November 21, 2024

CD Copy Protection: The Road to Spyware

Advocates of DRM (copy protection) have been keeping their heads down lately, while they try to figure out what went wrong in the SonyBMG DRM spyware fiasco. No doubt they’ll try to explain it away as an anomaly – just a little speed bump on the road to the effective, unobtrusive DRM future that they’re sure will be arriving any day now.

There are some problems with this story. For starters, we’re not talking about a single DRM system – we’re talking about two totally separate systems (XCP and MediaMax), developed by rival companies, both of which turned out to be spyware and to endanger users, in strikingly similar ways. Is this just a coincidence?

Of course it’s not. If we look carefully at CD copy protection as a technical problem, we’ll see why DRM designers are drawn to spyware tactics as their best hope of stopping copying. Let me explain why.

CDs store music files in Compact Disc Digital Audio (CDDA) format, which is easily readable by a wide range of devices. If the music is encrypted or stored in some other tricky format, ordinary audio CD players won’t be able to read it, and the disc will be useless to most customers. So backward compatibility requires that the music be stored in a format that is readable by computer software.

(Technical digression: There are actually small differences between how a computer reads a disc and how ordinary audio CD players read it. So-called passive protection technologies try to exploit these differences by putting things on the disc that try to confuse computers without affecting ordinary players. For our purposes, it will suffice to say that purely passive protection systems are not viable, because computers are not so easily confused. To my knowledge, purely passive CD DRM technologies aren’t being used any more, although some current vendors combine passive protection with active measures. For reasons too boring to go into here, passive protection doesn’t really affect my analysis; and so to streamline the discussion I’ll assume from here on that there is no passive protection.)

If the music is encoded on the disc in a format that any software program can read, the only way to stop programs from reading it is to install software on the user’s computer, and to have that software actively interfere with attempts to read the disc, for example by corrupting the data stream coming from the disc. We call this “active protection”.

For example, suppose the user wants to use iTunes to read the disc. But the DRM vendor wants to stop the user from doing this, because iTunes can be used to make copies of the disc. The active protection software will detect this and will interfere to ensure that iTunes gets a garbled copy of the music.

Here’s the key issue: Active protection only works if the DRM software is running on the user’s computer. But the user doesn’t want the software on his computer. The software provides no value to him at all. Its only effects are to stop him from doing things he wants to do (such as listening to the music with iTunes), and to expose him to possible security attacks if the software is buggy.

So if you’re designing a CD DRM system based on active protection, you face two main technical problems:

  1. You have to get your software installed, even though the user doesn’t want it.
  2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there.

Of course, you don’t have to resort to these tactics. But if you don’t, your software will have trouble getting onto users’ computers and staying there. If your whole business model depends on installing unwanted software and preventing its uninstallation, you’ll do what’s necessary to make that model work. You’ll resort to spyware tactics. (Or you’ll quit and go into another business.)

Having set off down the road of CD copy protection, the music industry shouldn’t be surprised to have arrived at spyware. Because that’s where the road leads.

Comments

  1. one of my largest complaints is how all of this is taken out of context. first copyright law is more overly abused than any other law. The copyright law isn’t for content holders. It’s meant to protect the public commons. Reread it. you will notice that it gives what the founding fathers consider a “resonable amout of time” for declared ownership. It also NEVER equates ownership with material gain, instead it specifically gives control and that’s it. Franklin was adamant about each inventor or artist giving the nod to those who came before and whose ideas were mined for new material. Until this little problem is fixed copyright will always be a problem.

    Second, as someone who used to have a BBS (boy am i dating myself) i know for a fact that those who normally download hacked bytes were never intrested in buying them in the first place. I don’t see that trend as having changed much. Also i noticed that once napster was up and running the music labels actually got an increase in sales, of course the indie labels got a bigger increase but hey that’s biz.

    Third and lastly, All DRM is suspect. I have no problem with content owners getting something for there content, but once you pay for it, it’s yours. The problem is not that the music cartel has problems selling you the music. The problem is that they see a steady revenue stream rather than a one shot stream. If you have to pay each week or month or every 6 playings it goes from buing it once and owning it to renting (thank you microsoft) which is a continual revenue stream and worth more. Isn’t greed nice.

  2. thank

  3. Today CD piracy is major problem the musical and software company are facing. The piracy of CD is being sold more than the original one. The companies are taking loss in millions. Although the CD is copyright but CD are copied to hard disk of computer and several CD are prepared. Some big companies of IT like Microsoft, IBM are taking consideration of this problem and trying to implement it in chip.

  4. (DMCA) = ROOT of DRM EVIL!!!

    http://www.copyright.gov/legislation/dmca.pdf ‘DMCA’

    IF any of the links don’t work try copying and pasting them.

    http://www.theregister.co.uk/2005/11/27/dmca_takedown_regs_abused

    http://blogs.zdnet.com/BTL/?p=2395

    http://www.openrightsgroup.org/orgwiki/index.php/Fair_but_Wrong

    READ this one: http://p2pnet.net/story/7602

    Us ‘little guys’ can only BOYCOTT all members of THESE organizations in the mean time:

    The RIAA:

    http://www.riaa.com/about/members/default.asp

    Cruise that site thoroughly and find out what the RIAA REALLY are about!!! Along with their member list(s), pay close attention to the physical address given on the page where ‘you’ can ”Join the RIAA”.

    The MPAA/MPA:

    http://www.mpaa.org/home.htm

    I only just recently found the MPAA site but am sure by what others in these message boards have said about it that it’s just as bad as the RIAA. I’m going to check it out. I suggest you do the same.

    EDUCATION/KNOWLEDGE is power!!!!!!!!!!!!!!!!

    THEN go and actually join the EFF:

    http://www.eff.org/

    to help fight the RIAA.

    These sites will also be of interest to those who want the RIAA, and those like them, brought down:

    http://www.anti-dmca.org/

    http://www.ricoact.com/

    http://p2pnet.net/story/6489

    Brittany Chan, a 14 year old targeted by RIAA:

    http://search.yahoo.com/search?fr=slv2-&ei=UTF-8&p=Britanny%20Chan

    About Patti Santangelo, the working mom of five kids being targeted by the RIAA:

    http://search.yahoo.com/search?fr=slv2-&ei=UTF-8&p=Patti%20Santangelo

    How to HELP her:

    Join the p2net ‘community’ and donate to her cause. FIRST the RIAA tries ripping her off then her ‘lawyer’ does, leaving her destitute and still fighting ALONE! She’s but one of THOUSANDS targeted by the RIAA…including MINORS! But SHE is the ONLY one so far to stand up to them!!!

    http://p2pnet.net/story/7467

    If you can’t contribute there then pass all this info along to all you can any way you can. Thanks @;}-

    P.S.: If p2pnet’s links don’t work properly it’s because they’re changing servers. Just keep trying and trying until you get there. They say NOW that their problems are fixed but I’d give them a bit more time. Their MAIN URL is:

    http://p2pnet.net/index.php

  5. Doug Lay said:

    “It may be acceptible for the iTunes package to include a component that “phones home” to Apple about what the customer is doing within the iTunes application …

    This has happened, and it is not considered acceptable by some people for Apple to watch what music you play (“doing within the iTunes application”), though there seems to be no widespread problem with Apple knowing what music you have purchased/downloaded from the iTunes Store. See http://www.boingboing.net/2006/01/11/itunes_update_spies_.html

  6. […] Freedom to Tinker has a fascinating post on copy protection and why the use of spyware with DRM is a logical progression. Felton gives a technical explanation of how DRM works and illustrates and why the problem of getting it on users’ computers and keeping it there is the same problem spyware pushers have.    People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there. […]

  7. Well Ed, is this where the copy protection industry should go? Thanks to your constant bantering about how MediaMax is spyware (which I disagree with and I still have yet to se anyone who was harmed by mediamax’s software) we now have music CDs that obviously are not red book compliant and do not play correctly on many devices:

    http://www.boingboing.net/2006/01/01/coldplays_new_cd_has.html

    This is not a mediamax disc BTW, I think it is Macrovisions CDS copy protection.

  8. i mean how do you sing a cd and then burn it

  9. . All this Root-Kit remote-install stuff kinda reminds me of the first tricks used to beat some of the early passive DRM. -Black Felt Pens!
    . A simple stripe on the inside edge of the disc blocks the _first_ files to load eg. autoruns’.

    . The first real music tracks (for a conventional CDA/Red Book) start further in–so it’s not even a real difficult trick. Any more, I’m adding this stripe to any new music I get (CDA’s anyway).

