Bruce Hayden writes that MediaMax, the company associated with the CD-borne spyware product that Sony has not yet recalled, recently filed a prospectus with the SEC in connection with an upcoming stock offering. In the prospectus, the company is required to describe truthfully its business plans and associated risks. MediaMax’s prospectus is a window into the company’s business practices. It was filed on November 4, about a week before we first reported the security and privacy problems caused by MediaMax.

There’s more interesting material in the prospectus than I can cover here. Bruce Hayden describes some of it. You can read the whole prospectus yourself, but most of it is pretty dry. The most interesting parts are the discussion of business risks (note the conspicuous non-mention of security and privacy risks), and the description of the company’s products. The product description is all I’ll write about here.

Page 30 of the prospectus describes how the MediaMax CD copy protection product works. Remember, this is the company’s own description of its product. Here’s the core of the description:

When the disc is inserted, the auto launch feature will activate the MediaMax program on the second session. Depending on the DRM license implementation, this program is either activated directly or through another program. The program first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. The LMT Software controls consist of two dynamic link libraries. The controls are used by the MediaMax application.

Whenever the second session software is executed, the LMT Software controls will first determine if the content protection device driver is installed on the system. If not, it will extract it from the main LMT Software into a separate file and install it as a standard Windows device driver.

The driver first locates all CDROM devices installed on the computer. Then it polls each device to determine if a new disc has been inserted. If so, it reads various elements of the disc to determine if it is a MediaMax protected disc. It is important to note that the driver is completely idle (without any chance to affect the computer or CD/DVD drives), unless an actual MediaMax disc has been detected. Once detected, the driver will insert itself into the communication stream for that drive to prevent any non-authorized activities. While allowing the computer to access the second session and associated content without any limitations, the driver will interfere when applications try to access the first session only.

When the driver detects that the MediaMax disc is ejected, it will remove itself from the communication stream for that drive and switch back to the polling mode. Several enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.

There are several things to note here. First, in describing the installation process, there is no mention of obtaining user consent, or of the possibility that the user might not consent, or of how the product would cope with a non-consent situation. The description is pretty straightforward: when the disc is inserted, they install the software. So the decision to install without consent seems deliberate.

Second, there is no mention of the phone-home feature, even though websites associated with the product talk about how the feature can be used to display third-party ads.

Third, they brag that “enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.” So the decision to resist uninstallation seems deliberate.

Indeed, they make an even stronger statement elsewhere on page 30:

The software is designed to be completely invisible to users, programs and system components.

This is an exaggeration, but it shows that they do aspire to invisibility. Which is interesting because the only way to be “invisible to users, programs and system components” is to use rootkit methods. So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit.

All of this just confirms what I wrote on Friday about how the technical problems with CD copy protection lead vendors to adopt spyware methods. MediaMax’s description of their own product describes software that installs without consent and resists detection and removal, along with an apparent plan to adopt rootkit methods. MediaMax set off down the road of CD copy protection, and they ended up with spyware.

Advocates of DRM (copy protection) have been keeping their heads down lately, while they try to figure out what went wrong in the SonyBMG DRM spyware fiasco. No doubt they’ll try to explain it away as an anomaly – just a little speed bump on the road to the effective, unobtrusive DRM future that they’re sure will be arriving any day now.

There are some problems with this story. For starters, we’re not talking about a single DRM system – we’re talking about two totally separate systems (XCP and MediaMax), developed by rival companies, both of which turned out to be spyware and to endanger users, in strikingly similar ways. Is this just a coincidence?

Of course it’s not. If we look carefully at CD copy protection as a technical problem, we’ll see why DRM designers are drawn to spyware tactics as their best hope of stopping copying. Let me explain why.

CDs store music files in Compact Disc Digital Audio (CDDA) format, which is easily readable by a wide range of devices. If the music is encrypted or stored in some other tricky format, ordinary audio CD players won’t be able to read it, and the disc will be useless to most customers. So backward compatibility requires that the music be stored in a format that is readable by computer software.

(Technical digression: There are actually small differences between how a computer reads a disc and how ordinary audio CD players read it. So-called passive protection technologies try to exploit these differences by putting things on the disc that try to confuse computers without affecting ordinary players. For our purposes, it will suffice to say that purely passive protection systems are not viable, because computers are not so easily confused. To my knowledge, purely passive CD DRM technologies aren’t being used any more, although some current vendors combine passive protection with active measures. For reasons too boring to go into here, passive protection doesn’t really affect my analysis; and so to streamline the discussion I’ll assume from here on that there is no passive protection.)

