Sony Shipping Spyware from SunnComm, Too

By J. Alex Halderman - Posted on November 11th, 2005 at 8:30 pm

Now that virus writers have started exploiting the rootkit built into Sony-BMG albums that utilize First4Internet's XCP DRM (as I warned they would last week), Sony has at last agreed to temporarily stop shipping CDs containing the defective software:

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use.

What few people realize is that Sony uses another copy protection program, SunnComm's MediaMax, on other discs in their catalog, and that this system presumably is not included in the moratorium. Though MediaMax doesn't resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware.

I originally wrote about MediaMax back in 2003. It was the first copy restricting technology that installed software in an attempt to block ripping and copying. SunnComm has continued to develop its anti-copying tools, and today MediaMax is distributed on albums from Sony-BMG and several smaller labels. Sony titles that use MediaMax include Grown and Sexy by Babyface and Z by My Morning Jacket. These discs aren't hard to spot; the back album covers usually contain a label that includes a sunncomm.com URL.

Like XCP, recent versions of MediaMax engage in spyware-style behavior. They install software without meaningful consent or notification, they include either no means of uninstalling the software or an uninstaller that claims to remove the entire program but doesn't, and they transmit information about user activities to SunnComm despite statements to the contrary in the end user license agreement and on SunnComm's web site. I'll describe each of these problems in detail below.

1. MediaMax installs without meaningful consent or notification

When a MediaMax-protected CD is inserted into a computer running Windows, the Windows Autorun feature launches a program from the CD called PlayDisc.exe. Like most installers, this program displays a license agreement, which you may accept or decline. But before the agreement appears, MediaMax installs around a dozen files that consume more than 12 MB on the hard disk. Most are copied to the folder c:\Program Files\Common Files\SunnComm Shared\, shown below:

These files remain installed even if you decline the agreement. One of them, a kernel-level driver with the cryptic name "sbcphid", is both installed and launched. This component is the heart of the copy protection system. When it is running, it attempts to block CD ripping and copying applications from reading the audio tracks on SunnComm-protected discs. MediaMax refrains from making one final change until after you accept the license—it doesn't set the driver to automatically run again every time Windows starts. Nevertheless, the code keeps running until the computer is restarted and remains on the hard disk indefinitely, even if the agreement is declined. [Update 11/28: In several common scenarios, MediaMax goes a step further and sets the driver to automatically run again every time Windows starts, even if the user has never agreed to the license.]

To see if SunnComm's driver is present on a Windows XP system, open the start menu and select Run. In the box that pops up, type

cmd /k sc query sbcphid

and click OK. If the response includes "STATE: 1 STOPPED", the driver is installed; if it includes "STATE: 4 RUNNING", the driver is installed and actively restricting access to music. Alternately, you can look for the driver's file, sbcphid.sys, which will be located in the c:\windows\system32\drivers\ folder if it is installed.

(Newer version of SunnComm's software can also block copying on Mac systems, as reported by MacInTouch. However, since Mac OS X does not automatically run software from CDs, Mac users will only be affected if they manually launch the installer.)

Is there any meaningful notice before the program is installed? On the contrary, the Sony license agreement (which happens to be identical to the agreement on XCP discs, despite significant differences between XCP and MediaMax) states that the software will not be installed until after you accept the terms:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.

Notice too that while the agreement partially describes the protection software, it fails to disclose important details about what the software does. Yes, the MediaMax driver tries to "protect the audio files embodied on the CD," but it also attempts to restrict access to any other CD that use SunnComm's technology. You only need to agree to installation on one album for the software to affect your ability to use many other titles.

2. MediaMax discs include either no uninstaller or an uninstaller that fails to remove major components of the software

None of the MediaMax albums I've seen from Sony-BMG include any option to uninstall the software. However, some titles from other labels do include an uninstall program. For instance, the album You Just Gotta Love Christmas by Peter Cetera (Viastar Records) adds MediaMax to the Windows Add/Remove Programs control panel, the standard interface for removing programs. If you elect to remove the software, it displays the following prompt:

Clicking "Yes" does cause parts of MediaMax to be deleted, including nearly all the files in the SunnComm shared folder. However, the protection driver remains installed and active despite the suggestion that "MediaMax and all of its components" would be removed. That means iTunes and other programs still cannot access music for any SunnComm-protected CD.

[Update: Apparently SunnComm was providing an uninstaller to users who persistently demanded one, but the uninstaller opened a severe security hole in users' systems.]

3. MediaMax transmits information about you to SunnComm without notification or consent

Sony and SunnComm seem to go out of their way to suggest that MediaMax doesn't collect information about you. From the EULA:

[T]he SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

SunnComm's customer care web page is equally explicit:

Is any personal information collected from my computer while using this CD?:
No information is ever collected about you or your computer without you consenting.

