Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Music Media Security

Sony's SunnComm DRM Patch a Security Risk 218

Posted by Zonk from the spears-cds-bring-one-of-the-horsemen dept.
Spad writes "The BBC is reporting that mere days after the EFF and Sony announced a patch to fix the vulnerability in its SunnComm DRM system, security researchers Ed Felten and Alex Halderman have discovered that the patch itself introduces yet more vulnerabilities. They have now asked users not to apply the patch and are urging Sony to recall all of the affected CDs from sale. Sony has said that approximately six million CDs using [SunnComm] MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless."
This discussion has been archived. No new comments can be posted.

Sony's SunnComm DRM Patch a Security Risk More

Sony's SunnComm DRM Patch a Security Risk

Comments Filter:

  • Eat me, Sony. (Score:5, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Friday December 09, 2005 @09:49AM (#14219301) Homepage Journal

    Sony will get to write off the bad CDs as defective at the end of the fiscal year. You or I accidentally burn something on the stove and we absorb the cost.

    The publishers are just middlemen (middle-management?) scrambling to keep their distribution means relevant: cut them out like a cancer.

    a) Freely download
    b) Buy what you like (second hand if possible)
    c) Pay to see the artists live
    • Wasn't there a Seinfeld episode to this effect? I don't remember the exact quote, but...

      Jerry: George, you can't take that, it's stealing!

      George: These big companies, they just write it off anyways.

      Jerry: Write it off? Do you even know what that means?

      George: Yeah, uh, er, no.

      • Re:Eat me, Sony. (Score:5, Funny)

        by amliebsch ( 724858 ) on Friday December 09, 2005 @10:30AM (#14219729) Journal
        No, no, no, it was Jerry and Kramer.
        * Kramer: "Its a write off for them!"
        o Jerry: "How is it a write off?"
        * Kramer: "They just write it off. Jerry, these big companies, they write off everything."
        o Jerry: "(pause) You don't even know what a write off /is/."
        * Kramer: "Do You?"
        o Jerry: "No, I Don't."
        * Kramer: "But /they/ do..and /they're/ the ones writing it off."

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Friday December 09, 2005 @10:37AM (#14219807)
      Comment removed based on user account deletion

      • Re:Eat me, Sony. (Score:3, Interesting)

        by WebCrapper ( 667046 )
        Unfortunately, Sony is such a big company, that nothing will really happen except they may claim to have lost $xxx,xxx... If you think about the company as a whole, thats nothing really. That is technically the cost of shipping & handling plus the (very) few hours of work from their programmers.

        I would honestly like to see Sony taken to court for this. This is nothing but a spyware case by a large, global company who thought they could get away with it.

      • Re:Eat me, Sony. (Score:5, Insightful)

        by The_Rook ( 136658 ) on Friday December 09, 2005 @11:15AM (#14220174)
        wanna bet that sony will figure out a way to charge the musicians for the recall and destruction of the "defective" discs?
    • a) Freely download

      Yeah, and but don't then turn around and complain if a company infringes on the GPL. I think that would be called hypocrisy.

      b) Buy what you like (second hand if possible)

      I already buy almost all of my music second hand.

      c) Pay to see the artists live

      That's usually stupidly expensive, I think most of the money probably goes to the property owners anyway.

      • Re:Eat me, Sony. (Score:3, Insightful)

        by CastrTroy ( 595695 )
        That's usually stupidly expensive, I think most of the money probably goes to the property owners anyway.

        That really depends on the bands you like to see. I often go to concerts for $10 to $20. I've also seen some pretty popular artists for quite cheap. You just have to be smart about what bands you see. In my eyes, no band is worth the $80 arena ticket so you can see them from 500 ft. away. However, many bands that i may not like so much, are really fun to go and see when you can be within 50 ft. (1
        • I'm too old, but not too deaf, to be 10 feet away from ANY band.