If the music is encoded on the disc in a format that any software program can read, the only way to stop programs from reading it is to install software on the user’s computer, and to have that software actively interfere with attempts to read the disc, for example by corrupting the data stream coming from the disc. We call this “active protection”.

For example, suppose the user wants to use iTunes to read the disc. But the DRM vendor wants to stop the user from doing this, because iTunes can be used to make copies of the disc. The active protection software will detect this and will interfere to ensure that iTunes gets a garbled copy of the music.

Here’s the key issue: Active protection only works if the DRM software is running on the user’s computer. But the user doesn’t want the software on his computer. The software provides no value to him at all. Its only effects are to stop him from doing things he wants to do (such as listening to the music with iTunes), and to expose him to possible security attacks if the software is buggy.

So if you’re designing a CD DRM system based on active protection, you face two main technical problems:

1. You have to get your software installed, even though the user doesn’t want it.
2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there.

Of course, you don’t have to resort to these tactics. But if you don’t, your software will have trouble getting onto users’ computers and staying there. If your whole business model depends on installing unwanted software and preventing its uninstallation, you’ll do what’s necessary to make that model work. You’ll resort to spyware tactics. (Or you’ll quit and go into another business.)

Having set off down the road of CD copy protection, the music industry shouldn’t be surprised to have arrived at spyware. Because that’s where the road leads.

Was anybody surprised at Tuesday’s announcement that the MediaMax copy protection software on Sony CDs had a serious security flaw? I sure wasn’t. The folks at iSEC Partners were clever to find the flaw, and the details they uncovered were interesting, but it was pretty predictable that a problem like this would turn up.

Security is all about risk management. If you’re careful to avoid unnecessary risks, to manage the risks you must accept, and to have a recovery plan for when things go wrong, you can keep your security under control. If you plunge ahead, heedless of the risks, you’ll be sorry.

If you’re a parent, you’ll surely remember the time your kid left an overfull glass of juice on the corner of a table and, after the inevitable spill, said, “It was an accident. It’s not my fault.” And so the kid had to learn why we don’t set glasses at the very edges of tables, or balance paintbrushes on the top of the easel, or leave roller skates on the stairs. The accident won’t happen every time, or even most of the time, but it will happen eventually.

If you’re a software vendor, your software creates risks for its users, and you have a responsibility to your customers to help them manage those risks. You should help your customers make informed choices about when and how to use your software, and you should design your software to avoid exposing customers to unnecessary risks. Your customers expect this from you, and they’ll hesitate to buy your product if they think you’re leaving the cyberjuice on the corner of the table.

The design of the MediaMax/Sony software is a case study in risk creation. I wrote about these risks two weeks ago:

But even if all [the software’s spyware] problems are fixed, the MediaMax software will still erode security, for reasons stemming from the basic design of the software.

For example, MediaMax requires administrator privileges in order to listen to a CD. You read that right: if you want to listen to a MediaMax CD, you must be logged in with enough privileges to manipulate any part of the system. The best practice is to log in to an ordinary (non-administrator) account, except when you need to do system maintenance. But with MediaMax, you must log in to a privileged account or you can’t listen to your CD. This is unnecessary and dangerous.

Some of the security risk of MediaMax comes from the fact that users are locked into the MediaMax music player application. The player app evades the measures designed to block access to the music; and of course the app can’t play non-MediaMax discs, so the user will have to use multiple music players. Having this extra code on the system, and having to run it, increases security risk. (And don’t tell me that music players don’t have security bugs — we saw two serious security bugs in Sony music software last week.) Worse yet, if a security problem crops up in the MediaMax player app, the user can’t just switch to another player app. More code, plus less choice, equals more security risk.

Sure enough, these risks enable the new attack, which exploits the presence of extra code on the system, and the fact that that code runs with full Administrator privileges.

The biggest risk of all, though, is that the software can install itself without the knowledge or consent of the user. When you decide to install a program on your computer, you take a security risk. But you take that risk knowingly, because you have decided the benefit provided by that program outweighs the risk. If you change your mind about that tradeoff, you can always uninstall the program.

