[Toshiro]

Well that is just adding fuel to the fire, there is enough ppl that are not fond of RIAA. Besides, Rikki is right about the greed part, not a lot of ppl are content with what they have it is kind of saddening, but that is the way we humans work.

 

[Toshiro]

It would seem the EFF (Electronic Frontier Foundation) is also sueing Sony BGM, but not only for the XCP but also SunnComm MediaMax software.

EFF Files Lawsuit Against Sony BMG
By Nate Mook, BetaNews
November 22, 2005, 1:29 PM

Not long after Texas Attorney General Greg Abbott announced he had sued Sony BMG over its invasive copy-protection scheme, the Electronic Frontier Foundation said it filed a class action lawsuit against the record label in Los Angeles. The EFF's suit goes beyond the rootkit and includes SunnComm DRM used by Sony as well.

While acknowledging that Sony has taken steps to recall CDs affected by First 4 Internet's rootkit DRM, known as XCP, the EFF says "these measures still fall short of what the company needs to do to fix the problems caused to customers."

The organization also chided Sony for ignoring altogether concerns about the SunnComm MediaMax software. MediaMax is used on over 20 million CDs -- ten times the number of discs containing XCP. The EFF claims that the software installs on a user's PC even if they do not accept the license agreement and has no uninstall facility.

SunnComm's software tracks when a user listens to CDs and reports the information back to the company. Security researchers have also discovered that an uninstaller provided by SunnComm opens the door to security risks, just like the XCP uninstaller provided by Sony.

"Sony BMG is to be commended for its acknowledgment of the serious security problems caused by its XCP software, but it needs to go further to regain the public's trust," said Corynne McSherry, EFF Staff Attorney, in prepared remarks.

"It is unconscionable for Sony BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software."

The EFF says Sony has not widely publicized the XCP problem, and "has failed to compensate users whose computers were affected and has not eliminated the outrageous terms found in its End User Licensing Agreement (EULA)."

"Regular CDs have a proven track record -- no one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG's experiments?" remarked EFF Legal Director Cindy Cohn.

Sony is facing six other class action lawsuits in addition to the Texas suit, according to the EFF. The group has posted information about the litigation on its Web site.

http://www.betanews.com/article/EFF_Files_Lawsuit_Against_Sony_BMG/1132684198

 

[Toshiro]

Well Sony seem to love making a challenge for themselve when it comes to DRM. Looks like they had a new patch, but even that had its own problems.

Oops -- New Sony DRM Patch Insecure
By Nate Mook, BetaNews
December 8, 2005, 11:40 AM

Just one day after jointly announcing a patch to correct a security flaw in the SunnComm MediaMax copy protection included on 27 CDs, Sony BMG and the Electronic Frontier Foundation are urging users not to install it. The update includes a vulnerability similar to the one it attempted to fix.

SunnComm's MediaMax version 5 software does not properly protect a directory it installs, opening the door for a privilege escalation attack. Thus, a restricted user account could replace the executables within the MediaMax directory with malicious code, which would then be executed by an administrator upon inserting a CD.

Sony said it would notify customers of the SunnComm problem through an advertising banner within the MediaMax software, and via an online ad campaign. It also began distributing an update on the Sony BMG Web site and to security vendors.

But despite claims that "independent software security firm NGS Software have determined that the security vulnerability is fully addressed by the update," Princeton researcher Alex Halderman has found otherwise.

"It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch," Princeton professor Edward Felten explained. "The previously released MediaMax uninstaller is also insecure in the same way."

Halderman and Felten also discovered that even if a user declines the MediaMax license agreement, the vulnerable software is still installed on their computer. However, those users will not see the advertising banner Sony is using to notify customers.

"The consequences of this problem are just as bad as those of the XCP rootkit whose discovery by Mark Russinovich started SonyBMG's woes," added Felten. "This problem, like the rootkit, allows any program on the system to launch a serious security attack that would normally be available only to fully trusted programs."

This isn't the first time Sony's fix for vulnerable DRM has done more harm than good. Last month, Felten reported that the Web based uninstaller for the XCP copy protection contained a security flaw that could enable malicious software to be automatically installed on a PC.

Sony has recalled all CDs with XCP due to the furor surrounding the software's rootkit, but much to the chagrin of security experts, it is not following suit with SunnComm.

"Every disc sitting on somebody’s shelf, or in a record-store bin, is just waiting to install the vulnerable software on the next PC it is inserted into. The only sure way to address this risk is take the discs out of circulation," warns Felten. "The time has come for SonyBMG to recall all MediaMax CDs."

http://www.betanews.com/article/Oops_New_Sony_DRM_Patch_Insecure/1134060047

Well I wonder how long Sony will drag its name in the mud.