Sony's SunnComm DRM Patch a Security Risk

Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."

Nice

[ruiner13]

I wonder how this will play out if a minor buys one of the broken CDs, puts it in their parents computer and it gets taken over. As (at least in the US) minors cannot agree to contracts, I'm thinking the EULA cannot legally be agreed to by them. Since their EULA installs the rootkit on yes or no answers, this turns out to be illegal on so many levels. So much for buying Sony ever again, they make decent TVs, it is a shame that one of their divisions has to make such a bad image for the whole company.

Good bye Sony.

[LWATCDR]

I think that Sony is going to have some MAJOR issues. This DRM stuff my not mean a lot to the average music user but it could really hurt the PS3. The 360 is already out and it isn't bad. The Revolution is actually seems to be getting more interest than the PS3 from the press now.
I for one am not going to buy any CDs from Sony anytime soon. If I do I will rip them on my Linux box and burn clean copies to use.

Re:Nice

[fdiskne1]

This particular bug gets installed even if you decline the EULA [freedom-to-tinker.com]. Sony and Sunncomm, what a wonderful combination. Remember, this is the same company that tried suing someone [theregister.co.uk] for putting on their web site "Hold the shift key down while inserting a copy protected CD to prevent the DRM software from being installed."

Just shaking my head at their idiocy and getting ready to watch the fireworks, assuming anything actually happens because of this mess.

Oh what a tangled web we weave...

[digitaldc]

...when Sony CDs we do receive.

Now if people can be sued for unlawful downloading, do people have the right to sue for unlawful malware?

I think I will go on over to Microsoft.com and find some information about 'Sony rootkit'
Here are my results:

Results for:
all the words: sony rootkit; category: Support & Troubleshooting; site: All of Microsoft.com;

Support & Troubleshooting

no results were found in this category.

Sony is out of touch

[gasmonso]

They're constantly pushing for technologies that people don't want and hopefully is going to hurt Sony. First there was the memory stick, now destructive DRM and the possibility of locking down PS3 games to one device. If lawsuits don't correct this (and they most likely won't), it's up to the consumer to correct the issue with their wallet.

gasmonso http://religiousfreaks.com/ [religiousfreaks.com]

Re:Why was the EFF involved in this?

[openfrog]

I see a good reason for the EFF to get involved. Sony was succeding in keeping the two DRM issues separate, at least on the legal and larger public side (developers are (were?) seen as a negligible entity. The Agreement for the patch was for the EFF a way to get Sony to recognise the reality of the larger problem. I don't know if the EFF knew already what would follow, but I would not be surprised. Good move EFF!

--
Think!

Man Bites Dog

[headkase]

Boycott's are ineffective and Sony's proven they're too incompetent to even clean up after themselves. I'd like to see some lawyers sick themselves on Sony... Let's see a class action settlement of ~$100 for each user to get a professional to remove the security hole the software introduces. They just don't seem to understand anything but dollars so at least the lawyers would be using the right stick.

Re:Eat me, Sony.

[Shakrai]

Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

As much as I hate Sony you don't think they are absorbing the cost as well? Just because they get to "write it off" doesn't mean they magically get the money back. A write off or a charge off is just an accounting term. They will probably get to report that write off when they file their income taxes -- it will reduce the amount of taxable income they had -- but they still have to absorb the cost.

You or I can do the same thing with some expenses. You can reduce your taxable income by reporting expenses for medical care, uninsured losses, crime losses or bad debt (you loan me money and I default). Whether or not this makes sense for you (vs just taking the standard deduction) is something that only you or your accountant could figure out.

What a good product might look like

[Ant2]

What if you could purchase an Audio CD that:

- could play in all CD players, including PCs and car stereos?
- had an extra track with non-DRM MP3s, OGG, and WMA files?
- included cover art in JPG and PNG format?
- included the full lyrics in TXT format?
- was free from DRM and other executables?
- (oh, and actually had songs you liked)

Would you buy this? I would.

Re:Eat me, Sony.

[WebCrapper]

Unfortunately, Sony is such a big company, that nothing will really happen except they may claim to have lost $xxx,xxx... If you think about the company as a whole, thats nothing really. That is technically the cost of shipping & handling plus the (very) few hours of work from their programmers.

I would honestly like to see Sony taken to court for this. This is nothing but a spyware case by a large, global company who thought they could get away with it.

Re:Eat me, Sony.

[sunburntkamel]

objection to b)

buying second hand only covers your butt in case someone audits your music collection. (likelyhood=0). it doesn't benefit the artist, or the record company. it only benefits the used CD store and the guy who sold the CD.

replacement b)Buy what you like IN THE FIRST WEEK, or buy it from the band at the show.

Re:Eat me, Sony.

[Ryan Amos]

A few years ago Ticketmaster and Clear Channel decided that selling out concerts meant lost revenue. Their goal is to price the tickets high enough that they get about 90% occupancy. Then Clear Channel cut Ticketmaster out of the loop and started handling their own ticket sales. The end result of this is concerts that almost never sell out, but the face value on the tickets is about what you would have paid from a scalper.

Since Clear Channel typically owns the venue, puts the tour together, owns the radio stations on which the concert is promoted and sells the tickets, all the money goes to them. Their public image has become so bad recently that they have taken to promoting their concerts under the names of all the old regional promoters they bought up probably 10 years ago (I know it's Pace Concerts in the south.)