But if you decline the MediaMax licence agreement, and the software secretly installs itself anyway, you will face risks that you didn’t choose. You won’t even know that you’re at risk. All of this, simply because you tried to listen to a compact disc.

Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax.

Sony is still shipping CDs containing this dangerous software.

iSEC, EFF, and SonyBMG issued a joint press release yesterday, announcing yet another serious security bug in the SunnComm MediaMax copy protection software that ships on many SonyBMG compact discs. (SonyBMG has recalled CDs that use another copy protection system, XCP, but they have not yet recalled discs containing MediaMax.)

As we’ve written before, the first time you insert a MediaMax-bearing CD into your Windows computer (assuming you have Windows autorun enabled, as most people do), MediaMax installs some software on your computer. Once this initial software is on your computer, you are vulnerable to the new attack. The gist of the problem is that MediaMax installs itself in a directory that anyone is allowed to modify, even users who otherwise run with heavily restricted security permissions. Any program that comes along can modify your MediaMax files, booby-trapping the files by inserting hostile software that will be run automatically the next time you insert a MediaMax-bearing CD into your computer. And because MediaMax is run with full administrator privileges, the hostile program gets to run with full privileges, allowing it to inflict any mischief it likes on your PC.

Alex Halderman has discovered that the problem is worse than the press release indicates:

• You are vulnerable even if you decline the MediaMax license agreement. Simply inserting a MediaMax-bearing CD into your PC paves the way for an attacker to come along and set a booby-trap. The trap will be sprung the next time you insert such a disc.
• SonyBMG has released a patch that purports to fix the problem. However, our tests show that the patch is insecure. It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch.
• The previously released MediaMax uninstaller is also insecure in the same way, allowing an adversary to booby-trap files so that hostile software is run automatically when you try to use the uninstaller.

  (These attacks are similar to the exploit described in iSEC’s report, but they involve a different modification to the MediaMax files.)

Because of these problems, we recommend for now that if you have a Windows PC, you (1) do not use the MediaMax patch, (2) do not use the previously released MediaMax uninstaller, and (3) do not insert a MediaMax-bearing CD into your PC.

We have notified SonyBMG and MediaMax about these problems. We assume they will develop a new uninstaller that safely rids users’ computers of the MediaMax software once and for all.

The consequences of this problem are just as bad as those of the XCP rootkit whose discovery by Mark Russinovich started SonyBMG’s woes. This problem, like the rootkit, allows any program on the system to launch a serious security attack that would normally be available only to fully trusted programs.

According to the press release, SonyBMG intends to use MediaMax’s banner ad display feature to warn users about these vulnerabilities. While this is a positive step, it will fail to reach users who have rejected the MediaMax license agreement. This group is at particularly high risk, since they are probably unaware that the software is installed on their computers.

Worst of all, it is impossible to patch the millions of MediaMax-bearing CDs that are already out there. Every disc sitting on somebody’s shelf, or in a record-store bin, is just waiting to install the vulnerable software on the next PC it is inserted into. The only sure way to address this risk is take the discs out of circulation.

The time has come for SonyBMG to recall all MediaMax CDs.

UPDATE (Dec. 9): Sony and MediaMax have issued a new patch. According to our limited testing, this patch does not suffer from the security problem described above. They have also issued a new uninstaller, which we are still testing. We’ll update this entry again when we have more results on the uninstaller.

Yesterday Alex wrote about how SonyBMG’s XCP CD copy protection software includes a feature – apparently built on illegally copied open-source code – to translate music files into the FairPlay format used by Apple’s iTunes and iPod, but the feature was not exposed to users. The details are interesting. But equally interesting, I think, is the question of how this situation came about. Why would Apple make compatibility so difficult? Why would First4Internet go to the trouble to make its software compatible? Why would First4Internet and/or SonyBMG then turn off this already-working feature? And why would SonyBMG then blame Apple for the difficulty of moving XCP files into iTunes and iPods?

Today I’ll try to answer these questions. My answers will be speculative, as I’m not privy to any special information about the companies’ plans. But the story I’ll tell should be plausible, at least, and it will shed some light on how companies use DRM (copy protection) as a weapon in struggling for market supremacy.

Let’s start by reviewing why Apple makes it hard for others to encode files in the Apple FairPlay format that is used by iTunes and the iPod. Apple could easily facilitate such encoding if it wanted to; but it doesn’t. Instead, Apple seems to be trying to ensure that customers are locked in to a particular DRM scheme. This is the strategy we would expect from a company with high market share – customers try to avoid lock-in, but if they must be locked in they typically choose to be locked in to the dominant vendor. So the dominant vendor – Apple in this market – often tries to foster market structures with lock-in.