Yet like XCP, the MediaMax software "phones home" to SunnComm every time you play a protected CD. Using standard network monitoring tools, you can observe MediaMax connecting to the web server license.sunncomm2.com and sending the following request headers:

POST /perfectplacement/retrieveassets.asp?id= 7F63A4FD-9FBD-486B-B473-D18CC92D05C0 HTTP/1.1 Accept: */* Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: license.sunncomm2.com Content-Length: 39 Connection: Keep-Alive Cache-Control: no-cache

This shows that MediaMax opens a web page from a SunnComm server and sends a 32-character identifier (highlighted)—apparently a unique code that tells SunnComm what album you're listening to. The request also contains standard HTTP headers from which the company can learn what operating system you are running (in the above example, NT 5.1, a.k.a. Windows XP) and what version of Internet Explorer you use (here, IE 6).

SunnComm also gets to observe your computer's IP address, which is transmitted to every Internet server you connect to. You are assigned an IP address by your Internet service provider or system administrator. Many users are issued frequently changing "dynamic" IP addresses that make it difficult to track them individually, but others have fixed, "static" addresses. If you have a fixed address, SunnComm can piece together the messages from your computer to find out all the protected discs you listen to and how often you play them. In some cases, such as if you are a Princeton student, knowing the address is enough to let SunnComm track down your name, address, and phone number.

So why does MediaMax contact a SunnComm server in the first place? The server's response to the above request isn't very informative:

Microsoft VBScript runtime

error '800a000d'
Type mismatch: 'ubound'

/perfectplacement/retrieveassets.asp, line 26

Apparently a bug in the server software prevents it from returning any useful information. However, the name "Perfect Placement" in the URL provides a valuable clue about the server's purpose. A SunnComm web page describes "Perfect Placement" as a MediaMax feature that allows record labels to "[g]enerate revenue or added value through the placement of 3rd party dynamic, interactive ads that can be changed at any time by the content owner." Presumably the broken site is supposed to return a list of ads to display based on the disc ID.

Just because the server software is buggy doesn't mean it isn't collecting data. If SunnComm's web site is configured like most web servers, it logs the information described above for every request. We can't know for certain what, if anything, SunnComm does with the data, but that's why transmitting it at all raises privacy concerns.

…

To summarize, MediaMax software:

Is installed onto the computer without meaningful notification or consent, and remains installed even if the license agreement is declined;
Includes either no uninstall mechanism or an uninstaller that fails to completely remove the program like it claims;
Sends information to SunnComm about the user's activities contrary to SunnComm and Sony statements and without any option to disable the transmissions.

Does MediaMax also create security problems as serious as the Sony rootkit's? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software. However, it certainly causes unnecessary risk. Playing a regular audio CD doesn't require you to install any new software, so it involves minimal danger. Playing First4Internet or SunnComm discs means not only installing new software but trusting that software with full control of your computer. After last week's revelations about the Sony rootkit, such trust does not seem well deserved.

Viewed together, the MediaMax and XCP copy protection schemes reveal a pattern of irresponsible behavior on the parts of Sony and its pals, SunnComm and First4Internet. Hopefully Sony's promised re-examination of its copy protection initiatives will involve a hard look at both technologies.

Tagged:

jhalderm's blog

Comment by The PC Doctor on November 12th, 2005 at 9:21 am.

Removing the Sony DRM rootkit

Detailed information from BleepingComputer.com on how to remove the Sony DRM rootkit.
At the same time, Ed Felten of Freedon to Tinker reminds us that Sony uses SunnComm DRM technology as well as XCP.

It’s MY PC!
Second variant...

Comment by sitharus on November 12th, 2005 at 9:57 am.

Very interesting... certainly puts me off buying CDs.

One thing though, even if the licence prohibits decompilation does the fact that the software will install when you disagree mean you can decline the licence but still have access to the software? No legal agreement has been entered in to if you decline...

Comment by Emil on November 12th, 2005 at 10:14 am.

"Does MediaMax also create security problems as serious as the Sony rootkitâ€™s? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software."

1. Seeing as the software is installed first, you can simply decline the EULA and then reverse-engineer the software.

2. What the EULA says is generally irrelevant anyway. There is no basis in law for EULAs.

Emil

Comment by Michael Righi on November 12th, 2005 at 10:32 am.

A few months ago I communicated with Sunncomm, the company that developed this software for Sony, about their program. I specifically wanted to find out how to remove it from my computer. In the end I learned that in order to partially remove it I would need ActiveX and Internet Explorer since their uninstall utility is web based. It's interesting to note that ActiveX was NOT listed in the minimum system requirements on the back of the CD I purchased. Additionally, as you described, this does not fully remove the software from your computer. On my web site I describe that the only way to fully remove Sony's DRM software is to format your hard drive.

