VitaminB52 (550802)
        Yes, but the one thing they haven't been successful in is pointing out the danger of DRM to Joe Sixpack.

        Antivirus software reporting the Sony DRM software as a virus should take care of that.
        Oh yes, and popular DJ's on national radio should warn their audience about the Sony DRM shit^H^H^Hoftware.

        • Oh yes, and popular DJ's on national radio should warn their audience about the Sony DRM shit^H^H^Hoftware.

          Yeah, because it makes perfect sense for them to tell people to boycott one of the companies that pay their bills... *rolls eyes*
          • I don't know about the US, but here in the UK, most commercial radio stations seem to be funded by the ad placements, not the recording industry. They do need a special kind of licence to play the music over the air, though, and presumably the copyright holder could deny them permission to do it.

            • Don't get me wrong. I *do* think that DJs should mention this, since that's supposedly (although this is highly arguable) part of their role in being in the media. I'm sure, however, that this is something that is getting mentioned at the college and local radio levels. Problem is that in the US, it's well known that the major radio networks/providers receive a lot of money from the major labels to promote their crap, and this is where my comment above comes in. After all, it's not the dorky little guy sitt
            • Here it's not called ad revenue, it's called payola:

              http://www.msnbc.msn.com/id/8700936/ [msn.com]
        • Right, because everyone keeps their virus definitions up to date...
      • Re:Thank you Sony! (Score:3, Informative)

        by Phisbut (761268)
        A number of people I've spoken with have never heard of the Sony 'rootkit' case and had no idea that playing a recent Sony DRM-protected CD on a Windows PC could be dangerous to their computer system.

        I dunno about the media where you are, but up here in Québec, the Sony DRM screwup made the evening news bulletin on more than one occasion on two of the most watched channels, even clearly stating that the music CD's installed spyware without your agreement. Although not everybody knows what a rootkit i

  • by Phillip2 (203612) on Wednesday December 07, 2005 @08:56AM (#14201523)
    It is clear that DRM software is going to be as open to bugs as any other
    software, and some of these will constitute a security threat.

    Surely the solution is obvious. If they built DRM software directly into the
    operating system, then it could be happily updated with all the rest of the
    software, using whatever update mechanisms your OS provides.

    I'm sure that the security minded folks on slashdot will be the first to
    support a legal requirement for DRM in all OS'es, so that we can solve this
    problem before it becomes really serious.

    Phil
    • by /ASCII (86998)
      It's obvious that you are joking, but the problem is that this is exactly the solution that will be proposed, and in politics it is the preferred type of solution.
    • by eggoeater (704775) on Wednesday December 07, 2005 @09:06AM (#14201591) Journal
      It is clear that DRM software is going to be as open to bugs as any other software...
      Actually...much more so.
      DRM software has to do more than regular software to prevent users from circumventing it, with the latest craze being OS hooks.
      Insecure software + OS hooks = HUGE security risks.
      If you ever want to release a worm that takes advantage of a DRM security hole, just put it on a web site that tells you how to disable that particular DRM. People will google for a way to disable their DRM, go to your site, and WHAM.

    • I'm sure that the security minded folks on slashdot will be the first to support a legal requirement for DRM in all OS'es, so that we can solve this problem before it becomes really serious.

      * applauds *

      Bravo! It's been far too long since I've seen a really good troll on /. - too many people think it's sufficient to copy and paste classic trolls of the past, or don't understand trolling and just post obscenities and flamebait, so it's wonderful to see a new, proper troll from time to time.

      Good trolling

  • Sorry to be rude (Score:5, Insightful)

    by FidelCatsro (861135) * <fidelcatsro@gmaiQUOTEl.com minus punct> on Wednesday December 07, 2005 @08:57AM (#14201525) Journal
    But first you install stealthy and quite possibly illegal software with one hand , and on the other you install DRM with a Security hole that hardly anyone will patch because they will likely not hear about it.
    Way to go Sony , you truly are a bunch of arse-holes .
    Well at least if this gets major press coverage it may cause an even large headache to ever encroaching wave DRM
    • by rbochan (827946) on Wednesday December 07, 2005 @09:40AM (#14201853) Homepage
      According to this report [com.com] at CNET,
      "Sony said it will notify customers though a banner advertisement directly in the SunnComm software"

      So now you get banner ads with your audio cd+DRM.
      Nice.