        • Re:Eat me, Sony. (Score:3, Interesting)

          by Ryan Amos ( 16972 )
          A few years ago Ticketmaster and Clear Channel decided that selling out concerts meant lost revenue. Their goal is to price the tickets high enough that they get about 90% occupancy. Then Clear Channel cut Ticketmaster out of the loop and started handling their own ticket sales. The end result of this is concerts that almost never sell out, but the face value on the tickets is about what you would have paid from a scalper.

          Since Clear Channel typically owns the venue, puts the tour together, owns the radio s
    • Actually, it occurs to me that due to Sony's (et al) actions, buying legit CDs is no longer a safe or reasonable thing to do. So I'd strike (b) from your list, and just stick with downloads (open formats only, for safety) and watching acts live.

  • Virii, worms and DRM ... (Score:3, Insightful)

    by VitaminB52 ( 550802 ) on Friday December 09, 2005 @09:51AM (#14219325) Journal
    are the digital infections AV software should protect your PC against.
    • Were Norton AV and the other anti-virus suites silent as Sony's rootkit ran wild on peoples systems? If so, their software would be in the garbage immediately if this were on one of my boxes.
      • Most AV software won't protect against spyware either. That's generally a separate product. The sony code is definately malware, but it isn't considered by the AV companies to be a virus.

        Considering sony's stance, IMHO the AV companies should change their position, and their customers should demand it.
      • Were Norton AV and the other anti-virus suites silent as Sony's rootkit ran wild on peoples systems? If so, their software would be in the garbage immediately if this were on one of my boxes.

        <PRAGMATIC>

        I wouldn't do that; IMHO an incomplete protection against digital malware is better than no protection at all.
        </PRAGMATIC>
      • IIRC only one antivirus program detected and removed it, everyone else was afraid to tangle with Sony. All I remember is that it wasn't Symantec. Some of them remove the rookit part but not the DRM.

  • Phew! (Score:5, Funny)

    by Anonymous Coward on Friday December 09, 2005 @09:51AM (#14219330)
    Phew, after seeing the list of artists all I can say is if these are the artists who'll be affected I'll be secure for years to come!
    • funny that. My very first reaction was also "Phew"

      Judging by my recent cd purchases, I'll be safe evermore.

    • I get the joke behind the parent post, but I can actually say it with a pretty high level of seriousness.

      About the most 'pop' artist I've bought a CD from was Nickelback, but they've been a disappointment since 'The Long Road' so I feel pretty safe on the CD front. Just looking at the kind of music-based podcasts I listen to will show you that most of the artists I listen to are self-sufficient. As for the few mainstream songs I do get these days, I'll pony up the dollar for a download on iTunes considering

  • Nice (Score:5, Interesting)

    by ruiner13 ( 527499 ) on Friday December 09, 2005 @09:52AM (#14219340) Homepage
    I wonder how this will play out if a minor buys one of the broken CDs, puts it in their parents computer and it gets taken over. As (at least in the US) minors cannot agree to contracts, I'm thinking the EULA cannot legally be agreed to by them. Since their EULA installs the rootkit on yes or no answers, this turns out to be illegal on so many levels. So much for buying Sony ever again, they make decent TVs, it is a shame that one of their divisions has to make such a bad image for the whole company.

    • Re:Nice (Score:5, Interesting)

      by fdiskne1 ( 219834 ) on Friday December 09, 2005 @09:59AM (#14219424)

      This particular bug gets installed even if you decline the EULA [freedom-to-tinker.com]. Sony and Sunncomm, what a wonderful combination. Remember, this is the same company that tried suing someone [theregister.co.uk] for putting on their web site "Hold the shift key down while inserting a copy protected CD to prevent the DRM software from being installed."

      Just shaking my head at their idiocy and getting ready to watch the fireworks, assuming anything actually happens because of this mess.

      • just a quesiton, do you know what happened to the princeton guy? was he sued? do you have any other references with stories follow up?

        • Re:Nice (Score:3, Informative)

          by cortana ( 588495 )

          Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA.

