In an earlier post I described how MediaMax, a CD DRM system used by Sony-BMG and other record labels, behaves like spyware. (MediaMax is not the same as XCP, the technology that Sony-BMG has recalled; Sony-BMG is still shipping MediaMax discs.) MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller.
Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs. I had believed that MediaMax didn't permanently activate this driver—set it to run whenever the computer starts—unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought.
In the comments to our last MediaMax story, reader free980211 pointed out that the driver sometimes becomes permanently activated if the same protected CD is used more than once, even if the user never agrees to the EULA. This wasn’t apparent from my earlier tests because they were conducted under tightly controlled conditions, with each trial beginning from a fresh Windows installation and involving only carefully scripted operations. I’ve performed further tests and can now confirm that MediaMax is permanently activated in several common situations in spite of explicitly withheld consent.
When this happens depends on what version of MediaMax is being used. An older version, called CD-3, was introduced in 2003 and is present on albums released as recently as this summer. There is also a newer version, MediaMax MM-5, which has been shipping for a little over a year. You can tell which version is on a CD by examining the files in the disc’s root directory. Albums protected by MediaMax CD-3 contain a file called LAUNCHCD.EXE, while MM-5 albums include a file named PlayDisc.exe.
When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:
- You insert a CD-3 album, then later insert an MM-5 album
- You insert an MM-5 album, then later insert a CD-3 album
- You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album
These steps don't have to take place all at once. They can happen over a period of weeks or months.
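As an added illustration (not code from the original post or from SunnComm), the sketch below identifies the MediaMax version from a disc's root directory using the two file names given above, then checks an insertion history against the three listed scenarios. The event tokens, the function names, and the treatment of reboots as irrelevant to the two mixed-version scenarios are assumptions of this example.

```python
import os
import tempfile

# Marker files named in the post, keyed in lowercase because Windows
# directory listings are case-insensitive.
MARKERS = {"launchcd.exe": "CD-3", "playdisc.exe": "MM-5"}
REBOOT = "reboot"  # hypothetical event token used only by this example


def mediamax_versions(disc_root):
    """Return the sorted MediaMax versions whose marker file is in disc_root."""
    names = {name.lower() for name in os.listdir(disc_root)}
    return sorted({ver for marker, ver in MARKERS.items() if marker in names})


def may_become_permanent(events):
    """Check a chronological event list against the post's three scenarios.

    events holds "CD-3", "MM-5" or REBOOT, and the EULA is assumed to have
    been declined at every insertion. Assumption: reboots do not matter for
    the two mixed-version scenarios, because the post says the steps can be
    weeks or months apart.
    """
    seen = set()               # MediaMax versions inserted so far
    mm5_before_reboot = False  # an MM-5 insertion was followed by a reboot
    for event in events:
        if event == REBOOT:
            mm5_before_reboot = mm5_before_reboot or "MM-5" in seen
            continue
        if event not in MARKERS.values():
            raise ValueError(f"unknown event: {event!r}")
        if seen - {event}:
            return True        # CD-3 then MM-5, or MM-5 then CD-3
        if event == "MM-5" and mm5_before_reboot:
            return True        # MM-5, reboot, then any MM-5 album
        seen.add(event)
    return False


def events_from_log(entries):
    """Turn a log of disc-root paths and REBOOT tokens into events.

    Discs without either marker file contribute no event.
    """
    events = []
    for entry in entries:
        if entry == REBOOT:
            events.append(REBOOT)
        else:
            events.extend(mediamax_versions(entry))
    return events


def make_sample_root(filenames):
    """Create a temp directory of empty files standing in for a disc root."""
    root = tempfile.mkdtemp(prefix="disc_")
    for name in filenames:
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    # Constructed sample data: three fake disc roots, not real disc images.
    mm5 = make_sample_root(["PlayDisc.exe", "autorun.inf"])
    cd3 = make_sample_root(["LAUNCHCD.EXE", "autorun.inf"])
    plain = make_sample_root(["readme.txt"])

    for label, log in [
        ("MM-5 once", [mm5]),
        ("MM-5, reboot, MM-5", [mm5, REBOOT, mm5]),
        ("CD-3, plain disc, MM-5", [cd3, plain, mm5]),
        ("CD-3, reboot, CD-3", [cd3, REBOOT, cd3]),
    ]:
        events = events_from_log(log)
        print(f"{label}: {events} -> at risk: {may_become_permanent(events)}")
```

A result of `False` only means the history matches none of the three scenarios the post lists; the post does not claim the list is exhaustive.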
This is bad news for people who like to play CDs in their computers. Many users are unaware that their CDs contain MediaMax until the license agreement appears on their screens, but by this time it may be too late to stop the driver from being permanently activated. Even if users are careful to decline the EULA every time, the circumstances when the software becomes active anyway are common enough to be practically inevitable.
This may be an annoyance to music fans—unless you disable the driver, you’ll have a hard time playing any MediaMax-protected titles, let alone copying them to your iPod—but it’s also a security risk, since the driver is loaded as part of the Windows kernel and has the ability to control virtually any aspect of the computer’s operation. We don’t know whether the MediaMax driver contains any vulnerability that can be exploited to do further damage, but the way it is installed creates a dangerous precedent.
Is this behavior illegal? It should be. Installation of system level software where the user has explicitly denied permission raises serious security concerns and is wrong.

The first mistake is using an operating system which allows installation of kernel drivers/patches without explicit permission or acknowledgement from the user. All else follows... it's like asking for abuse, then being completely surprised when you get it.
MediaMax copy protection does things behind your back!
The music industry get up to more tricks straight out of the virus writers’ handbook!
Alex Halderman at Freedom to Tinker describes how the MediaMax copy protection software activates even if the user has declined the EULA (End User Lice...
When someone explicitly indicates that they do not agree to an EULA, and a CD appears to eject without playing, then that user has a reasonable expectation that no software was installed on their computer.
Sony-BMG knew or should have known that MediaMax software installed despite explicit refusal of their terms. Sony-BMG knew or should have known that software installed in those circumstances could become permanently activated in a common pattern of use.
Sony-BMG intended that MediaMax software would be installed and permanently activated whether or not the system owner agreed.
So just what is it going to take before Sony's corporate officers start facing arrest warrants?
Injured persons need to complain.
Businesses seem the most likely to have documentable policies controlling software installation that would cause someone to refuse the EULA.
Thank you, Mr. Halderman!
I thought I was losing my mind when I saw the driver running in auto. Then I replicated it on another machine, and was hoping it was just an isolated problem, perhaps even limited to just my disc. It is a strange feeling indeed to feel happy that I wasn't screwing up, and at the same time, disturbed about the true depth of the problem. Oh, well...
I know you have taken a lot of abuse from various parties in breaking these stories, but I most certainly appreciate it. You guys have done a fantastic job with this story, and I only hope it helps Sony/BMG see the wrongs of their way. They still have a chance to fix this, in my eyes, but perhaps I am too kind.
As a side note, it looked as if there might be an uninstaller available, but I was not about to fire up IE and try it until I heard something back. Does anyone have a confirmation that the uninstaller is back and safe to use?
Thanks again.
This strikes me as a mistake. I can imagine the conversation at the MediaMax 5 design meetings:
"It looks like users sometimes find the service and turn it off. What should we do about this?"
"Well, what if we look to see if MediaMax is already installed but deactivated, and if so activate it."
"Great idea, Johnson!"
[villainous laughter]
And meanwhile, nobody thought "what if it's not activated because they clicked 'No'?"
Not that this makes them innocent. This sort of clumsiness cannot be permitted in a program which runs in kernel mode.
free980211,
Great work bringing this behavior to light. Thank you!
The new SunnComm uninstaller doesn't appear to expose users to the same kind of vulnerability that the old one did. It leaves a lot to be desired (for instance, MediaMax will be reinstalled if you try to use a SunnComm CD in the computer again and autorun is turned on), but at least SunnComm is distributing the tool without forcing users to jump through as many hoops as before.
Mr. Halderman,
Thanks for the heads-up on the uninstaller. I tried to uninstall it from the device manager, but that didn't work. Finally, a safe way to be free of this garbage!
I have definitely learned a big lesson (the hard way) about the dangers of auto-run. I will definitely take some time and figure out how to do that.
I think the biggest lesson I have taken out of this whole experience is how important the academic process and public statement of findings really can be. More eyes on a topic can definitely expand one's understanding of what is going on. I am happy to have served a small part in the process.
Brent,
Perhaps you're remembering...
“ElcomSoft verdict: Not guilty” by Lisa M. Bowman, CNET, 17 Dec 2002
Jury foreman Dennis Strader said the jurors agreed ElcomSoft's product was illegal but acquitted the company because they believed the company didn't mean to violate the law.
"We didn't understand why a million-dollar company would put on their Web page an illegal thing that would (ruin) their whole business if they were caught," he said in an interview after the verdict. Strader added that the panel found the DMCA itself confusing, making it easy for jurors to believe that executives from Russia might not fully understand it.
Funny, I use Debian Linux and have no problem with the installer. I guess it is a Windows thing.
Well at least they can't complain that you broke the EULA when you reverse engineer the program :)
I seem to be one of the relatively few private individuals who have extremely stringent software installation requirements -- I was instrumental in getting Xfire to not only sign its installer, but also to sign its EXE file and its DLL files as well. (If a piece of code is running on my system, I want to know where it's coming from and who installed it.)
Does someone like me [a former sysadmin] have any right to bitch under these circumstances -- especially when I run a Windows 2000 domain with security policies set?
Ned Ulbricht:
There is a fundamental difference between the ElcomSoft and a (future) Sony/BMG case. ElcomSoft was a Russian company without a presence in the US, whose software (which was legal in Russia) appeared for sale on a website hosted in the US. ElcomSoft took swift measures to rectify the problems.
Sony/BMG is a multinational with subsidiaries in the US. Sony/BMG put the software, with dubious US legality, on CDs aimed at the US market. Sony/BMG still claims that "there is no problem".
Thanks for writing this article. It was timely for me since I put in the latest David Gray CD to rip MP3's for my player. I saw the MediaMax logo come up right away and before I could do anything about it - it came up with the End User License Agreement. I declined and ejected the CD. I was thinking it was the rootkit, so I put a piece of tape on the first 1/2 inch of the CD and put it in again. A window popped up to say to insert the David Gray CD even though it was already inserted. I went into my Task Manager and saw PlayDisk.exe in my memory, so I stopped the service and ripped the CD.
I haven't rebooted to see if PlayDisk has come back yet, so I'll have to check. At least I know now it wasn't the rootkit - no more Sony for me...
While I don't appreciate what Sony is doing, I still don't understand why this is much of a problem. Who is stupid enough to use an account with administrator rights for normal use?
We know the big problem is most people run Windows as an administrative user. Does this software still get installed if the user is running as a non-administrative user? Aren't non-administrative users generally restricted from being able to install kernel level software?
The problem is bad enough, but it would seem the DRM is installed only because of poor practices followed by the vast majority of Windows users.
I would like to know if the MediaMax software is able to install itself when used by a regular user (not an administrator). What about in a corporate/enterprise environment where the IS department has locked down the machines, not allowing users to install software? Does it install in that situation as well? Or does it just prevent the CD from playing?
It would be quite funny if the best way to defeat some of these DRM issues were as simple as following best-practices that almost no one running Windows currently follows (short of managed enterprises).
"Installation of system level software where the user has explicitly denied permission raises serious security concerns and is wrong."
Installation of *any* software where the user has explicitly denied permission is illegal, at least in France it is considered breach into a computer system (code pénal, art. 323-1 to 323-7), leading to up to 1 year in jail and a fine of 15000 EUR. If the intrusion results in an alteration and/or blocking of the system, make that three years and 45000 EUR. And that's not including the fact that the facilities that helped such breach may be closed for up to five years, for instance.
Of course, Sony might argue that the breach was not intentional. This would be difficult, given that installing such software was their declared intent, should the user have agreed.
"Who is stupid enough to use an account with administrator rights for normal use?"
My 70-year-old mom, for one. I don't give her flak about it, because she has enough trouble with double-click and right-click command sequences. Fortunately, she doesn't use the computer to play music, as she has dedicated devices for that!
I wonder if this is why, when I recently tried to use Nero Burning ROM to make a mix disc of some of my mp3s, that it just wouldn't work, despite my having used the program for such a purpose many times before. Turns out I had inserted Sarah McLachlan's Afterglow into my computer a while back and apparently it's a Suncomm-corrupted title.
To answer the "boy-you-are-stupid" questions like who runs Windows in administrator mode, etc. -- well, I have to confess I don't know what a kernel is and was unaware of things like autorun and I've used computers for years and years. I just don't pay attention to stuff like that (just like I don't care much about how my car works, only that it does) and I suspect I'm in the vast majority of blissfully ignorant folk with no time or interest in knowing all the ins and outs of their appliances.
I'm getting a fast education about these things now, though, and undoubtedly so are many other people. This might ultimately be one of the best results of Sony BMG's invasive attack on its customers. And you better believe I'm not giving that crooked company another cent of my money.
Now I need to figure out how to stop their apparently ongoing theft of my (rather ancient) computer's functionality and resources...
This is, actually, incredibly stupid on the part of these companies. Their defense in court, such as it is, is that the user accepted the EULA and that what they installed was therefore an authorized installation.
Since this demonstrates that they install it regardless, this presumption is shattered and they'll have to prove some other way that the user authorized the installation. I think they'll have a hard time showing that in court.
If John Doe uses someone else's computer to install and run software that is in violation of the security policies of the owner of that computer, John Doe gets arrested. Why should SONY/BMG be treated any differently? People made these decisions and should be held accountable for the illegal access to other peoples property. It is a crime to go into my house after I have told you not to (trespass), and to alter the structure of my house so that it does not work as it did before (Vandalism). Taking information out of my house is also a crime (theft). Just because it happens in a computer doesn't mean it is less of a crime.
Kudos to all for the work done on the multiply nasty Windows versions. Fortunately the EFF etc class action aims at MediaMax as much as, if not more than XCP. But Sony need to be forced to withdraw their MediaMax discs as well. (And if they are not, they are establishing a de facto standard for "acceptable" CP technologies.)
I however am a (reasonably smug) Mac user. We all know that we don't have the same vulnerabilities. We need to click more than once, and enter an admin account password to get the MediaMax programs on our Macs. We all know that no mac user could be so stupid. But Macs are now being pushed as safe for grannies.
For Mac users this is still a threat, though as a social engineering exploit, rather than a (totally) surreptitiously installed one. It is malware which is presented to us by a presumptively respectable source (SonyBMG) to allow us to do something we want (get full usage of our shiny new audio disc).
Does anyone know what MediaMax does if installed on an Mac? All I have seen is a reference to it installing two kext (kernel extension) packages. Does the new uninstaller get it off Macs as well, without requiring command line activity (which many Mac users would not be comfortable with)?
TomCS
MediaMax requires administrative privileges to install. Once installed, non administrators can run the software.
If a non-administrator runs the mediamax software for the first time, the CD is ejected (a non privileged operation) and a message box is displayed saying something along the lines of "you must be administrator to run this program".
“Who is stupid enough to use an account with administrator rights for normal use?”
Every windows user I know - the limited account is so limited as to be useless.
@ Dave "To answer the “boy-you-are-stupid” questions like who runs Windows in administrator mode, etc. — well, I have to confess I don’t know what a kernel is and was unaware of things like autorun and I’ve used computers for years and years."
Windows has always had a poor security model. Until NT, if you were sitting at the machine you had access to *everything*. (It's the same for the Mac OS - which, fortunately, has been scrapped by Apple and replaced with an OS based on Free BSD Unix (OS X). Pity MS didn't scrap Windows and start again, huh?)
XP does not invite you to set up a non-administrative account at installation. Moreover, much software in the Windows world won't run except on an admin account. (On OS X, BTW, you actually need to re-authenticate to get into system areas.)
Microsoft knows what the problem is. It has finally twigged that valuing usability and backwards-compatibility over security is a very bad idea. Hence the talk of LUAP. But it may be too late to turn the ship now. This may help:
http://nonadmin.editme.com/
I think you can turn off autorun with Tweak UI:
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
I really don't understand this argument about administrator mode.
18 U.S.C § 1030 uses the terms "authorization" and "authorized access".
Are people seriously arguing that operating a Windows machine in administrator mode implicitly "authorizes" any and all access? Whether or not the user clicks "No" on an install screen?
I think that if the user explicitly refuses the EULA then access is just plain not authorized.
This is just more proof that Sony is the lead conspirator in these DRM disasters. I believe that MediaMax and First4Internet are just pawns being used as cannon fodder by Sony. Companies like Sony do not just buy this type of software at Best Buy.
They put together a set of specifications that state exactly what they expect the software to do. Sony’s Project Team would be intimately involved in the design, testing and implementation of the software. For them to now tell the general public that they did not know what the software did is just absurd. They knew exactly what the software did as well as when, where and how it did it, before they ever purchased it. If the lawsuits do go to trial or a State Attorney General subpoenas all of Sony’s internal project documents and communications this will become apparent.
This is the same company that gave the portable mp3 player market to Apple. They had one on the market before Apple. Sony was the gold standard in portable devices with the Walkman name. Sony designed such onerous DRM software to be used with it, that it cost them the market. This, in the end will also be the downfall of Blu-ray. See these articles on Cnet- Microsoft and Intel endorse HD-DVD, HP and Blu-ray group at odds.
Where are the SunnComm trolls today? Y'know, I almost miss them.
Ned,
No-one is arguing that running as Administrator in Windows is implicit consent to anything. People are just pointing out that in a secure environment, you cannot have something silently installed without knowing about it. This malware is just one more reason to teach people how to run Windows without administrative rights (as much as possible). It's also one more reason to teach people about the alternatives that exist to Windows.
To Alex Halderman
Alex, thanks for your analysis of MediaMax. If you have the time and inclination, there is one additional thing that would be worth testing:
You have established that MediaMax transmits certain information about the CD and the PC it is used on back to Sony/SunnComm. You have also established that even if the EULA is rejected, the driver is still installed on the PC in "inactive" mode and you have also established that if a subsequent MediaMax CD is placed in the CD-ROM, that original driver is permanently activated even if the EULA is again rejected.
In this latter situation, with the driver now permanently active following 2 rejections of the EULA, what happens when non-Mediamax CDs are placed in the CD-ROM? Does the active driver send information back to Sony/SunnComm regarding non-protected disks? If it did, that would really prove without doubt that the reporting has nothing to do with the technicalities of the copy protection and everything to do with spying for marketing or other purposes.
Edward,
A totally secure computing environment means your computer is unplugged from the network, unplugged from the wall, and smashed with a sledgehammer—at least a couple of dozen times. In a somewhat insecure computing environment there are real tradeoffs with usability. In a typical Windows computing environment, even if the user isn't running as an administrator, buffer overflows might result in software silently being installed without the user becoming aware.
As was pointed out over at the Picker MobBlog a few months ago, the law is interested in preventing wasteful arms races.
Alex,
Why did your professor and mentor (Felten) misquote you about the mediamax software being "spyware-like" or "characteristic of" instead calling it spyware which is a complete fabrication of your analysis from what I have read. Care to clarify? Do you yourself care to call it "spyware"?
Anonymous wrote:
"... You have also established that even if the EULA is rejected, the driver is still installed on the PC in “inactive” mode..."
Nope.
Though you may not intend it as such, that phraseology sounds like a corporate weasel attempt :)
Per reports here and elsewhere the malware is ACTIVE. It is installed and running.
It is LEFT installed and running regardless of whether the user has accepted or declined the EULA.
Which is very illegal in a lot of jurisdictions.
Whether or not the malware is set to autostart on next reboot is just icing on the cake.
(The fact that some Windows machines may need frequent rebooting does not lessen or excuse the offense.)
The malware is installed and left running sans consent.
The issue raised by the exposure of Sunncomm's "Autostart at all costs" trickery above is, really, just this:
"How many charges of felony conspiracy can now be added to the Sony docket?"
And I see the Sunncomm shill is back spamming the blog replies with even more vaguely threatening harassment.
Y'know... I wonder how these open records will play out when Sunncomm is hauled into court to answer for their part in these crimes.
I agree with Ned. There is no such thing as “totally secure computing”. Unfortunately most of the commercially available software for windows will not operate properly, if at all, in user mode. Some of the programs will not even show up on the desktop even after you allow all users access. This is why most people run as administrator. You must choose a proper compromise between functionality and security. This is apparently going to be more difficult with Sony’s latest tricks.
And yes I sometimes feel like hitting it with a sledgehammer.
The solution is easy:
USE A MACINTOSH !!!
No windows ? No rootkit, no driver, no insecure drivers !!!
Zire
I just wonder why Microsoft doesn't just issue one of their frequent patches that disables Auto-run?
Of course I don't really wonder that, but that is what consumers should be demanding. Sony will then be stuck with the same position they are in on OS X. Leaving an executable on the disc and hoping the user clicks on it and agrees to install. I'm guessing that wouldn't make them very happy.
All these SunnComm trolls should watch out ...
Wouldn't it be nice if the EFF asked FTT for their logs :-) and found out where the trolls were coming from :-)
(Oh - and if you think FTT isn't allowed to hand them over, think again. I don't know their policy on this, but if I were them I'd just say "I need a judicial subpoena to cover my back - go get it and you're welcome to them".)
Cheers,
Wol
Anthony Youngman wrote:
"Wouldn’t it be nice if the EFF asked FTT for their logs :-) and found out where the trolls were coming from :-)"
Err... why?
I myself was referring to the damage the simple existence of the shills' harassment and spin-control attempts, as recorded in various blogs, would do if presented as additional evidence in the trials. It would be minor stuff compared to the other gaping holes the defendants insist on blowing in their case, but it wouldn't help them either.
Still... while shilling in some circumstances can be illegal, and in other cases can be legally actionable... just being a shill in and of itself doesn't constitute a crime.
There are good grounds for believing that the modification of data in the absence of agreement to the EULA would be an unauthorised modification. If the computer is protected by a password login, it is probably "protected data". The unauthorised modification of protected data is illegal in the State of New South Wales, Australia.
See section 308H of the Crimes Act
http://www.legislation.nsw.gov.au/fragview/inforce/act+40+1900+pt.6-sec....
308H Unauthorised access to or modification of restricted data held in computer (summary offence)
(1) A person:
(a) who causes any unauthorised access to or modification of restricted data held in a computer, and
(b) who knows that the access or modification is unauthorised, and
(c) who intends to cause that access or modification,
is guilty of an offence.
Maximum penalty: Imprisonment for 2 years.
(2) An offence against this section is a summary offence.
(3) In this section:
restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.
I still am waiting to see what damage anything installed by Mediamax does to your PC (it has been certified by Microsoft). It prevents unautorized copying - of Mediamax discs - (with this driver running), it doesn't render your DVD-ROM, CD-ROM or anything else useless on your PC. It hasn't been shown to cause a security risk, only stated that it may do so. So may thousands of other software packages installed on peoples computers.
The disclaimer on the CD says it will install software when you put it in your computer, anyone who can read should understand this prior to putting the disc in your PC:
-----------------------------------------------------------------
"This CD is enhanced with MediaMax software. Windows compatible instructions: Insert disc into CD-ROM drive. Software will automatically install. If it doesn't, click on "LaunchCd.exe." Mac OS instructions: Insert disc into CD-ROM drive. Click on "Start." Usage of the CD on your computer requires your acceptance of the end user license agreement and installation of specific software contained on the CD. "
-----------------------------------------------------------------
I don't understand why it is such a "find" that it automatically installs when you put the disc in your PC, it says so on the label!
So SunnComm shows up in the discussion after all! Welcome, Steve K!
So MediaMax prevents "unautorized" copying of MediaMax discs (well, assuming they don't turn off autorun or use the shift key or use a marker or stick a piece of tape on the edge of the CD), and it does this by installing a filter driver that we have only your vague assurance to tell us that it doesn't interfere with what you consider the normal operation of the CD drive. I consider ripping legally purchased CDs to be normal operation of the drive, so that makes MediaMax malware in my eyes right off the bat. (For what it's worth, I stopped buying CDs years ago when MediaMax was first shipped. I refuse to buy a CD that I can't rip to MP3 and use on my non-WMA-DRM portable music player.)
The fact that it installs explicitly against the user's request should kill your "hide behind the EULA" defense too. I can't wait for the EFF's lawsuit to go to court.
And let's not forget that it spies on customers. I think that qualifies as harm.
Your false implication that your CDs can only be listened to with your player software violates Texas's spyware law too--the one the Texas AG is suing Sony and F4i over. Hopefully you'll find yourself a co-defendant on that one in the near future.
18 U.S.C. § 1030(e) (8):
the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information;
A running process consumes computing cycles, impairing the availability of a system. Network connections use bandwidth which impairs the availability of a system. And 15 MB of disk space impairs the availability of a system.
Anyone know anything about the "Bandlink" program or the firm that makes it, "CD Intelligence"?
This is the crap that came with my aforementioned Afterglow disc by Sarah McLachlan. I went back and read the fine print on the label and it doesn't say anything about "copy protection," nor does the EULA, but it does vaguely sound like spyware. Of course, the warning on the label instead talks about the software as an enhancement (note to Sony: which does not mean "replacement") and how you can "gain access to Exclusive Bonus Content" and that kind of hoo-ha. (Hey, it's not a bug, it's a feature!)
What it doesn't say is that, although you think you are buying a bona-fide compact disc (it even refers to the disc as a "CD"), you can't use this defective product the way you could a normal CD. That is, you apparently have to run Crapwareplayer.exe to listen on a PC instead of just using your normal media player. Ergo, it's not a CD, it's a less functional cousin to a CD, selling for the same price as a fully functional CD.
As for ripping, I just turned off autorun. So what I'll have to do apparently to listen to this disc on my PC without crapping my system up with spyware is rip the songs to a new disc. Why did I pay for Sony BMG/Arista's disc if I have to use one of my own discs anyway? Why do they refer to these things as CDs when they aren't?
This whole thing is sneaky at best and totally dishonest at worst. And to agree with the comment above about unwanted usage of CPU cycles et al. decreasing availability, I agree fervently. My system is an old P2-450 nevertheless running Windows XP. On its fastest day it's a dinosaur, so believe me, crapping up my system with spyware is very noticeable and a huge waste of my time (and dollars, when I have to buy anti-spyware software to delete things I never wanted installed). So I'll say it again, I consider sneaking crapware onto my system an act of THEFT. Who are the real thieves here?
I was wrong. Seems you can listen without Bandlink after all -- is working here on my work computer, but for some reason neither Media Player nor Winamp on my home system wanted to find the audio. Weird. Anyway, this program looks somewhat more benign than I thought at first, but I'd still rather just listen to the disc without "enhancing" my PC.
We now return you to your regularly scheduled MediaMax shilling (gack); thank heaven I didn't accidentally pay for one of those awful discs.
The issue is not at all about running Windows with Administrator rights.
It is really that 1) Companies like Sony are willing to do anything to your computer that they can get away with and 2) Windows is a piece of crap, that unfortunately (or fortunately for Sony) most of the world uses.
The best defense other than switching operating systems (maybe someone can think of a good one :) ) is to turn off autoplay. It is unfortunate to not have the convenience of auto-play, but I learned long ago that it allowed some things to get initiated that I wanted no part of. I think this is more practical for most people than running without Admin rights (which is needed to install just about anything useful).
Furious at SONY, I declined the EULA and found the software installed!! This is just not right!
Can anyone confirm that their uninstaller is now safe to use?
Sunncomm claims that this is a brand new uninstall utility that has addressed the issues (the security hole of the ActiveX control - AxWebRemoveCtrl) and will leave no security risks.
They sent me this link:
"Please click here and follow instructions to remove MediaMax:
http://www.sunncomm.com/support/tools/removal.asp
Thank you very much and we do hope you have a fine day!
SunnComm Technical Support Team"
Also, is there a way to add these songs into my iTunes library without using your software? I just want to load these songs to my iTunes and then my iPod so I can listen to them at work.
Thank you.
Ned,
Where did I say anything about *totally* secure? But an environment that makes it difficult to do anything useful without having full administrative privileges is (IMO) a broken environment. Are you going to suggest that this is a reasonable working environment? Yes, obviously in the real world we trade total security for some security and some usability. However, having used many alternatives to Windows, I can easily state that Windows is insecure in ways that are totally unnecessary for ease of use.
Yes, buffer overflows *might* result in software silently being installed, but that's like saying that because someone might be able to pick the lock at your front door, that there is no point in locking the door or for that matter even having a lock on the door.
Finally, you suggest that the law is interested in preventing wasteful arms races. I have to say that I don't see any evidence of that when it comes to any kind of intellectual property, at least in the US.
Edward,
The DMCA's prohibitions against circumvention of TPMs were sold to Congress on the basis that it was necessary to prevent a wasteful arms race. Congress passed that law.
Congress also passed the CFAA.