    • Re:Sorry to be rude (Score:2, Informative)

      by hokeyru (749540)
      Agreed. We can argue about whether evil is worse than incompetence, but the combination of the two is truly fearsome.

      If you have have any of these CD's, return them. If you're a fan of any of these artists, write them a letter:

      Trey Anastasio, Shine (Columbia)
      Celine Dion, On ne Change Pas (Epic)
      Neil Diamond, 12 Songs (Columbia)
      Our Lady Peace, Healthy in Paranoid Times (Columbia)
      Chris Botti, To Love Again (Columbia)
      Van Zant, Get Right with the Man (Columbia)
      Switchfoot, Nothing is Sound (Columbia)
      The Coral, Th
  • by faqmaster (172770) <[jones.tm] [at] [gmail.com]> on Wednesday December 07, 2005 @08:57AM (#14201527) Homepage Journal
    Root kits, Serial Copy Management, Macrovision, Content Protection for Prerecorded Media, Advanced Access Content System, blah, blah, blah. The most effective DRM is for the lables to continue to put out crappy music. Eventually we'll all find something better to listen to.
  • the paranoid ac (Score:2, Interesting)

    by Anonymous Coward

    "The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC. The EFF and iSEC delayed disclosing the problem until SunnComm could develop a fix."

    I've never understood how any userland bullshit software could manage the complexities of opening up a hole *on accident*. Call me paranoid, but, when shit like this gets 'found', they call it being 'found' because someone put it there.

    • Re:the paranoid ac (Score:4, Informative)

      by ergo98 (9391) on Wednesday December 07, 2005 @09:20AM (#14201674) Homepage Journal
      I've never understood how any userland bullshit software could manage the complexities of opening up a hole *on accident*. Call me paranoid, but, when shit like this gets 'found', they call it being 'found' because someone put it there.

      To install the software originally the user had to be an administrator (a lot of software requires admin rights because most of the system won't allow a basic user to install system-wide software. e.g. It could add files in your user directory and the like, but not in Program Files). From then on the software is running as System, operating as a part of the system (which is why it's called a root kit).

      My guess is that the folder where the software is stored has the ACLs set to Everyone with Full Control, or something similar. Because this root kit is run as System when the system boots up, a simple user exploit could circumvent user isolation by overwriting some of the rootkit files, and on next boot it'll be running as System, with full local permissions.
    • Re:the paranoid ac (Score:3, Interesting)

      by jc42 (318812)
      Call me paranoid, but, when shit like this gets 'found', they call it being 'found' because someone put it there.

      Hey, Paranoid, you're not paranoid enough.

      I keep noticing the same misuse of the passive voice to avoid saying who's to blame. As a programmer, it's perfectly obvious to me that no computer ever installs software by accident. It takes some significant software to install something like this, and (as the Intelligent Design folks like to point out), this software doesn't get there by random flipp
      • Something else I noticed: Before seeing this article on slashdot, I'd just been reading the coverage of the story on news.google.com, and I was a bit bemused by the fact that I couldn't find mention of the kinds of computers that were vulnerable to this exploit. Now, call me paranoid too, but I'll make the wild surmise that they were running Microsoft Windows.

        I have posted this before - almost always it isn't an INTERNET worm, it is a MICROSOFT I.E. worm, it isn't an EMAIL virus, it is a MICROSOFT OUTLOOK e
  • by digitaldc (879047) * on Wednesday December 07, 2005 @09:00AM (#14201551)
    Since they are redoing the CDs, maybe they can change the names too?

