New MediaMax vulnerability disclosed, patched

December 7th, 2005

Sony BMG issued a joint announcement with the EFF yesterday that a new security vulnerability had been identified in Sony BMG’s other DRM software, MediaMax, and that a patch was available. The vulnerability has been known for a while but not publicly disclosed until SunnComm was able to create the patch, which can be downloaded from Sony’s site. If you have played any of the CDs listed on Sony’s site, you should probably download the patch. Users who play the CDs will get prompted through a banner displayed in the MediaMax software to download an upgrade.

For those of you just joining us, this is not the DRM package containing the rootkit and all the code stolen without attribution from various open source projects; it’s the other one. Just wanted to set that straight.

Thanks to Mike for pointing out this latest development in the comments last night. There’s a pretty active discussion thread on Slashdot around it right now too.

For the record: I’m certainly glad that Sony BMG is getting more on top of this, with quite a lot of prodding from the EFF. But the EFF shouldn’t have to prod. Sony BMG shouldn’t be getting any praise for doing what they are supposed to be doing as a responsible company.

Update: And maybe they don’t deserve any praise at all: see Freedom to Tinker for a report that the patch installation is also vulnerable to exploits. Thanks to Dave in the comments for the link.

XCP uninstaller out

December 6th, 2005

According to BoingBoing, Sony BMG has finally released an XCP uninstaller that appears to address the exploit issues with the previous, web based uninstaller. Given their past track record, I would wait for further analysis by Freedom to Tinker or Mark Russinovich before using this uninstaller.

Plot thickens: Did Sony try to break Apple’s DRM?

December 5th, 2005

Via Freedom to Tinker and Boing Boing comes a startling suggestion about XCP. Remember the allegation that DVD Jon’s iTunes DRM busting code appeared in XCP? Alex Halderman at Freedom to Tinker says that it was put there on purpose: so that Sony BMG could get its music into iTunes and onto the iPod by transparently adding Apple’s DRM to music files from XCP CDs.

This is a complex allegation, and is made a little more hysterical than it needs to be in the BoingBoing write up. You could always put plain old MP3s on the iPod. What you couldn’t do was to play music files that required competing DRM formats on it. Not sure I see the value of doing so, either.

The bigger question it raises is the question of intent. Did First4Internet put the functionality in, or did Sony BMG? Who turned it off (it’s present but disabled in all shipped XCP CDs)? Was this a negotiation ploy to strong-arm Apple into accepting competing DRM schemes on iPods? If so, it appears never to have been used, since the code wasn’t updated to keep up with post-iTunes 4.8 changes that rendered it inoperable.

As I’ve said before: every time it seems like everything is clear in this case, things just get more interesting. Stay tuned…

BusinessWeek: Sales impact not likely

December 2nd, 2005

BusinessWeek Online: For Sony, a pain in the image. The article weighs the customer reaction to the rootkit fiasco and concludes that the effect on Sony’s bottom line will not be great. BW reporter Olga Kharif interviewed me for the article yesterday, and while the article doesn’t link to this site, I think my comments are fairly represented. (Oh, about that cellphone–bought it this summer, a long time before the news broke. If anyone has a suggestion for a good replacement for a Sony Ericsson 710a, I’m all ears.)

I want to offer a counter view to the comments from analyst Mark Stahlman in the article, however. I don’t know that the boycott is going to have a material effect on Sony’s corporate bottom line, but the activity that we are generating is encouraging outraged customers to file class action suits and has forced Sony BMG to recall affected discs, both of which will have material impacts on Sony BMG’s bottom line. The problem for a stock analyst is that Sony BMG is a corporate joint venture that does not trade separately from its parents, so those impacts will be largely invisible unless they affect overall market valuation or drag down Sony’s corporate earnings.

Lawsuit roundup: Oklahoma

December 2nd, 2005

An additional lawsuit since I last wrote about the topic. In addition to the DC lawsuit announced earlier this week, a class action suit was filed in Oklahoma on Monday on behalf of Oklahoma residents who purchased a CD carrying either XCP or MediaMax, or whose computers were infected by either XCP or MediaMax.

No Xmas for Sony

December 1st, 2005

Check out this nifty “no Xmas for Sony” badge, via BoingBoing. If you use it, please link to this blog. I don’t know why Cory Doctorow doesn’t know this site exists, but a general info blog like this seems a better thing to bring the general public to than Mark Russinovich’s post.

Lawsuit in DC?

December 1st, 2005

Jiri posts in my comments that there is a “just filed” lawsuit in the District of Columbia that covers both XCP and MediaMax. Anyone have a link?

Update: Thanks to Mike, who found the pointer to the DC lawsuit. It’s a private lawsuit, filed by Finkelstein, Thompson & Loughran on behalf of a DC resident, who is acting as a “private attorney general” under DC law on behalf of the general public. They are apparently still seeking people affected by the rootkit in DC.

Sony BMG announces Canadian mail-in recall

November 30th, 2005

CBC: Snail mail fix to Sony’s XCP problem. The Canadian recall is announced, finally; presumably recalls in other markets will follow. From the article:

Under the mail-in program, consumers will get a replacement CD that doesn’t have the XCP software and an MP3 file of that CD. Sony says it will handle all mailing costs.

The only access to the exchange program appears to be through Sony’s website.

One wonders what took them so long. This isn’t rocket science.

Artists outraged

November 30th, 2005

Rolling Stone: Sony XCP Bomb Sparks Rage. Good review of the perspective of the artists affected by the fiasco, including quotes from Trey Anastasio and the manager of the Bad Plus. This is where the impact to Sony’s pocket starts; unless there are a lot more people boycotting Sony than there are signing the petition, it’s the withdrawal of the XCP CDs from the market that will have the biggest economic impact in the short term.

Russinovich to join New York lawsuit against Sony BMG

November 30th, 2005

According to Security Fix, Mark Russinovich, whose blog post started the storm over Sony BMG’s rootkit DRM, will be joining the legal team for the New York class action suit. Though the attorneys aren’t commenting on Mark’s role, he’s said on his own blog that he’ll be “serving as an expert” for the legal team.

In somewhat related news, Mark has blogged that he’s “wondering if I jumped the gun” in declaring victory in the rootkit case. He’s specifically concerned about the same retail channel management issues I raised following Eliot Spitzer’s warning: to wit, infected discs are still out there and finding their way into the hands of customers. Not only that, but there is no evidence that they are producing a secure, safe XCP uninstaller despite their promise to do so.

My $0.02: the boycott isn’t over until Sony gets the corrupted product out of the channel, swears off DRM on audio CDs, and stops treating its customers like criminals.