More Sony BMG C.R.A.P.
p2pnet.net News:- Sony BMG’s SunnComm MediaMax and First4Internet XCP spyware has been a problem not only for Sony, but for many thousands of former Sony customers, since Day One.
The company hid the DRM (digital restrictions management) C.R.A.P. (Cancellation, Restriction, and Punishment) software on its music CDs and when buyers loaded them, the spyware was automatically installed without their knowledge or permission and just as bad, it was also literally dangerous to their computers.
And it’s still posing a threat to computer users running certain versions of AOL or PestPatrol anti-spyware software, says the Associated Press, going on that the “glitch” can cause a CD-ROM drive to be disabled.
Quoting the Texas attorney general’s office, it said this latest Sony BMG spyware mess problem was, “discovered by officials who have been testing the XCP copy-protection technology as part of the state’s lawsuit against Sony BMG.
“State investigators found that if a CD with XCP technology is loaded on a computer running AOL’s ‘Safety and Security Center’ software, the program’s antispyware feature will attempt to delete the XCP components, but often while also disabling the CD-ROM’s configuration in the PC’s operating system. The same glitch surfaced on computers running CA Inc.’s PestPatrol separately from AOL, the state said.”
Sony BMG said it’d worked with AOL and CA “to resolve the issues with their software and noted it has made a software patch and uninstaller program for XCP available on its Web site”.
Nor does it end there.
Canadian IP and Net expert professor Michael Geist unearthed what’s come to be known as the Missing Sony Exhibit.
“The Canadian Sony rootkit class action settlement heads to court next week amid mounting questions about the deal,” he says. “The EFF calls attention to a number of missing provisions, including no security reviews and no ongoing obligations to provide uninstallers for the rootkit. There is also a financial hit in Canada, with Canadian consumers receiving roughly ten percent less than U.S. consumers due to currency differences.
“By far the biggest difference, however, is that the U.S. agreement is subject to injunctive relief linked to actions brought by several U.S. agencies and attorneys general. The Canadian agreement, by contrast does not include such relief. The justification for this difference is contained in Exhibit C, the only key settlement document that Sony has not provided to the public.”
Meanwhile, two lawsuits were filed against Sony BMG by the Texas attorney general and the EFF, blogged Princeton professor Ed Felten, last November, going on:
The Texas suit claims that Sony’s XCP technology violates the state’s spyware law. The EFF suit claims that two Sony technologies, XCP and MediaMax, both violate various state laws.
One interesting aspect of the EFF suit is its emphasis on MediaMax. Most of the other lawsuits have focused on Sony’s other copy protection technology, XCP. The EFF suit does talk about XCP, but only after getting through with MediaMax. Emphasizing MediaMax seems like a smart move – while Sony has issued an apology of sorts for XCP and has recalled XCP discs, the company is still stonewalling on MediaMax, even though MediaMax raises issues almost as serious as XCP.
As Alex wrote last week, MediaMax is spyware: it installs software without notice or consent; it phones home and sends back information without notice or consent; and it either doesn’t offer an uninstaller or makes the uninstaller difficult to get and use. MediaMax lacks the rootkit-like feature of XCP, but otherwise MediaMax shares all of the problems of XCP, including serious security problems with the uninstaller (mitigated by the difficulty of getting the uninstaller; see above).
But even if all these problems are fixed, the MediaMax software will still erode security, for reasons stemming from the basic design of the software.
For example, MediaMax requires administrator privileges in order to listen to a CD. You read that right: if you want to listen to a MediaMax CD, you must be logged in with enough privileges to manipulate any part of the system. The best practice is to log in to an ordinary (non-administrator) account, except when you need to do system maintenance. But with MediaMax, you must log in to a privileged account or you can’t listen to your CD. This is unnecessary and dangerous.
Some of the security risk of MediaMax comes from the fact that users are locked into the MediaMax music player application. The player app evades the measures designed to block access to the music; and of course the app can’t play non-MediaMax discs, so the user will have to use multiple music players. Having this extra code on the system, and having to run it, increases security risk. (And don’t tell me that music players don’t have security bugs — we saw two serious security security bugs in Sony music software last week.) Worse yet, if a security problem crops up in the MediaMax player app, the user can’t just switch to another player app. More code, plus less choice, equals more security risk.
Worse yet, one component of MediaMax, a system service called sbcphid, is loaded into memory and ready to run at all times, even when there is no disc in the CD drive and no music is being played. And it runs as a kernel process, meaning that it has access to all aspects of the system. This is another component that can only add to security risk; and again the user has no choice.
It’s important to recognize that these problems are caused not by any flaws in SunnComm and Sony’s execution of their copy protection plan, but from the nature of the plan itself. If you want to try to stop music copying on a PC, you’re going to have to resort to these kinds of methods. You’re going to have to force users to use extra software that they don’t want. You’re going to have to invoke administrator privileges more often. You’re going to have to keep more software loaded and running. You’re going to have to erode users’ ability to monitor, control, and secure their systems. Once you set off down the road of copy protection, this is where you’re going to end up.
Also See:
C.R.A.P. – Apple and its C.R.A.P., March 4, 2006
Associated Press – Sony’s ill-fated CD copy protection still causing problems, September 13, 2006
Missing Sony Exhibit – Sony BMG Canadian DRM scam, September 14, 2006
blogged – More Suits Filed; MediaMax Insecurity Remains, November 22, 2005
p2pnet newsfeeds for your site.
rss feed: http://p2pnet.net/p2p.rss
Mobile – http://p2pnet.net/index-wml.php