    Alicia Keys - Unplugged, but still Infected
    Amici - Forever Defined as Dishonest
    Britney Spears - Hitme, but Don't RipMe
    Cassidy - I'm A Hustla in Your PC
    David Gray - Life In Slow Motion Since your PC has a Rootkit
    Faithless - Forever Faithless Sony
    Imogen Heap - Speak For Yourself, I Love Rootkits
    Leo Kottke/Mike Gordon - Sixty Six Steps to Uninstall the Rootkit
    Raheem Devaughn - The Hate Experience
    Santana - All That I Am Allowed to Copy
    Stellastarr* - Harmonies for the Haunted PC
    Various - So Annoying: An All Star Tribute To Rootkits
    Wakefield - Which Side Are You On? Sony or the Public?
    YoungBloodZ - Everybody Know Me, Nobody Copy Me
    • by Pac (9516)
      I understand it is supposed to be a joke, but I can't help being amazed by the fact that I can recognize exactly two artists from your list, Britney and Santana. And the former just because she's a famous TV/news celebrity, I have never really listened to anything from her, except the occasional unnoteworthy clip. I own some songs/cds from Santana.

      Maybe I should spend some time listening to some top-40 radios. But then again, maybe not.
      • Re:You know... (Score:3, Interesting)

        by Renegade Lisp (315687) *

        Maybe I should spend some time listening to some top-40 radios. But then again, maybe not.

        You might wanna check out last.fm [last.fm] instead. Not exactly to get more top-40-ish in your musical taste, but to find all sorts of cool music you would never come across otherwise. Just type the names of those bands you don't know into their interface, and listen to some preview tracks. Or let them analyze your listening habits and suggest music to you. They even give you your own personalized radio station.

        No, I'

    • Switchfoot - Nothing is Sony
  • I wonder.. (Score:5, Interesting)

    by LilWolf (847434) on Wednesday December 07, 2005 @09:00AM (#14201556)
    ..did they also fix that little issue where the DRM installs itself even if the user doesn't accept the EULA?
  • by pedestrian crossing (802349) on Wednesday December 07, 2005 @09:01AM (#14201557) Homepage Journal

    Great, now not only do I have to make sure all my users' applications are patched, but I have to track patches on every frigging DRM implementation out there as well.

    Well, payback is a bitch.

    I have already steered a friend away from a Sony stereo to another brand, making it clear that Sony is not a good "citizen" and they would do well to stay clear of any Sony products.

    Yes, I am only one puny person, but I've already cost them a couple of hundred bucks, and will continue do so at every opportunity.

    • I have already steered a friend away from a Sony stereo to another brand, making it clear that Sony is not a good "citizen" and they would do well to stay clear of any Sony products.

      What makes you think Sony's Electronics division has anything to do with Sony's Music Label?

      I am thoroughly against Windows in general principle, and while I don't own one--I cerainly don't advise people against buying an XBOX simply because they have the same corporate label as Windows.

      Some people need to grow up and put their
      • it's all still sony, and i'd still rather teabag a mime (http://us.gizmodo.com/gadgets/pi5send5_f-thumb.jp g [gizmodo.com]) than spend any more money with them. what are you going to do, work towards a boycott of a subset of their company and reduce the effectiveness of that boycott, or boycott the whole company and ask others to do likewise?
      • In fact, if Sony's hardware division loses marketshare, the board of directors will give more emphasis to the music division. They will pay higher saleries to the upper management of that division, give it a bigger budget, and so on.
        Sony needs to see hardware as a source of potential profits, and music, (especially DRM'ed music), as a source of losses that threaten to drag the whole company down. The lawsuits already filed and in process will definitely do that, if they d
  • Onion article (Score:4, Insightful)

    by BushCheney08 (917605) on Wednesday December 07, 2005 @09:14AM (#14201638)
  • Now lets see (Score:4, Insightful)

    by Ilex (261136) on Wednesday December 07, 2005 @09:19AM (#14201669)
    I could drive into town and spend £12/$12 on a DRM'd malware infected CD which may or may not play in my cars CD player / Ipod

    Or

    Sit here and rip the whole thing off the net for free and burn it to CD and copy it to my IPod.
    <sarcasm>
    Yeah DRM is a great way to stop piracy.
    </sarcasm>
    Maybe they should try offering value for money instead.
  • by WidescreenFreak (830043) on Wednesday December 07, 2005 @09:20AM (#14201675) Homepage Journal
    Sony is really setting DRM and copy-protection back by several years. And with each annoucement, they are making more and more people dislike DRM. That's not a bad thing, I suppose, but they're making it painfully obvious that the only fix for this is the complete removal of the software for people's systems with instructions on how to prevent the software from being loaded again in the future. (Sadly, a huge number of people don't know about the Shift key as an autorun disabler.)