  10. What is going on at the moment is a sort of re-run of what happened in the 80’s with computers such as Sinclair Spectrums. Software was sold on audio casettes, and so was inherantly copiable. Then people started to copy games, either by audio to audio recording, or by loading the code to the computer and then saving it.

    A variety of strategies was tried to prevent copying.

    Sinclair had originally used chips which could execute instructions beyond their published specifications. So the cp people used those codes in some of their convoluted headers. Then there were arguments when later machines had chips that did not execute those codes. Some genuine software wouldn’t run on them. The computers met the spec – it was the programs that had been altered to try and cp them that departed from the spec. (There’s a sort of analogy there with attempts to implement passive cp by departing from red book.)

    Then they tried a system where the program created a distorted graphic on the sceen of some text which had to be entered via the keyboard. But the graphic had to be read with a specal lens. Then the system wouldn’t work with some monitors.

    There were numerous similar issues. In each case the cp increased the price to genuine customers and caused technical problems, whilst pirated games proliferated.

    Then there was a race between hardware copying devices, and attempts to foil them.

    And when a secure (at the time) ROM cartridge system was introduced where you just could not copy the games – sales were so poor that they were abandoned.

    The net result was that people who ran pirated games had no trouble getting what they wanted, no matter how sophisticated the cp. It was the people who paid for the genuine games that had most of the problems. And anything with cp that did work properly didn’t sell.

    Some things never change.

  11. Second part of the way into the hell…
    – About reasonable fair DRMs:Sun offers open-source DRM.At least this gives opportunity to everyone implement it so if all will implement it, devices will be compatible each others.Currently there is different closed-source DRMs incompatible each other with quite unfair licensing conditions manufacturers are not like to license ’em.So actually you’re unable to use what you’d bought in manner as you wish.Yes, you cannot upload music from Sony’s CD into your iPod, etc.And this unlikely to make you happy.If you cannot use thing you’d bought then it is unlikely you will buy it at all, right?But they choosed uncreadible ugly tactic to not to tell what you can and what you can not…

    – About drivers:it was always possible to install drivers without stupid digital signing crap.And even without asking user if there is enough rights.However this is kind of hacking.Proper software manufacturers should not use this method as it could alter from one Windows version to another and exactly nothing is guaranted here by microsoft.So such drivers loading style is not acceptable for programs officially released to wide public.
    However let’s mention that drivers signing is somewhat bad itself, because not everybode can pay for testing and signing.Signing is costs.Signing is takes some time.So small and even medium-sized companies can not release fresh and bug-fixed drivers painlessly.But hackers would be able to load drivers anyway.And they always will be able to get desired level of access – no matter what you’ll invent, this will be hacked if popularity is high enough.Saying directly, signing only does enforces hardware manufacturers to pay to M$ for their stupid tests.And it actually protects from nothing.If Microsoft will really want to protect your ass, it would be damn simple:do a system-wide check built in into the kernel which will request user’s permission to new add registry entries allowing new driver to be loaded.If user replyis NO then driver should be denied from installation and starting.If user hasn’t installed new hardware and software which is known to need drivers but system still asking for permission to install new driver, it is subject to say “Aha!There is some spyware or hacker who trying to f%%k me up!”

  12. Hey, dudes, DRM systems are systems which were designed to eliminate some your rights you had before, this is “by design”.So talking about ethics is good but when you’re assumed to be pirate “by default” there is no any ethics in mind.Only money$.This is strongly non-ethical anyway, no matter what sauce used to hide shit, it is shit anyway.Because “innocent unless proven guilty” principle still works even in courts.However some bastardish corporations are want to get more moneys.So they absolutely do not care about any stupid things like ethics at all.They care about profits only.If laws about to be created by such corporations, they’ll eliminate all crime at once.It is so simple:just jail everybody after heshe has borned, wua-ha-ha-ha, “because heshe potentially could kill someone in future, stole something, etc”.So, if these will won, music will be no longer ART at all.It will be kind of ware (shall I write “warez”?).I’m sure that if classical composers were alive in this moron time they’ll got awful shock.Probably next step should be to declare that I must pay for the air I’m using.

    Also there is following tactics:manufacturers are not willing to tell about limitations.They’re writing about cool features on their sites.But no any words about “you will be unable to do this, this and this”.To discover what your rights are crippled, you have to buy device first.Of course they are not like to write “you can not do this, this and this because we decided to assume you to be criminal and pirate!”.And … umm… what if after buying some device I do not like the way how my rights are crippled in given device?According to my country laws this probably could be classified like foolingcheating me :-E.I will investigate this further and possible issue lawsuit against some smart asses to make ’em sorry about such ugly tactics of cheating of buyers %E

  13. Could someone who knows what they are doing and has access to the DRM software figure this out for us – who digitally signed, or signed off on, the different DRM software? Shouldn’t be too difficult.

  14. Ned Ulbricht says

    Thanks, Ed, for gently pointing out that I’ve made a pair of off-by-one errors. The references should have been to page 25 in the 2005-04-08 document, and to page 30 in the 2005-11-04 document.

  15. the zapkitty says

    Armagon wrote::

    “The driver is
    1. …digitally signed by MS…
    2. …not signed…
    3. …installed via back door…”

    4. The driver is signed by a “Trusted Third Party” which gets paid for such service…

    … and this is of a piece with the anti-malware vendors giving Sony a free pass for entirely too long.

  16. the zapkitty says

    Armagon wrote::

    “The driver is
    1. …digitally signed by MS…
    2. …not signed…
    3. …installed via back door…”

    4. The driver is signed by a “Trusted Third Party” which gets paid for such service… and this is of a piece with the anti-malware vendors giving Sony a free pass for entirely too long.

  17. Interesting snipped from the Illinois lawsuit

    “Although Sony BMG has discontinued using MediaMax software, the company has not recalled its compact discs with MediaMax software”

    http://www.ag.state.il.us/pressroom/2005_12/20051208b.html

    From Investorshub board on the topic SunnComm (posted after the Ill lawsuit was posted there and partly in response to it)…

    ” stopped by the office today and spoke with a few different people. I don’t have a link to any of this info. If you don’t want to accept the info, then please don’t. If you have any questions, fire away and I will answer as best I can….

    The problems with the security were truly minor, but they have been addressed. Additionally, the software is being looked at by some independent security firms to determine if there are any more glitches to be found. After speaking with the company face to face, I do not have any concerns regarding any of the issues that have been brought up to date. If any more issues are discovered, they will be addressed in the same timely manner as the previous security/patch scenarios.

    Sony/BMG – They have had intimate knowledge of the software all along and indeed had asked for many of the components which are now found on the current version. Remember, SunnComm’s approach was to design software tailored to the wants and needs of their consumers (the record labels). The statement from Ill. Is incorrect in that Sony/BMG has not stopped using MM. As has been pointed out, we just had a new release out last week with our product. However, moving forward, Sony/BMG seems to be awaiting the results of the tests being run by the independent security firms. These firms are already acquainted with MM. The tests should not take too long (my impression was a matter of days to maybe a week). This will impact Q1, but if you look at last year’s Q1, there wasn’t much revenue to be had. Once the testing is complete, they fully expect Sony/BMG to continue to their previously stated commitment of complete copy management in the US in ‘06.

    Funding – Half of the funding is in. They are awaiting the second half. Per the agreement, they will be able to look elsewhere for funding after this Thursday IF they need to. It was stated that they are very experienced in raising funds (as we all know) and that if it came down to it, they were confident that they would be able to find additional funds. There are some investors in this company with very deep pockets that would not stand idly by and watch their investments be threatened simply because of a short term money crunch. Once the second half of the funding is in, the S-4 will be filed. Again, after the conversation, I am much more confident that we will see this happen in the near term (I qualify near term as in before the end of the year for the funding to be complete).

    Unfortunately, I have to get to a meeting. DVD and DVCD look to be the biggest part of our future, but CDs are the near term. I am hopeful that we will begin to see the future in Q1 or Q2 of ’06.

    It has been a long couple of weeks, but after my visit, I am feeling much better about my investment. Fire away with questions and I will get back o you later tonight.

    tj”

    http://www.investorshub.com/boards/read_msg.asp?message_id=8845268

    I would tend to think that tj is lying (as he has done in many previous posts) and this is just a planted post on behalf of the company to keep people from dumping the stock. One obvious giveaway if that much of the information would come under SEC Regulation FD and could not be divulged legally to just a single investor (it would have to be issued as a public statement first).

