sorry if this has already been post but i did a quick check on the board i find it too amusing to wait. apparently sony's in trouble again for it's piracy software. there was a second one that they kept using even when the other one was pulled and the fucking patch they posted made the problem worse. my favorite part of the story is that the software auto-installed even when the user clicks on the "discontinue installation" button. bastahds!

[New security flaw vexes Sony BMG piracy battle
Expert says patch makes problem worse
By Hiawatha Bray, Globe Staff | December 8, 2005

Sony BMG Music Entertainment has acknowledged a new security problem affecting nearly 6 million of its CDs, and a Princeton University computer expert said yesterday that a patch the company designed to fix the problem may only make things worse.

The new security problem is the latest embarrassment for Sony BMG, which last month recalled millions of CDs that contained a different antipiracy program that also was plagued with technical flaws.

Computer security experts say that Sony BMG's problems show the near-impossibility of writing software that will prevent consumers from making illicit copies of recorded music and sharing them over the Internet without posing risks to consumers' computer security.

''I think there are problems with compact disc copy protection that can't be resolved," said Edward Felten, professor of computer science and public affairs at Princeton. One security expert, Alex Stamos of Information Security Partners LLC in San Francisco, recommended that consumers should not play Sony BMG music CDs in their computers until further notice.

The problems for the company began last month, when computer programmer Matt Russinovich found that Sony BMG was shipping many of its music discs with a program called XCP. The program has no effect on standard CD players. But it installs itself on computers running Microsoft Corp.'s Windows operating system when a CD owner tries to play the disc on the computer.

XCP was designed to limit the number of times a user could copy the tunes on the disc, and to ensure that these copies could not be played on other computers. But the software also concealed itself on users' computers and was extremely difficult to remove. In addition, XCP secretly sent information about users' listening habits over the Internet to Sony BMG.

Russinovich published his discovery on the Internet, spawning an international outcry from computer users, and a spate of class-action lawsuits. In response, Sony agreed to withdraw about 4.7 million affected discs from stores, and set up an exchange program for consumers who had purchased about 2.1 million of the discs. Sony BMG kept on using a different anticopying program called MediaMax, produced by SunnComm Inc. of Phoenix.

But the Electronic Frontier Foundation filed a lawsuit against the company's use of both XCP and MediaMax, saying that the SunnComm program was also flawed. The EFF cited research by J. Alex Halderman, one of Edward Felten's students at Princeton. Halderman said MediaMax sends information about users over the Internet without their permission. He also claimed that although MediaMax installs itself even if the user clicks a button that's supposed to stop installation.

The EFF hired Information Security Partners to analyze MediaMax. In the process, the security company found a new problem with the software -- a vulnerability that could allow unauthorized users to take full control of the computer's operations.

Even though this new problem was unrelated to EFF's lawsuit, the group notified Sony BMG and SunnComm, which quickly moved to issue a patch that would solve the problem. The problem affected 27 Sony BMG titles, including Alicia Keys' ''Unplugged," and Cassidy's ''I'm A Hustla." The patch was posted Tuesday on Sony BMG's website.

But yesterday, Halderman struck again. He said that Sony BMG's patch was also flawed and could actually cause the security problem it was supposed to block. Thomas Hesse, president of Sony BMG's global digital business unit, said that his company's experts were working to verify Halderman's claim, and would issue a modified patch if necessary.

Hesse said the company is rethinking its antipiracy policies.

''We need to reevaluate where we go with CD content protection overall," said Hesse. ''I think we have definitely learned many lessons from this episode." But Hesse refused to speculate on whether Sony BMG would abandon efforts to put antipiracy software on its music CDs.

Beyond being a public relations nightmare for Sony BMG, these episodes have underscored how difficult it is for the recording industry to halt rampant piracy of recorded music. Other major music companies are working on their own solutions. EMI Group, which produces discs by such acts as the Rolling Stones, Lenny Kravitz , and Snoop Dogg, uses software from Macrovision Inc. of Santa Clara, Calif., to block piracy.

But two other major labels, Warner Music and Universal Music, have so far refrained from using similar software. A spokesman for Universal, Peter LoFrumento, said his firm is open to the idea. But Universal won't use any antipiracy products that make it harder for customers to enjoy music.
''It can't in any way hurt the user experience," LoFrumento said.