Comment by Charles Miller on November 12th, 2005 at 11:09 am.

I'd consider getting in touch with whoever is managing the Sony case in California - this sounds like good evidence.

Comment by Rauru Blog » Blog Archive » Sony ã®äºŒå€‹ç›®ã® on November 12th, 2005 at 11:21 am.

[...] Freedom To Thinker ã®è¨˜äº‹ã«ã‚ˆã‚‹ã¨ã€Sony BMG ã® CD ãŒ rootkit ã«éš ã—ã¦ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã™ã‚‹ DRM ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã¯ã€ã“ã‚Œã¾ã§çŸ¥ã‚‰ã‚Œã¦ã„ãŸ First4Internet è£½ã® XCP DRM ã ã‘ã§ãªãã€Suncomm è£½ã® MediaMax ã‚‚ä¸€ç·’ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã•ã‚Œã‚‹ã“ã¨ãŒåˆ¤æ˜Žã—ãŸã‚‰ã—ã„ [...]

Comment by danbruno.net » Sony still sucks. on November 12th, 2005 at 11:35 am.

[...] Now someone has uncovered more DRM spyware. It's not quite as malicious as the first, since it doesn't install a rootkit to hide its files, but it's still bad news, not to mention against the license agreement: To summarize, MediaMax software: [...]

Comment by torpid on November 12th, 2005 at 11:35 am.

What the hell?!?^!#%

Why are the execs at sony who authorized the use of this software, and the employees of suncom and xcp being arrested, and dragged away in HANDCUFFS??

They CONSPIRED to damage MILLIONS of personal computers, by defrauding thier customers.

If these criminals are not sent to jail, we need to go after them with pitchforks and shotguns.

Comment by joe on November 12th, 2005 at 11:45 am.

Any indication if the 32-character number is release-specific or specific to each CD? best, Joe

Comment by protocol7 » Blog Archive » Freedom to Tinker Â» on November 12th, 2005 at 11:45 am.

[...] Great, yet another one. What the hell are they thinking? [...]

Comment by protocol7 » Blog Archive » YASS - Yet Another So on November 12th, 2005 at 11:46 am.

[...] Great, yet another one. What the hell are they thinking? [...]

Comment by anonymous on November 12th, 2005 at 1:06 pm.

It's worth noting that installing software on a PC in the UK without consent (which, if the CD doesn't have any explicit warning on the cover will be the case) breaks UK law (the Computer Misuse Act - http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm). The good news is that they can be extradited for this (that means we can drag them over here and try them).

Comment by Brian G on November 12th, 2005 at 1:16 pm.

this was a big deal in the summer when DMB put the virus on my computer.

DMB sent out thousands of copies of Stand Up pre-orders and not one customer knew ahead of time that this horrible crap was going to infect their computers.

Comment by grrowl on November 12th, 2005 at 1:32 pm.

Well, if you insert the CD, (have the files copied), then deny the licence agreement, you are well within your rights to dissassemble the product that has already been installed to the computer, right? ;)

Comment by luizg on November 12th, 2005 at 2:23 pm.

Well, since it gets installed even if you don't accept the license agreement, you can go ahead and reverse engineer it!

Comment by Anonymous on November 12th, 2005 at 2:27 pm.

I wouldn't expect any less from Sony.

Comment by Alex D on November 12th, 2005 at 2:48 pm.

I've been reading about the DRM software included with the ablum Z by My Morning Jacket on several blogs and websites. My computer didn't autoplay the CD and I successfully ripped it to MP3s with iTunes. I was never confronted with an EULA, and I can't find any of the traces of the software described here on my computer. Does this sound right? To get around it just don't autoplay the CD?

Comment by J. Alex Halderman on November 12th, 2005 at 4:09 pm.

Alex D:

What you're seeing is correct. SunnComm's protection works entirely through software. If autorun is turned off, or if you hold the shift key (which temporarily suspends autorun) every time you insert the disc, then MediaMax won't be able to install. You'll then be able to use the disc like a normal, unprotected CD.

In contrast, the XCP system includes a second layer of protection that works even if no special software gets installed. That's why programs like iTunes and Windows Media Player still have trouble ripping XCP discs even when autorun is turned off. (Though this second layer doesn't involve installing software, it seems to only work on Windows systems, so iTunes can rip XCP CDs just fine on Macs.)

Comment by J. Alex Halderman on November 12th, 2005 at 4:15 pm.

Joe:

That's an excellent question. I haven't been able to tell whether the disc ID is unique per title or per copy because I only have one sample of each CD. The ID highlighted in the post is from a copy of Babyface's "Grown & Sexy." Can anyone with that album report whether they observe the same ID?

Comment by Another DRM protection from Sony at kelvinfoo weblog on November 12th, 2005 at 5:12 pm.