    Another giveaway is the posters who responded thanking him for his contribution and confirming everything was dinky dory immediately after are known SunnComm shills, probably employees (stingray, alj, screamingeagle) and all part of the “everything is fine, we are better than ever” plot.

    Since Prof. Felten and Halderman seem to have some contact with Sony-BMG either directly or through the EFF, are you able to confirm if Sony-BMG are still manufacturing MediaMax CDs

  18. MediaMax installs a driver, does it not? If so, then, for a Windows XP user, it must be installed in one of the following ways (IIANM):

    1. The driver is digitally signed by Microsoft, and the OS is happy to install it.
    2. The driver is not signed, and the user receives a notification to discourage them from installing it,
    or 3. The driver is installed via some back door mechanism.

    Do we know what happens?

  19. Mr. Borland responded to my email to him, which reviewed the issues I posted above. Here is his reply.
    ———————————————————————————
    Hi, Steve. In fact we have covered both sides of this issue in great detail. Our story on the Oberholzer paper, for example, is here:

    http://news.com.com/Music+sharing+doesnt+kill+CD+sales%2C+study+says/2100-1027_3-5181562.html

    If you read News.com consistently, you will see that we have often written about the other issues that are likely to be affecting CD sales. While the idea of “bad” music is a subjective one, and unlikely to be true across an extraordinarily diverse set of independent and major releases, it is very true that there is more competition for consumers’ dollars today in the form of DVDs, video games, etc. That itself is likely to have a fairly profound effect on sales.

    That said, it is just as reckless to dismiss completely the idea that the acquisition of music for free has zero effect on sales. Certainly the *perception* in the music industry, which was the focus of this story, is that people who burn CDs do not later buy that specific CD, no matter what the aggregate effect on sales. I have not seen good research to the contrary.

    Thanks for the note, and please let me know if you have continued concerns.

    Best regards,

    John Borland
    Cnet News.com
    http://www.news.com

    (415) 344-2055

  20. Has Mediamax been declared “spyware” by anyone else other than Ed Felton?

    If it looks like a duck, walks like a duck, smells like a duck, and quacks like a duck, it must obviously be a giraffe, right?

    I suppose a lot depends upon how exactly one defines spyware, but I would think such a term is applicable to software which installs itself without a user’s informed consent, monitors a system for activity it’s authors deem “interesting” and acts upon it (typically altering system behavior, reporting back to the author, or both), and generally tries to make itself hard to remove or disable.

    How would you define spyware, Mr. (Mrs.?) Anonymous?

  21. The Illinois Attorney General released a Consumer Alert for both the First4Internet and the Sunncomm DRM systems.

    http://www.ag.state.il.us/pressroom/2005_12/20051208b.html

  22. Ned Ulbricht says

    Anonymous asked whether the MediaMax privilege escalation vulnerability is remotely exploitable.

    According to the iSEC Partners report [PDF], on page 5, in an exploit scenario, “access could be remote, through Windows file sharing. “

  23. Does a hacker have to be physically present at the computer which has mediamax on it in order to exploit the privelege escalation attack bug?

  24. Given that developers at first4internet were, in 2003, seeking advice on software forums as to how to achieve some of their DRM objectives (this is well aired now on the Internet, but see, for example http://www.irishblogs.ie/?p=6045 ), I wonder if they will now be seen on self help legal forums, seeking legal advice.

  25. Lambros Lambrou says

    In response to this question:
    “Again, Ed are there any designations of Mediamax being “spyware” by those in the industry that can confirm this to be “spyware”? Like Symantec, McAfee, PC World etc? Just curious?”

    The EFF has alleged MediaMax to be Spyware in their court filing, which can be viewed at:
    http://www.eff.org/IP/DRM/Sony-BMG/sony_complaint.pdf

    See near the bottom of Page 4, for example.

  26. Looking at all the posts here and on the related threads, the pattern of the posts is so clear.

    Those supporting the sunncomm & f4i types of DRM seem to consider anyone not on their side as thieves, and dishonest in their opinions or reviews, and having some sort of “motives”. Of course, since they impose their products clandestinely that all other people operate in the same subversive manner.

    Being against sunncomm isn’t being for piracy. Its a statement against the manner in which they conduct their business and the manner of their software design.

    It really stikes me that they think this is all a witch hunt, yet I am almost entirely sure this is a Hero hunt. For myself, I want to hear about honest DRM, about innovation and about high ethics and high regard for the consumers who purchased the music. I want a Hero to come out of all this massive negativity generated by the sunncomm/f4i/sony products.

    I want to know who Sony’s exact opposite is. I think I would like doing business with them.

  27. Its spyware, in my eyes, if it goes into the system wether I agree to it or not, does so without being clear it does so, open up the system to security defects, and transmits unknown content to a host site.

    If they clearly show what information is sent back, then it relieves some of the issues. But when they encrypt the data and also don’t let you easily uninstall (ie without having to go to the web itself to do downloads and installation of yet more software), it is definitely close enough in “spyware” behavior for me to want it to stay the hell away from our computer network.

    Once its been removed, however, it happily reinstalls itself if you accidently re-insert your legally purchased music CD. Now you get to do the process all over again.

    Its not an honest way of doing business.

  28. It would be good to know there is at least one company out there trying to make a DRM application that also respects the consumers, their property, and their rights.

    If Macrovision is that sort of company, then reviewing them would be very helpful information. The consumers need to know which companies are open, honest, have high ethics, and a high standard of software testing.

    That helps us sort them out from the ones that seem to think the only way their software could be useful is if it installs under any circumstances, and against the express wishes of the owner of the computer.

    Chances are that someone out there does exactly that, and when they are reviewed it will make the difference between first4internet & sunncomm’s attitude even more pronounced.

    Its not that I personally want no DRM, its that I want honest DRM. When you look at the issues with sunncomm/f4i as well as the Sony EULA, you realize that you are selling a combo pack of your system security plus your fair use rights for the sum of $10. When someone supports these sorts of CD’s, all they are telling me is that they place no value in their security and rights. I do, they have value to me.

    At some point, someone will figure out that there is a way to make money here. Personally, I like the idea of being a registered user/consumer. Sony’s current scheme does absolutely nothing for me at all.

    I sorta like Apples iTunes system, but it could be better. They track which music you have bought, that is helpful if someone like Sony accuses me of having stolen something. iTunes could go further, by optionally flagging other mp3’s as “official” ones if it see’s the original disk in the CD drive.

    Is that perfect? No, but its better. Plus, it gives people the incentive to want to be honest, and show that they are.

    So far, DRM is a negative experience for consumers. Sony should toss that out, and make it positive. Use their huge electronics background plus world recognition to make something new, that includes a reasonable DRM tool within it. Something like a really inexpensive player that holds 100 songs or so, but is almost a give away at the consumer level. Its what cell phones are these days. Those players have to be cheap – as in “buy a Big Mac, get a 100 song player!” cheap, and then charge for the music.

    A year subsciption combined with a cheap player, and try to attract a lot of registered users.

    Until they have a viable alternative to CD players and the huge existing market, they will always have a battle between proprietary and general access.

  29. Typical of you folks to attack the poster when something is said without the ability to confirm, slashdot? Now there is a reliable source. Not a shill of any sort, but inqusitive of the “spyware” being thrown about without confirmation by those that give this designation.

    Again, Ed are there any designations of Mediamax being “spyware” by those in the industry that can confirm this to be “spyware”? Like Symantec, McAfee, PC World etc? Just curious?

  30. oliver bush says

    Has Mediamax been declared “spyware” by anyone else other than Ed Felton? PC World, McAfee, Symantec or anyone else? I can’t seem to find the “Spyware” designation anyware but here. Anyone?

    hey anon suncomm shill, surf on over to slashdot. you’ll find plenty of people who “declare” mediamax to be spyware.

    you’re welcome.

  31. Has Mediamax been declared “spyware” by anyone else other than Ed Felton? PC World, McAfee, Symantec or anyone else? I can’t seem to find the “Spyware” designation anyware but here. Anyone?

  32. We’ll write about Macrovision once we’ve done enough analysis to give a reliable report.

  33. I don’t share the paranoia that at least one other poster has regarding complicity between Felten and Macrovision, but I would be interested in an examination of their CD DRM solution as well. How far down the road to spyware has MV gone?