          By the next day, the company had backed down in the face of public outrage. Looking back, Ha

    • Can anyone tell me how to find this DRM stuff on my CDs? All I can see is a bunch of .mp3 files....does this mean I've been infected?
    • I don't think that matters. A porn site doesn't get convicted if a minor got in by using daddy's credit card. They have in "good faith" believed that an adult has agreed to the EULA. What should bite their ass is secretly installing software even if you decline. That alone should be a lesser crime. Installing system-level patches to change the way the system works should be a felony hacking charge. That is what any other hacker would get if he secretly installed a rootkit with his apparently legitimate soft
      • You're obviously missing a clear difference.

        CD's are purposely marketed and sold to minors.
        Porn isn't.

        So the GP has a valid point. Can Sony get sued for trying to force/enforce an illegal contract?

  • The music gene pool is self correcting (Score:5, Funny)

    by lohphat ( 521572 ) on Friday December 09, 2005 @09:52AM (#14219343)
    Given the titles affected, consumers had it coming.

  • Oh goodness! More to investigate and recall. (Score:5, Informative)

    by saskboy ( 600063 ) on Friday December 09, 2005 @09:53AM (#14219353) Homepage Journal
    I even went to the bother of giving the EFF, Sony, and "independent 3rd pary verification" the benefit of the doubt that they wouldn't frick things up AGAIN after their XCP DRM patch hole. Now I have to update my blog to say the MediaMax patch is hosed.

    http://www.independentbands.com/cd/switchfoot/noth ingissound.html [independentbands.com]
    Some interesting info was brought to my attention today by http://www.glynhotz.com/ [glynhotz.com] the lawyer in Ontario suing Sony over XCP for consumers in Canada. EMI issued a recall on a DRM infected CD, on October 6, shortly after Sony was notified of the rootkit in their XCP CDs.

    Any one care to investigate this further?

    http://www.boycottsony.us/ [boycottsony.us]

  • Bitten by the patch? (Score:3, Funny)

    by ReformedExCon ( 897248 ) <reformed.excon@gmail.com> on Friday December 09, 2005 @09:54AM (#14219357)
    So you could be hit once by the original flaw. Then you could be hit one more time by the flaw in the patch?

    Someone should write a song about that.

  • Good bye Sony. (Score:2, Interesting)

    by LWATCDR ( 28044 )
    I think that Sony is going to have some MAJOR issues. This DRM stuff my not mean a lot to the average music user but it could really hurt the PS3. The 360 is already out and it isn't bad. The Revolution is actually seems to be getting more interest than the PS3 from the press now.
    I for one am not going to buy any CDs from Sony anytime soon. If I do I will rip them on my Linux box and burn clean copies to use.
    • It's easy to boycott a system that hasn't come out yet (or doesn't have a launch lineup or even a finalized hardware setup yet). I imagine this ill-will towards Sony won't carry over to their PS3 console. For one thing, a lot of people do not equate Sony's media content divisions with their hardware divisions. Another thing, this is happening a year before the PS3 comes out. Are people going to hold a grudge for that long? I doubt it. Memories are generally shot.
    • The effect on the PS3 sales will unfortunately be minimal. Not only do the vast, vast majority of people not know or understand what they have done wrong, but after a few pretty screenshots or videos of the PS3, there'll be no doubt that people will conveniently forgive Sony for this crap. Remember all the /.ers overlooking the MPAAs actions when LOTR came out?

      For this to make any long-term difference whatsoever, an enormous boycott would be needed.

  • congratulations, oh bearded one, for your infiltration of computers in the western world. and congratulations for keeping your sizeable stock holdings in Sony and Bertlesmann secret for so long.

    there is no other plausible explaination for the number of times Sony/BMG has shot itself in the nuts over copy protection that cannot do what they want it to do. it MUST be a plot against humanity by the AntiChrist. no other logic works out.