[...] Source [...]

Comment by Independent Sources » Blog Archive » Public Serv on November 12th, 2005 at 5:41 pm.

[...] Update: More Sony Malware (from Freedom to Tinker) To summarize, MediaMax software: [...]

Comment by Andrew on November 12th, 2005 at 5:55 pm.

I was actually listening to "Z" on iTunes when I found this article on boingboing, and almost had a heart attack. But, as with Alex D., I don't have autoplay enabled, and I ripped the CD to iTunes with no problems, no software installation, and also ported it to my nanopod without any issues.

F#$k I hate Sony.

Never again will I buy anything from them.

Comment by John Altermoede on November 12th, 2005 at 10:16 pm.

After reading your article I started doing some checking on SunnComm. I was startled to find out that not only is their software dispicable, but the company itself is dispicable.

Some of the things I found out.....

They issued a press release on a $20M deal. The customer is ficticious and the deal was just a fabrication.

The issued a press release to say they had a $4M cash deal. This turned out to be a stock only deal in a worthless penny stock.

On 3 separate occassions they issued press releases on issuing shares that they owned in other companies as dividends to SunnComm shareholders. For two of the announcements, they never followed through. For the third, they only issued 25% of what they promised and then stopped issuing more.

The company that does their marketing, MediaMax Technology, is just a sham. The announcement on the agreement to make MediaMax Technology their marketing arm made it look like MediaMax Technology was some international company in the entertainment field. It turns out that MediaMax Technology was just a shell company with no employees and the only purpose of the marketing deal was to strip SunnComm shareholders of a large portion of their ownership in SunnComm's copy protection products and give it to the chronies behind both SunnComm and MediaMax Technology. In fact MediaMax Technology (called Quiet Tiger when the deal was first made) was located in the same building as SunnComm, shared the same staff and fax number. SunnComm are now making a big deal about merging with MediaMax Technology (which just returns everything to the status quo, but with SunnComm shareholders owning a lot less of the technology that what they began with).

Just check out these links....

http://www.our-street.com/SEC-SunnComm4.htm

http://p2pnet.net/story/4567

Comment by Ville Oksanen on November 13th, 2005 at 3:01 am.

It seems that Sony's XCP-uninstaller is the "same quality" as the rest of the products; from Muzzy: Uninstaller

he uninstaller requires you to install an ActiveX control to your system before you can even request for an uninstall url. Turns out, the uninstaller activex marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It's called "RebootMachine". If you have installed Sony's ActiveX control, follow the link to invoke the RebootMachine method....

Comment by Anonymous on November 13th, 2005 at 4:36 am.

Seem as though anyone seeking free music or the ability to steal content should continue to follow Halderman. How do you get a job at just sitting in front of a computer and looking for ways to beat the artists out of their
just due.

I wonder how halderman would make it in the real world. He is protectd under the veil of science because this is new to most. He is saying exactly
what aboput Sunncomm? Should it exist or not? Is itdoing anything illegal?

Comment by Anonymous on November 13th, 2005 at 5:09 am.

Where, in all of this analyzing, of technologies, is there some reference to macrovisions technology? Interestingly I've seen none as of yet. Why is that?

Comment by FuckyouTroll on November 13th, 2005 at 5:33 am.

"Seem as though anyone seeking free music or the ability to steal content should continue to follow Halderman. How do you get a job at just sitting in front of a computer and looking for ways to beat the artists out of their
just due.

Fuck you, troll.

Comment by Armagon on November 13th, 2005 at 5:46 am.

Anonymous said,
> How do you get a job at just sitting in front of a computer and looking for ways to beat the artists out of their just due.

That's easy. You find a record company to hire you.

Like a restaurant inspector -- who verifies that the contents from a reputable source will not make humans sick, Alex Halderman is verifying that the contents from a reputable company will not make your computer sick.

I am not a pirate. It is my right (as a Canadian) to make a copy of all my CDs, and I have them all of my computer where they are so much more useful to me. I would like to applaud Alex for his efforts in keeping us safe from corporate malware.

Now, going slightly off topic, companies like Sunncomm should not need to exist, and nor should we need defenders against them. In this age of moral relativism, where people do not discriminate between right and right, and it is so easy to "game the system" instead of acting honourably and uprightly, what Sony is doing further erodes the trust that should be between buyer and vendor, and exacerbates the problem. As I said, I am not a pirate, but if I can't be treated with respect, then why should I return it? [And I think it would be so bittersweet if Sony could be tried against the DMCA for bypassing technological protection measures on a personal computer system!]

Armagon

Comment by inductio :: Sony, sempre ela :: November :: 2005 on November 13th, 2005 at 5:54 am.