  34. Ned Ulbricht says

    Steve R,

    Sony fixes security hole in CDs, again By John Borland, CNET, 8 Dec 2005

  35. Yet another NY Times article that only reports a half truth. The article shills that record companies are purporting to loose money due to “illegal” activity but the article then fails to expose the pruposeful “illegal” activities of the record industry to tresspass onto your computer.

    “Sony fixes security hole in CDs, again
    John Borland, Staff Writer, CNET News.com
    Published: December 8, 2005
    Sony BMG is replacing a patch for its CD copy protection software after Princeton University researchers found a security flaw in the update. … “The security space is a dynamic one, as we have learned,” said Thomas Hesse, president of Sony’s global digital businesses. “Our goal is to be diligent and swift, and we have gone to experts to handle this issue.””

    http://www.nytimes.com/cnet/CNET_2100-1002_3-5987776.html

  36. In my opinition I should be a really perfect idiot with a completely non-working brain to pay any of my money$ for CD-ROMs which are about to install unwanted software to my PC in spyware manner and put me at security risks.

    All this looks like in attempt to protect their damn rights some companies are ignoring the simple fact:user still has some rights too.And it is doubtful that lots of users willing to pay for such crap-ware which installs spyware.Ain’t this cool?I’m should pay, I will have almost no any rights and I will have spyware.So … what I bought for my moneys?Just exactly piece of plastic and no any other rights?Then, let’s pay for it as many as piece of plastic actually costs!And while piracy really sucks I still about to understand it.”If these companies are not respecting YOUR rights, why YOU should respect THEIR rights then?”

  37. Mike Birney says

    JB,

    Also, for all its worth, Macrovision have been certified Spyware Free.

    http://www.macrovision.com/consumer/index.shtml

    This means at least one 3rd party have looked at their product and concluded it doesn’t do spyware like activities.

  38. “why not review MacroVision’s clone (AKA TotalPlayCD)?”

    I’ve seen this question repeated several times on this site. Seems rather plaintive. As far as I am aware, the Macrovision “TotalPlay” DRM solution is dependant upon the installation and subsequent use of a software player and, unlike the SunnComm or F4i solutions, has not been publicly implicated in either:

    A) Installing software components against the express wishes of the end user or:
    B) Hiding itself from the end-user with the purpose of interfering with uninstallation

    Pardon my bluntness, but I really couldn’t care less about a DRM solution whose efficacy was predicated upon my use of a proprietary media player, was easily circumvented by declining to install that player, and didn’t require a Herculean effort on the end-user’s part to uninstall.

    This is why SunnComm and F4i are in the news… and MacroVision isn’t.

  39. Other Music Co's says

    Does anyone know if any of the other Music Companies are also using these technologies on their CD’s ?

  40. MacroVision says

    Since MediaMax is so bad, why not review MacroVision’s clone (AKA TotalPlayCD)?

    -They have banner adds (does it call home?)

    “Active Software is automatically updated over the
    Internet, or when newer versions are introduced to
    the PC via CD”

    Sounds like spyware to me, so why not review it? Or are your reviews limited to non-MacroVision products only?

  41. Randy Picker said:

    “So to with DRM: it is part of the package to get the content; the fact that the consumer might prefer it without the DRM doesn’t tell us whether or not DRM is sensible.”

    Continuing with the metaphor of DRM as part of a content package, I’d like to propose that packages generally have well-defined boundaries, and that consumers should be entitled to expect that packages downloaded to their computer should respect those boundaries. It may be acceptible for the iTunes package to include a component that “phones home” to Apple about what the customer is doing within the iTunes application, but it would be far less acceptible for the iTunes application to snoop on the customer’s use of the Windows Media Player application, or, worse yet, for iTunes to intentionally interfere with the normal operation of Windows Media Player.

    In the case of the Suncomm and F4I CD copy protection technologies used by Sony, the DRM component of the so-called content package is tampering with the interface to a major piece of hardware (the CD player) which is used by a wide range of applications, not to mention the operating system. This tampering is apparently done whether or not the customer accepts the EULA for the package. It’s hard to imagine any circumstances under which this would be condiered acceptible behavior for a content package!

    Please note that Dr. Felten’s post does not say, as you paraphrase, that “DRM leads to spyware.” The claim is that **CD** copy protection leads to spyware. This is a narrower and stronger claim, one that DRM proponents are going to have a very hard time countering. Because standalone audio CD players were not designed from the ground up to support DRM, the music industry does not have the option of applying a more well-behaved form of DRM (i.e. encryption) to CDs. So instead they have been using an approach that involves tampering with system components that they have no business modifying, especially against the express wishes of the system owner. The gentleman from DHS said it best – “It’s important to remember that it’s your intellectual property, it’s not your computer.”

  42. Attempting a rational thought says

    Posted this on another entry, thought it might be worth repeating here:

    1) Saying that including a DRM scheme that installs without consumer consent on CDs is perfectly okay because game companies include DRM programs in their software is a faulty argument. Usually, the games include an EULA that notifies you that the DRM components are being installed, give you the option to decline installation (if you do so, the game fails to install), and generally do not install the DRM components if you decline the EULA. Arguing that because game companies do so is like saying that because a group of drag racers regularly race through my neighborhood without getting caught by police, it’s perfectly legal to drag race anywhere, anytime, and not just drag race, but drive recklessly, drive while intoxicated, and generally break the law while driving, because others have done it. Never mind that these activites can kill and are illegal, others are doing it, so why shouldn’t we?
    Faulty programming aside, Sony BMG’s main sin has been in the way XCP and MediaMax make it onto a user’s system. Undetectable programs, incomplete EULAs, and programs that automatically install BEFORE an EULA can be read generally are considered to be legal infractions, and spyware or adware that installs under these conditions is considered illegal and the companies providing such malware can be — and are being — prosecuted. The difference between games and Sony BMG’s offerings are that the game EULAs inform the user and offer a chance to decline installation, while Sony BMG hides its software, misleads the user as to what is being installed, and installs its software REGARDLESS of what the consumer decides. At the very least this is incompetence and malfeasance, at the worst this is intentionally done and illegal. You can’t use the example of game companies to excuse Sony BMG’s errors, they’re two different examples that do not coincide.

    2) To Anonymous Company Stooge (not the sensible people who are posting under “Anonymous”):
    Unlike others, I do sympathise with you. You’ve been hired by Sony BMG, Sony’s legal arm, MediaMax, or perhaps an outside legal firm or PR firm contrated by Sony and/or MediaMax, to spread their views, and you have to do this job. You may even secretly agree with those of us who have pointed out Sony BMG’s programming and legal flaws, but because of your job, you can’t voice that allegiance.
    Given your specious arguments, needless repetiton, and condescending tone of voice, however, I suspect you are firmnly in the pocket of Sony, to the point where you are ignoring customers’ complaints. And this has been, and remains, Sony’s MAJOR Achilles’ heel throughout the XCP and MediaMax fiascos. As I’m sure you or your superiors learned in your introductory marketing class, to be successful, a company must seek out consumer input and reactions, and act on that information. Products are tailored to markets on the basis of consumer preferences and feedback, improvments in services are made based on consumer feedback, sales of a particular product can increase based on positive consumer word-of-mouth. There are even examples where, after a company has done something incredibly stupid, its willingness to LISTEN to customers and fix things BASED ON CONSUMER FEEDBACK has improved the guilty company’s standing and public image. Even just seeming to listen to customers withought actually doing so can improve a company’s image in the short-term.
    Setting aside all legal issues and Sony’s questionably legal installation practices, Sony BMG’s main failing is that it is not listening to its customers. There is emerging evidence that at least a month before sysinternals.com publised its study of XCP, a computer repairman contacted Sony BMG about XCP. Sony and First4Internet’s responses were basically to deny any problems and bury the situation. Once XCP became public, Sony and First4Internet’s responses basically turned into “Tough luck, we’re not going to do anything to fix the problem, if there even is a problem. You can complain and provide proof and threaten us with lawsuits as much as you want, we’re not doing anything.” Even the recent release of an uninstaller and pulling affected CDs from market isn’t doing much to respond to the customer, since Sony has openly stated that it will stop using XCP TEMPORARILY, and is working with First4Internet on new solutions to the problem of piracy — in other words, an improved (and perhaps similarly undetectable) version of XCP, or an even more draconian new DRM scheme.
    Sony BMG is taking the same attitude towards the MediaMax mess as it has to the XCP mess, down to continuing to produce CDs with the faulty encryption and the developing a newer version of MediaMax that will be hard to detect and therefore uninstall. Instead of listening to its customers, Sony is ignoring them. I know some out there are going to scream “It’s because of Sony’s Japanese corparate culture!”, but it’s not. Westerners now hold positions of importance within Sony, and even pure Japanese corporate culture encourages innovation and responsiveness to customer needs — it’s the same culture that gave us JIT delivery schemes, which are a perfect example of manufacturing and stocking responding to customer wants and needs by maufacturing and stocking only as much product as the consumer will buy at the moment it is needed or wanted. No, Sony BMG’s attitude is simply that of the bully who rules the school playground: It can do whatever it wants and to heck with those who complain. It’s this attitude of doing whatever it wants, even if that involves illegal means and the desturuction of a consumer’s operating system, that is digging Sony its grave.
    So Anonymous Corporate Scrooge, start actually LISTENING and READING what Sony customers are saying and writing instead of IGNORNING it and repeating the company line. And convince your superiors that Sony needs to do the same, otherwise you’ll find that no matter what you do to rectify the DRM mess, it won’t improve Sony’s public image. Bullies inspire fear and hatred, not love, and Sony will just inspire fervent dislike, boycotts, a perhas permanent drop in sales, lawuits, and a negative public image if it continues with its current attitudes and legal practices. So unless you and your bosses are willing to listen and act on its comsumers’ problems and suggestions, Anonymous Corporate Scrooge, shut up and spare us the official line.