  • This could be a good thing: (Score:4, Insightful)

    by Donniedarkness ( 895066 ) <DonniedarknessNO@SPAMgmail.com> on Friday December 09, 2005 @09:56AM (#14219380) Homepage
    I think that after Sony loses EVEN MORE money because of this, they may be a little conservative in the future. I still urge everyone to not buy any Sony products (I just talked my parents out of buying a $1300 Sony Camcorder, a $200 Sony car stereo system, and a Sony HDTV that has a price that I don't know). We need to show these guys that WE WILL NOT TOLERATE this sort of shit. These guys are doing whatever they can to make as much money as they can. Let's kick them where it hurts.

  • Why was the EFF involved in this? (Score:5, Insightful)

    by Sanity ( 1431 ) on Friday December 09, 2005 @09:58AM (#14219403) Homepage Journal
    Why did the EFF get involved in the announcement or endorsement of this patch? The EFF is a legal organization, not a technical organisation. Now, instead of the egg landing squarely on Sony's face, where it deserves to be, the EFF is embarrassed too.

    The EFF should have pointed out the vulnerabilities to Sony and left it at that, there was no need for the EFF to lend its name to Sony's fix for the problem.

    • I see a good reason for the EFF to get involved. Sony was succeding in keeping the two DRM issues separate, at least on the legal and larger public side (developers are (were?) seen as a negligible entity. The Agreement for the patch was for the EFF a way to get Sony to recognise the reality of the larger problem. I don't know if the EFF knew already what would follow, but I would not be surprised. Good move EFF!

      --
      Think!
      • Good move EFF!
        Yeah, the EFF hurts their credibility by unnecessarily associating themselves with an insecure patch - and that is a good move? This must be according to some definition of "good" i'm not familiar with.
        • The EFF did not release the insecure patch. Sony did. What the EFF did was to allow Sony some time to release it:

          In accordance with standard information security practices, EFF and iSEC delayed public disclosure of the details of the exploit to provide SunnComm the opportunity to develop an update.

          IMHO: I admit that I don't know all the implications of the EFF move, probably no one does at this time. However, I would be prudent before blaming them. If Sony begins to listen to intelligent people instead
    • The EFF had a lawsuit against sony outstanding regarding this technology (they sued for BOTH this and the XMP technology). This was part of Sony's attempt to mitagate damages from the lawsuit. Lawyers who care about their clients will often try to settle as much as possible rather than dragging it out for 10 years -- where no one is helped.

  • Oh what a tangled web we weave... (Score:4, Interesting)

    by digitaldc ( 879047 ) * on Friday December 09, 2005 @10:00AM (#14219428)
    ...when Sony CDs we do receive.

    Now if people can be sued for unlawful downloading, do people have the right to sue for unlawful malware?

    I think I will go on over to Microsoft.com and find some information about 'Sony rootkit'
    Here are my results:

    Results for:
    all the words: sony rootkit; category: Support & Troubleshooting; site: All of Microsoft.com;

    Support & Troubleshooting

    no results were found in this category.

  • Sony is out of touch (Score:5, Interesting)

    by gasmonso ( 929871 ) on Friday December 09, 2005 @10:03AM (#14219450) Homepage

    They're constantly pushing for technologies that people don't want and hopefully is going to hurt Sony. First there was the memory stick, now destructive DRM and the possibility of locking down PS3 games to one device. If lawsuits don't correct this (and they most likely won't), it's up to the consumer to correct the issue with their wallet.

    gasmonso http://religiousfreaks.com/ [religiousfreaks.com]
    • Agreed. Personally I was looking forward to the PS3 and the Revolution. Granted that the gaming division of Sony has nothing to do with the Music label side, I still plan on punishing all of Sony because of this recent mess with their CDs. The big N will be getting my support from now on in terms of the console wars! And as for music, you still can't beat http://www.allofmp3.com/ [allofmp3.com]

  • original article from Felten and Halderman (Score:5, Informative)

    by edfelten ( 135938 ) on Friday December 09, 2005 @10:04AM (#14219460)
    The original explanation of this, from Ed Felten and Alex Halderman, is at http://www.freedom-to-tinker.com/?p=942 [freedom-to-tinker.com]

  • Big surprise (Score:5, Insightful)

    by mrRay720 ( 874710 ) on Friday December 09, 2005 @10:04AM (#14219463)
    Did anyone really think that Sony were going to stop doing evil things? They don't see themselves as having any financial benefit from truly removing the damage they do to their consumers' computers. They have their reasons for wanting this crap of there in the first place, and a bit of bad publicity they think will blow over soon enough just isn't going to make those reasons go away.