[...] JÃ¡ parece um absurdo? Pois embora a Sony tenha se comprometido a desinstalar este rootkit da First4Internet, parece que eles usam outro DRM em seus CDs, que tambÃ©m age como malware. E sobre o qual eles, obviamente, nÃ£o emitiram uma frase sequer de que pretendem parar de utilizÃ¡-lo, ou que publicarÃ£o ferramentas para retirÃ¡-lo do computador. [...]

Comment by Anonymous on November 13th, 2005 at 6:37 am.

Armagon, How many copies of your OS do you make as your right (as a Canadian) and how many copies of Microsoft word, excel or Symantec's software do you have or any other software for that matter? Is that your right as well?

Comment by tim lindner on November 13th, 2005 at 6:37 am.

There is a specific case where Mac OS X will automatically run software on a CD. If Classic is running (Mac OS X's Mac OS 9 compatibility environment) and Quicktime is configured to auto launch a start-up program on a CD (this is the default configuration) then the CDs startup program will run.

Comment by brian on November 13th, 2005 at 7:41 am.

I found the sbcphid process in the run state on my system, but none of the suncom shared folders/files. The sbcphid file I found in my drivers folder has a creation/modified date of 8/23/01 11:00 AM.

Comment by J. Alex Halderman on November 13th, 2005 at 8:09 am.

brian:

This might not be clear from my post, but only newer "MM5" versions of MediaMax install software into the SunnComm Shared folder. Older "CD3" versions just install the sbcphid driver (before the EULA, as described above). It was probably one of these discs that placed the file on your system.

Comment by Adam Mastromarino on November 13th, 2005 at 10:54 am.

To me it is very simple, the day of the record label is slowly coming to an end, the day is coming where bands and artists will no longer need these middlemen to get their songs sold. Bands can release their music for sale directly from their own webpages without DRM. Of course copying will still cause loss of sales but the band will surly still make more money than currently due to the extorsionate ammounts of cash record label already keep for themselves.

Raz

Comment by Armagon on November 13th, 2005 at 10:58 am.

Well, Anonymous, I expect that our conversation will be pointless, and that I should probably just stop now. Nevertheless ...

While I do own a legal copy of MS Office, and legal copies of some MS operating systems, I do not use them, as I prefer to use software that potentially allows me to improve upon it (ie. open source software). As I said, I am not a pirate.

I understand your point -- if it is OK for me to copy music, then do I also copy software? As you also know, the two things are different. For one thing, there has been no comparable court decisions -- such as, IIANM, the one allowing you to copy a CD to tape to listen to in your automobile -- allowing you to make copies of your software.

So, no, it is not my right to make copies of proprietary software.

Having said all that (and not being a lawyer), I have no qualms making a backup of my original Office CD, or running Office under WINE from Linux, or running old games I own under an emulator (like Dosbox) -- these are things that were not forseen by the original authors, but they make it so that their product continues to be useful to me.

I do understand that I have no right to give anyone else a copy of software (or music, or other works), without either giving them all my other copies or destroying all my other copies, unless of course the license permits me to.

Armagon

Comment by Mike on November 13th, 2005 at 12:30 pm.

Question, does any of this apply to Macintosh computers what so ever?

Comment by zapkitty on November 13th, 2005 at 1:47 pm.

Mike wrote:

"Question, does any of this apply to Macintosh computers what so ever?"

Yes and No, apparently...

Not the Windows tech stuff, but according to the Macintouch site the DRM package provided by Sunncomm for Sony CD's also comes with Macintosh malware, but that stuff has to ask for admin privileges first

So apparently the crap can't autoinstall like the Windows malware in the same Sunncomm DRM package.

*If* given permission then it messes with the Mac kernel extensions.

Comment by Henry Latner on November 13th, 2005 at 5:42 pm.

Mr. Halderman,

There are things I'd like your comment on:

1: Mediamax Technologies recently announced that Kevin Clement will be leaving his post as Senior Director, New Technology, for BMG Music, to take a position at MMXT as CEO. Wouldn't it seem that since the the main person in the US, who knows all there is to know about the technology and it's use by the record companies, is jumping ship to ride with Mediamax, that it's a proven and successfull DRM method?

2: I'm a long shareholder of both Sunncomm and Mediamax and I really have to wonder what your real agenda is with your attacks on Mediamax. Your first paper on the shift key only restated a fact that was already well known by everybody involved. In doing that though you hurt every shareholder of the companies because of the way it was released to the public and used by bashers. The stock still hasn't recovered from your attack even though it is the most successfull, problem free, and widely accepted DRM in the business today. Now it's being reported that you maybe some kind of agent for Macrovision, { http://www.investorshub.com/boards/read_msg.asp?message_id=8483292 } , at the company chat board. I would like to know what is your prime motivation for the regular negative reports on Mediamax?