  43. If I had Sony’s rootkit on my computer, I wouldn’t trust a patch from anyone. What I would do is reformat and reinstall windows if I were using windows. Well, you might say, that reformatting is out of the question because I have too much data that I will loose. My answere to you would be, you will never be sure that the rootkit has been removed, if you don’t.

  44. Lol, here is a link to a post at The Washington Post that also is having a hard time regardng which software is getting which patch version and which new unistall pathc version is the version to get for which product 🙂

    http://blogs.washingtonpost.com/securityfix/2005/12/sony_issues_too.html#comments

    I am not alone in my confusion.

  45. Does Sony use Sunncomm inhouse? Do they love this technology and support it so throroughly that the Sony Blueray R&D lab is encouraged to listen to SonyBMG copy protected CD’s? Or do they have some sort of security attached to those computers that contain sensitive information?

    Sony has huge R&D labs, they have huge marketing departments with information regarding products about to be released, they have a president of their corporation. Does everyone use SonyBMG DRM disks within Sony? Is it ok for the janitor to pop in a Sony disk to listen while the clean up after hours?

    What are Sony’s own rules within its corporation regarding the security issues as they exist today on CD’s bought off the shelf in all parts of the world?

    If Sony itself is completely unconcerned, it sure would go a long way to relieve my concerns regarding their software. But, if we find they are also avoiding the disks internally, well then … what are they trying to impose on us?

    Sony released software that is defective from a security perspective. If they changed their policy internally regarding access to their own music products, when did this happen? Was it recently, or long ago?

    Whatever rules they have to protect themselves should be acceptable to the consumers who buy Sony’s products.

  46. As I understood it, F4I didn’t install if you decline the EULA, but Sunncomm does.

    Either way, its such a blatant error that should have been caught by Sunncomm as well as Sony before the disks shipped. Thats part of the problem … is this working as intended? It sure seems that way. If it isn’t the disks clearly need to be recalled since they inaccurately seem to react in the same manner.

    It shouldn’t be up to the consumers to try to figure this mess out. Which DRM software on which disks, which flaws, which uninstalls, which EULAs work, what data is sent to which site …

    This is a Sony mess, it has Sony’s name on it. Who they subcontracted to paint which elephant is largely irrelevant to me. I just want the elephants out of my front yard, and I don’t want them back no matter how many times I am told I ordered them. They are elephants, and they wreck my fence.

    “Ahhh, but this is our NEW and larger elephant!!”

  47. Edward Kuns says

    tRellium,

    Both SunComm and F4I install whether you agree to the EULA or not. In both cases, if you don’t agree to the EULA, the player is not installed but the DRM is. Which kind of makes it clear that this behavior is desired by Sony.

  48. the zapkitty says

    The answer is simple…. as far as Sony is concerned when you insert one of their CDs into a PC you have committed a crime, and they have every right to punish you by seizing control of your PC and trashing it.

    And that’s all.

  49. Thanks for this excellent analysis. Looking forward to the thoughts you promised in reponse to Randy.

    It’s now totally clear, both from your analysis and from the gems which Ned Ulbricht has posted, that all the really objectionable aspects of this software are fully intended: phone home, sneak installation, cloaking, uninstallablilty, etc. I think some lawyers need to look at this again: surely we are now in the area of potential criminal activity,and not just civil damages, in terms of illegal intrusion into IT systems, and conspiracy to do the same between SunnComm and its record company customers.

    That said I agree with Randy that the content owners are probably entitled to take reasonable technical steps to defend their material against unfair copying. Is the logic of your argument here that there can be no simpler, less offensive approach that does not inevitably lead to excesses like these? Or are there possible irritating devices, like some of the iTunes tools, which would eg stop or seriously slow down multiple copying from a CD, or from a ripped version on a hard drive or player, forcing the user to re-insert the CD every time. can we specify the content of an acceptable middle-of -the-road tool?

  50. Sony should also release software that makes this entire mess a lot simpler for us. Combine the uninstallers into one download that works on all types of their DRM.

    If I reject their EULA, don’t I reject their EULA? Isn’t that what I am saying? They can get rid of ALL of their encroaching spyware, thanks. It shouldn’t be up to the consumer to have to uninstall every possible combination of spyware.

    Its completely reasonable to assume that someone will buy more than one CD at a time, so you might end up with both Sunncomm and F4I on your system, plus others (yet unknown perhaps) by Sony or another label. How is it reasonable that we understand these different uninstall procedures and how sure are we that they don’t interfere with each other during either the installation or the uninstall processes?

    We reject Sony, so Sony should get ALL of their software off the system. Its just that simple. I don’t give a damn who wrote the actual chunks … I just want them gone.

    And, once I tossed them out I don’t want them back even if I accidently stick the disk into my computer. Simply making a minor mistake of inserting a Sunncomm disk is enough to re-infect my computers since it installs before I can even stop the app.

    Looking at this, I think I prefer F4I to Sunncomm as far as disgusting spyware goes. At least I can say no to that and know that it doesn’t install anyway. Sunncomm … well thats a whole new kettle of fish.

    By the way, Mr. Sunncomm, since you know so much about all their fine products, perhaps you can tell us who this mistake exists in the product? I mean, if you accept the EULA Sony displays does that information (acceptance) get sent to Sony? And if you decline, you still get the software installed, so is it unreasonable to assume that perhaps the Decline button is accidently mapped to the same code as the Accept? So, does it show as an Accept in the logs?

    If such a failure exists, then there is no way that the EULA should ever be enforceable. You might as well not even show it, or show it for only a millisecond and call it “legally binding”.

    Yes, I think if I had to choose between evils, I might just prefer F4I to Sunncomm. At least I feel I have some control over the damage.

  51. Quote:
    “a series of accusations relating to security issues and code infringement against one of our competitor’s products”

    These relate to the problems with F4I.
    —————–

    This is a big part of my issue as well. Sony uses many different types of copy protection, from many different software companies. Their EULA demands that they be able to change/update the software after it has been installed. Does that mean they can add/change over to another companies DRM? So, if I let Sony in with a very solid and well tested DRM system, can they “upgrade” that tot he defective versions released by Sunncomm and F4I?

    The EULA is so far reaching that it certainly doesn’t seem like Sony has any limits at all in that regard, so for reasons of system security we need to assume the worst. We must also assume that Sony might change the rules at any time in the future. The EULA permits them that.

    Furthermore, why should the people who purchased something as simple as music (previously a fairly simple purchase decision) be required notjust to understand the legal implications of the EULA (not available outside the box, hence only seen after purchase) as well as understanding the underlying and well hidden relationships between Sony, Sony BMG, other Sony labels, First4Internet, and Sunncomm?

    We never went out shopping for XCP and Mediamax, those products where thrust on us when making a completely different purchasing decision.

    Why should we have to deal with this mess? Sunncomm and F4I both create similar software, have similar deficiencies regarding security, similar failings regarding software testing issues, similar distribution networks (Sony BMG), so grouping them together isn’t really all that much of a stretch.

    As far as our security goes, Sunncomm isn’t running on a higher ground than F4I. They both suck up a great deal of time to ensure that our computers are safe.

