December 12, 2024

MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA

In an earlier post I described how MediaMax, a CD DRM system used by Sony-BMG and other record labels, behaves like spyware. (MediaMax is not the same as XCP, the technology that Sony-BMG has recalled; Sony-BMG is still shipping MediaMax discs.) MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller.

Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs. I had believed that MediaMax didn’t permanently activate this driver—set it to run whenever the computer starts—unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought.

In the comments to our last MediaMax story, reader free980211 pointed out that the driver sometimes becomes permanently activated if the same protected CD is used more than once, even if the user never agrees to the EULA. This wasn’t apparent from my earlier tests because they were conducted under tightly controlled conditions, with each trial beginning from a fresh Windows installation and involving only carefully scripted operations. I’ve performed further tests and can now confirm that MediaMax is permanently activated in several common situations in spite of explicitly withheld consent.

When this happens depends on what version of MediaMax is being used. An older version, called CD-3, was introduced in 2003 and is present on albums released as recently as this summer. There is also a newer version, MediaMax MM-5, which has been shipping for a little over a year. You can tell which version is on a CD by examining the files in the disc’s root directory. Albums protected by MediaMax CD-3 contain a file called LAUNCHCD.EXE, while MM-5 albums include a file named PlayDisc.exe.

When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:

  • You insert a CD-3 album, then later insert an MM-5 album
  • You insert an MM-5 album, then later insert a CD-3 album
  • You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album

These steps don’t have to take place all at once. They can happen over a period of weeks or months.
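One way to turn the two facts above (the root-directory marker files and the three activation scenarios) into a defender’s check. This is an added example, not code from the original post or from SunnComm or Sony; the disc listings and insertion histories it uses are constructed, and the mount-point paths are only illustrative.

```python
"""Identify which MediaMax version a disc carries from its root-directory
marker file, and replay a history of disc insertions and reboots against
the three scenarios the post lists to flag when the copy-protection driver
may become permanently activated even though the EULA was always declined.
Added example; not code from the original post."""
from pathlib import Path
from typing import Iterable, List, Optional

# Marker files named in the post: CD-3 discs carry LAUNCHCD.EXE in the root
# directory, MM-5 discs carry PlayDisc.exe. Compared case-insensitively
# because ISO 9660/Joliet listings vary in case between systems.
MARKER_FILES = {"launchcd.exe": "CD-3", "playdisc.exe": "MM-5"}


def identify_mediamax_version(root_entries: Iterable[str]) -> Optional[str]:
    """Return 'CD-3', 'MM-5' or None from the file names in a disc's root.

    If a listing somehow carries both markers (a case the post does not
    describe), both versions are reported joined with '+' rather than guessed.
    """
    found = sorted({MARKER_FILES[n] for n in (e.lower() for e in root_entries)
                    if n in MARKER_FILES})
    return "+".join(found) if found else None


def scan_mounted_disc(mount_point: str) -> Optional[str]:
    """Inspect a mounted disc (for example 'D:\\\\' on Windows or
    '/media/cdrom' on Linux, both illustrative) by listing its root only;
    nothing on the disc is executed, so autorun can stay disabled."""
    return identify_mediamax_version(p.name for p in Path(mount_point).iterdir())


# Events are the strings "CD-3" and "MM-5" (a disc of that version was
# inserted with autorun enabled and the EULA declined) and "reboot".
def may_permanently_activate(events: List[str]) -> Optional[str]:
    """Replay events in order and return the scenario that first matches
    one of the post's three activation conditions, or None.

    Scenario 1: a CD-3 album, then later an MM-5 album.
    Scenario 2: an MM-5 album, then later a CD-3 album.
    Scenario 3: an MM-5 album, a reboot, then later any MM-5 album.
    The post says the driver 'may' become activated in these cases, so a
    match is a risk flag, not proof that the driver is already active.
    """
    seen_cd3 = seen_mm5 = mm5_then_reboot = False
    for ev in events:
        if ev == "CD-3":
            if seen_mm5:
                return "MM-5 then CD-3"
            seen_cd3 = True
        elif ev == "MM-5":
            if seen_cd3:
                return "CD-3 then MM-5"
            if mm5_then_reboot:
                return "MM-5, reboot, then MM-5"
            seen_mm5 = True
        elif ev == "reboot":
            # Only a reboot that follows an MM-5 insertion arms scenario 3.
            if seen_mm5:
                mm5_then_reboot = True
        else:
            raise ValueError(f"unknown event: {ev!r}")
    return None


if __name__ == "__main__":
    # Constructed sample listing and history, not taken from a real disc.
    print(identify_mediamax_version(["AUTORUN.INF", "LAUNCHCD.EXE", "TRACK01.CDA"]))
    print(may_permanently_activate(["MM-5", "reboot", "MM-5"]))
```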

This is bad news for people who like to play CDs in their computers. Many users are unaware that their CDs contain MediaMax until the license agreement appears on their screens, but by this time it may be too late to stop the driver from being permanently activated. Even if users are careful to decline the EULA every time, the circumstances when the software becomes active anyway are common enough to be practically inevitable.

This may be an annoyance to music fans—unless you disable the driver, you’ll have a hard time playing any MediaMax-protected titles, let alone copying them to your iPod—but it’s also a security risk, since the driver is loaded as part of the Windows kernel and has the ability to control virtually any aspect of the computer’s operation. We don’t know whether the MediaMax driver contains any vulnerability that can be exploited to do further damage, but the way it is installed creates a dangerous precedent.

Is this behavior illegal? It should be. Installation of system-level software where the user has explicitly denied permission raises serious security concerns and is wrong.

Comments

  1. […] J. Alex Halderman has posted another look at Sony’s MediaMax DRM, which is still being shipped on Sony CDs. “MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller.” Even more fun is its tendency to install itself even when the user declines the EULA, though that has the look of a bug rather than malice. […]

  2. […] To save some clicking (Score:5, Informative) by kawika (87069) on Thursday December 22, @12:03PM (#14318696) This is the original blog [freedom-to-tinker.com] that revealed the SunnComm DRM installed despite the user declining the EULA. Whereas the XCP DRM could hide behind the EULA excuse, I don’t see how SunnComm has any legal fig leaf here (though IANAL). Supposedly there is about ten times [com.com] more SunnComm DRM in the wild than XCP DRM, so maybe Sony felt they couldn’t sacrifice holiday sales despite the legal exposure. […]

  3. Gerry is very Unhappy says

    For those who are reading Steve K. If SunnComm is installing any software on any computer without the owner’s permission and agreement, SunnComm and those companies who include SunnComm software in their products, specifically Sony Corporation, are liable for any loss or damage to the owner, of any nature whatsoever, for such improper installation. Anybody who supports SunnComm or Sony Corporation’s rights to engage in such illegal activity, when it has been made absolutely clear to them that such activity is illegal, opens themselves up to inclusion in any legal action, whether civil or criminal, as an additional defendant or an accused. Why? Because defense of an illegal act suggests that neither SunnComm nor Sony need to take immediate corrective action, and such a position is further damaging to those affected by the original illegal acts. This most definitely applies to someone who is an investor in either SunnComm or Sony. So for Steve K., whose proper email address is available to the managers of this site, his attempts at defending SunnComm and Sony are as insidious and damaging as would be his attempts if he were an employee of either company, and thus his remonstrations about not being an employee will not prove an adequate defense at trial. Now he has been informed.

  4. We should all be sending letters to Sony. That said, I doubt they will all have the same tone. For example, some of you might urge them not to infringe upon your hard drives with their hidden files, thereby putting your personal property at risk, whereas my letter will be quite different. My letter states that I will be making an active attempt to never purchase a Sony product again. The rootkit was bad enough; it is now obvious that this company cares zilch for its customers, and has no legitimacy of any sort. I’m sure my letter will be discarded, and thus I decided to make stickers with all pertinent information. I plan on taking them to stores where CDs are distributed, and helping get the word to other potential customers about Sony’s illegal activities.

    My fingers are crossed for those involved in the class-action lawsuit.

  5. Ned Ulbricht says

    Jesse,

    Why don’t you try telnet’ing to port 80 and see if you still get a 404 on that url?

    (Or, would someone please make the obvious point about RCPT TO in the context of the MTA to MTA system, so that I can reply in the context of the MUA to head trajectory and write-current system. There’s something about system boundaries and models, and user expectations that I don’t think I’ve emphasized quite enough.)

  6. The new SunnComm uninstaller doesn’t appear to expose users to the same kind of vulnerability that the old one did. It leaves a lot to be desired (for instance, MediaMax will be reinstalled if you try to use a SunnComm CD in the computer again and autorun is turned on), but at least SunnComm is distributing the tool without forcing users to jump through as many hoops as before.

    HTTP error 404 the page cannot be displayed.

    Yeah, that’s a great improvement. Sure you don’t actually get your MediaMax uninstalled, but (and let’s be frank here) you didn’t before anyway. So obviously, this is a much superior solution to what was offered up for us before–thank you, SunnComm, for your infinite wisdom!

  7. Ned Ulbricht says

    Jesse,

    I think my NDA allows me to say that I spent a little bit of time investigating one approach to eliminating the von Neumann bottleneck. Perhaps that, together with coding FPGAs, gives me a somewhat different perspective: I tend to think that the line between processing and storage is not so hard and fast as to make a good legal rule that may be (unthinkingly) applied in general contexts. But we don’t have to go so far as exotic, futuristic computing architectures. The “To:” header in email, like the “Newsgroups:” header in usenet, are processing directives—instructions—that determine that the system should store the message on disk.

    supercat indirectly proposed a legal rule that, paraphrased, might read, “Any person who distributes non-removable software must warn the user prior to installation, and gain explicit consent.” I don’t think that’s necessarily good law programming.

  8. I just breezed thru the license agreement included in one of the MediaMax CDs. It states you are not allowed to export the LICENSED MATERIALS outside of the country you live in, and that your right to use the LICENSED MATERIALS is terminated if you become insolvent, go bankrupt, or even if you are served with a writ of garnishment.

    I wonder how they will enforce those rules – OR would it just allow them to force people that are pillaged by RIAA to give up their CDs?

  9. Jesse: Let me amplify that point: it may be difficult to completely destroy information without causing the loss of other information, especially if that information is burned onto a number of CDs (the best one could do would be to read all the ‘still-wanted’ information off the CDs, burn new copies of that information, and then destroy the old CDs). On the other hand, one’s usual goal when uninstalling a program isn’t to unrecoverably obliterate all trace of it, but rather to free up any system resources (disk space, memory, CPU time, ‘hooks’, etc.) that it might otherwise use and prevent it from doing anything undesirable. If a copy of the program happens to exist on a backup CD, who cares? The space isn’t going to be usable for anything even if the program is rendered unreadable. If a copy exists on backup tapes, again, who cares? If the tapes are wiped and reused, the copy will be erased, and if the tapes aren’t reused removing the copy wouldn’t free up any useful space.

    By contrast, one of the design goals of XCP is to damage a system such that XCP becomes necessary for its continued function. I know of no legitimate program that does any such thing without (1) having a very good reason–beneficial to the USER–for doing so, and (2) making very clear to the user beforehand what it’s going to be doing and what the implications are. For example, over a decade ago, a program called Stacker would provide on-the-fly hard drive compression. A drive that was compressed could hold much more information than a drive that was not, but the information so held could only be accessed when Stacker was loaded. Someone who filled up a 20MB hard drive with 25MB of data and then felt like uninstalling Stacker would have a problem, but it would be one which (1) he was warned about, and (2) would be impossible for Stac to avoid, other than by forbidding users from storing more than 20MB worth of data on a 20MB drive (which would, of course, defeat the whole purpose of having Stacker in the first place).

    XCP, of course, meets neither of those criteria. Its sole DESIGN PURPOSE is to impair the functionality of the user’s machine (failing criterion one). Further, users are not informed prior to installation that they will neither be allowed, nor likely able, to remove the software once it has installed itself.

  10. Ned Ulbricht says

    supercat wrote on December 2nd, 2005 at 10:07 pm:

    While it is true that there are some legitimate programs that cannot be very well removed once installed, all such programs I’m aware of (at least all the ones I’d consider ‘legitimate’) either make very clear prior to installation that they cannot be removed, or at absolute minimum are difficult to remove as a result of oversight rather than deliberate design.

    The first fundamental of practical security is backup.

    If we think about a computer system as not just a box on (or under) your desk, then the backup tapes, disks, &c are part of the system. Once any software has been installed into a system like that, it’s almost impossible to completely remove.

    Or consider distributed computing systems, like usenet. You could argue, well that’s just text. But html is code. And if you say that no reasonable ‘froup smiles on html posts, then what about the NNTP headers? Aren’t those code-like, at least? Where’s the line?

    Jes’ saying.

  11. After all these malware we should have a little bit of fun:
    http://finance.yahoo.com/q/bc?s=SCMI.PK&t=2y

    But we should not forget about EMI and their malware:
    http://finance.yahoo.com/q/bc?s=MVSN&t=2y

  12. //supercat: False. It’s my computer, and SunnComm and F4i’s convoluted uninstall procedures requiring submitting personal information and begging for an uninstaller are definitely malicious and possibly criminal in my opinion. (You may have mistaken quoted text from SunnComm investor Steve K for my own statement.)//

    Steve K: Please see and answer my above post which was improperly addressed to sm. Thanks.

    sm: Sorry ’bout that. Thanks for the heads-up.

  13. Oh, and by the way Steve K, if you continue to insist that ripping to MP3 is illegal, please refer to this page, specifically the paragraph entitled “What is your stand on MP3?”.

    MP3 is just a technology and the technology itself never did anything wrong!
    If you choose to take your own CDs and make copies for yourself on your computer or portable music player, that’s great. It’s your music and we want you to enjoy it at home, at work, in the car and on the jogging trail.

    There you have it. The RIAA itself condones ripping CDs to MP3 for personal use.


  14. You SunnComm shills keep using the word “enhanced”. I do not think that word means what you think it means.

    ROFL 🙂

    ‘Enhanced CD’ is the name given by Philips/Sony.

  15. Steve K: The fact that spyware companies are afraid to call your darling product what it is for fear of being sued by a known litigious company does not make it any less malicious. It’s already been noted that antispyware companies have been slow to respond to this newly discovered crop of spyware being foisted by “legitimate” (i.e., big) companies.

    supercat: False. It’s my computer, and SunnComm and F4i’s convoluted uninstall procedures requiring submitting personal information and begging for an uninstaller are definitely malicious and possibly criminal in my opinion. (You may have mistaken quoted text from SunnComm investor Steve K for my own statement.)

  16. sm: True or false: Media companies have the right to install any and all such software on your machine as they see fit, and to forbid you from removing it.

    If false, please define the limits of media companies’ right to install software on your machine.

    While it is true that there are some legitimate programs that cannot be very well removed once installed, all such programs I’m aware of (at least all the ones I’d consider ‘legitimate’) either make very clear prior to installation that they cannot be removed, or at absolute minimum are difficult to remove as a result of oversight rather than deliberate design.

    Despite this, do you believe that it is proper for a company to install non-removable software on a machine without getting the owner’s explicit consent to install non-removable software (i.e. the consent of an owner who is aware that the software will be non-removable)?

  17. “There’s a difference between serving a banner on a website and installing a program that is difficult to uninstall and makes surreptitious network connections.”

    This is straight from spysweeper 4.5 with all the latest spyware / adware fingerprints loaded:

    –Congratulations! No spyware, adware or unwanted items were detected–

    I have MediaMax installed in my PC and every spyware program I have tried does not see MediaMax as spyware, adware or malware.

    Also, I don’t know if you read in an earlier post of mine, but you do not have to be connected to the internet to use a Mediamax CD which further proves that the program does not operate exclusively by making the alleged spyware-like connections Halderman claims.

    “You fail to remember the RIAA vs Diamond case. The Ninth Circuit U.S. Court of Appeals ruled that copying music to an MP3 player is legal. Here’s a news article to refresh your memory. ”

    There is no statement in this article that states you can rip mp3 files from CDs to your hard drive legally. It merely dismisses the rio player as not being a “digital recording device” and thus it does not need to have a SCMS incorporated in the device.

  18. J. Stanley says

    You SunnComm shills keep using the word “enhanced”. I do not think that word means what you think it means.

  19. Ned Ulbricht says

    MAD at SONY!,

    I don’t quite know how to tell you this, MAD!, but no one can confirm that SunnComm’s uninstaller is now safe to use. As a practical matter, for any software, about the best the field can deliver right now is that code came from a trustworthy source; it has been well-inspected by independent experts; and it has stood the test of time. Not one of these qualities applies to SunnComm’s new, closed-source uninstaller.

    Even if those qualities did apply, well, the up and down of the whole sorry mess is that your machine has been cracked and compromised. As a general rule, in that situation you need to reinstall / restore from backup, and then patch / close the vulnerability. It’s not usually recommended to try to “uninstall” malicious software after a cracker has gained administrative privileges.

    Now, I’m sure I’ll get an argument from people who will claim that if your machine was that valuable to you, then you’d have had better security practices and wouldn’t have been compromised….

  20. MAD at SONY! says

    Can someone help me with my question below please….

    “Furious at SONY, I declined the EULA and found the software installed!! This is just not right!

    Can anyone confirm that their uninstaller is now safe to use?

    Sunncomm claims that this is a brand new uninstall utility that has addressed the issues (the security hole of the ActiveX control – AxWebRemoveCtrl) and will leave no security risks.

    They sent me this link:

    “Please click here and follow instructions to remove MediaMax:
    http://www.sunncomm.com/support/tools/removal.asp
    Thank you very much and we do hope you have a fine day!
    SunnComm Technical Support Team”

    Also, is there a way to add these songs into my itune library without using your software. I just want to load these songs to my itune and then my ipod so I can listen to them at work.”

    Thank you.

  21. “That is a complete lie! I never admitted such a thing, who do you think you are? I live in the North East and have nothing to do with Sunncomm other than the fact that I am an investor.”

    Employee, investor, either way it’s obvious you refuse to look at the situation objectively since you have a vested interest in the success of SunnComm.

    “LOL, it goes from spyware, to adware, you may want to contact every company that posts banners on their websites or maybe call Musicmatch spyware.”

    There’s a difference between serving a banner on a website and installing a program that is difficult to uninstall and makes surreptitious network connections.

    “You fail to grasp that this is breaking copyright laws.”

    You fail to remember the RIAA vs Diamond case. The Ninth Circuit U.S. Court of Appeals ruled that copying music to an MP3 player is legal. Here’s a news article to refresh your memory.

  22. “Steve K, thanks for the tacit admission that you are a SunnComm employee”

    That is a complete lie! I never admitted such a thing, who do you think you are? I live in the North East and have nothing to do with Sunncomm other than the fact that I am an investor.

    “and also your admission that MediaMax is adware.”

    LOL, it goes from spyware, to adware, you may want to contact every company that posts banners on their websites or maybe call Musicmatch spyware.

    “CD, I can rip to MP3 and listen anywhere, including the Rio I bought in 2001.”

    You fail to grasp that this is breaking copyright laws.

    “since you fail to mention the fact that the WMAs are locked to the computer that ripped them. You can’t take them to work or on the road. Songs “purchased” from WMA online stores are the same, only worse, since you don’t have a physical artifact storing the music–the music you paid for is guaranteed to disappear when you have a hard drive crash or upgrade your PC or reinstall the OS.”

    You can take them to work, I have with no problems. You seem to know a lot of misinformation. You may want to research things before posting incorrect statements.

  23. Ned Ulbricht says

    Ooops! Obviously, my observation, “I would think that SunnComm would have a more reasonable response to, ‘Q: Is there a way to remove your software from my computer?'” should not have been included in the blockquote.

    Sorry for any inconvenience.

  24. Ned Ulbricht says

    Hooper,

    18 U.S.C. § 1030(e)(11):

    the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service;

    I would think that SunnComm would have a more reasonable response to, “Q: Is there a way to remove your software from my computer?”

  25. So, this is what the SunnComm site tells users who want to remove MediaMax software:

    Q: Is there a way to remove your software from my computer?

    A: Please note that MediaMax was designed to manage and safeguard the copyrights of specified artists’ CDs while giving you an enhanced visual and listening experience. It does not interfere with or impact any of the normal operations and/or functions of your computer.

  26. —-
    “You’ve utterly failed to grasp the point. With a normal (non “enhanced”) CD, I can rip to MP3 and listen anywhere, including the Rio I bought in 2001. I could listen on an iPod too if I had one, which I don’t, but a lot of people do. But by locking the customer into WMA+DRM, MediaMax only makes a CD less valuable (if not outright dangerous).”
    —-

    now lets switch some nouns around….

    —-
    “You’ve utterly failed to grasp the point. With a normal (non “enhanced”) VHS tape, I can rip to mpeg2 and watch anywhere, including the Rio I bought in 2001. I could watch on an iPod too if I had one, which I don’t, but a lot of people do. But by locking the customer into DVD+CSS, CSS only makes a DVD less valuable (if not outright dangerous).”
    —-

    CSS has been cracked long ago so nobody cares that it exists, but so has MediaMax.

    —-
    “Your suggestion that you can listen to your ripped WMAs anywhere is disingenuous, by the way, since you fail to mention the fact that the WMAs are locked to the computer that ripped them”

    Or an SDMI compatible device (hence take it with you)…a fact you fail to mention which makes your own comment disingenuous. If you want it on another computer, take the CD with you. Is that really hard?

    “Also, I’d appreciate if you’d stop blaming Apple for refusing to license FairPlay. A normal (non “enhanced”) CD can be ripped to an iPod with no trouble at all.”

    There is nothing keeping Apple from supporting enhanced CDs in iTunes if customers wanted that support. The labels are bending over backwards to provide support to Apple to work with these enhanced CDs in iTunes. Apple doesn’t have to license FairPlay when the labels are willing to open up enhanced CDs to iTunes, but Apple still doesn’t do it. All that’s needed is a small update to iTunes and millions of CDs instantly become available that weren’t previously and that none of the competition have access to.

    Make no mistake, Apple IS screwing their customers over with lack of support for DRM’d CDs, but they also are playing with a double-edged sword; it’s in Apple’s best interest if ALL CD sales are replaced by iTunes sales.

  27. Steve K, thanks for the tacit admission that you are a SunnComm employee, and also your admission that MediaMax is adware.

    You’ve utterly failed to grasp the point. With a normal (non “enhanced”) CD, I can rip to MP3 and listen anywhere, including the Rio I bought in 2001. I could listen on an iPod too if I had one, which I don’t, but a lot of people do. But by locking the customer into WMA+DRM, MediaMax only makes a CD less valuable (if not outright dangerous).

    Your suggestion that you can listen to your ripped WMAs anywhere is disingenuous, by the way, since you fail to mention the fact that the WMAs are locked to the computer that ripped them. You can’t take them to work or on the road. Songs “purchased” from WMA online stores are the same, only worse, since you don’t have a physical artifact storing the music–the music you paid for is guaranteed to disappear when you have a hard drive crash or upgrade your PC or reinstall the OS. (Backing up and restoring WMA DRM licenses does not solve the problem; it only postpones it, since Microsoft will only let you restore your licenses twice. After that, you can kiss your paid-for music goodbye.)

    Also, I’d appreciate if you’d stop blaming Apple for refusing to license FairPlay. A normal (non “enhanced”) CD can be ripped to an iPod with no trouble at all. The whole issue illustrates the fact that DRM is less about preventing piracy than it is about abusing copyright law to enforce monopolies.

  28. I just don’t buy Sony products of any kind anymore.
    Simple as that, and as more and more people get fed up with their paranoia about copyright infringement, and the crap they’ve put onto several CDs, they’ll lose them as customers too.
    Sincerely,
    G.L. Johnson

  29. Thanks for the welcome sm,

    You can “rip” the music from the CD using MediaMax, the program encodes the music to your PC in the wma format (or whatever format the labels allow).

    Per your statement: “(well, assuming they don’t turn off autorun or use the shift key or use a marker or stick a piece of tape on the edge of the CD)”

    Why do you have to do any of that? You simply use the MediaMax interface to burn CD-R copies and rip WMA files to your PC. You can then move the files to any WMA-compliant device. You never have to put the MediaMax CD in your PC again! You simply play the WMA files from your media player.

    Sure ipod users want to be able to “rip” music for their players and I can understand their frustration (I use a wma device so I don’t have the same problems). The key is getting Apple to license their DRM so the on-the-fly encoder MediaMax has allows ripping of Ipod compatible music.

    “And let’s not forget that it spies on customers. I think that qualifies as harm.”

    Says Felten and Halderman, Sunncomm has stated that it does not transmit personal information. Sure it may download banner ads in the media player application, so do many other programs (MusicMatch Basic to list one)! Again, once you encode the files off the CD to a compressed format for your PC you never have to put the MediaMax CD back in the player again. You don’t even have to have an internet connection to use the disc; Halderman never stated this. MediaMax is capable of granting the WMA DRM licensing to the user even if there is no internet connection. That is right; you do not even need to be connected to the internet to rip the WMA DRM compliant tracks to your PC. I know it works without an internet connection because I tried it on my old PC that doesn’t have a connection.

    “Your false implication that your CDs can only be listened to with your player software violates Texas’s spyware law too–the one the Texas AG is suing Sony and F4i over.”

    I am not sure what you mean here… Again, you can listen to the music on any windows media compliant player out there once you rip the music off the CD per the rights mediamax allows. Do you really listen to your music from CDs only? I don’t, I use MusicMatch Jukebox’s mediaplayer. The encoded wma tracks play perfectly on it, just like every other wma downloaded song I purchased from their web site. I’ll say this one more time: YOU DO NOT HAVE TO ONLY USE MEDIAMAX’S PLAYER TO LISTEN TO THE MUSIC, ANY WMA COMPLIANT MEDIA PLAYER WILL WORK.

  30. Ned Ulbricht says

    Edward,

    The DMCA’s prohibitions against circumvention of TPMs were sold to Congress on the basis that they were necessary to prevent a wasteful arms race. Congress passed that law.

    Congress also passed the CFAA.

  31. Edward Kuns says

    Ned,

    Where did I say anything about *totally* secure? But an environment that makes it difficult to do anything useful without having full administrative privileges is (IMO) a broken environment. Are you going to suggest that this is a reasonable working environment? Yes, obviously in the real world we trade total security for some security and some usability. However, having used many alternatives to Windows, I can easily state that Windows is insecure in ways that are totally unnecessary for ease of use.

    Yes, buffer overflows *might* result in software silently being installed, but that’s like saying that because someone might be able to pick the lock at your front door, there is no point in locking the door or for that matter even having a lock on the door.

    Finally, you suggest that the law is interested in preventing wasteful arms races. I have to say that I don’t see any evidence of that when it comes to any kind of intellectual property, at least in the US.

  32. Furious at SONY, I declined the EULA and found the software installed!! This is just not right!

    Can anyone confirm that their uninstaller is now safe to use?

    Sunncomm claims that this is a brand new uninstall utility that has addressed the issues (the security hole of the ActiveX control – AxWebRemoveCtrl) and will leave no security risks.

    They sent me this link:

    “Please click here and follow instructions to remove MediaMax:

    http://www.sunncomm.com/support/tools/removal.asp

    Thank you very much and we do hope you have a fine day!

    SunnComm Technical Support Team”

    Also, is there a way to add these songs into my itune library without using your software. I just want to load these songs to my itune and then my ipod so I can listen to them at work.

    Thank you.

  33. The issue is not at all about running Windows with Administrator rights.

    It is really that 1) companies like Sony are willing to do anything to your computer that they can get away with and 2) Windows is a piece of crap that, unfortunately (or fortunately for Sony), most of the world uses.

    The best defense other than switching operating systems (maybe someone can think of a good one 🙂 ) is to turn off autoplay. It is unfortunate to not have the convenience of auto-play, but I learned long ago that it allowed some things to get initiated that I wanted no part of. I think this is more practical for most people than running without Admin rights (which is needed to install just about anything useful).

  34. I was wrong. Seems you can listen without Bandlink after all — is working here on my work computer, but for some reason neither Media Player nor Winamp on my home system wanted to find the audio. Weird. Anyway, this program looks somewhat more benign than I thought at first, but I’d still rather just listen to the disc without “enhancing” my PC.

    We now return you to your regularly scheduled MediaMax shilling (gack); thank heaven I didn’t accidentally pay for one of those awful discs.

  35. Anyone know anything about the “Bandlink” program or the firm that makes it, “CD Intelligence”?

    This is the crap that came with my aforementioned Afterglow disc by Sarah McLachlan. I went back and read the fine print on the label and it doesn’t say anything about “copy protection,” nor does the EULA, but it does vaguely sound like spyware. Of course, the warning on the label instead talks about the software as an enhancement (note to Sony: which does not mean “replacement”) and how you can “gain access to Exclusive Bonus Content” and that kind of hoo-ha. (Hey, it’s not a bug, it’s a feature!)

    What it doesn’t say is that, although you think you are buying a bona-fide compact disc (it even refers to the disc as a “CD”), you can’t use this defective product the way you could a normal CD. That is, you apparently have to run Crapwareplayer.exe to listen on a PC instead of just using your normal media player. Ergo, it’s not a CD, it’s a less functional cousin to a CD, selling for the same price as a fully functional CD.

    As for ripping, I just turned off autorun. So what I’ll have to do apparently to listen to this disc on my PC without crapping my system up with spyware is rip the songs to a new disc. Why did I pay for Sony BMG/Arista’s disc if I have to use one of my own discs anyway? Why do they refer to these things as CDs when they aren’t?

    This whole thing is sneaky at best and totally dishonest at worst. And to agree with the comment above about unwanted usage of CPU cycles et al. decreasing availability, I agree fervently. My system is an old P2-450 nevertheless running Windows XP. On its fastest day it’s a dinosaur, so believe me, crapping up my system with spyware is very noticeable and a huge waste of my time (and dollars, when I have to buy anti-spyware software to delete things I never wanted installed). So I’ll say it again, I consider sneaking crapware onto my system an act of THEFT. Who are the real thieves here?

  36. Ned Ulbricht says

    18 U.S.C. § 1030(e)(8):

    the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;

    A running process consumes computing cycles, impairing the availability of a system. Network connections use bandwidth which impairs the availability of a system. And 15 MB of disk space impairs the availability of a system.

  37. So SunnComm shows up in the discussion after all! Welcome, Steve K!

    So MediaMax prevents “unauthorized” copying of MediaMax discs (well, assuming they don’t turn off autorun or use the shift key or use a marker or stick a piece of tape on the edge of the CD), and it does this by installing a filter driver that we have only your vague assurance to tell us that it doesn’t interfere with what you consider the normal operation of the CD drive. I consider ripping legally purchased CDs to be normal operation of the drive, so that makes MediaMax malware in my eyes right off the bat. (For what it’s worth, I stopped buying CDs years ago when MediaMax was first shipped. I refuse to buy a CD that I can’t rip to MP3 and use on my non-WMA-DRM portable music player.)

    The fact that it installs explicitly against the user’s request should kill your “hide behind the EULA” defense too. I can’t wait for the EFF’s lawsuit to go to court.

    And let’s not forget that it spies on customers. I think that qualifies as harm.

    Your false implication that your CDs can only be listened to with your player software violates Texas’s spyware law too–the one the Texas AG is suing Sony and F4i over. Hopefully you’ll find yourself a co-defendant on that one in the near future.

  38. I still am waiting to see what damage anything installed by Mediamax does to your PC (it has been certified by Microsoft). It prevents unauthorized copying – of Mediamax discs – (with this driver running), it doesn’t render your DVD-ROM, CD-ROM or anything else useless on your PC. It hasn’t been shown to cause a security risk, only stated that it may do so. So may thousands of other software packages installed on people’s computers.

    The disclaimer on the CD says it will install software when you put it in your computer, anyone who can read should understand this prior to putting the disc in your PC:

    —————————————————————–
    “This CD is enhanced with MediaMax software. Windows compatible instructions: Insert disc into CD-ROM drive. Software will automatically install. If it doesn’t, click on “LaunchCd.exe.” Mac OS instructions: Insert disc into CD-ROM drive. Click on “Start.” Usage of the CD on your computer requires your acceptance of the end user license agreement and installation of specific software contained on the CD. ”
    —————————————————————–

    I don’t understand why it is such a “find” that it automatically installs when you put the disc in your PC, it says so on the label!

  39. There are good grounds for believing that the modification of data in the absence of agreement to the EULA would be an unauthorised modification. If the computer is protected by a password login, it is probably “protected data”. The unauthorised modification of protected data is illegal in the State of New South Wales, Australia.

    See section 308H of the Crimes Act
    http://www.legislation.nsw.gov.au/fragview/inforce/act+40+1900+pt.6-sec.308h+0+N

    308H Unauthorised access to or modification of restricted data held in computer (summary offence)

    (1) A person:

    (a) who causes any unauthorised access to or modification of restricted data held in a computer, and

    (b) who knows that the access or modification is unauthorised, and

    (c) who intends to cause that access or modification,

    is guilty of an offence.

    Maximum penalty: Imprisonment for 2 years.

    (2) An offence against this section is a summary offence.

    (3) In this section:

    restricted data means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer.

  40. Anthony Youngman wrote:

    “Wouldn’t it be nice if the EFF asked FTT for their logs 🙂 and found out where the trolls were coming from :-)”

    Err… why?

    I myself was referring to the damage the simple existence of the shills’ harassment and spin-control attempts, as recorded in various blogs, would do if presented as additional evidence in the trials. It would be minor stuff compared to the other gaping holes the defendants insist on blowing in their case, but it wouldn’t help them either.

    Still… while shilling in some circumstances can be illegal, and in other cases can be legally actionable… just being a shill in and of itself doesn’t constitute a crime.

  41. Anthony Youngman says

    All these SunnComm trolls should watch out …

    Wouldn’t it be nice if the EFF asked FTT for their logs 🙂 and found out where the trolls were coming from 🙂

    (Oh – and if you think FTT isn’t allowed to hand them over, think again. I don’t know their policy on this, but if I were them I’d just say “I need a judicial subpoena to cover my back – go get it and you’re welcome to them”.)

    Cheers,
    Wol

  42. James Bailey says

    I just wonder why Microsoft doesn’t just issue one of their frequent patches that disables Auto-run?

    Of course I don’t really wonder that, but that is what consumers should be demanding. Sony will then be stuck with the same position they are in on OS X. Leaving an executable on the disc and hoping the user clicks on it and agrees to install. I’m guessing that wouldn’t make them very happy.

  43. The solution is easy:

    USE A MACINTOSH !!!

    No windows ? No rootkit, no driver, no insecure drivers !!!

    Zire

  44. I agree with Ned. There is no such thing as “totally secure computing”. Unfortunately most of the commercially available software for Windows will not operate properly, if at all, in user mode. Some of the programs will not even show up on the desktop even after you allow all users access. This is why most people run as administrator. You must choose a proper compromise between functionality and security. This is apparently going to be more difficult with Sony’s latest tricks.
    And yes I sometimes feel like hitting it with a sledgehammer.

  45. Anonymous wrote:

    “… You have also established that even if the EULA is rejected, the driver is still installed on the PC in “inactive” mode…”

    Nope.

    Though you may not intend it as such, that phraseology sounds like a corporate weasel attempt 🙂

    Per reports here and elsewhere the malware is ACTIVE. It is installed and running.

    It is LEFT installed and running regardless of whether the user has accepted or declined the EULA.

    Which is very illegal in a lot of jurisdictions.

    Whether or not the malware is set to autostart on next reboot is just icing on the cake.

    (The fact that some Windows machines may need frequent rebooting does not lessen or excuse the offense.)

    The malware is installed and left running sans consent.

    The issue raised by the exposure of Sunncomm’s “Autostart at all costs” trickery above is, really, just this:

    “How many charges of felony conspiracy can now be added to the Sony docket?”

    And I see the Sunncomm shill is back spamming the blog replies with even more vaguely threatening harassment.

    Y’know… I wonder how these open records will play out when Sunncomm is hauled into court to answer for their part in these crimes.

  46. beatlejuice says

    Alex,
    Why did your professor and mentor (Felten) misquote you about the mediamax software being “spyware-like” or “characteristic of”, instead calling it spyware, which is a complete fabrication of your analysis from what I have read? Care to clarify? Do you yourself care to call it “spyware”?

  47. Ned Ulbricht says

    Edward,

    A totally secure computing environment means your computer is unplugged from the network, unplugged from the wall, and smashed with a sledgehammer—at least a couple of dozen times. In a somewhat insecure computing environment there are real tradeoffs with usability. In a typical Windows computing environment, even if the user isn’t running as an administrator, buffer overflows might result in software silently being installed without the user becoming aware.

    As was pointed out over at the Picker MobBlog a few months ago, the law is interested in preventing wasteful arms races.

  48. To Alex Halderman

    Alex, thanks for your analysis of MediaMax. If you have the time and inclination, there is one additional thing that would be worth testing:

    You have established that MediaMax transmits certain information about the CD and the PC it is used on back to Sony/SunnComm. You have also established that even if the EULA is rejected, the driver is still installed on the PC in “inactive” mode and you have also established that if a subsequent MediaMax CD is placed in the CD-ROM, that original driver is permanently activated even if the EULA is again rejected.

    In this latter situation, with the driver now permanently active following 2 rejections of the EULA, what happens when non-Mediamax CDs are placed in the CD-ROM? Does the active driver send information back to Sony/SunnComm regarding non-protected disks? If it did, that would really prove without doubt that the reporting has nothing to do with the technicalities of the copy protection and everything to do with spying for marketing or other purposes.

  49. Edward Kuns says

    Ned,

    No-one is arguing that running as Administrator in Windows is implicit consent to anything. People are just pointing out that in a secure environment, you cannot have something silently installed without knowing about it. This malware is just one more reason to teach people how to run Windows without administrative rights (as much as possible). It’s also one more reason to teach people about the alternatives that exist to Windows.

  50. Where are the SunnComm trolls today? Y’know, I almost miss them.

  51. This is just more proof that Sony is the lead conspirator in these DRM disasters. I believe that MediaMax and First4Internet are just pawns being used as cannon fodder by Sony. Companies like Sony do not just buy this type of software at Best Buy.
    They put together a set of specifications that state exactly what they expect the software to do. Sony’s Project Team would be intimately involved in the design, testing and implementation of the software. For them to now tell the general public that they did not know what the software did is just absurd. They knew exactly what the software did as well as when, where and how it did it, before they ever purchased it. If the lawsuits do go to trial or a State Attorney General subpoenas all of Sony’s internal project documents and communications this will become apparent.
    This is the same company that gave the portable mp3 player market to Apple. They had one on the market before Apple. Sony was the gold standard in portable devices with the Walkman name. Sony designed such onerous DRM software to be used with it, that it cost them the market. This, in the end will also be the downfall of Blu-ray. See these articles on Cnet- Microsoft and Intel endorse HD-DVD, HP and Blu-ray group at odds.

  52. Ned Ulbricht says

    I really don’t understand this argument about administrator mode.
    18 U.S.C. § 1030 uses the terms “authorization” and “authorized access”.
    Are people seriously arguing that operating a Windows machine in administrator mode implicitly “authorizes” any and all access? Whether or not the user clicks “No” on an install screen?

    I think that if the user explicitly refuses the EULA then access is just plain not authorized.

  53. @ Dave “To answer the “boy-you-are-stupid” questions like who runs Windows in administrator mode, etc. — well, I have to confess I don’t know what a kernel is and was unaware of things like autorun and I’ve used computers for years and years.”

    Windows has always had a poor security model. Until NT, if you were sitting at the machine you had access to *everything*. (It’s the same for the Mac OS – which, fortunately, has been scrapped by Apple and replaced with an OS based on FreeBSD Unix (OS X). Pity MS didn’t scrap Windows and start again, huh?)

    XP does not invite you to set up a non-administrative account at installation. Moreover, much software in the Windows world won’t run except on an admin account. (On OS X, BTW, you actually need to re-authenticate to get into system areas.)

    Microsoft knows what the problem is. It has finally twigged that valuing usability and backwards-compatibility over security is a very bad idea. Hence the talk of LUAP. But it may be too late to turn the ship now. This may help:

    http://nonadmin.editme.com/

    I think you can turn off autorun with Tweak UI:

    http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

  54. “Who is stupid enough to use an account with administrator rights for normal use?”

    Every windows user I know – the limited account is so limited as to be useless.

  55. MediaMax requires administrative privileges to install. Once installed, non-administrators can run the software.

    If a non-administrator runs the mediamax software for the first time, the CD is ejected (a non-privileged operation) and a message box is displayed saying something along the lines of “you must be administrator to run this program”.

  56. Kudos to all for the work done on the multiply nasty Windows versions. Fortunately the EFF etc class action aims at MediaMax as much as, if not more than XCP. But Sony need to be forced to withdraw their MediaMax discs as well. (And if they are not, they are establishing a de facto standard for “acceptable” CP technologies.)

    I however am a (reasonably smug) Mac user. We all know that we don’t have the same vulnerabilities. We need to click more than once, and enter an admin account password to get the MediaMax programs on our Macs. We all know that no mac user could be so stupid. But Macs are now being pushed as safe for grannies.

    For Mac users this is still a threat, though as a social engineering exploit, rather than a (totally) surreptitiously installed one. It is malware which is presented to us by a presumptively respectable source (SonyBMG) to allow us to do something we want (get full usage of our shiny new audio disc).

    Does anyone know what MediaMax does if installed on a Mac? All I have seen is a reference to it installing two kext (kernel extension) packages. Does the new uninstaller get it off Macs as well, without requiring command line activity (which many Mac users would not be comfortable with)?

    TomCS

  57. If John Doe uses someone else’s computer to install and run software that is in violation of the security policies of the owner of that computer, John Doe gets arrested. Why should SONY/BMG be treated any differently? People made these decisions and should be held accountable for the illegal access to other peoples property. It is a crime to go into my house after I have told you not to (trespass), and to alter the structure of my house so that it does not work as it did before (Vandalism). Taking information out of my house is also a crime (theft). Just because it happens in a computer doesn’t mean it is less of a crime.

  58. This is, actually, incredibly stupid on the part of these companies. Their defense in court, such as it is, is that the user accepted the EULA and that what they installed was therefore an authorized installation.

    Since this demonstrates that they install it regardless, this presumption is shattered and they’ll have to prove some other way that the user authorized the installation. I think they’ll have a hard time showing that in court.

  59. I wonder if this is why, when I recently tried to use Nero Burning ROM to make a mix disc of some of my mp3s, that it just wouldn’t work, despite my having used the program for such a purpose many times before. Turns out I had inserted Sarah McLachlan’s Afterglow into my computer a while back and apparently it’s a SunnComm-corrupted title.

    To answer the “boy-you-are-stupid” questions like who runs Windows in administrator mode, etc. — well, I have to confess I don’t know what a kernel is and was unaware of things like autorun and I’ve used computers for years and years. I just don’t pay attention to stuff like that (just like I don’t care much about how my car works, only that it does) and I suspect I’m in the vast majority of blissfully ignorant folk with no time or interest in knowing all the ins and outs of their appliances.

    I’m getting a fast education about these things now, though, and undoubtedly so are many other people. This might ultimately be one of the best results of Sony BMG’s invasive attack on its customers. And you better believe I’m not giving that crooked company another cent of my money.

    Now I need to figure out how to stop their apparently ongoing theft of my (rather ancient) computer’s functionality and resources…

  60. David Harmon says

    “Who is stupid enough to use an account with administrator rights for normal use?”

    My 70-year-old mom, for one. I don’t give her flak about it, because she has enough trouble with double-click and right-click command sequences. Fortunately, she doesn’t use the computer to play music, as she has dedicated devices for that!

  61. Albert ARIBAUD says

    “Installation of system level software where the user has explicitly denied permission raises serious security concerns and is wrong.”

    Installation of *any* software where the user has explicitly denied permission is illegal, at least in France it is considered breach into a computer system (code pénal, art. 323-1 to 323-7), leading to up to 1 year in jail and a fine of 15000 EUR. If the intrusion results in an alteration and/or blocking of the system, make that three years and 45000 EUR. And that’s not including the fact that the facilities that helped such breach may be closed for up to five years, for instance.

    Of course, Sony might argue that the breach was not intentional. This would be difficult, given that installing such software was their declared intent, should the user have agreed.

  62. We know the big problem is most people run Windows as an administrative user. Does this software still get installed if the user is running as a non-administrative user? Aren’t non-administrative users generally restricted from being able to install kernel level software?

    The problem is bad enough, but it would seem the DRM is installed only because of poor practices followed by the vast majority of Windows users.

    I would like to know if the MediaMax software is able to install itself when used by a regular user (not an administrator). What about in a corporate/enterprise environment where the IS department has locked down the machines, not allowing users to install software? Does it install in that situation as well? Or does it just prevent the CD from playing?

    It would be quite funny if the best way to defeat some of these DRM issues were as simple as following best-practices that almost no one running Windows currently follows (short of managed enterprises).

  63. While I don’t appreciate what Sony is doing, I still don’t understand why this is much of a problem. Who is stupid enough to use an account with administrator rights for normal use?

  64. Thanks for writing this article. It was timely for me since I put in the latest David Gray CD to rip MP3’s for my player. I saw the MediaMax logo come up right away and before I could do anything about it – it came up with the End User License Agreement. I declined and ejected the CD. I was thinking it was the rootkit, so I put a piece of tape on the first 1/2 inch of the CD and put it in again. A window popped up to say to insert the David Gray CD even though it was already inserted. I went into my Task Manager and saw PlayDisk.exe in my memory, so I stopped the service and ripped the CD.

    I haven’t rebooted to see if PlayDisk has come back yet, so I’ll have to check. At least I know now it wasn’t the rootkit – no more Sony for me…
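    Several commenters recommend disabling autorun and checking whether a driver has been set to run at startup. As an added example that is not part of the original post or of any comment, the following PowerShell script audits both on a Windows machine; it assumes PowerShell 3 or later, an elevated session for Disable-Autorun, and uses the documented NoDriveTypeAutoRun policy bits (0x20 for CD-ROM drives, 0xFF for all drive types).

```powershell
# Added example (not from the original post or any commenter): audit the
# Windows autorun policy and list third-party kernel drivers set to auto-start.
# Assumes PowerShell 3+ on Windows; Disable-Autorun needs an elevated session.

$explorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$cdromBit  = 0x20   # DRIVE_CDROM bit of NoDriveTypeAutoRun
$allDrives = 0xFF   # every drive type

function Get-AutorunPolicy {
    # Effective NoDriveTypeAutoRun mask. A value under HKLM takes precedence
    # over HKCU; with neither present, Windows uses its default of 0x91,
    # which leaves autorun ON for CD-ROM drives.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key  = "${hive}:\$explorerPolicy"
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Hive = $hive; Mask = [int]$item.NoDriveTypeAutoRun }
        }
    }
    return [pscustomobject]@{ Hive = 'default'; Mask = 0x91 }
}

function Test-CdromAutorunDisabled {
    param([int]$Mask)
    return (($Mask -band $cdromBit) -eq $cdromBit)
}

function Disable-Autorun {
    # Machine-wide policy: disable autorun for all drive types (requires elevation).
    $key = "HKLM:\$explorerPolicy"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value $allDrives -Type DWord
}

function Get-ThirdPartyAutostartDrivers {
    # Kernel drivers that start at boot (Boot/System/Auto), with their code signer.
    # Catalog-signed files can report as unsigned here, so treat the list as a
    # triage starting point rather than proof of tampering.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.StartMode -in @('Boot', 'System', 'Auto') } |
        ForEach-Object {
            $path = $_.PathName
            if ($path) {
                # Normalise the NT-style paths WMI reports for some drivers.
                $path = $path -replace '^\\\?\?\\', ''
                $path = $path -replace '^\\SystemRoot', $env:SystemRoot
                $path = $path -replace '^system32', "$env:SystemRoot\system32"
            }
            $signer = 'unsigned or unknown'
            if ($path -and (Test-Path $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Name = $_.Name; DisplayName = $_.DisplayName; StartMode = $_.StartMode
                State = $_.State; Path = $path; Signer = $signer
            }
        } |
        Where-Object { $_.Signer -notmatch 'Microsoft' }   # heuristic: hide MS-signed drivers
}

# Report: autorun state first, then the auto-starting non-Microsoft drivers.
$policy = Get-AutorunPolicy
"Autorun policy from $($policy.Hive): mask 0x{0:X2}" -f $policy.Mask
if (Test-CdromAutorunDisabled -Mask $policy.Mask) {
    'CD-ROM autorun: disabled'
} else {
    'CD-ROM autorun: ENABLED - a disc can launch its own program on insert'
}
Get-ThirdPartyAutostartDrivers | Format-Table Name, StartMode, State, Signer -AutoSize
```

    Run Disable-Autorun from an elevated prompt to apply the policy; any driver on the list that you did not knowingly install is worth checking against its vendor before deciding whether to leave it set to start at boot.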

  65. Ned Ulbricht:

    There is a fundamental difference between the ElcomSoft and a (future) Sony/BMG case. ElcomSoft was a Russian company without a presence in the US, whose software (which was legal in Russia) appeared for sale on a website hosted in the US. ElcomSoft took swift measures to rectify the problems.
    Sony/BMG is a multinational with subsidiaries in the US. Sony/BMG put the software, with dubious US legality, on CDs aimed at the US market. Sony/BMG still claims that “there is no problem”.

  66. Kyle Hamilton says

    I seem to be one of the relatively few private individuals who have extremely stringent software installation requirements — I was instrumental in getting Xfire to not only sign its installer, but also to sign its EXE file and its DLL files as well. (If a piece of code is running on my system, I want to know where it’s coming from and who installed it.)

    Does someone like me [a former sysadmin] have any right to bitch under these circumstances — especially when I run a Windows 2000 domain with security policies set?

  67. Well at least they can’t complain that you broke the EULA when you reverse engineer the program 🙂

  68. Funny, I use Debian Linux and have no problem with the installer. I guess it is a Windows thing.

  69. Ned Ulbricht says

    Brent,

    Perhaps you’re remembering…

    “ElcomSoft verdict: Not guilty” by Lisa M. Bowman, CNET, 17 Dec 2002

    Jury foreman Dennis Strader said the jurors agreed ElcomSoft’s product was illegal but acquitted the company because they believed the company didn’t mean to violate the law.

    “We didn’t understand why a million-dollar company would put on their Web page an illegal thing that would (ruin) their whole business if they were caught,” he said in an interview after the verdict. Strader added that the panel found the DMCA itself confusing, making it easy for jurors to believe that executives from Russia might not fully understand it.

  70. Mr. Halderman,

    Thanks for the heads-up on the uninstaller. I tried to uninstall it from the Device Manager, but that didn’t work. Finally, a safe way to be free of this garbage!

    I have definitely learned a big lesson (the hard way) about the dangers of auto-run. I will definitely take some time and figure out how to do that.

    I think the biggest lesson I have taken out of this whole experience is how important the academic process and public statement of findings really can be. More eyes on a topic can definitely expand one’s understanding of what is going on. I am happy to have served a small part in the process.

  71. free980211,

    Great work bringing this behavior to light. Thank you!

    The new SunnComm uninstaller doesn’t appear to expose users to the same kind of vulnerability that the old one did. It leaves a lot to be desired (for instance, MediaMax will be reinstalled if you try to use a SunnComm CD in the computer again and autorun is turned on), but at least SunnComm is distributing the tool without forcing users to jump through as many hoops as before.

  72. This strikes me as a mistake. I can imagine the conversation at the MediaMax 5 design meetings:

    “It looks like users sometimes find the service and turn it off. What should we do about this?”
    “Well, what if we look to see if MediaMax is already installed but deactivated, and if so activate it.”
    “Great idea, Johnson!”
    [villainous laughter]

    And meanwhile, nobody thought “what if it’s not activated because they clicked ‘No’?”

    Not that this makes them innocent. This sort of clumsiness cannot be permitted in a program which runs in kernel mode.

  73. Thank you, Mr. Halderman!

    I thought I was losing my mind when I saw the driver running in auto. Then I replicated it on another machine, and was hoping it was just an isolated problem, perhaps even limited to just my disc. It is a strange feeling indeed to feel happy that I wasn’t screwing up, and at the same time, disturbed about the true depth of the problem. Oh, well…

    I know you have taken a lot of abuse from various parties in breaking these stories, but I most certainly appreciate it. You guys have done a fantastic job with this story, and I only hope it helps Sony/BMG see the wrongs of their way. They still have a chance to fix this, in my eyes, but perhaps I am too kind.

    As a side note, it looked as if there might be an uninstaller available, but I was not about to fire up IE and try it until I heard something back. Does anyone have a confirmation that the uninstaller is back and safe to use?

    Thanks again.

  74. Ned Ulbricht says

    Injured persons need to complain.

    Businesses seem the most likely to have documentable policies controlling software installation that would cause someone to refuse the EULA.

  75. David Harmon says

    So just what is it going to take before Sony’s corporate officers start facing arrest warrants?

  76. Ned Ulbricht says

    When someone explicitly indicates that they do not agree to an EULA, and a CD appears to eject without playing, then that user has a reasonable expectation that no software was installed on their computer.

    Sony-BMG knew or should have known that MediaMax software installed despite explicit refusal of their terms. Sony-BMG knew or should have known that software installed in those circumstances could become permanently activated in a common pattern of use.

    Sony-BMG intended that MediaMax software would be installed and permanently activated whether or not the system owner agreed.

  77. MediaMax copy protection does things behind your back!

    The music industry get up to more tricks straight out of the virus writers’ handbook!

    Alex Halderman at Freedom to Tinker describes how the MediaMax copy protection software activates even if the user has declined the EULA (End User Lice…

  78. The first mistake is using an operating system which allows installation of kernel drivers/patches without explicit permission or acknowledgement from the user. All else follows… it’s like asking for abuse, then being completely surprised when you get it.