3: In this report, your claim is that Mediamax contains spyware. Wouldn't the anti-spyware companies have it targeted if it was? Mediamax is Microsoft certified and they also are not targeting it as spyware. Many of the industry experts on the company chat board { http://www.investorshub.com/boards/read_msg.asp?message_id=8483292 } also say that it contains no spyware. Are you certain that your testing was accurate because it seems that nobody else but you is getting these results.

Henry Latner

Comment by G3K on November 13th, 2005 at 6:06 pm.

Got this from Amerie's Touch, I think. That record was incorrectly listed as having the rootkit software; it's got this one instead.

Comment by Henry Latner on November 13th, 2005 at 6:16 pm.

Dear Mr. Halderman,

I am a long shareholder in both Sunncomm and Mediamax Technologies.

I really have to question you as to your motivation for these attacks on our DRM product. To put it bluntly, your reports have cost me alot of money. They have hurt the stocks to the point that they are unable to recover despite the fact that Mediamax is now the most successfull, problem free, and accepted DRM method available today.

Mediamax is so well regarded that Kevin Clement is leaving his comfortable position as the Senior Director, New Technology, for BMG Music, to take a position as CEO of Mediamax technologies. This guy is one of the worlds formost experts on audio DRM and it's usage by record companies and he's jumping in the Mediamax boat. That tells me that he sees the future being very bright for Mediamax.

Your now saying that Mediamax is spyware. I believe that your investigation must be flawed at best. None of the anti-spyware has targeted Mediamax as spyware. Mediamax is also certified by Microsoft and their anti-spyware application also does not target Mediamax as spyware. You seem to be the only one that's calling it spyware. Why is that?

Back to questioning your motivation to attack Mediamax and Sunncomm. It has now being disclosed on the company chat board that you might be acting as an agent for Macrovision, Sunncomm's only real competitor, { http://www.investorshub.com/boards/read_msg.asp?message_id=8483292 }. Can you please address your seeming obsession Mediamax and the absence of commentary on Macrovision DRM methods.

Henry Latner

Comment by Henry Latner on November 13th, 2005 at 6:18 pm.

Sorry about the double posting. I didn't think it took the first time.

Henry Latner

Comment by pariah on November 13th, 2005 at 6:21 pm.

I remember the first time I tried to copy a SunnComm CD.
I messed around for a couple of hours, trying everything I could think of, and I wound up with several garbled copies of the disc.
I finally gave up trying to defeat the software, deciding to just do a quick Google search the next day (as I did not have internet access in my house at the time).
Still, I was determined to have something to listen to in the car the next dayâ€¦
SO, I pulled out my SONY portable CD player and an inexpensive audio patch cable *.
I plugged from the Line Out on the CD player to the Line In on my computer. I had a program at the time which I set to record from the Line In. This program also had a few other features [automatically splitting tracks when there is silence, and setting a maximum recording length], but you can get all the basic Line In recording features you need using a free program called â€˜Audacityâ€™.
Since I had set a maximum record time, and since the CD player turns off automatically when the disc is done, I left it going and went to bed. The next morning, I burned the files onto a CD.
When I compared my digital-to-analog-to-digital copy of the CD to the original, I was really surprised that I hadnâ€™t lost as much quality as I had expected to.
Later that day, I got online, read about the â€˜problemâ€™ with the disc, and I did a system restore [which removed the symptoms of the disease] and disabled AutoRun.
No problems since.

*(6-Ft. Shielded Cable, 1/8" Stereo Plug to 1/8" Stereo Plug; Radio Shack part number: 42-2387; $4.99)

http://www.radioshack.com/product/index.jsp?productId=2102949&cp=2032058...

Comment by » Sony and how NOT to do the customer experience thing on November 13th, 2005 at 6:30 pm.

[...] Secondly: Sony suspends the manufacture of their copyright protection CD’s containing XCP technology because it creates a security risk for Windows PC’s. Click here for the full story. [...]

Comment by John Altermoede on November 13th, 2005 at 8:35 pm.

What a strange and very uninformed post by Henry Latner.

To blame Alex for the drastic drop in SunnComm's share price is just unbelievable.

Has he forgotton that SunnComm is where it is today because of SunnComm management.

Has he forgotton that the current CEO issued this press release in 2000 -

"SunnComm signs $20M deal with Taiwanese CD producer"

http://www.bizjournals.com/phoenix/stories/2000/12/11/daily49.html

The $20M deal was a fabrication. There is no company called Will-Shown Technology.

Has he forgotton that in 2001, SunnComm anounced this deal with Dstage

"SunnComm Receives $4 Million for Digital Content Security License"

http://www.findarticles.com/p/articles/mi_m0EIN/is_2001_Nov_6/ai_79784669

But the reality was that they did not receive $4M from Dstage. Just 2 million restricted shares in the penny stock, later revised down to 500K shares, that trade today at $0.07 cents each.