    Sorry, Sunncomm and F4I are much more alike than they are dissimilar.

  52. Ned Ulbricht says

    From MediaMax Technologies Corp Form SB 2 Post Effective Amendment No. 5 2005-11-04, Description of Business, p.29:

    The MediaMax License Management Technology, “LMT”, provides a security platform that is able to monitor and control activity on all CD/DVD drives or burners when it determines that content protection could be compromised. The software is designed to be completely invisible to users, programs and system components. […]

    When the disc is inserted, the auto launch feature will activate the MediaMax program on the second session. Depending on the DRM license implementation, this program is either activated directly or through another program. The program first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. […]

    Several enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.

  53. There is one further aspect to this debate that I would like to point out, that is to do with the fact that DRM techniques generally require a special player (hardware or software) to play the protected music.

    People with disabilities often require special software or hardware of their own to do the things that normal software or hardware does, because the normal software or hardware requires an ability the disabled person doesn’t have. Okay, we are talkig about music players, so we must discount the disability of (profound) deafness. But a player supplied with a DRM system may well not, for example, be able to respond to voice commands. Some disabled people may not be able to use it, therefore.

    I suspect that companies which use DRM systems could find themselves very badly at the wrong end of the law, when the disabled start finding themselves unable to play music any more. The EU already has directives outlawing this kind of discrimination.

  54. Ned Ulbricht says

    From MediaMax Technology Corp Form SB-2/A, 2005-04-08 under Description of Business, p.24:

    Several enhancements are currently under development to make it
    very difficult to locate and/or remove the device drivers.

  55. “a series of accusations relating to security issues and code infringement against one of our competitor’s products”

    These relate to the problems with F4I.

  56. Mike Birney says

    Can anyone throw some light on this statement from Clement

    “Recently, our software has come under intense scrutiny from the technical community following a series of accusations relating to security issues and code infringement against one of our competitor’s products.”

    I haven’t read anything concerning “code infringement against one of our competitor’s products”. Could he have inadvertently disclosed an issue no one is aware of (he is only with MediaMax Technology 3 weeks, so mightn’t be on top of things, spilling the beans by accident)

  57. Mike Birney says

    Of course Clement has to be excited and rah rah SunnComm and MediaMax Technology. He was instrumental in getting BMG to use MediaMax in the first place when he was with BMG, so he is hardly going to come out and say he was the guy who caused the major screw up. I noticed he left out a very important piece of information and that was intentional….

    Why did he not state that Sony-BMG were continuing to issue CDs with MediaMax on them. Since the company has no cash or assets of note (apart from an arbitrary value placed on their license agreement with SunnComm), investors know that the company cannot survive for long with no income coming in. Last year they even reneged on a well publicized dividend distribution of 96M shares in MediaMax to SunnComm shareholders, after only distributing 24M, because they said they needed to keep the remaining shares to sell on the marker to help pay their auditors and help finance the costs of the two companies merging.

    It is clear why he neglected that very important info for investors. They investors wouldn’t like what he had to say.

  58. MediaMax CEO, Kevin Clement, Comments on Recent Events
    “I am incredibly excited to be here at MediaMax Technology. MediaMax and SunnComm are two fantastic organizations defined by talented and dedicated team members. These organizations have consistently delivered solid, tested and certified technology solutions for years,”
    —————

    Ok, maybe I am missing something here. They say they tested it and are happy with the results overall. Thats super, but didn’t they write an application that consists of only two buttons, one of which doesn’t work?

    As far as the user interface goes, 50% of it not “working as intended”, and very obviously so.

    I know there is a lot more to the application they created, but when half of the user interface is clearly broken, its reasonable to assume there is a possibility that something else is also not working.

    When an application has such a limited user interface, I don’t really understand how any obvious errors can be brushed off. To me it indicates a low standard of testing criteria.

    Its damaged software, it contains security issues, and it needs to be fixed. They need to accept the responsibility for the issues, and reduce the risk of them for the customers who bought music (and not software) who infect their systems. They need to be told, without having to delve into these sites. The information needs to me readily accessible immediately upon inserting a defective CD.

    The CD’s out there should be recalled, and re-issued with fixed software (or even better, none as per Sony current policy).

    Anything less that simply makes me believe they are trying to push more of this infected code into the marketplace. Automobile manufacturers recall vehicles all the time for safety reasons, these music CD’s should follow the same principle. Pull them from shelves, issue a public recall, replace them with properly working parts.

  59. Randy Picker says

    On the supercat comment:

    About grading exams: yes, that is precisely the point; I have to take the bad with the good; I don’t get to say I want the research, the teaching and the salary but I reject the grading.

    It is a package, and the fact that I don’t like part of the package, doesn’t tell me anything about whether the part of the package I don’t like is useful, when we consider both the interests of professors and students.

    So to with DRM: it is part of the package to get the content; the fact that the consumer might prefer it without the DRM doesn’t tell us whether or not DRM is sensible.

    On the notice point, yes, I basically agree; I think we have to figure out what disclosure of DRM works; I bought one each of the Sony xcp and mediamax CDs (but have yet to take them out of the shrink wrap); even knowing exactly what I was looking for–I walked into my local music store and said “I don’t care what the music is but I want it to be copy-protected”–it wasn’t obvious to me that I had found it.

  60. Rant part 2

    It’s like we need a bill of rights to protect computers. The XCP rootkit technology- this should be criminal. Rootkit is such a small word. Just sweep it under the carpet.

    The XCP software is hacking the Windows kernel and reprogramming your computer to LIE to you. It deliberately modifies the output of your computer- removing itself from directory listings and running processes to mask its presence.

    There’s a knock on the front door. Some guy from SunnComm wants to enhance your entertainment experience with software called MediaMax. You tell him to get lost. During your short conversation- his partner in crime as already broken in through the backdoor and now your home is infected. DRM has got you and it’s here to stay.

    To our wonderful ‘content providers’: It’s MY computer. Treat it with respect. Keep me informed of your software’s intentions. Be clear about it , too. I am not a lawyer. You know that I will not read the EULA. Don’t mess with the kernel. Don’t be installing device drivers. Don’t force me to run as admin. Don’t phone home without my permission. Don’t constantly use CPU time. I own the music that I buy. I don’t want an ongoing relationship requiring security updates and patching incompatibilities. I own my system. I am responsible for its security. No cloak and dagger on my computer. No smoke and mirrors. These are all reasonable requests. I do not trust you and you only have yourself to blame.

  61. Anonymous wrote:
    ‘…
    MediaMax CEO, Kevin Clement, Comments on Recent Events
    “I am incredibly excited to be…’

    …excited to be spamming this penny stock pep-rally speech three times over three articles in this tech blog?

    Sunncomm shills… *sigh*

    Of course Clement airily skipped over the proven problems of the Mediamax malware.

    Mr. Clement has not addressed the problem of the vast majority of people who are unaware that their PCs were infected with the Mediamax malware by simply putting a Mediamax-afflicted disk in their CD drive even if they declined the EULA… repeatedly.

    Please note also that the issue of the Mediamax “Perfect Placement” spyware has not been addressed by Mr. Clement.

    And do please note that Mr. Clement failed to mention the non-Sony/BMG Cds that are infected with Mediamax, and yet do not carry any warning that they are so afflicted.

    “Rah-Rah buy more stock we’re going to infect millions more PCs over Christmas without their owners knowledge!”… that is the message of Kevin Clement, Sunncomm, and Mediamax.

  62. “MediaMax and SunnComm are two fantastic organizations defined by talented and dedicated team members.”

    Notice how SunComm will survive should MediaMax Technologies be sued out of existance..

    There are still huge answered questions:

    SunnComm has not responded to the fact that MediaMax will install despite declining the EULA.
    What does that tell you about their QA? Does QA even exist in their malware company? It also took 2 patches to get their update secure.

    F4I still has not responded to the fact that it is breaching copyright by stealing DRM circumvention code in its own DRM XCP product.

    Now:
    Company A secretly installs DRM software onto your PC. You don’t know you have it until you cannot copy your music onto your portable device.

    The future (almost happened but the code was disabled):
    Company B secretly installs DRM software that also circumvents Company A’s DRM efforts.

    How long before DRM is built into hardware and linked to the operating system? (Mac and Windows).
    Linux be outlawed from playing music and video by the content providers because it will not be in compliance and there will be ‘the underground’.