    Frankly, I want to see a major mea culpa from Sony on just about every TV and radio station that targets the audience from all of those DRMed audio CDs complete with previous said instructions and a promise (that will be kept) that such DRM techniques will never be used in the future.

    Considering that even artists themselves are starting to fight back against DRM stating that it does nothing but hurt the fans, which is true, it's about time for the heads of these companies to realize that Sony has crossed the line and that DRM for audio CDs is not only useless but can have dire consequences. I'm not going to use that silly "information wants to be free" dogma that is used too often on /. but it's become clear that negative reactions like DRM are not what keep CD sales going.

    Maybe they should - gasp! - try adding value that the customer wants and cannot get over the Internet through downloading rather than trying to add chains to a product that we want to legally buy. For example:
    * Buy the CD and get the concert DVD for 1/2 price
    * Buy the CD and get a discount on concert tickets and merchandise
    * Buy the CD and accumulate points that can be redeemed for other items

    Tactics like these, where items that cannot be downloaded are offered as incentive, is a much better alternative to increase sales than pissing off the customer base by nefarious methods such as DRM. This is particularly true because DRM can be defeated by one simple method: CD line out --> PC line in.

    In short, make it worth my while to buy the CD and not download it. DRM, particularly the kind that Sony implemented, does the opposite.
    • I would settle for true Compact Disks that contain good music and have imaginative covers and liners.
  • iSecPartners (Score:3, Informative)

    by under_score (65824) <mishkin-slashdot@bertei g . com> on Wednesday December 07, 2005 @09:22AM (#14201686) Homepage
    FWIW, I have known one of the founding partners at iSec, Jesse Burns, since high school. He's a very very smart guy with almost instinctual understanding of security issues and problems. This is a shameless plug for my friend's company: they're great and you'd do well to hire them if you want a good security audit or training done.
  • They left @stake en masse when the company was acquired by Symantec in 2004, and in so doing decimated the San Francisco office. Every one of the folks at iSec is absolutely top-notch. And no, I'm not astroturfing...
  • by guidryp (702488) on Wednesday December 07, 2005 @09:27AM (#14201714)
    Corporations are sometimes their own worse enemy. It has gotten to the point that I feel safer downloading my music from complete strangers on the internet than buying it in a store.

    The other farce in this fiasco is that these methods of protection are so easy to defeat that "anyone" who actually uploads music would not be slowed down for even a second.

    So we have an extreme example of a rights denial system that penalizes in the extreme the clueless who never were going to upload anyway, and does nothing, not one iota, to stop uploaders.

    Earth to idiots at corp HQ. Sony will feel the pain for years to come on this one. If I were an artist, I would be looking for a "no DRM" clause in my contracts when dealing with these morons.
  • EFF (Score:5, Funny)

    by Kev_Stewart (737140) on Wednesday December 07, 2005 @09:29AM (#14201730)
    Never underestimate the awesome power of pale vegetarian lawyers.
  • Sony Software (Score:5, Interesting)

    by Ankou (261125) on Wednesday December 07, 2005 @09:30AM (#14201735)
    This may be a little off topic, but with this whole Sony root kit thing has anyone checked their Sony software lines for the same exploits? I had been an avid user of Sony Vegas software since they bought out Sonic Foundry, but now I am scared to install it again. There goes about 400 dollars just cuase I lost trust for Sony. It was great software much faster and more stable than Premier Pro, probably becuase Sony didn't write it. It makes you wonder what else they have corrupted in their control game.
    • If you have the time and expertise you can install it within a virtual machine or WINE and monitor network traffic from the host environment. I wouldn't write that $400 off so quickly.
      • Re:Sony Software (Score:3, Insightful)

