Sony's SunnComm DRM Patch a Security Risk

Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."

Oh goodness! More to investigate and recall.

[saskboy]

I even went to the bother of giving the EFF, Sony, and "independent 3rd pary verification" the benefit of the doubt that they wouldn't frick things up AGAIN after their XCP DRM patch hole. Now I have to update my blog to say the MediaMax patch is hosed.

http://www.independentbands.com/cd/switchfoot/noth ingissound.html [independentbands.com]
Some interesting info was brought to my attention today by http://www.glynhotz.com/ [glynhotz.com] the lawyer in Ontario suing Sony over XCP for consumers in Canada. EMI issued a recall on a DRM infected CD, on October 6, shortly after Sony was notified of the rootkit in their XCP CDs.

Any one care to investigate this further?

http://www.boycottsony.us/ [boycottsony.us]

original article from Felten and Halderman

[edfelten]

The original explanation of this, from Ed Felten and Alex Halderman, is at http://www.freedom-to-tinker.com/?p=942 [freedom-to-tinker.com]

Re:The music gene pool is self correcting

[Anonymous Coward]

Except for BRMC - excellent rock & roll - damned shame they're with Sony.

Illegal

[DeanFox]

"Sony BMG said the MediaMax copy protection system, which is supposed to stop people making illegal copies of CDs, has been used on 50 titles sold in North America."

Why do the keep emphasizing, "making illegal copies" when it is not illegal? I have the right to make as many copies as I want. What I cannot do is make un-authorized copies (fair use IS authorized) or distribute those copies.

Re:Nice

[cortana]

Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA.

By the next day, the company had backed down in the face of public outrage. Looking back, Halderman says, "The whole experience was a whirlwind.... The response was way bigger than (anything I'd) expected."

Source: Wired News: Music Man Cracks DRM Schemes [wired.com], 7th December 2005.

Re:Don't sit HERE whining, TELL THEM

[entirety]

Where is Sony Music located, and how can I get in touch?

The corporate headquarters for Sony Music Entertainment Inc. is located in New York City:

Sony Music Entertainment Inc.
550 Madison Ave
New York, NY 10022-3211
sonymusiconline@sonymusic.com

Re:Phew!

[Anonymous Coward]

check again. Sony owns a lot of labels [wikipedia.org] and I'm guessing you own a lot more sony music than you realize.

Re:Eat me, Sony.

[sgent]

Almost, but not quite... Companies pay taxes (at least in the US) on net income, not revenue. So extending your example of a 50% tax rate and $20 net income...

50% of $20 = $10 available to shareholders and $10 in taxes. If the company then distributes that $10 to the shareholders (sends them a check) the shareholder's have to pay taxes on the money recieved on their personal income taxes.

Ok, now assume they have a recall that costs them $5. So its $20 - $5 writeoff = $15. $15 x 50% = 7.50 in taxes, and 7.50 to distribute.

The concept of a write-off is often misunderstood. One reason that its even such an issue is in the case of small to medium business. Remember that the corporate income is taxed, and then taxed again when distrubted to shareholders. A small business can buy a MSDN subscription for $2,000. This means that it will only clost the owner approximately $1,000 in take home pay. Its not that its free, but just that it costs less to the owner than if joe blow hobbiest had bought the same subsription.*

*Note, taxes are complex, this doesn't even attempt to explain the complexities -- including common workarounds.

Re:Why was the EFF involved in this?

[sgent]

The EFF had a lawsuit against sony outstanding regarding this technology (they sued for BOTH this and the XMP technology). This was part of Sony's attempt to mitagate damages from the lawsuit. Lawyers who care about their clients will often try to settle as much as possible rather than dragging it out for 10 years -- where no one is helped.

Re:Why was the EFF involved in this?

[openfrog]

The EFF did not release the insecure patch. Sony did. What the EFF did was to allow Sony some time to release it:

In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to provide SunnComm the opportunity to develop an update.

IMHO: I admit that I don't know all the implications of the EFF move, probably no one does at this time. However, I would be prudent before blaming them. If Sony begins to listen to intelligent people instead of DRM vendors, it might not be a bad thing. In the end, their commercial interests might prevail, but at that time, the EFF will have earned a public recognition that can be used to access and mobilise public opinion.

Be a software pirate....

[caffeinatedOnline]

just hold down the shift key!!

Re:Eat me, Sony.

[sgent]

Does a company pay tax on money they distribute to shareholders? I know if they give every employee a nice bonus they don't wind up paying a corporate income tax on that. Do they pay a corporate income tax on money earmarked for dividends?

