
New SunnComm MediaMaxMess

p2p news / p2pnet: Alex Halderman originally revealed how SunnComm’s amazing MediaMax CD-3 Copy Management (V1) Digital Restrictions Management technology could be ham-strung by simply pressing the shift key when you were inserting a ‘protected’ CD.

SunnComm boss Jacobs said he’d sue Halderman, but quickly backed down. Jacobs also issued an official, and very public, press release loudly refuting a p2pnet spoof which no one could have taken seriously.

Now Halderman reveals that SunnComm’s MediaMax EULA means about as much as its DRM. >>>>>>>>>>>>>>>>>>>>>>>>

DRM MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA
By J. Alex Halderman, Freedom to Tinker

In an earlier post I described how MediaMax, a CD DRM system used by Sony-BMG and other record labels, behaves like spyware. (MediaMax is not the same as XCP, the technology that Sony-BMG has recalled; Sony-BMG is still shipping MediaMax discs.) MediaMax phones home whenever you play a protected CD, automatically installs over 12 MB of software before even displaying an End User License Agreement, and fails to include an uninstaller.

Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs. I had believed that MediaMax didn’t permanently activate this driver - set it to run whenever the computer starts - unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought.

In the comments to our last MediaMax story, reader free980211 pointed out that the driver sometimes becomes permanently activated if the same protected CD is used more than once, even if the user never agrees to the EULA. This wasn’t apparent from my earlier tests because they were conducted under tightly controlled conditions, with each trial beginning from a fresh Windows installation and involving only carefully scripted operations. I’ve performed further tests and can now confirm that MediaMax is permanently activated in several common situations in spite of explicitly withheld consent.

When this happens depends on what version of MediaMax is being used. An older version, called CD-3, was introduced in 2003 and is present on albums released as recently as this summer. There is also a newer version, MediaMax MM-5, which has been shipping for a little over a year. You can tell which version is on a CD by examining the files in the disc’s root directory. Albums protected by MediaMax CD-3 contain a file called LAUNCHCD.EXE, while MM-5 albums include a file named PlayDisc.exe.

When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:

* You insert a CD-3 album, then later insert an MM-5 album
* You insert an MM-5 album, then later insert a CD-3 album
* You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album

These steps don’t have to take place all at once. They can happen over a period of weeks or months.
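The version check and the three scenarios listed above can be expressed as a small audit script. This is an added example, not code from Halderman's post or from p2pnet; the function names, the event labels and the sample disc directories are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Marker files named in the article; matched case-insensitively because
# Windows file names are case-insensitive.
MARKERS = {"launchcd.exe": "CD-3", "playdisc.exe": "MM-5"}

def mediamax_version(disc_root):
    """Return 'CD-3', 'MM-5' or None from the files in a disc's root directory."""
    for name in sorted(os.listdir(disc_root)):
        version = MARKERS.get(name.lower())
        if version and os.path.isfile(os.path.join(disc_root, name)):
            return version
    return None

def matches_activation_scenario(events):
    """events: ordered 'CD-3'/'MM-5' insertions and 'reboot' markers, EULA
    declined each time. True if the history matches a scenario the article
    lists; False only means no listed scenario matched."""
    seen = set()               # MediaMax versions inserted so far
    mm5_then_reboot = False    # an MM-5 insertion has been followed by a reboot
    for event in events:
        if event == "reboot":
            mm5_then_reboot = mm5_then_reboot or "MM-5" in seen
            continue
        if event not in ("CD-3", "MM-5"):
            raise ValueError(f"unknown event: {event!r}")
        if seen - {event}:                         # other version seen earlier
            return True
        if event == "MM-5" and mm5_then_reboot:    # MM-5, reboot, MM-5 again
            return True
        seen.add(event)
    return False

def sample_disc(filenames):
    """Build a constructed stand-in for a disc root (hypothetical test data)."""
    root = tempfile.mkdtemp(prefix="disc_")
    for name in filenames:
        open(os.path.join(root, name), "w").close()
    return root

if __name__ == "__main__":
    history = [mediamax_version(sample_disc(["PlayDisc.exe", "autorun.inf"])),
               "reboot",
               mediamax_version(sample_disc(["PLAYDISC.EXE"]))]
    print(history, "->", matches_activation_scenario(history))
```

Pointing `mediamax_version` at a real drive letter before autorun is re-enabled tells you which version a disc carries without launching its installer.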

This is bad news for people who like to play CDs in their computers. Many users are unaware that their CDs contain MediaMax until the license agreement appears on their screens, but by this time it may be too late to stop the driver from being permanently activated. Even if users are careful to decline the EULA every time, the circumstances when the software becomes active anyway are common enough to be practically inevitable.

This may be an annoyance to music fans - unless you disable the driver, you’ll have a hard time playing any MediaMax-protected titles, let alone copying them to your iPod - but it’s also a security risk, since the driver is loaded as part of the Windows kernel and has the ability to control virtually any aspect of the computer’s operation. We don’t know whether the MediaMax driver contains any vulnerability that can be exploited to do further damage, but the way it is installed creates a dangerous precedent.

Is this behavior illegal? It should be. Installation of system level software where the user has explicitly denied permission raises serious security concerns and is wrong.

Also read:-
ham-strung - MediaMax protected CD online, June 18, 2004
backed down - Sunncomm cites ‘chilling effect’, October 14, 2003
loudly refuting - SunnComm falls for p2pnet spoof, November 9, 2005
p2pnet spoof - Apple, Microsoft p2p collaboration, November 5, 2005

>>>>>>>>>>>>>>>>>>>>>>>>

================

Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local political representatives. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance.


6 Responses to “New SunnComm MediaMaxMess”

  1. Reader's Write Says:

    The EFF filed suit against Sony for both the XCP and the MediaMax…

    http://djtechnocrat.blogspot.com/2005/11/eff-files-class-action-lawsuit-again.html

    -Todd

  2. Reader's Write Says:

    What a mess ? I’m sure lots of execs will walk away from this.

    And what ever happened to Kevin M. Clement ?

    SunnComm hires Sony BMG guy
    http://p2pnet.net/story/7068

  3. Reader's Write Says:

    It’s just this sort of sloppy programming coupled with intense desire to protect the product that are turning off people buying. Nowhere in all of this are you rewarded as a faithful customer for either doing the right thing or for getting a product that does what the customer expects; simply the playing of that purchased product. More than anyone else, the faithful customer is the one stuck with a product that doesn’t do as it is billed and that expectations will be rarely met. No other type of business could survive in the physical world with these sort of attitudes and with this type of shabby and shyster product and expect to sell it big.

    The cartels first off think you are a thief. No one that thinks otherwise would come up with such a scheme to protect the goods and at the same time expect the customer to just accept it as part of the deal. Anyone that buys these substandard products is just asking for more trouble where they least expect it. In a world where a fresh install of windows isn’t expected to last through the install and upgrade patch process before being attacked by hackers and probes, these sort of methods by well known and what should be respected companies is just unbelievable to the average Joe that just wants to play his music. As was said, “It’s your product, it isn’t your computer” and this is part of where these businesses are losing it. After the Sony debacle, I no longer trust any of these companies not to try and insert malware of some sort on my computer. No matter the name or the method, no matter how it is presented; a rose is still a rose and a pig’s ear is still a pig’s ear. Hiding it in a 1000 word or greater EULA, written in legalese isn’t what I call respected either (nor is not directly mentioning what will be done in the EULA). This sort of behavior should, if our lawmakers were really truthful about it, trigger a legal requirement that a popup, plain and simple, tell the user of any intended modifications to be done to their computer and directly ask for a yes or no. Further, if you say no, that’s what it means. It doesn’t mean no today and yes sometime in the future.

    This sort of slimy underhanded tactics are what I have come to expect from the industry and it is a sign that things have gone far too far in their favor. They are to the point of it’s ok to do anything to your computer in the effort to collect every last penny.

    Meeting and exceeding your customer base expectations should be the goal of any business that is intending to have a future. By the contrary, those that don’t meet those expectations will suffer the result of such. Is it any wonder that p2p is gaining and continues to gain in spite of all that the cartels are doing and attempting to do?

  4. Reader's Write Says:

    I hope this gets as much attention as the sony fiasco is.

  5. Reader's Write Says:

    Don’t EVER buy a CD from the music cartel. If you really want anything they sell - for gawds sake, DOWNLOAD IT! Protect yourself and punish them at the same time.

    Support the “other” labels and artists. Buy their music - it’s better product anyways…

    Just my opinion. Your mileage may vary.

  6. Reader's Write Says:

    say, i’m rather curious,(and i have similar anti-corporate pimp views) isn’t making a statement like that grounds for a lawsuit/criminal investigation/riaa buttfuck on the person who posted it? I’d imagine it is in the U$A, but would the site operators/owners of p2p.net be forced (and would they comply?) if some legal leech/corporate interest ‘demanded’ the person’s ip address who posted that?

    I’d not be surprised if that post would be considered some crazy legal bullshit like ‘conspiracy to commit copyright theft’ or ‘incitement of theft’ with an insane mandatory 20 year prison stretch for each count.
    eh, that’s the great thing about america, you’ll do more time for copying a movie than for setting a retarded kid on fire. That’s what i call priorities.