        by Ankou (261125)
        Good call, that may work for network trasmisions, but there are other possible scenarios to take into consideration. For instance, how do I know if when I create a training video and burn it with their software, I dont propagate their root kit on that CD/DVD. The software does come with all kinds of protection options, so it isn't crazy to think of that kind of scenario. You are right 400 dollars isn't something to write off so fast. Imagine though being sued later by a client who's computer got infecte
    • by jackbird (721605) on Wednesday December 07, 2005 @10:37AM (#14202358)
      I upgraded to vegas 6.0c about 3 days before the rootkit story broke. I checked my system for the $sys$ rootkit according to the Sysinternals site and found nothing.
  • 27 + 23 Canadian discs [some same artist] = 50 affected titles. You can figure out how many unique artists will be pissed off at Sony for this latest blunder...

    http://www.sonybmg.com/mediamax/titles.html [sonybmg.com]
  • Wake up Artists (Score:2, Informative)

    by 4Dmonkey (936872)
    Someone should go and tell the artists that they dont need these greedy evil middlemen to sell their music nowadays. They can simply create their own portals.
    That should solve a lot of problems.
  • by Ch*mp (863455)
    The patch prevents you from 'innocultating' your PC against the risk of future 'infection'.

    The gist of this press release is that I now have to keep a list of all the titles that might be affected just in case I, or anyone in my family decides to buy a MediaMax protected CD (or are given one as a gift) - Yes you can still buy a flawed CD. Even if Sony issues a recall on ALL affected CDs that does not give me 100% protection from this mess.

    I now have to keep monitoring my PC forever more in case someon
    • just in case I, or anyone in my family decides to buy a MediaMax protected CD (or are given one as a gift)

      Spread the word, CDs make crappy presents [whatacrappypresent.com].

      If somebody gives you a CD for Xmas, simply refuse it like you would a moldy fruitcake.

      FWiW, I'm yet another person who'll never buy anything from Sony, ever again.

  • Doubly Screwed (Score:4, Insightful)

    by Anonymous Coward on Wednesday December 07, 2005 @09:43AM (#14201887)
    The most interesting part about the whole Sony BMG rootkit fiasco, and now this, is that it seems as if Sony is doubly screwed from now on, because whenever they put out a new product, it's going to be hacked from all sides, to find little holes like this. I'm sure there are plenty of other products out there that behave similarly or have holes in them, that are from other companies, and aren't getting exposed because they didn't piss off the internet community.

    It's this kind of backlash now that is bustin Sony, because anything they put out from now on better be bullet-proof, or else it will wind up being counterproductive
  • Does anyone know if there is a website out there that has a list of all the DRMed CDs put out by Sony and others? I looked on Google, but didn't find anything...

    I would like to know so that I can make sure my dollars don't go to DRMed CDs.

    JOhn
  • by Havenwar (867124)
    Until they make a patch for the crappy music on most of those CD's, I'm not purchasing. Oh, and while they're at it, make a patch for their distribution, since it seems something is faulty with their current method of forcing me to walk to the store and buying the physical disc... when I don't even have a regular cd-audio player.

    Of course this is a needed step for the "average joe" out there that didn't even know he got a malicious rootkit for free when playing a cd on his pc, but then again, does this aver
  • DRM (Score:4, Funny)

    by Kaenneth (82978) on Wednesday December 07, 2005 @10:04AM (#14202055) Homepage Journal
    Some people say 'Digital Rights Managment' is good for the consumer.

    Some doctors used to recommend cigarettes.
  • Apple could really capitalize on this whole Sony Rootkit DRM fiasco by advertising iTunes as the only "safe" way to get your music - they REALLY could clean up by finding a way to enable users to buy the entire album all at once instead of individual songs, for the same price as the typical retail physical CD.
    • finding a way to enable users to buy the entire album all at once instead of individual songs, for the same price as the typical retail physical CD.