A corporation pays tax on income. So if they have $1,000 in income, then that is taxed. Payroll/bonuses are a little different. If I pay you $100, then I will often (not always) owe the government $7.65 PLUS whatever I with-hold from your paycheck for the purpose of social security matching. So to flesh out the above, $1000-100-7.65 = 892.35. If the corporation has a 35% income tax rate, they will owe 892.35 X .35 = 312.33 in income tax, leaving an after tax profit of $580.03

Conversely, if they don't give you the $100 christmas bonus, then they will owe income taxes of $350, for a net after tax income of $650. This means paying you a $100 bonus, only cost them $69.97 in after tax profit.

Dividends and stock buybacks MUST come from after tax profit. So in the above case, the maximum divident would be $350 or $312.33 depending on the example. The company can chose not to distribute the entire amount of profit (for a variety of legitimate reasons), in which case it is added to retained earnings. It would not be subject to additional income taxation on that amount on a corporate level (assuming it sits in a bank earning no interest).

The classic double taxation comes as follows... Taking the above profit of $650, when it is distributed to an individual they also must pay taxes on that amount -- approximately the same 35%. This means that their actual in the bank amount would be $422.50 (assuming the $650 example above).

The reason this comes up in small business, is that if I'm a partnership or sole proprietor, I am only taxed once at the personal level. All profits are passed down (as well as expenses) to my personal tax form on Schedule C. So a part time consultant would have an after tax income of $650, but Accenture would have an after tax income of $422.50.

Under certain conditions, a special case of corporation called a Subchapter-S Corp, is not subjected to that "double taxation" mentioned above. This is restricted to closley held corporations (less than 100 shareholders I think), and has other restrictions.

This can get more complex, and one otherthing to keep in mind (espcially for small businesses), is that profit and cash don't line up. For instance, if I spend $2000 for a computer, I'm not allowed to expense it in the year it is purchased -- but it must be written off over 5 years. The same idea exists with invoices. If I issue an invoice for $5,000 on December 20, but am not paid, I will still owe taxes on that amount.

"Remote Attestation" and content access monopolies

[NZheretic]

Don't just go after Sony. The REAL THREAT comes from the operating vendors themselves.

ALL third party and more importantly operating system based DRM puts the user at greater risk. If the DRM code itself is not exploited then there are always new vulnerabilities being discovered in the media players and browsers used to play and display encoded content.

August 02, 2005 "Remote Attestation" and content access monopolies [blogspot.com]

Remote Attestation" and content access monopolies

The Trusted Platform Module [classicbeta.com] provides the hardware functionality for digital rights software to provide effective remote attestation [wikipedia.org] and digital key withholding.

Both Microsoft and Apple have plans for media-digital-content-viewers that, at the request of a digital content provider, will not allow the user to view or access specific digital content if the operating system has been modified in certain ways.

Because, for the foreseeable future, it is impossible for the digital rights management software to detect if an individual modification to a particular subsystem is hostile to the goals of the demanded digital rights, all software and subsystems relating to the operating system with storage and input to display will have to be digitally signed by Microsoft or Apple before it can be accepted by the DRM subsystem. Microsoft and Apple are effectively locking the user out from changing parts of the operating environment.

Because it is possible for hackers to read digital keys used to encrypt content direct from the computer's memory, the operating system has to be built with the ability to lock the user from being able to access pages of memory used by the mediaplayer and digital rights management system.

OS based Digital Right Management systems are based on the principle of locking the owner of the computer out of the ability to access sections of memory and disk space used by the DRM mediaplayer systems.

Locking the owner out of parts of the computer has become a major security issue [computerworld.co.nz].

Microsoft's Mediaplayer, Active-X ( still used with some DRM ), Real's realplayer, Adobe's PDF viewers, Apple's Quicktime and even Microsoft's and Sun's Java JVMs, have in the past had remotely exploitable vulnerabilities.

OS based DRM combined with TPM based encryption along with enviable future vulnerability holes in media access offers the malware/virus/worm creator the ability to hide a virus from any antivirus tool or live forensic analysis. Existing stealth viruses already have ability to hide the modifications it has made to files, going undetected by antivirus programs. DRM encryption offers the ability for the malware to store content, and without the keys to decode the content, keep it hidden from any forensic analysis.

Crackers and hackers always find ways to exploit the code to access or share protected content. There is not a DRM system that has not been cracked within months of widespread release. The focus on the code use d in such systems also comes to the attention of malware/virus creators. The same holes discovered by those who just want to freely access content may possibly also be abused by those wanting to crack into your computer. Similar holes in other types media viewers, the webbrowser and email programs, are increasingly being used for criminal gain by phishers and spyware makers.

Some vendors reportedly have in the past purposely left backdoors in the source code to allow access by US intelligence agencies [techlawjournal.com]. This has not only become a major issue for other countries who fear spying, since discovered backdoors quickly become the criminal's frontdoor i