    Linux will be illegal after being branded as a medium for the duplication of copyrighted works and tinfoil hats passed out. The governments lobbied (paid) by content providers will fix up anti-terror law to ensure that all ISPs be legally bound to snoop your connection. The open source community will speak in code and all communications via end-to-end encryption.

    It’s already started..

    Music biz to ‘hijack’ Europe’s data retention laws
    From terrorism to filesharing
    By Lucy Sherriff
    Published Friday 25th November 2005 17:40 GMT
    http://www.theregister.co.uk/2005/11/25/data_retention/

  63. 4. That gets us to the central point: namely the fact that consumers don’t want it doesn’t tell us anything about whether it is in the joint interests of consumers and producers. I spent the morning writing my exam and then will have to grade it after the students take it (no grad student graders for law profs). By far and away the worst part of the job, and I certainly don’t want it as part of the job, but that doesn’t mean that it isn’t jointly sensible.

    You are PAID to produce your tests, grade them, and basically certify that students have learned the material thereon. That is what students pay you for. Historically, DRM companies have not paid consumers (depending upon lawsuit outcomes, that could change…)

    5. Putting that point slightly differently, consumers may gain more from a DRM world than they would from whatever alternative world emerges without DRM; those subject to restrictions rarely want them but restrictions are frequently welfare maximizing; the fact that one party would like to get rid of the restrictions tells me little (nothing, probably) about whether the restriction is in the joint interest of the parties to the transaction.

    In cases where DRM is in consumers’ interests, content providers should be upfront and truthful about any and all conditions they are imposing. In such fashion, consumers may then decide whether they find the conditions acceptable or unacceptable. What Mediamax has sought to do, however, is impose their conditions on consumers without their informed consent (or even, for that matter, over their explicit non-consent). I can see no justification whatsoever for such behavior.

  64. MediaMax CEO, Kevin Clement, Comments on Recent Events

    “I am incredibly excited to be here at MediaMax Technology. MediaMax and SunnComm are two fantastic organizations defined by talented and dedicated team members. These organizations have consistently delivered solid, tested and certified technology solutions for years,” comments Kevin Clement, MediaMax’s recently appointed and on-the-job president and CEO. “I intend to develop a world-class technology organization focused on delivering high-quality, secure, consumer friendly content protection solutions.

    I have been working closely with our record label customers, security firms and other industry groups to ensure that we are addressing any and all concerns regarding our industry-leading MediaMax product. Recently, our software has come under intense scrutiny from the technical community following a series of accusations relating to security issues and code infringement against one of our competitor’s products. We take all potential security issues very seriously. As such, our teams respond immediately upon notification of any potential security vulnerability.”

    SunnComm is a software company. Software companies routinely issue patches and updates. This is not uncommon and is an accepted practice. Due to the structure of current operating systems, we all are constantly reminded of the need to upgrade software for various reasons. This process applies to software that we use every day including media players, browsers, word processors and even the operating systems themselves. The reality is that we will be called upon from time to time to issue patches and updates to our software. We understand and accept this responsibility. We always strive to deliver well designed code that is 100% bug free and provides secure solutions. As history has shown, this is not always possible to do, even for the largest software companies.

    The true worth of a software company is not how perfect their code is, it can never be perfect, but rather how quickly they respond to valid concerns regarding the security and stability of their product and more importantly, how quickly and efficiently they deliver a solution. MediaMax Technology takes potential security vulnerabilities very seriously. This will never change. Recent news events along with an increased level of scrutiny have created challenges for our entire industry. MediaMax Technology, along with our strategic partner, SunnComm International, has responded quickly and with decisiveness. SunnComm has consistently worked with its partners and multiple software security firms in order to thoroughly test and ultimately deliver completed secure resolutions. We have delivered these in a timeframe of days where the norm in the software industry is to respond within a month. We will always strive to deliver corrective solutions in a period of time that exceeds the expectations of our customers and their consumers.

    There are very vocal groups and individuals who do not believe in the use of DRM technology. This is a philosophical debate that will not be settled anytime soon. MediaMax Technology’s responsibility is to deliver content protection solutions that balance protecting the intellectual property owner’s rights and the expectations of their consumers. We are focused on delivering high-quality, secure, consumer friendly content protection solutions.

    Kevin concludes, “Our software solutions are being improved every day. You have my word that we will not stop working to make our products better, more secure, more consumer friendly and more valuable to our customers. As we emerge from this period of intense scrutiny, our solutions and, more importantly, our company will be better because of it. I would like to point out that no other CD or DVD copy protection technology has ever undergone the type of intense scrutiny that MediaMax has encountered. The development team has addressed every valid issue that has been presented and has made the necessary adjustments. The current MediaMax product is now the most secure, tested and scrutinized copy protection technology available anywhere in the world. We intend to immediately begin leveraging this incredibly stable, well-tested core technology in our plans to develop and deploy new content protection solutions in new markets and industries. Our mission is clear – develop a world-class technology organization focused on delivering high-quality, secure, consumer-friendly content protection solutions. These recent events have served to make us battle tested and better then ever.”

  65. Randy,

    Your comment deserves a longer response than I can give here. I hope to respond in a post next week.

  66. Andrew,

    If you already ran the v1 patch and nothing terrible happened, then you don’t need to do anything else. The two patches get you to the same destination; the only difference is that the v2 patch gets you there by a safer route. Having run the v1 patch, you’re already at that destination.

    The MediaMax software is still on your machine. You would need to run an uninstaller if you want to get rid of it.

  67. Randy Picker says

    1. A great series of posts on all of this.

    2. You are right to say that the pro-DRM folks want to make sure that we understand what happened here; that is the right thing to do, yes?

    3. Assume for now that you are right that DRM leads to spyware; all that means is that we need to figure out whether we should or shouldn’t favor active protection/supervision environments.

    4. That gets us to the central point: namely the fact that consumers don’t want it doesn’t tell us anything about whether it is in the joint interests of consumers and producers. I spent the morning writing my exam and then will have to grade it after the students take it (no grad student graders for law profs). By far and away the worst part of the job, and I certainly don’t want it as part of the job, but that doesn’t mean that it isn’t jointly sensible.

    5. Putting that point slightly differently, consumers may gain more from a DRM world than they would from whatever alternative world emerges without DRM; those subject to restrictions rarely want them but restrictions are frequently welfare maximizing; the fact that one party would like to get rid of the restrictions tells me little (nothing, probably) about whether the restriction is in the joint interest of the parties to the transaction.

  68. Mr. Felten,

    Thank you for testing the both the SunnComm patch (v2) and the uninstaller so thoroughly to ensure that both do their jobs well. I wish to raise the following question(s) about the v2 patch that I think might be relevant:

    If you’ve already installed the v1 patch, would installing the v2 patch take care of the problem? What should someone who has already installed the v1 patch do to be sure that her/his computer is secure?

    I’d also like to say that I was quite impressed with the quality of this article. A better explanation of the tactics that are neceassary to deploy “effective” active-protection DRM, in my opinion, probably cannot be found elsewhere.

  69. See my August 02, 2005 blog entry : “Remote Attestation” and content access monopolies

    http://itheresies.blogspot.com/2005_08_01_itheresies_archive.html

    ALL third party and more importantly operating system based DRM puts the user at greater risk. If the DRM code itself is not exploited then there are always new vulnerabilities being discovered in the media players and browsers used to play and display encoded content,

    Don’t just go after Sony. The REAL THREAT comes from the operating vendors themselves.

  70. The frequent repetition of this quote: “It’s a fairly common issue often found in PC games,” puzzles me.

    I’m not sure why this would be considered a high point. If it’s a common (and presumably well documented) issue, does this not suggest that the creators of the software in question are either poorly educated, or incompetent? I think it does.

    Throughout this debacle, it has been made abundantly clear to even the lay-person that SunComm and F4i could really only be counted upon to produce shoddy merchandise whose cost to their customer (Sony) has yet to be calculated… but will probably outweigh any real or even theoretical savings. I am not surprised that Sony has done everything it can in the PR department to deflect questions of liability concerning their decision to use these DRM solutions. I can only assume that they are waiting for the lawsuits to be settled before they pursue damage claims of their own against SunnComm and F4i.

  71. I’ve been reading this site for a long time, and this is by far the smartest, most insightful article yet. Thanks.

  72. The best way to avoid the hassle and confusion is to avoid Sony, Sunncomm and first4internet entirely.

    That is also a very common fix 🙂

  73. “It’s a fairly common issue often found in PC games,” said Robert Horton, a security expert from NGS Software brought in by Sony to vet its latest patch.