Has he forgotton that SunnComm made this announcement in 2002, but never paid the dividends to its shareholders (and didn't ever announce that they were not going to pay the dividends)

"SunnComm plans stock dividend"

http://phoenix.bizjournals.com/phoenix/stories/2002/02/25/daily49.html

Has he forgotton that later in 2002, SunnComm announced this dividend in Fan Energy shares to be paid to SunnComm stock holders, but they too were never paid (and they didn't announce they were not going to pay them)

"SunnComm Shareholders to Receive Property Dividend"

http://www.sunncomm.com/press/pressrelease.asp?prid=200210220900

Has he forgotton that SunnComm announced in 2004 that it would pay 96M shares in Quiet Tiger to SunnComm shareholders and then suspended the dividends after just 24M shares were distributed.

"SunnComm Receives Notice that its 96,290,414 QuietTiger Common Shares have been Registered"

http://www.sunncomm.com/press/pressrelease.asp?prid=200407211100

This is the reason they gave for suspending further distributions.

"1 for 1 - a shareholder friendly deal for our long term shareholders, I understand that you believe you deserve the dividend too however the 1 for 1 fair valuation is a better deal than the former remaining dividend distributions could have possibly been. We replaced your bread with CAKE and in order to bake your cake we need to spend the bread. If you are unaware of how WELL you have been taken care of here, please call me and I will discuss it with you. Managements position is that the former dividend will either be retired into the treasury or used to pay off debt."

http://www.investorshub.com/boards/read_msg.asp?message_id=5935078

Has he forgotton that SunnComm made this announcement also in 2004

"SunnComm Forms 11 Global Subsidiaries; Shareholders to Receive Share Dividend"

http://www.sunncomm.com/press/pressrelease.asp?prid=200403301015

A year later we find out that these global subsidiaries are just a set of $2 companies set up in the US and (most) later allowed to disolve. Do I need to mention that no dividends have been paid either?

Has he forgotton that SunnComm announced this acquisition of DarkNoise Technology through its partner Quiet Tiger -

"QuietTiger Announces Acquisition of DarkNoise Technologies Limited"

http://www.sunncomm.com/press/pressrelease.asp?prid=200402040700

DarkNoise was just bogus software, unheard of by any label, even though DarkNoise claimed all the labels were testing it. What's more, in that PR they stated: "Additionally, DarkNoise will continue to operate out of their West London office acting as QuietTigerâ€™s European sales and R&D satellite branch."

But research done by UK online site "The Register" discovered that DarkNoise was not located at the London address claimed, but just a small village in Yorkshire.

"In a statement announcing the buy, SunnComm presented Dark Noise as a proven player in the DRM market that was currently awaiting the approval of two patents for the analog hole technology. The Register, however, searched UK government filings and found that Dark Noise is a very small firm that has moved from office to office and is currently headquartered in Whitby, Yorkshire well outside of the London address claimed in the press release. We also searched three different patent databases in the Europe and the US and could fine no record of an application or approved patent for Dark Noise."

http://www.theregister.co.uk/2004/09/27/sunncomm_death_or_glorry/page4.html

And what about all the shenanigans with MediaMax Technology Corporation, fka Quiet Tiger Inc, fka Fan Energy.

Even though Quiet Tiger (a failed energy company when known as Fan Energy, later to become a floppy disk manufacturer - producing no floppy disks) was located in the same building as SunnComm and shared the same CFO, it was presented as the following when SunnComm signed a marketing agreement with it in early 2004.

"Quiet Tiger, Inc., a fully reporting public company that currently trades on the OTC Bulletin Board under the symbol "QTIG", is an international sales and marketing group representing the implementation and delivery of digital content security products for the music and entertainment industry. Our team of sales and marketing professionals, with over 50 years of experience in the music, movie and entertainment industry, has established relationships around the world that will enable the penetration of our product lines into each targeted market segment."

http://www.sunncomm.com/press/pressrelease.asp?prid=20040123700

Why did SunnComm try to make it look like Quiet Tiger was some independent organization when it was just a corporate shell located in the same offices as SunnComm? Yet at the time it had no staff (except for SunnComm's CFO who acted as part time CFO). SunnComm's Bill Whitmore moved over to become CEO there when that agreement came into effect and a few weeks later they made their first hire.

After "moving" marketing across to Quiet Tiger (an empty shell), what happens? Quiet Tiger changes its name to MediaMax Technology Corporation and then announces its intent to merge with SunnComm.

"MediaMax Technology Corporation Signs Letter of Intent to Merge with SunnComm International, Inc."

http://www.sunncomm.com/press/pressrelease.asp?prid=200503310900

So what was all that about - move marketing to an empty shell and then merging it back in again.

