Sony's SunnComm DRM Patch a Security Risk
Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."
Oh goodness! More to investigate and recall. (Score:5, Informative)
http://www.independentbands.com/cd/switchfoot/not
Some interesting info was brought to my attention today by http://www.glynhotz.com/ [glynhotz.com] the lawyer in Ontario suing Sony over XCP for consumers in Canada. EMI issued a recall on a DRM infected CD, on October 6, shortly after Sony was notified of the rootkit in their XCP CDs.
Anyone care to investigate this further?
http://www.boycottsony.us/ [boycottsony.us]
original article from Felten and Halderman (Score:5, Informative)
Re:The music gene pool is self correcting (Score:1, Informative)
Illegal (Score:4, Informative)
"Sony BMG said the MediaMax copy protection system, which is supposed to stop people making illegal copies of CDs, has been used on 50 titles sold in North America."
Why do they keep emphasizing, "making illegal copies" when it is not illegal? I have the right to make as many copies as I want. What I cannot do is make unauthorized copies (fair use IS authorized) or distribute those copies.
Re:Nice (Score:3, Informative)
Source: Wired News: Music Man Cracks DRM Schemes [wired.com], 7th December 2005.
Re:Don't sit HERE whining, TELL THEM (Score:5, Informative)
The corporate headquarters for Sony Music Entertainment Inc. is located in New York City:
Sony Music Entertainment Inc.
550 Madison Ave
New York, NY 10022-3211
sonymusiconline@sonymusic.com
Re:Phew! (Score:1, Informative)
Re:Eat me, Sony. (Score:3, Informative)
50% of $20 = $10 available to shareholders and $10 in taxes. If the company then distributes that $10 to the shareholders (sends them a check) the shareholders have to pay taxes on the money received on their personal income taxes.
Ok, now assume they have a recall that costs them $5. So it's $20 - $5 writeoff = $15. $15 x 50% = 7.50 in taxes, and 7.50 to distribute.
The concept of a write-off is often misunderstood. One reason that it's even such an issue is in the case of small to medium business. Remember that the corporate income is taxed, and then taxed again when distributed to shareholders. A small business can buy an MSDN subscription for $2,000. This means that it will only cost the owner approximately $1,000 in take home pay. It's not that it's free, but just that it costs less to the owner than if Joe Blow hobbyist had bought the same subscription.*
*Note, taxes are complex, this doesn't even attempt to explain the complexities -- including common workarounds.
Re:Why was the EFF involved in this? (Score:2, Informative)
Re:Why was the EFF involved in this? (Score:2, Informative)
In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to provide SunnComm the opportunity to develop an update.
IMHO: I admit that I don't know all the implications of the EFF move, probably no one does at this time. However, I would be prudent before blaming them. If Sony begins to listen to intelligent people instead of DRM vendors, it might not be a bad thing. In the end, their commercial interests might prevail, but at that time, the EFF will have earned a public recognition that can be used to access and mobilise public opinion.
Be a software pirate.... (Score:2, Informative)
Re:Eat me, Sony. (Score:2, Informative)
A corporation pays tax on income. So if they have $1,000 in income, then that is taxed. Payroll/bonuses are a little different. If I pay you $100, then I will often (not always) owe the government $7.65 PLUS whatever I withhold from your paycheck for the purpose of social security matching. So to flesh out the above, $1000-100-7.65 = 892.35. If the corporation has a 35% income tax rate, they will owe 892.35 X .35 = 312.33 in income tax, leaving an after tax profit of $580.03
Conversely, if they don't give you the $100 Christmas bonus, then they will owe income taxes of $350, for a net after tax income of $650. This means paying you a $100 bonus, only cost them $69.97 in after tax profit.
Dividends and stock buybacks MUST come from after tax profit. So in the above case, the maximum dividend would be $350 or $312.33 depending on the example. The company can choose not to distribute the entire amount of profit (for a variety of legitimate reasons), in which case it is added to retained earnings. It would not be subject to additional income taxation on that amount on a corporate level (assuming it sits in a bank earning no interest).
The classic double taxation comes as follows... Taking the above profit of $650, when it is distributed to an individual they also must pay taxes on that amount -- approximately the same 35%. This means that their actual in the bank amount would be $422.50 (assuming the $650 example above).
The reason this comes up in small business, is that if I'm a partnership or sole proprietor, I am only taxed once at the personal level. All profits are passed down (as well as expenses) to my personal tax form on Schedule C. So a part time consultant would have an after tax income of $650, but Accenture would have an after tax income of $422.50.
Under certain conditions, a special case of corporation called a Subchapter-S Corp, is not subjected to that "double taxation" mentioned above. This is restricted to closely held corporations (less than 100 shareholders I think), and has other restrictions.
This can get more complex, and one other thing to keep in mind (especially for small businesses), is that profit and cash don't line up. For instance, if I spend $2000 for a computer, I'm not allowed to expense it in the year it is purchased -- but it must be written off over 5 years. The same idea exists with invoices. If I issue an invoice for $5,000 on December 20, but am not paid, I will still owe taxes on that amount.
"Remote Attestation" and content access monopolies (Score:3, Informative)
ALL third party and more importantly operating system based DRM puts the user at greater risk. If the DRM code itself is not exploited then there are always new vulnerabilities being discovered in the media players and browsers used to play and display encoded content.
August 02, 2005 "Remote Attestation" and content access monopolies [blogspot.com]