      I think I should be paying less than in-store retail when I download my CD album. After all, in addition to the content I'm paying for my bandwidth to download it, my time in downloading, my hard drive space to store it on, any cover art or inserts that I have to print myself, as well as the blank CD I burn to play it outside of my computer and the jewel case

  • I don't want a security patch for Sony's DRM malware. Just give me a removal tool and the problem will go away on it's own.
  • by tehshen (794722) <tehshen@gmail.com> on Wednesday December 07, 2005 @10:20AM (#14202199)
    The vulnerability involves a directory installed on users' computers by the MediaMax software that could allow a third party to gain control over the affected Windows PC.

    This is Windows we're talking about; I wouldn't be surprised if we're on to the seventh or eighty party by now.
  • One nice side effect of the Sony fiasco is that the electroncs arm now has more leverage within the company - Sony is a company torn between what it can do via home electronics, and what it doesn't want to do from the media arm.

    With the media arm somewhat shamed, the electronics arm has a stronger case for doing things that are bit more open.
  • by merc (115854) <slashdot@upt.org> on Wednesday December 07, 2005 @10:43AM (#14202405) Homepage
    The article states that " SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs. "

    Does this mean that once the SunnComm DRM software is patched it will go back to working as designed -- that is, do the DRM restrictions continue to constrain the end users' freedoms to use the music? Is the SunnComm software "fixed" or removed?

    I would have been happier to have heard they designed a removal tool.

    *grumblecakes*
  • by Nom du Keyboard (633989) on Wednesday December 07, 2005 @10:47AM (#14202447)
    SunnComm is offering a patch to fix a security vulnerability with its MediaMax Version 5 content protection software on 27 SONY BMG CDs.

    I am still waiting to see how you patch a CD -- short of replacing it entirely, that is.

    For now, I wouldn't trust Sony to patch my Tinkertoys properly, let alone my computer.

  • by Kozar_The_Malignant (738483) on Wednesday December 07, 2005 @11:14AM (#14202667)

    This is not the "rootkit" DRM software that were talking about here. This is the other DRM crapware that Sony/BMG has on its discs. I buy a moderate amount of music on CDs, then rip them to MP3s to play on my Rio and car stereo. I was planning to buy Carlos Santana's new disc when this whole flap came up. I checked, saw that Santana wasn't on the rootkit list, and briefly considered buying it, although I have avoided all DRMed music to this point. No worries, I'll rip it on my Linux box anyway.

    I changed my mind, and I'm glad I did. One less bit of malware in the stream of commerce. I did go to Carlos' website and told them I had decided not to buy the disc and why. From the notes there, it seems they have been getting a lot of that. This may be the most effective way to deal with this issue. Tell the artists that you will not buy their art, if it comes packaged with such crap.

  • by micron (164661) on Wednesday December 07, 2005 @01:04PM (#14203718)
    I walked in to my local record store TWO DAYS ago with the Sony/BMG list of XCP titles. I asked the counter clerk if they had pulled the titles yet.

    The response was, "Which one do you want".

    The clerk knew of the issue. He even helped me confirm that the catalog number for the disk was a match. The titles were still on the shelves for sale. The store was replacing the disks as new disks came in from Sony.

    Two out of three record stores that I checked that day had the titles available for purchase.

    This is a recall?

    Also, it is not as if you can look on the spine of the CD to find out that it is a Sony disk. These disks are sold under other label names. I believe that the one I got was an Electra. Sony/BMG is in the really fine print on the back, as well as the XPC URL.
     
  • by Robotech_Master (14247) on Wednesday December 07, 2005 @02:31PM (#14204404) Homepage Journal
    ...as previous patches. [freedom-to-tinker.com] In other words, it leaves your computer even more vulnerable than before.

    Don't see any mention of this on the entire last page of comments listed most recently first, so I figured it was worth risking a possible karma hit for duplication.

    It seems Sony and SunComm just can't come up with a "real" fix to save their lives.

Forty two.

Working...