    “Its fairly common and the fix is easy to provide through a software update.”

    He said it was unlikely that any attacker would have been able to exploit the bugs in MediaMax and its patch.

  74. Ed,

    Thanks for all the good work – I’m sure glad someone has the time, energy, and knowlege to do this…

    In keeping with the spirit, I’ve started a new site, http://www.FairUseLaw.com, that monitors the continued erosion of our fair use (and other) rights. It’s small but growing, thanks to the continued efforts of the music and film industries in conjunction with the best government money can buy.

  75. UPDATE (Dec. 9): Sony and MediaMax have issued a new patch. According to our limited testing, this patch does not suffer from the security problem described above. They have also issued a new uninstaller, which we are still testing. We’ll update this entry again when we have more results on the uninstaller.

    http://www.freedom-to-tinker.com

  76. http://news.bbc.co.uk/1/hi/technology/4511042.stm

    (Psst… SunnCom stockholders… dump ’em if you got ’em.)

  77. Protección de CDs, el camino al spyware

    Muy buen análisis de Ed Felten de porqué los sistmas DRM como ambos de Sony acaban en spyware, a pesar de haber sido desarrollados por compañías distintas y competidoras. La explicación de las dos razones fundamentales que llevan a ello son geniales.

  78. It is rather Curious that Sony is using mutiple DRM solutions from closed source DRM providers when it is a member of the Coral Consortium and it owns Intertrust with Phillips .

    The Coral Consortium is a industry group that is pushing for the development of a shared source Interoperable DRM solution and Intertrust is the company developing the technology to enable a interoperable DRM .

    http://www.intertrust.com/main/research/initiatives.html

    http://www.intertrust.com/main/research/papers.html

  79. Update on the Sony/MediaMax patch:

    As of today (Friday December 9) Sony is distributing a new patch and a new uninstaller for MediaMax. The patch is designed to fix the privilege escalation vulnerability that iSEC discovered, but to leave MediaMax in place. The uninstaller is designed to remove MediaMax entirely.

    The patch, based on our limited testing, appears to work as advertised. It appears to fix the iSEC-discovered bug, without exposing users to the attack we described on Wednesday. At present we know of no security problems with the patch.

    We are still working on testing the uninstaller, so we can’t give a verdict on it yet. We’ll let you all know when we have more to say about the uninstaller.

  80. … what Apple is doing with its iPod-only copy restriction technology

    Except that Apple’s protection is entirely optional — iTunes and the iPod are both compatible with MP3. If I don’t like protected AAC, I simply buy the CD, and rip it myself. Or I use JHymn to strip the protection; it’s easy, it lets me play iTunes-store-purchases on my car’s MP3 CD player. Or I rip from analog.

    Any system intended to really stop piracy, must necessarily ONLY play music in the protected format. Apple’s protection merely impedes casual piracy via the iTunes store.

  81. Fortunately for my fair use rights DRM will never succeed.

    Really the best that can ever be achieved with DRM is to
    make it too awkward for individuals to make copies of the
    media to bother. Achieving that goal will also kill their
    business as it will make their product too awkward to
    bother with at all.

    It will never really slow down the big pirates for a moment
    as all they have to do is break the DRM once and then make
    many copies of the results.

    As long as it has headphones or speaker cables, I can
    make copies of the media with only very minor bother.

    How about a new business model were quality product
    that people want to buy is produced at a resonable price
    with most of the earnings going back to the artist that
    produced it.

  82. Bill exactly captures the entertainment industry’s strategy — entice us to new formats that have DRM built in. They believe that by giving us additional fidelity or resolution, they can take away the convenience to do what we want with our media.

    Fortunately, if Super Audio CD’s are any indication, they will fail. SACD’s demonstrate that customers value convenience and flexibility much more than they value incremental increases in fidelity.

  83. JohnR (UK) says

    I took the view that I did not want any cd or dvd to autoplay when I put it in my pc. So (in XP) I right clicked on the cd drive icon in My Computer and then selected the autoplay tab. From there, I was able to tell the computer not to autoplay anything. I then did the same with the dvd drive.

    As regards altering pcs and operating systems to enforce drm, I imagine that you end up with a pc which can play a genuine music cd ok, but takes a year to calculate 2+2.

  84. The future for DRM lies beyond CDs. If the music and recording industries can find a compelling reason to move us to a new format, they can try to embed the DRM from the getgo.

  85. Does anyone know if these same things can rootkit or otherwise compromise a Windows 2003 server and/or the Vista Betas?

    Being able to subvert XP is bad enough, but I was thinking about Linux and MacOSX, and unless I’m doing something stupid like running as root instead of as a normal user, there aren’t that many exploitable holes.

    Any operating system that can be rootkitted merely by the act of inserting an Audio CD is, well, I can’t even think of the right word. And I worry about someone sending out millions of music CDs with something extra.

    Sony/BMG and co. might not be very nice, but I keep thinking of the automobile industry before they needed ignition keys. Imagine if GM kept saying we needed stronger grand theft auto laws while refusing to put locks in the cars saying they were inconvienient and an unnecessary expense.

    I wonder if the next MS security update will disable or at least add an OK box to the autoplay feature.

    But if WinXP was secure enough to prevent or interfere with the DRM being installed upon insertion, how would they get it onto the systems? Or would they just have to pay Microsoft to install it into XP (2k3, etc.) from the beginning or with the next SP or software update? And could they discriminate between the paid protection and public domain discs (Sony pays, but a small band doesn’t want the DRM limitation, or someone sending recordings of their wedding)?

    Would a secure but heavily DRMed OS be much better than the current spyware tactics?

  86. JohnR (UK) says

    As regards Sony’s latest (rev2?) patch for the MediaMax, they do not actually say on their web site what someone should do who downloaded and installed the December 6th patch, or whether installing the latest patch addresses the vulnerabilities introduced by its predecessor.

    Also, it seems odd that Sony has been uniquely unfortunate in having this problem with two separately developed “products” from two different vendors. Makes you wonder what else is lurking on other DRM systems, and on other labels.

    I am reminded of something Sir Walter Scott said:

    “What a tangled web we weave, when first we practice to deceive”

  87. Steve R.: sounds like that “proprietary approach” you talk about is what Apple is doing with its iPod-only copy restriction technology. (Also, if you think about this for a while, you begin to understand why every now and then someone comes up with a “media auto-destruct” technology that would make the product unusable after a while.)

  88. Very well said, Mr. Felten.

    I think one point that hasn’t been well made in the media is the fact that all CD DRM software works–of necessity–by interfering with the normal operation of the computer.

    For this reason, I’ve considered MediaMax to be malware years ago when it was introduced. Upon reading that several labels planned to copy-protect all their CD releases, I stopped buying CDs entirely. It’s nice to see that my decision was vindicated.

  89. Mike B,

    We’ll check on the new patch and uninstaller, and report here later.

  90. Stephen Cochran says

    I find it funny that everyone keeps comparing DRM to spyware, when there is a much more apt comparison: Trojan software. Trojans enter your system by tricking you – pretending to be something else.

    CD DRM enters your system the same way. It pretends to be software that allows you to listen to your protected music (as if the actual music was stored in a special format), when in fact it prevents you from listening to normally encoded music, by disrupting the correct operation of your system.

    Any other industry would be strung up for this, and a lynching of the practices of the entertainment industry is long overdue.

  91. Mike Birney says

    Sony are advising of a new patch from SunnComm that fixes the original security problem (patch dated 12/8) – http://sonybmg.com/ – but the EFF website are still advising not to use the SunnComm patch (which I assume means Tuesdays 12/6 patch).

    Do we know if this latest SunnComm patch is secure, since they cannot be relied upon themselves to get it right?

  92. free980211 says

    Just an additional thought…

    The only thing any of this software does is punish the legitimate consumers who buy the discs. I’m sure the songs are available on any P2P network anyway, free from the DRM restrictions.

    Perhaps it’s just me, but it seems kinda stupid to bite the hand that feeds you.

    Of course, the end result will be a push for a new medium that will be designed to enforce the DRM at the hardware level, and those thought keep giving me flashbacks to the cold war at this point because it probably won’t be long until that new system is cracked wide open, and the cycle will begin again.

  93. Very good article. I would add that we might have some vertical “integration” behind this process. By vertical integration, I mean a proprietary system where the owner of a CD is required (forced) to use only the CD companies CD player.