    There will be an updated patch eventually that actually does a half decent job of removing the worst of the security holes - they'll have to if they don't want a blanket removal of all their spyware from AV companies as a security measure. Not even a giant of Sony's stature can last too long being seen actively attacking and damaging all of their customers.

    Then, after the news outlets have had their fill of the story, 6 months or so down the line they won't be wanting to run the same thing over again. Sony will then be free to come out with the next wave of evil but slightly less dangerous malware. That's how it goes. The next round will be a bit less dangerous, a LOT more secretive, but with the same anti-consumer schemes.

    That's my opinion, anyway.
    • DRM crippled CD's have with us for a number of years now. Granted the actual music company that tries it changes but it seems clear none of them have simply accepted that DRM is only damaging them.

      They keep hoping that this time the consumers will be ready for it. Someday, they will be right.

  • The damage is most likely done to those who are susceptible.

    Anyway, the patch is a non-issue for Americans who are prohibitted by law from downloading or applying it. The patch issue only effects people in countries where it is not illegal to modify/remove/circumvent DRM software. In the States the solution is much simpler: just format the disk and reinstall the OS.

  • conspiracy teory (Score:5, Insightful)

    by nazsco ( 695026 ) on Friday December 09, 2005 @10:15AM (#14219555) Journal
    1. sony claims it needed the DRM crap to prevent pirates
    2. sum up the recall of the cds and drm development into "loses due to pirates"
    3. lots of news: "p2p makes music company loose money!"
    4. ?
    5. PROFIT!

  • This is a good thing, in the long run (Score:3, Insightful)

    by Eagle5596 ( 575899 ) <slashUser@5[ ].org ['596' in gap]> on Friday December 09, 2005 @10:16AM (#14219570)
    In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM. In the future companies may find people simply don't buy any products with DRM because they are afraid there will be security holes. All in all this is probably a good thing for consumers in the long run as it will keep DRM off of CD's.

    • Re:This is a good thing, in the long run (Score:4, Insightful)

      by Chaffar ( 670874 ) on Friday December 09, 2005 @10:25AM (#14219655)
      "In the long run all of this trouble is a good thing. Sony is galvanizing people against DRM."

      I disagree. Even though in theory this should happen, I feel that anyone who understood the nature and purpose of DRM was already against it in every way. I don't think that this fiasco attracted anyone's attention except of those who are already pretty much against DRM. This isn't really a M$ Vs. Linux Vs. Mac debate, where each party has its own arguments. I think that even the people who are against piracy kinda see how pointless these types of measures are, especially those that harm the innocent (i.e. the thing about not being able to copy more than 3 times screwing over iPod users?).

  • Illegal (Score:4, Informative)

    by DeanFox ( 729620 ) * <spam.myname@gmai[ ]om ['l.c' in gap]> on Friday December 09, 2005 @10:22AM (#14219624)

    "Sony BMG said the MediaMax copy protection system, which is supposed to stop people making illegal copies of CDs, has been used on 50 titles sold in North America."

    Why do the keep emphasizing, "making illegal copies" when it is not illegal? I have the right to make as many copies as I want. What I cannot do is make un-authorized copies (fair use IS authorized) or distribute those copies.

  • Man Bites Dog (Score:4, Interesting)

    by headkase ( 533448 ) on Friday December 09, 2005 @10:22AM (#14219629)
    Boycott's are ineffective and Sony's proven they're too incompetent to even clean up after themselves. I'd like to see some lawyers sick themselves on Sony... Let's see a class action settlement of ~$100 for each user to get a professional to remove the security hole the software introduces. They just don't seem to understand anything but dollars so at least the lawyers would be using the right stick.
    • sony this sony that sony this that and sony that this, sony sony sony, sony who sony what sony how and sony why? ...