Recall that when RealNetworks, an Apple rival, created its Harmony software, which could translate Real-format files into FairPlay, Apple cried foul. Apple hung the dreaded “hacker” label on RealNetworks and threatened to sue on some vague DMCA theory. When Real didn’t back down, Apple just changed the FairPlay format, rendering Real’s software incompatible once again. Apple was willing to use both legal threats and technical changes to frustrate compatibility.

First4Internet (F4I), in developing its XCP copy protection software, started out with no market share. F4I knew that customers wouldn’t want its software, because the main effect of the software is to stop customers from doing things they want to do. F4I wanted to reduce the unpleasantness of using its software, and one way to do that was to give customers a way to transfer XCP music files into iTunes or an iPod. And that meant translating the files into FairPlay format. To do this, F4I could have reverse-engineered iTunes and written code to do the translation. Instead, it apparently just swiped some open-source code called DRMS (written by Sam Hocevar and DVD-Jon), in violation of the DRMS license. Using this code, F4I built a working translate-to-FairPlay function as part of its software.

At some point, F4I licensed its software to SonyBMG. F4I would surely have told SonyBMG about the FairPlay compatibility feature. But when SonyBMG CDs shipped with F4I’s XCP software on them, the compatibility feature was disabled and hidden from users. Somebody must have decided to disable the feature, and it’s hard to believe it was anybody but SonyBMG. SonyBMG was F4I’s first major customer. SonyBMG was putting its name on the CDs. And SonyBMG would have been the main target for hacking accusations and/or lawsuits from Apple. So we have to conclude that SonyBMG chose not to make the software on its CDs FairPlay-compatible.

Why would SonyBMG do this? It would have been easier to retain compatibility, and SonyBMG’s customers would have benefited. So SonyBMG must have thought compatibility would hurt it, somehow. How might that happen? Perhaps SonyBMG was afraid Apple could bring a successful lawsuit against it; but that seems unlikely given the apparent weakness of Apple’s legal claims. Two other theories seem more likely.

The first theory is that SonyBMG wanted to avoid the public spectacle of two DRM companies fighting with each other. DRM advocates like to argue (against the evidence) that the only impact of DRM is to prevent infringement. When DRM companies fight over compatibility, this just emphasizes the role of DRM as a strategic tool companies use to lock other companies out of markets, and that sets back the cause of DRM. Much better from SonyBMG’s viewpoint, perhaps, to maintain the fiction of one big happy DRM family, even if customers suffer.

The second theory is that SonyBMG was trying to fragment the world of music-file formats, in order to reduce Apple’s negotiating power. Record companies have been complaining lately that Apple, as the biggest seller of Internet-delivered music, has too much market power. Apple’s market power helps it drive a hard bargain with record companies in negotiating the price and terms of Apple’s online music sales. SonyBMG, as a record company, would like to see Apple’s market power shrink.

Whichever explanation is right, it certainly appears that SonyBMG decided that XCP shouldn’t be compatible with FairPlay.

What SonyBMG did next showed a particular sort of genius. It blamed Apple for the incompatibility. Indeed, SonyBMG went so far as to ask its customers to petition Apple to solve the problem. Here’s SonyBMG’s web site:

Sony BMG wants music to be easily transferable to any device that supports secure music. Currently, music from our protected CDs may be transferred to hundreds of such devices, as both Microsoft and Sony have assisted to make the user experience on our discs as seamless as possible with their secure formats.
Unfortunately, in order to directly and smoothly rip content into iTunes it requires the assistance of Apple. To date, Apple has not been willing to cooperate with our protection vendors to make ripping to iTunes and to the iPod a simple experience.
If you believe that you should be able to easily move tracks from your protected CD to your iPod then we encourage you to use the following link to contact Apple directly and tell them so. http://www.apple.com/feedback/ipod.html

If you were SonyBMG, and you were clever but not overly concerned with telling the truth in public, this is exactly what you would say in this situation. Why pass up a chance to paint Apple as the bad guys?

Running through this whole convoluted tale are two consistent threads. DRM is used as a weapon not against infringers but against market rivals. And when companies use DRM to undermine compatibility, law-abiding customers lose.