Alex Stamos said that making reliable antipiracy software is tough because such programs are designed to interfere with the normal operation of other software on computers.

''That will never be reliable," said Stamos, ''and it will be very, very difficult to make secure."

Sweet Jesus, these guys are jerks. How exactly did they think this was going to go unnoticed?

[url=http://www.sonybmg.com/mediamax/titles.html]CDs Containing SunnComm MediaMax Version 5 Content Protection Software

Note: We encourage you to check this list for the artist name, name of the album, as well as the selection number (which can be found on the spine of the CD). If the selection number is not listed below, your CD does not contain SunnComm MediaMax Version 5 content protection. Please note, DualDiscs and DVDs do not use SunnComm MediaMax content protection.[/url]

List is for U.S. and Canada. Particularly of interest to the board:
Black Rebel Motorcycle Club, Howl | 8287671601 [US]
My Morning Jacket, Z | 82876710672 [US] / 82876710672 [CAN]

It's Sony. I'm not at all surprised.

Also Stellastarr* 82876688812

I bought my mom the Melissa O'Neil CD for Christmas. I also noticed the new My Morning Jacket on the shelf at my favourite indie store. The thing is, these discs were supposed to be recalled, but the people at these stores knew nothing about it.

It's a real shame about that MMJ CD. I might have bought it a while ago if I hadn't been hearing about it containing copy protection software. And now this confirms it.

Not these - these are not the XCP-riddled discs that caused the uproar a month or so ago. This is just the run-o-the-mill copy-protection, just a new version of it.

Here's hoping for a disasterously bad Christmas sales season for Sony!

Wrong. It's not XCP, but it's malware in the form of a program called MediaMax from Suncomm.

From J. Alex Halderman, whom I believe is employed by Princeton.
To summarize, MediaMax software:

* Is installed onto the computer without meaningful notification or consent, and remains installed even if the license agreement is declined;
* Includes either no uninstall mechanism or an uninstaller that fails to completely remove the program like it claims;
* Sends information to SunnComm about the user's activities contrary to SunnComm and Sony statements and without any option to disable the transmissions.

Does MediaMax also create security problems as serious as the Sony rootkit's? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software. However, it certainly causes unnecessary risk. Playing a regular audio CD doesn't require you to install any new software, so it involves minimal danger. Playing First4Internet or SunnComm discs means not only installing new software but trusting that software with full control of your computer. After last week's revelations about the Sony rootkit, such trust does not seem well deserved.

[img][650:434]http://www.sawf.org/newedit/edit03212005/SONY-CELEBRATES-LAUNCH-OF-P.jpg[/img]
SONY



BONY

its a bad Christmas season for all major labels. compared to last year, sales are down 13%. but they're also not releasing much of anything this month that's worth a damn.

i bought the mmj & stellastarr before this scandal hit, but luckily i disabled autorun by then.

Luckily they only program their shitty CDs with these files.

I find it pretty interesting that the guy from Princeton says that this whole debalacle shows that ''there are problems with compact disc copy protection that can't be resolved."

Begs the question, "what's next?" There is clearly a pretty steady relationship between time and free music downloading. What is the industry going to look like in a few years, as piracy becomes MORE rampant?

Of course more music is going to be distributed online, so CD protection may not matter as much. Seems to me tho that the same problems apply to all digital file protection.

Doesn't excuse Sony unleashing malware on our asses, but you have to be able see what the panic is all about: Producing music costs $; Less people pay for music than they used to; The trend does not look like it's going to stop; efforts to stop it are inherently flawed.

They're fucked unless they come up with something quick. Thus the rush to release software that was not ready and is now fucking everyone's computer.

What I think they will do is start releasing music on a new medium, such as DVD that is encrypted. Then unlicensed software for extracting digital copies will be illegal under the DMCA, and they can go after software distributers instead of users, giving them fewer chokepoints.

I have a hunch they will continue to blame this on music piracy, as per the new standard-issue playbook..

I tried to buy my mom the new Neil Diamond at Circuit City, but their computers wouldn't let me buy it. It took them about 20 minutes to confirm they couldn't sell it and that they were recalled, but there was a whole bunch on the shelf.

Why not encrypted CDs?

volvo: boxy, but good.

You mean, like SACD?

jaguar: for rich men who want hand jobs from fast women.

Just keep thinking that...