      IGNORE THEM.

      Don't protest, don't argue, don't boycott, don't fight.

      Just ignore them. I couldn't name you five popular Sony labeled bands or groups. Stop thinking about it.

      Are people really that compelled to buy every piece of music they come into?

      Tom
  • Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless.

    What does that have to do with a story about DRM? We already know they're affected.

  • finally now i can use p2p again (Score:3, Funny)

    by nazsco ( 695026 ) on Friday December 09, 2005 @10:37AM (#14219809) Journal
    and when sony sues me (thu RIAA), i just load one of those handy cds with digital-rootkit-management and claim that someone else (probably at sony) was hijacking my computer and putting all those mp3, that i've never heard about before, there.

  • is to start voting agaisnt companies that screw over their market like this. Don't buy Sony. I've always found Sony to be in a favorable light, but this is just one huge bad call. Unless they recall all the CDs and replace them with clean CDs they will not fix this in my eyes.

  • I know! (Score:2, Funny)

    by Ruff_ilb ( 769396 )
    Lets fix it with a rootkit!
  • It was discovered, and remarked upon, and even posted in comments to the original Slashdot article about the patch, on the same day.
  • I am actually curious if anyone has any of these infected CDs if there is anything on the CD case or the liner notes that make any mention of the possibility that software will be installed on a computer if used on a PC, or if they even have the compact disc logo anywhere on it. Can anyone confirm? P.S., I would NOT advise putting it in your computer to see if there is anything on the CD, unless of course you happen to be running some other OS besides Windows or Mac (as I think some sort of kernel mod can

  • What a good product might look like (Score:4, Interesting)

    by Ant2 ( 252143 ) on Friday December 09, 2005 @11:02AM (#14220048)
    What if you could purchase an Audio CD that:

    - could play in all CD players, including PCs and car stereos?
    - had an extra track with non-DRM MP3s, OGG, and WMA files?
    - included cover art in JPG and PNG format?
    - included the full lyrics in TXT format?
    - was free from DRM and other executables?
    - (oh, and actually had songs you liked)

    Would you buy this? I would.

  • Then how do we get rid of this thing? (Score:3, Funny)

    by Darthmalt ( 775250 ) on Friday December 09, 2005 @11:03AM (#14220054)
    Friend of mine bought the switchfoot cd and put it in her computer. I've tried using all the so called patches and microsoft's anti spyware all of which failed to remove it. I've gotten to the point where now I can see the files but they're write protected. If I bypass the write protection and delete them will it screw up the laptop?

    CURSE YOU SONY!!! and your sudden but inevitable betrayal.
    • Simple, It's called format & re-install. I hope everyone that has to use this solution will then send a copy of the bills to Sony. When they don't respond or laugh at you then take it to small claims court. A few million little suits like this will make something happen.

      I charge $75 - $85 to F&R and driver it up.
  • Check out this story [wired.com] on Wired about Sony's latest guerilla marketing ploy. Sony has hired graffitti artists to paint buildings in New York, Chicago, Atlanta, Philadelphia, Los Angeles and Miami with graffitti showing people playing with the PSP. NOt everyone is happy with this. I know if they painted MY building (assuming I had one), I'd be suing them.

  • Curious... (Score:2, Insightful)

    by GmAz ( 916505 )
    By recalling the CDs and sending out new ones without the DRM, does this remove the DRM from the machine or just leave it there. Or does the new CD remove the DRM when you play it? Same for the Sony Rootkit. By recalling the CDs, it sounds like they stopped the spread but didn't remove the auctual DRM software. If this has been answered before, I am sorry.
  • Paraphrasing and modifying the previous article:

    According to a Slashdot user, the Music Listeners' Association is stepping up to launch the next phase in the consumer industry's battle against government-protected music. The MLA is demanding jail time for the maintainers of CDs offering undocumented rootkits and worms. The MLA President has stated that refusing CDs and imposing boycotts is not enough, stating that by 'throw [ing]in some jail time I think we'll be a little more effective' in its crusade."