The rational is exposed on this article on P2PNET

"SunnComm to MediaMax Technology Corporation: A rose by any other name?"

http://p2pnet.net/story/4567

And after announcing its intent to merge, nearly 8 months later it still hasn't files the S-4. Two companies in the same building, sharing staff, in the same industry, tied together by the one product and they are having difficulty merging. Could that be due to the auditors not signing off on the audits, something that was to be done 2 or 3 months ago? What might they have found? Lots I would imagine.

Then there is all the bogus products they have announced that no one in the industry have heard of (even months after the announcement). Here are just a few:

http://www.sunncomm.com/press/pressrelease.asp?prid=20040628846

http://www.sunncomm.com/press/pressrelease.asp?prid=200509071055

The reason why the share price is where it is today is not because of Halderman, but because of the actions of SunnComm management.

But also don't forget the fundamentals.....

What revenue has their marketing arm, MediaMax Technology Corporation, brought in selling MediaMax. Look at their SEC filings:

To June 30th 2005, just $99.5K. For all of 2004, Just $106K.

Comment by John Altermoede on November 13th, 2005 at 9:04 pm.

The SunnComm paranoia is just unbelievable.

Apparently the reason Alex is supposed to be acting as an agent for Macrovision is - wait for it - because one of MVSN's directors is an alumni of princeton.

Can you imagine it. Halderman, a Princeton student, is going to all this effort to discredit SunnComm, because one of Macrovision's directors is an alumni of Princeton.

What's more, they claim that Alex has never analyzed Macrovision's copy protection. Yet the document that Alex first produced on MediaMax CD3:

"Analysis of the MediaMax CD3 Copy-Prevention System"

http://www.cs.princeton.edu/~jhalderm/cd3/

clearly references and links to another document of his

"To understand why, we can compare MediaMax to prior anti-copy systems like the ones I studied in my earlier report, "Evaluating New Copy-Prevention Techniques for Audio CDs" [9]. "

This referenced document analyzes SunnComm's earlier copy protection, Sony's Key2Audio and Midbar's Cactus Data Shield. But Macrovision bought Midbar a few years ago, and their technology is that Cactus Data Shield CDS - so that puts paid to the conspiracy theory.

http://www.cs.princeton.edu/~jhalderm/papers/drm2002.pdf

Comment by John2g on November 13th, 2005 at 11:23 pm.

This is an interesting comment from Kevin McAleavey of BOClean.

http://www.dslreports.com/forum/remark,14783731~start=40#14798805

There are actually several different SONY rootkits, all ya need to do is look over the list of covered nasties:

Â»www.nsclean.com/trolist.html

But yes, if you insert an infected CD, it goes byebye.

And the rootkit actually installs BEFORE you click on the agreement. While AUTORUN.EXE is showing you the agreement, GO.EXE is busy installing the rootkit long before you even start reading.

Comment by Cornelius J Rat on November 14th, 2005 at 12:07 am.

Henry Latner said:
> Your (sic) now saying that Mediamax is spyware. I believe that your
> investigation must be flawed at best. None of the anti-spyware
> has targeted Mediamax as spyware. Mediamax is also certified
> by Microsoft and their anti-spyware application also does not
> target Mediamax as spyware.
> You seem to be the only one thatâ€™s calling it spyware. Why is that?
I would guess he's calling it spyware because it contacts a Suncomm server with details of what you're doing. That sounds like a reasonable definition of spyware to me. As to why no-one else is calling it spyware - well, I suspect that like Symantec with the XCP rootkit, they had not had it pointed out to them. Now we know, I'm sure someone will let them know.

Comment by adam on November 14th, 2005 at 12:41 am.

mr. henry latner, with due respect, please stop being so selfish and look at this rationally for one second, will you?

when mr Halderman is enlightening us , telling us how to protect our own pc's so they dont crash because of this drm bullshit, which Sony should have done so in the first placve....when he is doing good out here on the internet, for the benefit of us consumers,you have the nerve to call his enlightening post as 'attacks' ? shame on you.

Comment by Joey on November 14th, 2005 at 12:58 am.

Henry Latner, what rubblish man.
everybody hates DRM, get a clue before you post such crap.
and stop trying to divert the attention from the REAL isse, DRM crap, to somewhere else, because its NOT going to work.

and lastly dude, i hope the stocks never rise again. ever.

Comment by JJ on November 14th, 2005 at 1:13 am.

hey latner, go bitch somewhere else.
i want to thank J. Alex Halderman for this excellent article. keep up the great work!
cheers,
JJ

Sorry, comments closed.

Freedom to Tinker is hosted by Princeton's Center for Information Technology Policy, a research center that studies digital technologies in public life. Here you'll find comment and analysis from the digital frontier, written by the Center's faculty, students, and friends.