  • So let me get this right... (Score:5, Insightful)

    by Anonymous Coward on Friday December 09, 2005 @11:50AM (#14220562)
    x installed rootkit
    x virus was written to use rootkit
    x lied about it sending info
    x licensing was illegal
    x contained stolen copyrighted code
    x created patch that contained vulnerability
    x patch collected info from machine

    x another drm contained vulnerability
    x created patch with vulnerability

    9 strikes. Did I leave anything out?
  • just hold down the shift key!!
  • But instead of putting them in the computer, I downloaded the songs from limewire.

    I've heard too much about vulnerabilities and the like regarding these CDs. I bought the CDs, left them in the wrapper, and downloaded the music online. What's wrong with that?

  • "Remote Attestation" and content access monopolies (Score:3, Informative)

    by NZheretic ( 23872 ) on Friday December 09, 2005 @02:09PM (#14221968) Homepage Journal
    Don't just go after Sony. The REAL THREAT comes from the operating vendors themselves.

    ALL third party and more importantly operating system based DRM puts the user at greater risk. If the DRM code itself is not exploited then there are always new vulnerabilities being discovered in the media players and browsers used to play and display encoded content.

    August 02, 2005 "Remote Attestation" and content access monopolies [blogspot.com]

    Remote Attestation" and content access monopolies

    The Trusted Platform Module [classicbeta.com] provides the hardware functionality for digital rights software to provide effective remote attestation [wikipedia.org] and digital key withholding.

    Both Microsoft and Apple have plans for media-digital-content-viewers that, at the request of a digital content provider, will not allow the user to view or access specific digital content if the operating system has been modified in certain ways.

    Because, for the foreseeable future, it is impossible for the digital rights management software to detect if an individual modification to a particular subsystem is hostile to the goals of the demanded digital rights, all software and subsystems relating to the operating system with storage and input to display will have to be digitally signed by Microsoft or Apple before it can be accepted by the DRM subsystem. Microsoft and Apple are effectively locking the user out from changing parts of the operating environment.

    Because it is possible for hackers to read digital keys used to encrypt content direct from the computer's memory, the operating system has to be built with the ability to lock the user from being able to access pages of memory used by the mediaplayer and digital rights management system.

    OS based Digital Right Management systems are based on the principle of locking the owner of the computer out of the ability to access sections of memory and disk space used by the DRM mediaplayer systems.

    Locking the owner out of parts of the computer has become a major security issue [computerworld.co.nz].

    Microsoft's Mediaplayer, Active-X ( still used with some DRM ), Real's realplayer, Adobe's PDF viewers, Apple's Quicktime and even Microsoft's and Sun's Java JVMs, have in the past had remotely exploitable vulnerabilities.

    OS based DRM combined with TPM based encryption along with enviable future vulnerability holes in media access offers the malware/virus/worm creator the ability to hide a virus from any antivirus tool or live forensic analysis. Existing stealth viruses already have ability to hide the modifications it has made to files, going undetected by antivirus programs. DRM encryption offers the ability for the malware to store content, and without the keys to decode the content, keep it hidden from any forensic analysis.

    Crackers and hackers always find ways to exploit the code to access or share protected content. There is not a DRM system that has not been cracked within months of widespread release. The focus on the code use d in such systems also comes to the attention of malware/virus creators. The same holes discovered by those who just want to freely access content may possibly also be abused by those wanting to crack into your computer. Similar holes in other types media viewers, the webbrowser and email programs, are increasingly being used for criminal gain by phishers and spyware makers.

    Some vendors reportedly have in the past purposely left backdoors in the source code to allow access by US intelligence agencies [techlawjournal.com]. This has not only become a major issue for other countries who fear spying, since discovered backdoors quickly become the criminal's frontdoor i

Slashdot Top Deals

Single tasking: Just Say No.

Close