March 19, 2024

Inside the MediaMax Prospectus

Bruce Hayden writes that MediaMax, the company associated with the CD-borne spyware product that Sony has not yet recalled, recently filed a prospectus with the SEC in connection with an upcoming stock offering. In the prospectus, the company is required to describe truthfully its business plans and associated risks. MediaMax’s prospectus is a window into the company’s business practices. It was filed on November 4, about a week before we first reported the security and privacy problems caused by MediaMax.

There’s more interesting material in the prospectus than I can cover here. Bruce Hayden describes some of it. You can read the whole prospectus yourself, but most of it is pretty dry. The most interesting parts are the discussion of business risks (note the conspicuous non-mention of security and privacy risks), and the description of the company’s products. The product description is all I’ll write about here.

Page 30 of the prospectus describes how the MediaMax CD copy protection product works. Remember, this is the company’s own description of its product. Here’s the core of the description:

When the disc is inserted, the auto launch feature will activate the MediaMax program on the second session. Depending on the DRM license implementation, this program is either activated directly or through another program. The program first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. The LMT Software controls consist of two dynamic link libraries. The controls are used by the MediaMax application.

Whenever the second session software is executed, the LMT Software controls will first determine if the content protection device driver is installed on the system. If not, it will extract it from the main LMT Software into a separate file and install it as a standard Windows device driver.

The driver first locates all CDROM devices installed on the computer. Then it polls each device to determine if a new disc has been inserted. If so, it reads various elements of the disc to determine if it is a MediaMax protected disc. It is important to note that the driver is completely idle (without any chance to affect the computer or CD/DVD drives), unless an actual MediaMax disc has been detected. Once detected, the driver will insert itself into the communication stream for that drive to prevent any non-authorized activities. While allowing the computer to access the second session and associated content without any limitations, the driver will interfere when applications try to access the first session only.

When the driver detects that the MediaMax disc is ejected, it will remove itself from the communication stream for that drive and switch back to the polling mode. Several enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.

There are several things to note here. First, in describing the installation process, there is no mention of obtaining user consent, or of the possibility that the user might not consent, or of how the product would cope with a non-consent situation. The description is pretty straightforward: when the disc is inserted, they install the software. So the decision to install without consent seems deliberate.

Second, there is no mention of the phone-home feature, even though websites associated with the product talk about how the feature can be used to display third-party ads.

Third, they brag that “enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.” So the decision to resist uninstallation seems deliberate.

Indeed, they make an even stronger statement elsewhere on page 30:

The software is designed to be completely invisible to users, programs and system components.

This is an exaggeration, but it shows that they do aspire to invisibility, which is interesting because the only way to be “invisible to users, programs and system components” is to use rootkit methods. So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit.

All of this just confirms what I wrote on Friday about how the technical problems with CD copy protection lead vendors to adopt spyware methods. MediaMax’s description of their own product describes software that installs without consent and resists detection and removal, along with an apparent plan to adopt rootkit methods. MediaMax set off down the road of CD copy protection, and they ended up with spyware.
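The prospectus describes a device driver that polls the CD drives and then “inserts itself into the communication stream” for a drive, and it boasts that the driver is hard to locate. On Windows that position is normally taken by a filter driver registered on the CD-ROM device class or on an individual drive, or by a kernel-mode driver service. The script below is an added example, not code from the prospectus or from MediaMax, that lets an administrator see what actually sits in that path on their own machine. It assumes the driver under review is registered as a class or device filter and/or as a driver service; a driver that attaches only at runtime, or that hides itself with the rootkit methods the post discusses, would not show up here, which is exactly why “invisible to programs and system components” is a rootkit property and not a feature.

```powershell
# Added example (not from the prospectus, MediaMax or SunnComm): list the filter
# drivers a Windows host has attached to its CD/DVD drives, then list every
# kernel-mode driver service with its code-signing status, so a driver sitting
# in a drive's "communication stream" can be reviewed. Run from an elevated prompt.
# Assumption: the driver under review is registered as a class or device filter
# and/or as a driver service. A driver that attaches at runtime only, or one that
# hides itself with rootkit methods, will be missing from these lists.

# Well-known device setup class GUID for CD-ROM drives.
$CdRomClassGuid = '{4D36E965-E325-11CE-BFC1-08002BE10318}'

function Get-CdRomFilterDrivers {
    $results = @()

    # Class-wide upper/lower filters apply to every CD/DVD drive on the machine.
    $classKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$CdRomClassGuid"
    foreach ($position in 'UpperFilters', 'LowerFilters') {
        $names = (Get-ItemProperty -Path $classKey -Name $position -ErrorAction SilentlyContinue).$position
        foreach ($driver in @($names)) {
            if ($driver) {
                $results += [pscustomobject]@{ Scope = 'Class'; Device = 'all CD-ROM'; Position = $position; Driver = $driver }
            }
        }
    }

    # Per-device filters live on each device instance whose ClassGUID is the CD-ROM class.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('ClassGUID') -eq $CdRomClassGuid } |
        ForEach-Object {
            $dev = $_
            foreach ($position in 'UpperFilters', 'LowerFilters') {
                foreach ($driver in @($dev.GetValue($position))) {
                    if ($driver) {
                        $results += [pscustomobject]@{ Scope = 'Device'; Device = $dev.PSChildName; Position = $position; Driver = $driver }
                    }
                }
            }
        }

    return $results
}

function Get-KernelDriverSummary {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        # Turn NT-style paths (\??\C:\..., \SystemRoot\...) into ones Get-AuthenticodeSignature can open.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $sig = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            Status    = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }
}

# Report 1: anything filtering the CD-ROM class or an individual drive.
$filters = Get-CdRomFilterDrivers
if ($filters) { $filters | Format-Table -AutoSize }
else { 'No filter drivers registered on the CD-ROM class or its device instances.' }

# Report 2: drivers worth a second look: unsigned, invalidly signed, or not signed by Microsoft.
Get-KernelDriverSummary |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object Name |
    Format-Table Name, State, StartMode, Status, Signer -AutoSize
```

The second report is a review list, not a verdict: plenty of legitimate third-party drivers are not signed by Microsoft. The useful comparison is against a baseline taken before a disc was ever inserted, since the prospectus says the driver is installed the first time the second-session software runs.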

Comments

  1. […] Freedom to Tinker has a new post today about MediaMax and SunnComm, another excellent read. The comments on Felten’s blog are interesting as well. A comment from another of Felten’s MediaMax posts: I’ll have to hand it to you Eddie and Alex, you certainly have a penchant to deride Mediamax and an obvious distaste for any kind of audio copy protection in the market place. What are your feelings on game, software and DVD copy protection? Do you feel it is your right to copy those as well? […]

  2. To Steve K., SunnComm investor and apologist;

    Your Windows Update comment was probably one of the most idiotic, moronic, and just plain stupid comments ever posted to this blog. That is quite an accomplishment! For one thing, Mr. K., if I tell Microsoft to turn said updates off, that is what they do. So far, they haven’t gotten the testosterone to try pulling what Sony and SunnComm have done, which is ignore the customer. I know, give them time, and it will happen, but we’ll cross – and burn – that bridge when we come to it.

    Now, a few other points. Exactly how did companies like SunnComm and First4Internet come about? They are nothing but a solution to a trumped up, non-existent problem. Countless studies have conclusively shown that more exposure to music creates more sales. The ONLY reason the recording industry is trying to restrict people and their purchased music is they can’t control the digital information. With the Internet, artists don’t need the RIAA cartel anymore. It is rather telling that, even in this modern era, the typical recording contract steals 10% of the gross sales, right off the top, for “breakage”, which has been written in since the days of records being made from shellac. I’d like to see what those shellac compact discs look like!
    Perhaps your investment dollars would be better suited in tobacco companies – instead of just screwing your customers, you actually get to kill them, and make a killing at the same time. The ethics of anyone investing in either company is questionable at best, and despicable at worst.

    (P.S. Ubuntu Linux rocks!)

  3. At least MSFT allows you to turn off automatic updating, which I do automatically – about the same time I turn off autorun.

  4. Ned Ulbricht says

    Microsoft® Windows uninstaller

  5. Steve K

    That is the most pathetic and childish comment to date in this debate. If you can’t tell the difference, then ask your kindergarten teacher.

  6. I turned on my PC today and found out that last night windows automatically downloaded and installed updates in my PC without my knowledge!!

    Help, Windows is now spyware! The conspiracy against us grows…..

    Is there an uninstall Windows program?

  7. I reckon that Sony themselves are on borrowed time as far as music is concerned.

    I envisage a future where artists can sell their wares on the internet and bypass the labels altogether.

    And that is possibly what the labels are worried about.

    But what if the means of securing entertainment data through the Internet is controlled by the big boys?

    When you look at the current copy protection arguments going on with monitors, is it really about copyright? Or are the large media labels worried that unless they control entertainment secure data methods on the Internet, they will become superfluous to requirements?

  8. JB - Stating the Obvious says

    Poor SunnComm. I feel their pain. No, really. I mean that. The way I see it, here’s a company employing mostly innocent developers, whose entire business model is based upon a product that no end-user in their right mind would ever want to purchase. From the Joe Consumer standpoint they have absolutely no value-add to speak of, and if companies like Sony weren’t willing to cram this crapware down our throats whether we like it or not, they wouldn’t have any -customers- to speak of either.

    Borrowed time. That’s what a product like Mediamax lives on while companies like Sony come to the slow realization that their junk is simply not worth the effort.

  9. Scott,

    Written like a SunnComm pro. It shouldn’t be hard for you to ask someone in the office for the web address of the client that signed your biggest order to date. I’ll await the outcome of your search on that.

  10. Scott,

    Dude, you are so off base it’s not even funny. I am a monitor engineer for Clair Bros. For over twenty years I have toured all over the globe with 100’s of major label bands including many Sony acts. Since I work right on stage with the members I know most of the musicians pretty well and I can’t remember any of them ever saying anything positive about this whole copy protection business.

    I have watched Robbie and John from the Goos wince when kids show up at the meet and greets asking for them to sign burned disks. You know what though they still sign them. The kid still paid for the ticket to come to the show. Rob Thomas told me once that he’s always very humbled by the fact that people are willing to steal his work just so they can experience it. I can go on and on.

    Most of the musicians that I know don’t think that copy protection is a good thing and I know a lot of them. The merch guys hate it too because people give them shit about it at the shows. Some of them won’t even put copy protected disks out on the table. You are totally off the deep end if you think the whole music biz is dropping because of downloads. It ain’t. The concert biz ain’t never been stronger. The bands are making more money than ever. The guys that are hurting are the old boys networks that have always controlled the distribution. They got run over by the computer revolut

  11. Scott, I can’t believe you wrote those last two paragraphs with a straight face.

    You feel that we have to at least be willing to hear the other side, otherwise what’s the point, plus DRM is staying no matter what and that’s final.

  12. Scott,

    As I indicated in my previous post, I do think that the type of DRM sold by SunnComm to Sony BMG may go away. In the end, I think that it will alienate more people and lose money that way than make it back through lowering sharing, etc.

    Maybe DRM is the wave of the future. But right now, it is too easy to circumvent, if you understand it, and those most likely to “steal” music are precisely those most likely to know how to circumvent it.

    That is why I think that it really needs to move into the OS where it is much harder to circumvent. But that, of course, means that Sony, et al., have to figure out how to make it worthwhile for MSFT, in particular, to jump on board.

  13. I think that the big problem faced is that Sony BMG, et al. find themselves on the wrong side of the ball in a stagnant or declining industry – not music per se, but rather the sale of music CDs.

    I see the Apple business model for music working. You pay $1 or so for a tune. Not $15 for a CD with only one or two tunes you really want. But Apple is squeezing the music companies like Sony BMG, as can be expected. And a lot more people are willing to pay a $1 for a legitimate copy of a tune than are willing to pay at $15. This is especially true when they discover that the artists aren’t getting all that much out of the $15. (I have heard a lot of different things here – whether it is effectively zero, after deducting costs, or a $1 or so per CD).

    So, the recording companies like Sony BMG are getting desperate. They see a lot of sales disappearing, and are thrashing around trying what they can do in multiple directions. And one of these is to try to cut down on songs ripped from CDs. SunnComm, et al. saw a market opportunity and jumped in.

    My guess though is that this episode with Sony and its DRM software has effectively put an end to this endeavor. Why? Because those most likely to rip songs and share them are the most likely to have picked this up. All they need to do to circumvent these DRM systems is to turn off Autorun (which many have probably done already). That leaves the legal users who tend to be less sophisticated. And installing DRM software on their computers is unlikely to reduce the type of “theft” that the DRM software is intended to prevent – because they weren’t the ones doing it in the first place. So, in the end, I expect Sony BMG, et al. to drop this just like software companies dropped copy protecting their floppies years ago. In the end, it will make them look good, instead of bad, as this does.

    What should they do then in the long run? First and foremost, acknowledge that they have to change their business model. Secondly, work with Microsoft and Apple at enticing them to build in DRM software into their operating systems. (Linux I think is a lost cause for them). Maybe some way to cut these companies into the revenue stream would work as an incentive.

    Just my thoughts as a somewhat outside observer (I haven’t bought a music CD in years, nor have I downloaded music online, legally or not, in years either).

  14. This is for SunnComm Scott;

    I have 2 mp3 players; an Archos Jukebox Recorder 20, and an Iriver iFP-795. I also have 2 PCs and 1 laptop, and I use my mp3s on all of them. Furthermore, I use Exact Audio Copy, in conjunction with LAME, to rip my cds to higher VBR tracks. I don’t do 128 kbps, nor do I allow wma crap on my equipment. With this in mind, how am I supposed to do this legally protected activity with my legally purchased hardware, when your surreptitiously-installed software prohibits me from doing it, even if I tell it explicitly not to?

    (And quit telling us it’s not a bug, it’s a feature!)

    By the way, I am also a “basher” of the SCO Group; a company with much the same ethical quality as that of the members of the RIAA, SunnComm, and MSFT. (Anyone remember the South Park episode?
    Quote of smarmy record exec; “I AM ABOVE THE LAW!”)
    It’s interesting to note that the recording industry is already fighting tooth and nail when it comes to the digital age – adapt or die… and when they go, so will the middlemen hangers-on like SunnComm. It can’t happen soon enough for me.

  15. to be honest, i didn’t know about it, nor would i have had occasion to, like you said, it was before my time. that being said, on the outside it looks like it looks, but until i have any kind of factual information of motive or otherwise, i’ll reserve my personal judgement. but you are of course free to think whatever you like 😉

    i know the people that i actually worked with, and they are neither evil nor corrupt, but optimistic that they can help provide a possible solution to an even larger problem. i never saw any of the corruption or nefarious plots everyone here seems so eager to portray them as. it’s easy to throw stones at what is perceived to be a huge company, however the people that i worked with are normal people. they laugh at funny emails, get upset when trashed, trying to get through college, having babies, and try to do their jobs the best way they know how. i was proud to work with them and the project and am still. a lot of sleepless nights and heartache and, believe it or not and as corny as it may sound, love, went into that product. here’s a little known fact: all of us there love the music, most if not all play some sort of instrument, and some of us were in bands.

    besides, i had my hands entirely full doing what i was doing, and believe me, my time was non-existent.

    ultimately you’ll draw what you wish from the company, the posts, the product, and DRM in general, but i think a little objectivity is in order here, instead of the rampant hysteria based on little or no facts. most if not all of the concerns have been addressed or are in the process of being addressed.

    in a perfect world there would be no need for DRM, but alas there is. do i like it personally? of course not, but wishing it away doesn’t make it so. i mean, seriously, let’s take a look at something. we *all* know when we’re doing something wrong, and i’ll take that a bit further, we *all* know when we’re doing something questionable. it’s that little twinge you feel before you hit the ‘burn’ button, or when we ‘loan’ out a disc, dvd or vhs or download music off of the p2p networks. at least, there should be a twinge.

    i’m curious, set aside the company and the software a sec. what exactly is it that you think is owed to you? (and please try to keep that statement in the context in which it was given) the music? you don’t think that the musicians that make the music from nothing but their own creativity, deserve to make a few bucks? or the roadies and stagehands? the artists and the printing companies that make the cd covers? do you really think there is that much money left per unit to *really* get rich? most of the musicians i know are in serious debt the first few years of a contract (if they ever really get out from under), paying back fronted money for tours, or gear, or recording fees etc. i can see it from their side. there’s nothing wrong with wanting to make a decent living doing what you love, and making money at it.

    by the same token, i can see it from the consumer’s side as well. and to be honest, i’m a complete bear when it comes to getting what i want when i want it (consumer rights). i want software, that *if* i have to have it on my system, that it works, first off, without compromising my ‘safety’ as it were. and i’m not saying that people shouldn’t have concerns one way or the other, it’s healthy to question. what’s *not* healthy is a mob minded mentality based on little or no facts, thrown around by people that may or may not have an agenda. all i ask is that a little common sense prevail, tempering with wisdom so-to-speak, and by all means ask questions! i’m more than willing to help anyone that has an issue or problem with the software.

    the thing is this: you can’t ask a question that you don’t want to hear the answer to, simply because it doesn’t fit with what your preconceived notions might be. there has to be a little management of expectations here. you have to be at least willing to hear another side, otherwise, what’s the point?

    and finally (whew)
    DRM’s not going away folks. it’s simply in what form it takes in the future.

    do you want DRM that locks something down so tightly that it really *does* become a serious issue?, or…. MediaMax, which actually tries to find some sort of happy medium between the two. slamming me, josh, the company, the people there, the shills (hi shills), isn’t going to make piracy or the need to stop it, go away.

  16. Scott

    Since you are a SunnComm employee you should be able to answer this.

    If there have been many complaints to SunnComm on issues other than iPod compatibility, then the only way we will know that there were many is if SunnComm acknowledges that fact. IMO SunnComm is corrupt and will not release any information that doesn’t make them look good.

    5 Years ago SunnComm, with the same CEO and President as today, issued this press release:

    SunnComm Inks $20+ Million Copy Protection Deal With Major Pacific Rim CD Manufacturer

    http://cdmediaworld.com/hardware/cdrom/news/0012/sunncomm_cd_protect.shtml

    Could you provide us with the URL of the web page of the company that is the other party to that deal, Will-Shown Technology Co. Ltd of Taipei, Taiwan? If you cannot provide us with the company’s web page, can you provide one link, anywhere on the web, that references Will-Shown Technology, that is not in some way connected to that SunnComm PR?

    This company is described in that PR as a Major Pacific Rim CD Manufacturer so that should not be hard to do, considering the PACRIM includes the US, China, Taiwan, Korea and Japan. For example, Google gives 7,290,000 hits on TDK, a competitor of Will-Shown, assuming Will-Shown exists.

    If you cannot do that, then you will have to accept that your company, SunnComm International, issued a press release that was a complete fabrication.

    In which case, why should we accept anything that SunnComm says about error rates, or for that matter that the install without user consent was a bug.

    I know it was before your time, but it was a $20M deal and I’m sure as an employee you must have been curious about that issue, since it is all over the web. Josh can answer too, if he has the links.

  17. I still think the larger point is being missed, as far as comparing MediaMax to other programs that users *choose* to install. In the case of other programs, whether an entire OS like Windows or, say, a spyware removal utility, people *choose* to install and run them due to some perceived benefit to them from use of the program. In the case of MediaMax, no one asked for or wanted it. They just wanted to listen to a CD on their computer, just like they’ve done for the past 10 or more years. They didn’t expect anything to install. Why should they? If they’re running Windows, they already have Media Player and probably other things that can play back CD audio. Why would they need or want another player — especially one that makes their personal, legally purchased possessions less useful?

    The other, tepid defenses of MediaMax seem even more irrelevant to me beyond the main point that no one asked for or wanted it in the first place.

  18. Scott:

    Why are you installing software at all when I haven’t accepted the EULA? That is completely unacceptable.

    And your argument about the lack of user complaints is specious. Users seldom know they have a vulnerability on their systems, until that vulnerability is exploited.

  19. To: Kris Thorn:
    “This is an issue, the consequences of which have not really been highlighted in the debate so far. If something stops functioning correctly due to MediaMax being installed by stealth or otherwise on the computer and the owner places a technical support call to the wrong people”

    How true, how true. Not only do we call the wrong people to resolve our problem, but the universal Pavlovian response by tech support is: “not our fault”. It’s amazing that we haven’t had a societal meltdown yet.

  20. ok, point taken.. not exactly what i was trying to say, but point taken..

    actually, that argument could be used on several companies.

    *any* software that you install, do you *really* know what each component does? of course not. when you update your OS after MS accidentally had the source for part of win2k leaked onto the internet, do you know what parts were affected? which were patched, what the patch actually did? and furthermore, do you believe them? and it’s not just with MS, it might very well be McAfee or some other software. IE *constantly* crashes and sometimes takes down the OS when it does..

    it wasn’t ‘stealth’ or ‘rootkit’… there was no knowledge of forethought, nor intent to defraud or anything of the kind. lumping MediaMax in with XCP and the methods used by the other guys, might make you feel better, just like me saying that all lawyers are ambulance chasers, but it’d be just as wrong, because of course, they’re not..

  21. Scott, isn’t this a variation on the “what they don’t know won’t hurt them” argument?

    That is, by the way, a strong argument that Sony could use in a court defense. Countering it will require that it be explained to the jury as to why the stealth software is potentially dangerous, and that the jury understand the implications. The fact that no planes have yet fallen from the sky because of the software could, with some jurors, be a strong argument. After all, who really knows how their around-the-house technology really works?

    This issue seems to be one of the downsides of the legal approach being taken — there is a strong risk that arguments such as this (the fact that the general public hasn’t taken up pitchforks and torches) will be effective.

    I’d rather see an effort put into making people more aware of their rights and of the risks associated with what they install on their computers (whether they know it or not).

  22. btw moo, i’m Scott, he’s Steve K.. no relation.. i’m not posting under anon or a pseudonym..

    as for this bit:
    “That’s an interesting guess, but I think you’re wrong. I think the REAL reason there aren’t 100’s of thousands of irate and disgruntled consumers, is that they don’t KNOW their computers were hijacked by your software.”

    first of all, to counter my statement with a bunch of ‘i think’ s, does not dissuade the actual argument. in fact, if there *were* 100’s of thousands of users with problems, we’d all know *factually* a bit more about it, right? how could a company keep something like that quiet? answer: they couldn’t.

    to the second part of your argument, which deals with the *knowing*. *if* the software broke something or caused system failure etc, don’t you think they would ‘know’? and furthermore, contact technical support or *someone* to seek help or complain? don’t get me wrong, there have been support calls, and those consumers have been helped or are in the process of being helped, but the amount of tech support needed has been minimal compared to the amount of discs out in the market.

    btw, what exactly was ‘hijacked’ again? it doesn’t disable burning software, nor does it disable the cd/dvd roms.. hell, the filter driver is not even running if a MediaMax disc isn’t in the cdrom.

  23. “know who”, not “no who”. Sorry

  24. To Steve R

    “I have had problems where no error message or other usable informative message was displayed to resolve the problem. Consequently, I am left scratching my head wondering what caused the problem: was it a recently updated driver, was it a recent update to the program, has the CD drive itself failed, did the recent Windows update contain an incompatibility, is the CD dirty, do I have permission to run the program, etc.??? ”

    This is an issue, the consequences of which have not really been highlighted in the debate so far. If something stops functioning correctly due to MediaMax being installed by stealth or otherwise on the computer and the owner places a technical support call to the wrong people (the supplier of the computer, or of the CD-ROM, or Microsoft), then the owner may be liable for the costs of the technical support they received, if the problem is diagnosed as coming from another source. Usually if you add some component (h/w or s/w) to a computer and something then starts to go wrong, you can be fairly sure that the addition was the cause and no who to call for a resolution. But who would think that placing a music CD in your PC and accepting an incomprehensible EULA could cause problems later? Worse still if you rejected the EULA and the s/w was still installed.

  25. Ned Ulbricht says

    I possess exactly one music CD. It was copied for me by a friend—the singer who recorded the session.

    Like my friend, the singer, I too am a copyright owner. I prefer to license my works on reasonable terms. Does that stop all copyright infringement? No. But for the most part, when you treat people fairly, honest people stay honest.

    Yet, from time to time, otherwise reasonable-sounding people make proposals such as:

    Ideally there would be perfect knowledge of the law by all those inclined to follow it, but in the real world, Section 1201 may allow us to replace the norm “copying music is wrong, except when you have permission, or it’s fair use, which has a 4-factor test, or it’s public domain, which is not as straightforward as it seems…” with “don’t use illegal decryption tools” — assuming TPMs someday become widespread enough that most content that the owner is serious about protecting is protected by a TPM.

    In other words, these reasonable-seeming people appear to suggest that neither I nor my friend should be given the benefit of society’s sanctions against copyright infringement—unless we choose to distribute our works on unreasonable terms.

  26. someone247356 says

    Red book – CD-ROM audio disks are data folks. _Not_ programs, data. You don’t need an EULA to play it on your stereo, you don’t need one to play it on your DVD player, you don’t need one to play it in your car, and you sure as heck don’t need it to play on your computer.

    The record companies would like you to _think_ you need to run their software, or agree to a license in order to listen to an audio CD-ROM on your computer.

    Spread the word folks, as far as I can tell you don’t. Ed please correct me if I’m wrong on this. _Never_ accept an EULA in order to listen to an audio CD-ROM on your computer. If you’ve never accepted an EULA then any DRM that gets installed on your computer does so without your consent.

    Josh said;

    “The argument was that in the ‘grey’ area during the time when the EULA was displayed for the very first time and the CD was in the drive, the copyright holders were in their right to run a ‘terminate and stay resident’ program that would run and protect their intellectual property.”

    Let me see if I can say this clearly and simply, um, no. There is no convenient ‘grey’ area. If I say no, then you don’t have the right to run a program, ‘terminate and stay resident’ or otherwise. When I close the program that displays the EULA I expect all of your program to quit. Not to leave a sneaky little program hanging about in memory.

    Then Josh said;

    “If the terminate-and-stay-resident program did not run, the user could simply open another program, rip the disc, and then decline the EULA. No matter how advanced the DRM technology became, it always could be defeated by the EULA requirement.”

    Actually it’s even worse for the pro-DRM people than that. If I don’t ever accept the EULA and terminate the program that displayed it, then the DRM software should _NEVER_ be installed, and I can rip it to another format with the program of my choice as before. Josh hits the proverbial nail on the head with that simple statement.

    Let me see if I’m understanding this correctly. Record companies and their DRM contractors know that audio CD-ROM disks are data disks. They can’t change that and expect all of the non-computer devices to still be able to play them if they change that too much. If a computer can play an audio CD-ROM it can make a copy of that music. The only way they can change that is to get people to install software that removes functionality from their otherwise perfectly functional computers. Initially they tried that with custom CD-ROM players that didn’t allow you to copy. People just didn’t use them, they used whatever CD-ROM player they wanted. Worse, they used programs specifically designed to copy and convert CD-ROM audio files to other file types (.mp3, .ogg, etc.). Then they started various tricks to hide the audio session from the computer. People weren’t fooled for long. Then they’ve gone to including other data on the disk (video clips for example) and then tricking people into agreeing to an EULA that removed their rights in order to see it (CD-Extra disks anyone). When people didn’t fall for that, they resorted to showing scary EULAs when the disk is inserted. Hoping people would either be cowed into submission, or would just click OK like they’ve gotten used to. Unfortunately some people actually read the EULA so they can’t simply say,

    “Agreeing to this means allowing us to install whatever software we feel like in order to maximize the amount of money we can extract from you. You agree to give up rights you already have and to hold us blameless for any crashes, problems, or other bad things that might happen to you because of this software we are installing.”

    Because then no one would install it.

    Finally, as Josh so eloquently put it, “No matter how advanced the DRM technology became, it always could be defeated by the EULA requirement.” In other words people could still just say, no. So SunnComm decided that the solution to that problem is to just install their program on your machine whether you agreed to it or not. If they are caught, just claim it was a _bug_, or a _grey_area_. Does that about sum it up?

    In the end DRM companies ignore the simple truth of computers and CD-AUDIO (From SunnComm’s FAQ http://www.sunncomm.com/support/faq/)

    “#9. How do I play this CD on my computer?
    Place the CD in your computer´s CD-Rom drive. Allow the disc time to start (no more than a minute), accept the end user license agreement and the music should begin to play!”

    If that isn’t spreading misinformation, what is?

    The way I suggest others play audio CD-ROMS in their computers:
    Place the CD in your computer’s CD-ROM drive. If you mistakenly left Auto-Play on and a program starts, never accept any EULAs presented. Close the program that spawned the EULA and consider turning Auto-Play off on your computer. Listen to the CD-ROM in the player of your choice. Enjoy.

    Just my $0.02 (Canadian, before taxes)
    someone247356

  27. To reiterate the comments of Supercat and Moo; I have had problems where no error message or other usable informative message was displayed to resolve the problem. Consequently, I am left scratching my head wondering what caused the problem: was it a recently updated driver, was it a recent update to the program, has the CD drive itself failed, did the recent Windows update contain an incompatibility, is the CD dirty, do I have permission to run the program, etc.??? When a product “fails”, I would like to see the programmers (both Microsoft and the product vendor) provide informative error messages. The stealth installation of programs strongly suggests that the vendors had no intent of informing users should the vendor’s program cause problems to the operating system or other applications.

  28. Doug, because they can’t get their music to an iPod without a few extra steps.

    BTW, Switchfoot was not a MediaMax protected disk.

  29. Scott said:

    “why aren’t there 100’s of thousands of irate and disgruntled consumers?”

    How do you know there aren’t? Why would Dave Matthews Band, Foo Fighters and Switchfoot be apologizing to their fans if no one was complaining? Why would My Morning Jacket be sending out replacement disks?

  30. Regarding Scott’s further comment:

    >i’d just like to ask this though:
    >if there are millions of cd’s on the market, and let’s say that only 1% of
    >those have actually put the disc in a computer and accepted the eula. why
    >aren’t there 100’s of thousands of irate and disgruntled consumers? i’ll tell
    >you why. because in some small way, bugs or no bugs, security risks or no
    >security risks, the software works. AND might actually be helping to curtail
    >illegal swapping/copying.

    That’s an interesting guess, but I think you’re wrong. I think the REAL reason there aren’t 100’s of thousands of irate and disgruntled consumers, is that they don’t KNOW their computers were hijacked by your software.

    Many of them might have noticed that their CD burning software sometimes doesn’t work now, and some of them might even have CD drives that have stopped working–but many people will not connect these events to a boilerplate EULA dialog box they clicked ‘Yes’ to (probably without reading) that one time they tried to listen to a music CD in their computer.

    If this story were to receive more mainstream coverage, more ‘non-techies’ might be complaining about it. For myself, I will wait to see how big the class action lawsuits against Sony end up being (i.e. how many people get identified as members of the class). I expect it to be at least in the thousands for each affected State. I am personally grateful to Sony for their incredibly anti-consumer approach to this whole DRM stuff, as well as their grossly inept handling of the resulting PR mess. Sony has probably singlehandedly set the ‘pro-control’ DRM/TCPA agenda back by years. I’m not grateful enough to actually buy their products though–I don’t want to deal with the risk of my computer being infected by some malware from music CDs. And they do deserve to be punished in the marketplace for treating their customers so badly. We don’t want DRM, it makes your products LESS USEFUL to us. Because of their sneaky efforts to force it on us, I say Boycott Sony this christmas.

  31. if there are millions of cd’s on the market, and let’s say that only 1% of those have actually put the disc in a computer and accepted the eula. why aren’t there 100’s of thousands of irate and disgruntled consumers?

    Perhaps because the software generally does not call attention to itself even if/when it causes system security or stability problems. If your mailman sneaks into your house without your knowledge, messes with your stuff, and leaves, are you going to express any rage at your mailman? You may express rage about the burglar, but wouldn’t express rage at the mailman for the simple reason that you didn’t know he was the burglar. Your lack of rage at the mailman, however, would clearly not by any moral standard indicate that his actions were acceptable.

  32. Regarding Scott K’s comment:

    >The funny part is that I bet each and every one of you “whiners” have at
    >some point in time copied or ripped a disc from a friend or even given a
    >friend or relative a copy of your own music CDs (this is all illegal by the way).

    I happen to live in Canada, where actually, this is all NOT illegal. It is legal for me to lend a CD to a friend, and it is legal for *him* to make a copy of my CD and keep that copy when he returns the original to me. The specific reason for this is that he already paid a levy on the blank CD-R media which assumes some degree of piracy by the purchasers of CD-Rs.

    Anyway, here is my question to Steve K. Suppose you visit my web site in your web browser, and I secretly install hidden software on your computer (even though you habitually clicked “No” to a badly-worded legalese dialog box that popped up). Should I be liable? What if I installed hidden software that hobbled your Internet connection and caused it to fail every time (or even just some of the time) when you tried to download a file with the extension .MP3, .MPG or .AVI ? What if this hidden software had known security vulnerabilities, but you couldn’t protect yourself and your computer from the vulnerabilities because you DIDN’T EVEN KNOW THE SOFTWARE WAS THERE because it used rootkit techniques to make itself as invisible as possible and none of your normal due diligence detected it was there? Should people like me be allowed to install random software on your computer like this?

    Okay, now what if you are the administrator for a corporate network with 500 computers on it, and some of them are used to visit my malicious web site and thereby become infected by this hidden software? You don’t know about it, because I have worked with anti-virus vendors to make sure they don’t “accidentally” detect my hidden software. So your anti-virus scans give the infected computers a clean bill of health. Then a hacker discovers the vulnerability in the hidden rootkit software and exploits it to hack your network and steal a bunch of private customer data from the network you administrate. (Actually, I can’t believe this hasn’t happened already to some corporate network infected with XCP or MediaMax. Or maybe it has, and we just haven’t heard about it). Who should be liable in this situation? Is it somehow your fault that my malicious software hijacked your computers and completely broke your security posture and you didn’t know? Or is it my fault for writing the hidden software and installing it on your computers without your knowledge?

    I’m genuinely interested in the answer because problems like this are inevitable as long as active DRM solutions are the norm (which I think is demonstrated clearly by Ed’s main post).

  33. Sony/BMG, First4Internet and Sunncomm have demonstrated their total disregard for the rights of the consumer with the DRM infested wares.
    I am hoping that the Vx writers turn their attention to the security holes created by Sony. Once a malicious virus/trojan brings down a major network then the M$/AV/antispyware cabal will have to address the security holes created by the initial Sony intrusion.

    I am boycotting Sony/BMG until they recall all the DRM infected disks.

  34. it wasn’t intentional Bruce, as i’m stating and as stated by Josh before.

    i’d just like to ask this though:
    if there are millions of cd’s on the market, and let’s say that only 1% of those have actually put the disc in a computer and accepted the eula. why aren’t there 100’s of thousands of irate and disgruntled consumers? i’ll tell you why. because in some small way, bugs or no bugs, security risks or no security risks, the software works. AND might actually be helping to curtail illegal swapping/copying.

    i’m not so naive as to believe that it will ever be totally stopped, however there *has* to be a first step. *both* sides need to come together and compromise a bit, which i think the MediaMax solution does. is it perfect, no. but look at the alternatives, do nothing, in which case you have rampant pricing to make up for the lost revenue, or lock it down so tight that it’s a complete nightmare just to listen to a music cd.

    it’s easy to throw stones, but i have yet to hear any possible alternatives or solutions, from any posters, Mr. Felten, Mr. Halderman or anyone else.

    if you guys want to have an informed and rational discussion about all of this, i am more than willing to help set the record straight.

  35. I got the same javascript / caching error, so I don’t think that that had anything to do with you personally. I just resubmitted, and it went fine.

  36. what exactly does posting the ‘prospectus’ of SunnComm/MediaMax actually have to do with the music or the software you’re supposedly ‘testing’? just curious..

    I think I mentioned when we started this whole thread that one reason for the relevance of the document is that it seems to negate the defense of programming error as to the automatic installation of the MediaMax software, regardless of assent to the EULA. Rather, it makes it look intentional.

  37. ahhh see how that just played out?

    my post mysteriously needs moderating now, i refresh to see if it’s now ‘moderated’, but it’s gone. so i get upset, and wrongly assume the post was deleted, and post about its removal.

    in the meantime, i get this javascript error talking about caching. sounds like a bug, or better yet, might be a security risk. i click refresh yet again and the post is back.

    this is the kind of thing, on a much larger scale, that is happening right now, not only with SunnComm etc, but DRM and anti-piracy software in general.

    assuming you know a thing doesn’t make it so…

  38. Zapkitty

    I have a number of blog entries on the Sony EULA in my Sony Blog. You will have to go into the Nov. archives to get to them.

    But in short, EULAs and other shrinkwrap and clickwrap licenses have been tending towards being enforceable over the last couple of years since the ProCD decision. However, I suspect that the trend may be about to reverse, with all the pending Sony litigation.

    In the current litigation, two different approaches are being utilized to overcome the EULAs:
    1) that the small software program being installed is not fully disclosed – either that the EULA itself is misleading, or the deceptive description of the code negates assent, and
    2) ignoring the EULA altogether, except to the extent that it grossly overreaches. This argument is primarily available to state Attorneys General.

    Here, of course, we have potentially a third argument – that since the software is apparently installed regardless of agreeing to the EULA, and to some extent in advance of that agreement, that there is no real connection between the two, and, thus, the installation of the software is not protected by the EULA.

    Needless to say, the latter in particular is just my own take on the subject. Other attorneys are likely to disagree. Nevertheless, I foresee the Sony litigations working to reverse the legal trend of accepting EULAs as enforceable given all of the above.

  39. ok, ok i finally get it now.. my post appears to have been removed.

    [Nope. It was held for moderation, as you noted above. Please forgive me for not clearing the moderation queue immediately upon the arrival of your comment at 11:35 PM. — Ed]

  40. Zapkitty seems to be right about what is going on right now with SunnComm’s investors. Volume is up, and the price is down with the company’s stock. It is now down to 1/8 of its high a year and a half ago, and about 1/4 what it was a year ago. If you look at the last month or so, it looks to me like it dropped when the Sony situation started to come out, went up a bit when Sony pulled the First 4 CDs, and has dropped back to its lowest point when it became obvious that the SunnComm DRM code was also implicated.

    I have the last two years of stock prices, or, you can go directly to Yahoo! Finance so that you can manipulate the information however you wish.

    Given that the current SunnComm stock price is 1/8 its historic high of some 1 1/2 years ago, something besides the Sony situation is probably also implicated here, such as increasing competition.

  41. just out of curiosity, why would my post ^^^ all of a sudden need to await moderation before posting?

    should i now exhibit the same paranoia shown on this forum of Ed’s nefarious plot to change the text on my post? (sarcasm)

    [The site’s spam filter holds all posts over a certain length for moderation. If we didn’t do this, you’d see lots of overlong spam comments here. Your post was not spam, so I approved it. — Ed]

  42. jeez, sounds like a conspiracy theory to me. may i ask a question? what has the software or MediaMax done to you personally? did it destroy your system? did it break something? does it stop you from doing anything legally?

    btw, for zapkitty:
    on the older version, yes, they were already encoded at 128 bit. but encoding on the fly is not the only way you can backup a disc. secureburn is a cool little tool (on that darned second session) that will allow a 1-1 cd copy of the entire disc, 3 times in fact (or as many as the content owner wishes it to be copied). which brings up an interesting question. how many copies should a person be allowed to have? unlimited? 25? 3? why would you need more than 3 copies of the same disc anyway?

    while i agree that the *potential* security risks definitely need to be addressed (which they have been, according to not only BMG/Sony and MediaMax, but independent security specialists as well).

    looking from the outside in is dangerous business if applied to *any* company, since you have nothing but suppositions and innuendos to really go on.

    one of the main problems i see reading thru the barrage of misinformation on this forum, is that everyone thinks they know what’s what. everyone is an expert, everyone knows how things ought to be run, at the same time, with this weird paranoia. do you guys know how you sound? i mean seriously, read thru all the posts on this subject and a few things start becoming glaringly apparent.

    1) most of the posters are the same, trying to convince each other that they are the one that ‘really’ knows what’s going on. here’s your answer: nothing. it was a potential security risk and it’s been fixed. nothing shady, nothing covert. but to listen to you guys tell it, we all need to start wearing aluminum hats or something, to keep SunnComm from stealing our brain waves.

    2) why are the most ardent folks against SunnComm, also either brokers, or stock bashers from ihub? obviously trying to drive the stock down? to save music? please….

    3) where is macrovision’s complementary software appraisal? isn’t it kind of hard to convince people that on the one hand you’re trying to be unbiased and remain objective and give your ‘research’ credibility, but on the other hand you don’t review all the players in the market. why? are you implying that macrovision’s software does not suffer from issues? or that they don’t install anything either? sorry to disappoint you, but they do.

    ok, for the technically challenged:
    if a hacker *really* wanted to get something onto your system they could, and they wouldn’t need MediaMax or SunnComm’s supposed evil scheme to do it. however, why would they want to? to look at your bills? porn? steal your brainwaves? jeez…

    remember where *your* last virus came from? i do, microsoft outlook. does that mean that i need to now yell at MS for allowing a virus to be sent? must be a security risk eh?

    give it a rest already…

  43. Neil, the workaround is to get your music onto an iPod. Apple’s DRM is locked up and they have not let anyone else in. So, only itune songs or CDs ripped into itunes can be placed on the iPod at this time. As soon as Apple gives the go ahead, this problem will be solved and you will be able to move protected songs directly to your iPod.

  44. what exactly does posting the ‘prospectus’ of SunnComm/MediaMax actually have to do with the music or the software you’re supposedly ‘testing’? just curious..

    In deciding the threat implied by a security weakness, it is often worthwhile to ascertain the state of mind of the person or persons creating the weakness. In particular, did the person:

    -1- Deliberately create the weakness, in which case one must be on the lookout for other weaknesses the person planted and hid.

    -2- Create the weakness as a result of gross negligence or cluelessness, in which case the person’s other efforts should be examined, but for other signs of sloppiness rather than of covert tampering.

    -3- Create the weakness as a result of a typo or other such one-off mistake.

    The prospectus makes clear that Suncomm’s business model entails deliberately putting their malware on the machines of people who do not want it; Suncomm apparently thinks they have the right to install whatever malware they want on whatever machines they want. Given that, it would hardly seem unlikely that Suncomm would leave open back-doors that they could use for additional software “upgrades”. Indeed, I would suggest that any uninstaller and “security fix” tools they provide be regarded with extreme caution, since it would be easy for such tools to enable other back-door methods of system intrusion, and the prospectus would suggest Suncomm would have no objection to using such techniques.

  45. the zapkitty says

    A correction:

    the zapkitty wrote:

    “Because what Sunncom wants you to copy is not the actual CD tracks… instead they want you to copy the heavily restricted, proprietary, compressed, and lower-quality copies of the actual CD tracks that the malware will shove at you in the place of the legitimate cd tracks… if you let it.

    These pseudo-tracks are stashed on the disk in the same area the malware is… “

    Apparently that was the old version of Mediamax… the latest version claims that these crippled pseudo-tracks are now created on-the-fly from the legit tracks…

    So the EULA is for the malware and crap audio tracks that doesn’t even exist unless you let the malware run its course?

    Still a valid question, methinks… 🙂

  46. the zapkitty says

    Neil wrote:

    (re: Sunncomm’s continuing advocacy of DMCA violation)

    “If if doesn’t prevent you from making copies for personal use, what’s the workaround for exactly?”

    Because what Sunncom wants you to copy is not the actual CD tracks, which would be perfectly legal to do under those circumstances… instead they want you to copy the heavily restricted, proprietary, compressed, and lower-quality copies of the actual CD tracks that the malware will shove at you in the place of the legitimate cd tracks… if you let it.

    These pseudo-tracks are stashed on the disk in the same area the malware is. They add no value to the CD for the user.

    In fact… could it be that the EULA, if even remotely valid (% snowball > hell), would only apply to those pseudo tracks and not the actual CD tracks themselves… ?

    (The zapkitty looks inquiringly over at Bruce Hayden… 🙂

  47. Ed,

    what exactly does posting the ‘prospectus’ of SunnComm/MediaMax actually have to do with the music or the software you’re supposedly ‘testing’? just curious..

  48. “saltydogmn, what you describe is completely legal and can be done with MediaMax on board. If your choice for mp3 players is an iPod, then there is a workaround. If the work around is a problem, then take it up with Apple. MediaMax does not prevent you from making copies for personal use.”

    If if doesn’t prevent you from making copies for personal use, what’s the workaround for exactly?

  49. the zapkitty says

    Kayliegh, don’t blame these folk.

    The problem lies with Sunncomm, one of the two “hatchetmen” companies hired by Sony to do the dirty work on Sony’s grab for control of the user PC when it comes to music.

    Sunncomm… and investors who are puzzled, investors who are asking questions that Sunncomm cannot afford to have answered, and investors who are increasingly angry as they realize that they have been lied to nonstop by Sunncomm/Mediamax.

    http://www.geocities.com/zapkitty/

    By the way, WP-Hashcash is being extroverted again…

  50. Kayliegh Enco says

    I’ve just been Terminated.

    Fired, due to outsourcing.

    My employer doesn’t want to pay me to perform a job that others perform for free.

    I’m a highly paid professional stock basher. I’m paid by MM’s and hedge fund’s to give the smackdown to certain companies on stock chat boards. Then Prof. Felten and Mr. Halderman come along and crush my assigned target for free. Now I’m out of a job. How am I, a 60 YO transvestite, supposed to pay for my sex change operation now?

    Thanks a lot guys.

    Love and kisses,

    Kayliegh

    p.s. I hate you!

  51. the zapkitty says

    Anonymous Wrote:

    “saltydogmn, what you describe is completely legal and can be done with MediaMax on board.”

    And it is perfectly legal to do it while ignoring the malware on the CD and NOT letting it install on your PC.

    You can have both the music in a high-quality rip, and a complete lack of Sunncomm spyware… legally.

    By far the most attractive option 🙂

  52. Sadly enough for Sony/MediaMax/SunnComm there is an effective (but not easy) way to remove their intrusion into our systems. We just wipe and install Windows fresh. After I spent three hours trying to fix (what I thought at the time) a simple Windows glitch; instead it turned into the old reinstall Windows and all your software mess. Had I known beforehand that my daughter had bought a new CD, it might have occurred to me that this was “other trouble”. Thank goodness I had set up multiple partitions for data, music, and pictures separate from the OS – she only lost her DRM.

    Sony and the rest of the big media giants – it’s my computer, stay the fuck out!

  53. the zapkitty says

    Sunncomm… It Is As Always

    That is, Sunncomm is lying again. The iSec Partners report explicitly states that the Mediamax vulnerability is remotely exploitable. No ifs, no ands, no buts… so what does Sunncomm tell the victims of its malware?

    Sunncomm lies, of course:

    http://www.sunncomm.com/support/faq/

    #7. What is the technical nature of the security vulnerability in SunnComm MediaMax Version 5?

    A local privilege escalation vulnerability exists which could allow a locally logged on user to gain higher privileges by overwriting certain files used by the installed MediaMax software.

    Way to go when you’re headed for court, idiots.

    Y’know… Sunncomm/Mediamax seems to be trying to prove it’s possible to try to cover one’s ass so tightly that one dies from the resultant impacted colon…

  54. saltydogmn, what you describe is completely legal and can be done with MediaMax on board. If your choice for mp3 players is an iPod, then there is a workaround. If the work around is a problem, then take it up with Apple. MediaMax does not prevent you from making copies for personal use.

  55. “I guess I am one of the “Sunncomm” shills you folks are criticizing in your posts. I could care less what label you give me, the fact is people here just like to whine about copy protection. The funny part is that I bet each and every one of you “whiners” have at some point in time copied or ripped a disc from a friend or even given a friend or relative a copy of your own music CDs (this is all illegal by the way).”

    Steve K:

    So your whole argument is based on the idea that everyone is a criminal? And on top of that you believe that your misconception makes it right to install spyware in other people’s computers? (which is illegal by the way)

    So what on earth happened to being innocent unless proven guilty? Does it not matter in your own personal little world?

  56. Boy, I thought it was fun bashing the “ESL” Sony shills at the SNE Yahoo stock board… I had no idea SunnComm would be unleashing their own shills here!

    I have just one question for said shills; how is it illegal for me to rip music I PAID FOR, into an mp3 file, and place them on the mp3 player of my choice?

    Guys and gals of SunnComm, get a clue – it’s a PLAY button, not a PAY button.

  57. I too looked at the Windows certification of the SunnComm product, and after digging through a lot of MSFT pages, all I could determine was that it installed and ran on the various Windows versions and doesn’t do anything bad to Windows itself (which is why the First 4 DRM product shouldn’t qualify). But nothing beyond that. Nada.

  58. 1) How many people’s computers get hacked because of Windows?

    2) How many people’s computers get hacked because of the Internet?

    3) How many thousands of other software vulnerabilities have caused peoples computers to get hacked?

    4) How many people’s computers got hacked because of MediaMax?

    Ok, in the entire scheme of things, the SunnComm code probably didn’t result in that much hacking. And, yes, MSFT code is notorious for this sort of thing, and indeed, it is to some extent, vulnerabilities in such that bring us to where we are right now. After all, if MSFT hadn’t left gaping security holes in Windows in the first place, Sony, et al. wouldn’t have been able to install their DRM code in the first place, and it wouldn’t have been nearly that bad.

    But that doesn’t get SunnComm and Media Max off the hook. They had installed on potentially millions of computers software that was not agreed to. You might want to look at my article on Trespass to Chattels.

  59. the zapkitty says

    Steve K Says:

    “I guess I am one of the “Sunncomm” shills you folks are criticizing in your posts.”

    The surprise is overwhelming. Really.

    “…. just as you would expect from any windows software program that is certified.”

    That again.

    You are referring to this, of course:

    http://testedproducts.windowsmarketplace.com/item.aspx?idItem=1ce9faac-4ccb-a566-c539-a2e49be380b4

    Sunncomm shills seem to believe that that MS certification somehow makes their covertly installing malware “ok” in some way… but then Sunncomm shills seem to believe a lot of strange things.

    I know it’s going to come as a shock to you, but all that “windows certified” tag means is that MS sorta not really guaranteed that Sunncomm’s Mediamax spyware will run on the Windows version it is certified for.

    And that’s all it means.

    And MS even tells you as much right below the “Compatible with” listing:

    “Microsoft makes no representations or warranties regarding the merchandise, manufacturers or compatibility of the merchandise depicted or described.”

    Time to find yet another straw to grasp at.

  60. Joe Starr

    Your maricopa court url doesn’t work – but it appears to be a problem with their search engine. I also tried to check on my girl friend’s litigation there, as I do every month or so, and it doesn’t work either.

    That said, that Media Max and/or SunnComm are not parties to any of these DRM lawsuits against Sony is not that relevant as to their ultimate liability, and thus, arguably, as to whether or not they should report this in their next SEC filings (in the case of Media Max).

    The thing is that while they may not have direct liability to third parties buying the Sony CDs (and then again, they might), they are most likely, esp. Media Max, to have potential liability to Sony. Unless the Sony attorneys negotiating the contracts with these companies were brain-dead, it is likely that Sony got an indemnification from them. At worst, the contracts could have been silent – which would mean that they would be liable to Sony for negligence, etc. It is highly unlikely that they sold or licensed the code to Sony “as is” or without warranties.

    Who has responsibility for this sort of thing is almost always a power game – with the party with the least power (typically the smaller company) taking financial responsibility for products sold to or bought from the more powerful (usually bigger) company. I say this from experience – from negotiating a lot of contracts and licenses between companies, and by now, I am pretty good at guessing at which party is going to have the liability in case something goes wrong based on the respective negotiating power of the two companies involved.

    Here, of course, you have one of the biggest companies in the world negotiating with companies with at best a fraction of Sony’s value and market power. That Sony utilized two different DRM vendors indicates that they were the ones with the power, and were most likely playing the two companies off against each other. In any case, Sony’s business was much more important to Media Max than the reverse.

    Let me add the obvious – that if Sony loses any of these suits, and goes back on the DRM vendors, as is probably their legal right, said DRM vendors would most likely be wiped out.

  61. Steve K,

    What’s your definition of “hacked”? Does it include the installation without notice or consent of unwanted software that interferes with lawful uses of the computer?

  62. Whether or not it is a bug or intentional makes no difference to me at all; I still don’t want them on my system.

    I simply don’t trust software that fails (ie. “has a bug”) in the only portion of the code that interacts with the end user, at such an absolutely critical time, and provides no tools whatsoever to remove itself. Those tools require going to the web and downloading the uninstallers (which also might contain bugs).

    There is no guarantee that the “minor” and well hidden changes to the drivers of my computer won’t be an issue in the future. For example, upgrading to another operating system would very likely overwrite the current drivers with new ones, and there is no reason to believe that Sunncomm CD’s as they exist in the market today will work/install properly in Vista or other future operating systems. That means that the disks have a very, very short lifetime in our house compared to “standard” CD’s that don’t suffer from these issues. For that matter, what if the CD-ROM manufacturer issues a new driver which bypasses the sunncomm one without me even knowing? Am I still criminally responsible even though I didn’t even know what sunncomm does or why it’s there? Ignorance is no defense under criminal law, is it?

    One problem I have is with the entire law regarding when I am permitted to remove this software, and when not. It sounds to me like it’s “once you have it, you need to be sure you never remove it”. That means no more reformats (very, very frequent occurrences), and no upgrading of operating systems, and no dual boot systems since those clearly bypass the sunncomm “protection” installed on another instance.

    The easiest choice is to make no choice. Buying a Sony product requires me to make a choice, therefore it’s rejected. It may, or may not, contain clear labelling on the outside of the box indicating sunncomm is going to be installed. At least one title suffers from this further “bug” in the manufacturing process.

    There are other alternatives if you want to purchase the artist’s music legally. When we say no to buying a CD these days, it’s much more than saying no to the artist. It’s saying no to some well hidden sub-contractor hired by a branch or sub-label of the label with whom the artist signed a contract. I like simplicity when I buy music. I like to say “ooo nice song! Here is my money”, and live happily ever after. That’s simple. Sony’s system isn’t.

    Also, is making a backup or a “fair use” copy of a legally purchased item legal? It sure sounds so, based on copyright specific websites. So, if I purchase a copy of a CD but fear the copy protection, can I not just download an image of the CD from the internet? What’s the difference between that and the identical image I get from the songs on the CD? Where is the law in this regard? It sounds like the *manner* in which the “fair use” copy is made might be the critical issue rather than the copy itself, yet I don’t see why that should be. If I bought a CD but it got scratched on entry into the drive, thereby damaging only one song, can I not download that one song as my backup and still “be legal”?

    From my perspective illegal downloading is when you take something you didn’t pay the copyright holder for. These cases are not like that though, since I have paid the copyright holder.

    Why can’t I simply register my CD with the record company the day I bought it, as an optional process? That builds communication, trust, and a positive business relationship. Does that exist using the sony/sunncomm/first4internet systems? Not at all. Those DRM systems are negative in nature; they assume the worst by their very nature and provide no tools for the honest consumer and several negative features (such as completely invalidating their ability to say no to the EULA). Why is it that I am under constant scrutiny of their “polling” ever after?

    Also, does copyright pertain to the specific media it is delivered on? Is it copyrighted specifically for CD rather than for tape or LP? Is owning one of those (i.e. a cassette tape) what makes it legal? I paid for use of the copyright of that music, what difference does it make if I also have it on CD then? And, is this law the same in all states, provinces or countries?

    I think it makes a difference in that the DRM can actually be used to make it so that you need to buy a CD specifically for a Windows version (i.e. possibly Windows 95 to XP, but not Vista). Is that really what I bought for my CD purchase? If it is, that’s fine but it should be CLEARLY identified what the expected lifetime will be of the product before I buy, since non-copy-protected CDs have a much, much longer expected lifetime of use.

    It’s not comparing apples to apples anymore.

    Sunncomm also seems to be confused as to who it’s selling to. The end user of their software has a very different perspective of what’s right and fair than the company that paid for the work to be done. Yet, sunncomm thinks we should all get along. There has been a very long history of mediation between the copyright holders and the public. Sunncomm wants to sell to one side, and expects the other to be happy (or, at least to shut up and accept this situation quietly in ignorance, and certainly not to hold the software up to critical inspection).

    I don’t think that is a fair way to mediate such a long standing battle. It’s declaring victory by the use of hidden tools, and we know they are intentionally hidden since sunncomm’s corporate Prospectus tells us so.

    I don’t trust sunncomm and sony with my rights as those rights have existed in copyright law up until this time. I don’t believe sony works fairly, I don’t believe they work in my best interest, I don’t believe this will be a long and happy relationship; in summary – I don’t trust them.

    They also don’t appear to trust me. I think that is a fair assessment, since they are hiding software on my system and tracking my usage regarding items I have already purchased from them, they are not open and honest about what data is being transmitted, and they do not have a clear policy in this regard at their website from what I can see. I think it’s fair to say that they don’t trust their customers. That’s why they think we steal 22 billion dollars a year from their pockets, and state so in their business prospectus.

    So, we have a situation in which neither party trusts each other.

    Why should those parties be in business together? Is this not a situation that will only get worse? And, why is it a strong possibility that it’s illegal for me to withdraw from the situation by removing the software from my computers, burning the disks, and kissing my money goodbye? Why is even THAT illegal?

    It’s far, far safer to simply say “no” up front, and then decide when the time is right to go into business with sony/sunncomm/first4internet. All this fuss just to listen to music that is often available by radio.

    The biggest issue I have with sunncomm software is that it is based on the assumption that everyone needs policing, and that they should be the police. Someone out there will figure out that the positive way to handle this is the more powerful, and I prefer to use their software, thanks.

    If a competitor of sunncomm implements a similar system, will these two coexist on my computer? Will new defects be obviously attributable to one or the other? How does staying hidden help me locate bugs? And, why are you only going to refund me up to $5 for all these problems? Why can’t I say “This is an astonishingly bad deal for me, in every possible context, and I want out”?

    The sunncomm people are irate that websites like this one “take a close look”. But, didn’t the president of SonyBMG make the statement that users who don’t know about root kits shouldn’t care about them? Isn’t he saying that he wants/expects/prefers/caters to ignorance? Not all of us wish to live in a world of blind ignorance; some of us ask questions, and sometimes those people are university professors or lawyers. If you don’t want it scrutinized by the public, then remove it from sale to the public. Or are the sunncomm people saying that university professors are not part of the public? You see why I get confused.

    Just because one particular product is under scrutiny does not mean that all products must also be under scrutiny at the same time, or by the same people. There are plenty of universities to go around.

    Why does any company fear a close examination of their product? I believe it is because they fear what might be found. So far, bugs have been found, and significant ones at that. Sure, sure, they say they are minor ones, but they were only found because of close inspection and they were only fixed because of pressure to do so. If they had never been publicly found out, would Sony have ever released a “fix”? Sunncomm and Sony might say yes, but the problem is that they can’t say when that would have occurred, and it requires a level of trust to believe it would have been so. Yet, they don’t come into the business relationship under a sign of “trust”, do they? The entire issue exists purely because of lack of trust on their part. If they trusted the purchaser of the CD, it wouldn’t need the DRM (like many Sony competitors do).

    Those CDs are continuing to penetrate the market, since they haven’t been recalled and still have issues regarding essential features such as the acceptance of the EULA contract. Yet, here is an ex-sunncomm developer who clearly identifies this issue as a bug. So, we know a defect exists and that defect makes it unclear if the person ever agreed. It’s in Sony’s best interest to recall these disks and at the very least replace them with an updated EULA/sunncomm install that functions properly.

    Why is it so critical? Because Josh also says that the upgrades go into the system via previous EULA acceptance … which never occurred in these cases. “Upgrades” are being pushed out without any form of user acceptance, either originally or subsequently. Can Sony tell the difference between the ones that went in via acceptance vs decline? If not, how can they claim to have been authorized?

    Sony is counting on further consumer ignorance to further penetrate their DRM, knowing it is faulty. They claim it’s faulty, yet the prospectus says otherwise. You get the sense of “officially faulty” and privately “acceptable”. They can have that attitude anywhere except on my property. If the software is faulty, and the manner of its fault removes rights or imposes failures onto a consumer’s system, those disks should be recalled so that Sony minimizes damage.

    But, this doesn’t sound at all like a company looking to minimize damages to their clients … it sounds like they want Mr. Felten to shut up, and stop giving reasons why consumers should be questioning what goes into their computers, and making a rational & informed decision after reviewing the situation. Especially given that you are required to give away all right to say “no” in the future. Can’t say no to sunncomm upgrades, can’t say no to removing DRM software on your computer, and can’t say no to the original agreement.

    Clearly, sony doesn’t want us to say No. The only time we ever can say no, is before we buy.

    Smart users will be able to look for the strange little trail that leads to the Sony web site and know when to download a viable patch (and when to avoid ones that make it worse). Nothing is simple though. That’s what Sony is banking on: users who are ignorant of issues such as root kits, ignorant of their previous rights, ignorant of the implications of the EULA, ignorant of new copyright laws being made. Just plain ignorant.

    That’s fine, Sony can target that market … but as I have said I am not one of them (or, at least, I try not to be). So, I simply avoid sony/sunncomm/first4internet. I somehow get the feeling that this particular perspective is even more “ignorant” to Sony since I am making a wide and sweeping decision based on a few facts. Yet, to me they are powerful facts.

    Stay out of my computer, sony/sunncomm/first4internet. You are not wanted here, not greeted, and not respected.

    Can we submit our own version of a EULA to Sony? One that says that unless we are given full information, we consider whatever tactics they use to force a EULA on us as pre-declined? Why should Sony be the first one to have a EULA? I need a EULA to protect my own intellectual property that exists on my computer (something sony/sunncomm has access to if they have their DRM on my computer and use it to inspect more than they clearly state as their limits, should they wish to “inspect” my system for “information”). This forces me into a whole new realm of “trust” that makes me uncomfortable, to say the least.

    Sony never clearly and publicly states exactly how far their DRM systems invade our computers, or what information is extracted. We have to trust them, when they place no caps on the extent of their invasion. Sony needs to clearly and formally define what information is being removed from your system and sent back to them, and they need to make that publicly verifiable. They could make the communication system open source, so everyone knows what data they are sending back.

    They are clearly saying they intend on being “hidden” to the end user, yet don’t place any formal caps on what information they take. Doesn’t that leave them open to suspicion if a competitor’s private information becomes public? How many Sony competitors are comfortable knowing their computers might have these sorts of sunncomm systems on their development computers? Isn’t it a very wise choice to simply ban these DRM CDs from the workplace?

    I think businesses really need to say no, and have the right to say no, to the EULA and be able to override an employee who accepts it out of ignorance. Or, as in the sunncomm case, declines it out of knowledge of the implications. In either case, the business now has their competitor on their computers. The only possible safeguard they would have is the open publication and commitment Sony makes regarding what information EXACTLY is being removed by each version they create. Oh wait, there isn’t any.

    Yet, we must all blindly trust sony/sunncomm.

    This is a really bad deal for everyone except sony/sunncomm/first4internet, and I say No.

  63. I guess I am one of the “Sunncomm” shills you folks are criticizing in your posts. I could care less what label you give me, the fact is people here just like to whine about copy protection. The funny part is that I bet each and every one of you “whiners” have at some point in time copied or ripped a disc from a friend or even given a friend or relative a copy of your own music CDs (this is all illegal by the way).

    I have a few questions for all the people that have been “saved” by Felten’s and Halderman’s research:

    1) How many people’s computers get hacked because of Windows?

    2) How many people’s computers get hacked because of the Internet?

    3) How many thousands of other software vulnerabilities have caused people’s computers to get hacked?

    4) How many people’s computers got hacked because of MediaMax?

    The whole premise of this website “Freedom-to-tinker” is Hacker friendly in my opinion, hackers love to tinker and work their way around copy protections. Heck, Felten enjoys listing workarounds to Mediamax’s products, but not Macrovision’s for some reason, maybe he is one of the “Hackers” he is “saving” all of you from??

    The fact is with a MediaMax disc, nobody has had their computer hacked and any security issue has been addressed in a timely manner, just as you would expect from any windows software program that is certified.

  64. I agree with sm. I had no problem deleting all those files on my XP laptop, once I figured out where they were stashed.

  65. Josh,

    I’ve seen that article before and it’s not talking about rootkit methods at all. The desktop.ini file tells Explorer to display a higher level abstraction (such as a list of sites visited in the Internet cache and the time they were visited) instead of the actual files in the folder (which have names that look like gibberish and aren’t informative to the casual user). In any event, this technique only hides files from Windows Explorer. It does not interfere with the kernel. It does not hide files from the Win32 FindFirstFile/FindNextFile APIs, and would not hide malicious programs from antivirus software. If you go to a command prompt (Start | Run and type “cmd”), you can view the files yourself.

  66. I do agree that the SEC filing is not definitive as to intent. Ultimately, it should be obvious one way or another from the code. Of course, since courts rarely have experience in reading code, experts will be utilized, and that leaves everything open to hiring the most articulate expert.

    Nevertheless, the SEC probably is sufficient, in and by itself, to push the burden of proof back onto the defendant(s). This means that instead of the plaintiffs having to look through the code to find out whether or not it was intentional, the burden may indeed move to the defendants to show through the code that it was a mistake.

  67. I think that the underlying problem is just the same, no matter how pro-drm people try to dress it up. For reasons well aired, the red book standard did not cater for copy protection, and it is not possible to retrofit copy protection whilst maintaining that standard, unless the user is hoodwinked into installing software on their own computer which, given an informed choice, they would not do.

    That is why the road to copy protection leads to spyware methods.

    The expression “spyware” is defined differently in various places, and it is all too easy to select a narrow definition, and then argue that this cp or that cp is not spyware.

    I think the starting point is to define “spyware” as per in the Wikipedia article:

    “Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer’s operation without the informed consent of that machine’s owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer’s operation for the benefit of a third party.”

  68. To clarify an earlier comment I made: “What Mr. Felten has posted today should be proof enough that SunnComm intended MediaMax – indeed, DESIGNED MediaMax – to install and run in perpetuity regardless of any user consent. This is of course, equivalent to the statement “SunnComm designed and intended MediaMax to break the law and violate the rights of consumers who declined the EULA.” ”

    It is not speculation that MediaMax installs without consent. However, it may be disputable, perhaps with internal company records that this behavior was, in fact, a bug. After reviewing SunnComm’s SEC filing, I don’t quite buy this. However, to state unequivocally that MediaMax was designed to “break the law and violate the rights of consumers who declined the EULA” would, at this point, be a step too far.

    I’d like to hear SunnComm’s side of the case on this. Is it possible to clarify the SEC filing to show that this was a bug and not a design decision?

  69. Rockincatdaddy says

    Anyone contacted attorneys general for states that have already filed suit against Sony’s other work of art? Seems like the sooner the suits are filed on MediaMax the sooner we will get a real uninstall program.

    Don’t lose sight of the fact that this is a boycott-Sony Christmas.

    Thanks
    RCD TCB

  70. Anon (2 back)

    “They have already collaborated with Antivirus companies to ensure they don’t get redflagged as a virus.”

    Have you any proof of that? (BTW, in case you think my question is because I am a SunnComm troll, I am not. I think the company is corrupt from a business and ethics point of view, as well as being responsible for badly written code that endangers users’ systems.)

  71. In reply to Joe Starr:

    I agree that Josh was the only person affiliated with SunnComm to date to have actually said something of at least mild value on this blog. Like yourself, I have a certain respect for that. So, thank you, Josh, for at least trying to think and write objectively.

    Unfortunately, some of Josh’s comments are just plain wrong. Specifically, the first section I quoted from his post reads:

    “This program would run but not be installed unless the user agrees to the EULA. The EULA language itself is a part of the technology, as it states it allows perpetual updates. You may already have MediaMax installed and be prompted with the EULA again by a new CD; declining it does nothing as you’ve already agreed to the perpetual updates from the older CD.”

    What Mr. Felten has posted today should be proof enough that SunnComm intended MediaMax – indeed, DESIGNED MediaMax – to install and run in perpetuity regardless of any user consent. This is of course, equivalent to the statement “SunnComm designed and intended MediaMax to break the law and violate the rights of consumers who declined the EULA.”

    Josh – unintentionally or intentionally – gets that fact wrong. And on that point, at least, I believe that he needs to be corrected.

  72. IANAL.. but IMHO..

    MediaMax invades your computer without any consent at all and from a source you would not expect: an audio CD. I don’t care if it’s a bug. SunnComm are liable, regardless. It should be regarded as a class of malware for that ‘feature’ alone:

    System Invader – Malicious software that automatically installs without the user’s consent.

    “The software is designed to be completely invisible to users, programs and system components.”

    This is malicious intent and totally undermines all security that the owner and system administrators may have put into place on the host system.

    FYI: Windows XP 64bit edition and Vista will not allow kernel hooking that made the XCP rootkit possible.

    Windows Vista will also not allow the installation of drivers that lack Microsoft’s digital signature without the consent of the user complete with a scary warning message.

    I wonder how the malware vendors such as SunnComm and F4I will crack Windows in their attempts to force their product down your throat. They have already collaborated with Antivirus companies to ensure they don’t get redflagged as a virus. They will probably attempt to negotiate with Microsoft-

    “Our software is not bad. We are the good guys. We love users. We want to bring joy to them by spreading our software and enhancing their audio experience. We don’t need to take any credit. For ease of installation we would prefer to remain *ahem* undetectable. Our little secret. What do you say, Steve? Just sign our drivers..”

    From Mark’s blog: http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

    “1) Drivers can be installed/overridden/bypassed in such a way as to bypass the driver signing check. Would this not indicate that driver signing is essentially useless?”

    Yes, the drivers are unsigned and installed in such a way that Windows never checks for a signature. Note that my ctrl2cap keyboard filter driver also gets installed without a signing check because of the same loophole. Vista will close the hole.
    # posted by Mark Russinovich : 4:13 PM, November 12, 2005

  73. To Bruce Hayden

    “I am not a securities expert by any means (I haven’t done anything in that area since I took a class in law school), and this isn’t legal advice, but, yes, I think that both companies will have to disclose this in the SEC filings. ”

    Neither SunnComm nor MediaMax Technology Corporation are defendants in any of the lawsuits, so I would not think there would be a requirement to file.

    SunnComm itself is a non-reporting company so even if they were party to one of the lawsuits, they still would not have to file that with the SEC. In fact SunnComm are currently defendants in several lawsuits (unrelated to DRM) and have not filed with the SEC declaring that fact. Here is a link to those lawsuits (AZ only).

    http://www.superiorcourt.maricopa.gov/docket/civil/caseSearchResults.asp?lastName=&FirstName=&bName=sunncomm&x=86&y=6

  74. Sorry “to date” not “to day”

  75. Andrew,

    Give Josh a break. He already stated that he is an ex-SunnComm programmer. He also stated that the install against the user’s wishes was a bug.

    He is the only SunnComm related person to day that has made any attempt to talk rationally about the issues. The rest have attacked the integrity of Alex and Ed or have ignored the points raised in this debate and called anyone who criticized the implementation of MediaMax a pirate lover.

    At least Josh argues intelligently.

  76. The question is: Did they break the law when taking the law into their own hands? That’s for the courts to decide. It’s going to come down to the definition of what is ‘install’ vs ‘run’ vs ‘terminate & stay resident’.

    There are some other issues to consider. Will this software actually make money for Sony? Since it only impedes the most casual of pirates (the PC-using pirates that don’t know how to disable autorun), file-sharing piracy will continue unabated. On the other hand, it will make life more difficult for the casual user who wants to (say) rip an MP3 party mix, or a throwaway for use in the car. There is no way that anyone can claim that this makes Sony’s product better for those users. So what’s in it for Sony? Why should they use this product?

    Furthermore, other parties (e.g., Microsoft) have an incentive to disable this software. This sort of copy protection makes people (you can see remarks in the comments above) grumble about getting a Mac instead. Some of them will. Furthermore, the sort of things that Microsoft could/should do to prevent installation of spyware and rootkits, will also prevent installation of these copy protection programs. Sure, they are “not rootkits”, it’s just that they do things that rootkits do.

  77. Josh says: “This program would run but not be installed unless the user agrees to the EULA. The EULA language itself is a part of the technology, as it states it allows perpetual updates. You may already have MediaMax installed and be prompted with the EULA again by a new CD; declining it does nothing as you’ve already agreed to the perpetual updates from the older CD.”

    My analysis is: Josh is either a “somewhat-better-mannered” SunnComm troll, or just doesn’t know what he’s talking about.

    We’ve known since November 28th, 2005 [i.e., over two weeks ago, see http://www.freedom-to-tinker.com/?p=936 ] that MediaMax installs without any kind of consent. You can decline the EULA, reboot your computer, and then re-insert the CD and have MediaMax set itself to run perpetually, all without consent. This completely negates the above-quoted text, because, well, I didn’t agree to any EULA, and I didn’t agree to perpetual updates – but I still got MediaMax on my computer.

    I can’t emphasize how nefarious this is! If companies like SonyBMG expect people to respect their property, they had better respect the property of others. You can’t waltz around claiming that I have agreed to a contract that I haven’t agreed to. You can’t claim that because I spent $1000 on a computer, you can install any software you like on it. My computer is my PROPERTY – i.e., mine. I get the final say on what is installed. You took that right away from me, and I’m not particularly happy about it.

    Normally, I would expect someone who utterly violates the spirit of contract law (which is an extremely important brethren of copyright law – our system of copyright law would be entirely gutted without contract law) as badly as SonyBMG and SunnComm have to be either a hardened criminal or a con-artist. I hope both companies are roundly punished for behaving in this manner.

    To further critique Josh’s comments: “Shooting the messenger (DRM companies) won’t get you anywhere in the long run. As long as there exists content there will exist premium content, and the only thing that will keep it premium is copy protection technology.”

    I agree that the unprecedented power at the hand of consumers of copyrighted content probably warrants some kind of (ideally government regulated, standardized, balanced) controls, either directly on the distributed content, on computer operating systems, or on the infrastructure of the internet. (I also think that the idea of “perpetual copyright” is terrible: see Lawrence Lessig’s “Free Culture”.) It is just too easy for just about anyone to illegally distribute just about any kind of “electronic good” today. However, I would contend that the reverse of what Josh claims is happening is occurring: the messenger is shooting ME!

    Here’s what I’ve learned from the SonyBMG fiasco of XCP and MediaMax (as well as from the excellent research and commentary of Mr. Felten, Mr. Halderman, and Mr. Russinovich): our current generation of “active protection DRM technology” violates the consumer’s basic right of control over his/her property. In other words: if you really do intend to stay in the DRM market after all of this, it’s time to go back to the drawing board, SunnComm.

  78. Mediamax Victim says

    There’s a great opportunity here. How about a little resident program that blocks shitbag code like Mediamax from loading onto the computer. You’re not bypassing the protection–you’re blocking the shitty infection.

  79. Thanks for the clarity Josh.

  80. Yes, until that’s sorted out, Sony and Sunncomm stay out of my system. After it’s sorted out, they can still stay the hell out.

    Your music just isn’t worth the fuss.

  81. sm –

    And hiding only “your” code may be harder than you think–how do you tell what’s yours and what isn’t? How do you prevent a third party from spoofing MediaMax software and hiding under the rootkit? What happens if the MediaMax binary gets infected by a virus and the AV software can’t find it to clean it …

    http://www.fuckmicrosoft.com/content/ms-hidden-files.shtml

    Microsoft themselves do it, and that ‘rootkit’ can’t be uninstalled. What’s to keep a hacker from hiding their virus files in those directories? I’m not trying to say it’s right, but I don’t think DRM should be singled out for doing it either.

    —-
    * Regarding your statement that “delcining [the EULA] does nothing as you’ve already agreed to the perpetual updates from the older CD.”, this is incorrect, as it’s been shown that the software will install and run even if you never accept the EULA.

    That’s a bug. It only happens if you take the exact steps documented. Switch the versions around and it doesn’t work. Reboot at different times and it doesn’t work. IIRC only a few releases had that bug so it was pretty much a non-issue. Only somebody like Alex testing the EULA functionality would come across it. It had been fixed in later versions, but instead of recalling the CDs, the fix was to send the removal tool if anybody complained. Again the likelihood of that happening in a real-world situation is pretty small.

    —-

    to Bruce –

    In short, what appears to be a case of taking the law into their own hands (as you almost suggest they did) may turn out and bite SunnComm / Media Max / Sony BMG in the tush by negating the EULA

    They are in fact taking the law into their own hands. That’s the point of ALL copy protection, is it not? To enforce copyright law? 😉 The question is: Did they break the law when taking the law into their own hands? That’s for the courts to decide. It’s going to come down to the definition of what is ‘install’ vs ‘run’ vs ‘terminate & stay resident’.

  82. DigitallyStoned says

    Ok… Installing their tools on my machine without my knowledge or consent. Isn’t that the definition of spyware anyway? I don’t agree with this DRM self-installing software and it’s the prime reason to switch to another operating system, such as Linux or even to OS X (yes, buy a Mac). It’s time that we stop letting these pricks try to install software on our machines without our knowledge. Not to mention, who’s to say that this software could even install itself on a corporate network with a strict policy enforced for user installed applications. I believe that would block the software from being installed and users could easily implement a user policy and still copy the discs just as before.

  83. TomCS

    I am not a securities expert by any means (I haven’t done anything in that area since I took a class in law school), and this isn’t legal advice, but, yes, I think that both companies will have to disclose this in the SEC filings.

    Part of the reason is that the pending lawsuits, plus any number of other potential lawsuits, are extremely material to the well-being of the two companies (and, thus, to any present and future investors thereof).

    Sony may not be so constrained to report this, both because of their foreign ownership, and that this is far less material for them, due to their worldwide sales in so many different areas.

  84. Josh,

    Thanks for the response. If what you say is an accurate representation of the thought process that SunnComm went through, I think that they may have not thought through the effect that installing the software regardless of assent to the EULA would do to the enforceability of the EULA.

    In the First 4 / XCP case, the argument against the EULA being made by the plaintiffs’ lawyers is that said EULA was misleading, not fully disclosing all that the small program being installed was going to do. In the SunnComm / MediaMax case though, plaintiffs have that argument plus the argument that since the DRM software is installing regardless of assent to the EULA, the installation is not a result of permission given by assenting to the EULA. And, indeed, if it happens independent of the EULA, it is likely that it happens before physical assent to the EULA, and thus the DRM software can’t be covered by the EULA.

    In short, what appears to be a case of taking the law into their own hands (as you almost suggest they did) may turn out and bite SunnComm / Media Max / Sony BMG in the tush by negating the EULA.

  85. Great research. But the real joy of it is that this shambles could not have happened at a worse time for the aggressive marketeers at SunnComm/Mediamax, since it must risk blowing their hopes of cashing in big on their toys right out of the water. Of course they are “shilling” like fury: over a million bucks in expected share sales must be looking a lot further away now.

    Incidentally (IANAL) are they now required to update their SEC filing to reflect new material facts – that they are in danger of being sued into non-existence?

  86. Josh,

    Your post is informative, and your point about “forever minus one day” copyright terms is well taken (though MediaMax has no way of turning itself off in 2160 or whenever a CD’s copyright finally expires). I just have a few comments:

    * A rootkit is a rootkit regardless of whether it trivially allows third parties to hide files (like XCP’s $sys$). It still interferes with the fundamental operation of the computer, potentially causing security or stability problems. And hiding only “your” code may be harder than you think–how do you tell what’s yours and what isn’t? How do you prevent a third party from spoofing MediaMax software and hiding under the rootkit? What happens if the MediaMax binary gets infected by a virus and the AV software can’t find it to clean it?

    * Regarding your statement that “declining [the EULA] does nothing as you’ve already agreed to the perpetual updates from the older CD.”, this is incorrect, as it’s been shown that the software will install and run even if you never accept the EULA.


  87. Indeed, they make an even stronger statement elsewhere on page 30:

    The software is designed to be completely invisible to users, programs and system components.

    This is an exaggeration, but it shows that they do aspire to invisibility. Which is interesting because the only way to be “invisible to users, programs and system components” is to use rootkit methods. So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit.

    Using rootkit methods and shipping a rootkit are two different things. A rootkit will hide any file you tell it, which makes it easily exploitable. When done correctly, using rootkit methods only hides your file. $SYS$ is definitely not done correctly.

    Ed, your bias can be so completely blatant at times that it’s hard to believe you’re genuine. The facts are damaging enough as it is that you don’t need to bias it any further. There is no spying in MediaMax, even the tech analysis disputes this, no more than Mac OSX phoning home ( http://dekstop.de/weblog/2005/12/osx_10_4_3_phoning_home/ ) so please quit calling it that. Malware would be a less slanderous term.

    In any event I worked at SunnComm because I believe in intellectual property and copyright even if the laws have been unfairly tilted towards the copyright holders. The imbalance between copyright and public domain is a separate issue from copyright violations and copyright enforcement. Shooting the messenger (DRM companies) won’t get you anywhere in the long run. As long as there exists content there will exist premium content, and the only thing that will keep it premium is copy protection technology. Copyright expiring 125+ years past the death of the artist is what’s broken, guys, not DRM (well, OK, maybe XCP, and the infamous MediaMax EULA).

    I never agreed with the install-before-the-EULA nonsense. I always thought it wasn’t worth the trouble it would cause if you could just hold the shift key anyway. Now look what’s happened… heh.

    The argument was that in the ‘grey’ area during the time when the EULA was displayed for the very first time and the CD was in the drive, the copyright holders were within their rights to run a ‘terminate and stay resident’ program that would run and protect their intellectual property. This program would run but not be installed unless the user agrees to the EULA. The EULA language itself is a part of the technology, as it states it allows perpetual updates. You may already have MediaMax installed and be prompted with the EULA again by a new CD; declining it does nothing as you’ve already agreed to the perpetual updates from the older CD.

    If the terminate-and-stay-resident program did not run, the user could simply open another program, rip the disc, and then decline the EULA. No matter how advanced the DRM technology became, it always could be defeated by the EULA requirement. The copyright holders therefore felt they were in the right to run it.

    There are examples of many other programs that continue to run in the systray when uninstalled, until you reboot. Their argument isn’t too far fetched, but again IMO it wasn’t worth the risk when you have the shift-key issue.

  88. It is currently illegal to circumvent the copy protection. But by removing the software from your computer, are you really circumventing copy protection? Removing the software from the CD, or cracking it on the CD would be circumventing the copy protection, but unlike DVDs the music on the CD is not encrypted. So you do not need to “crack” anything to play it. The CD isn’t even really “copy protected”. That’s why they have to trick you or your computer into installing their software. So arguably, by removing unwanted software from your computer, you aren’t circumventing anything. After all, there isn’t any “copy protection” on the content to circumvent. Someone tell me if I’m wrong here?

  89. John Costello says

    “More to the point, clearly the Sunncomm people here are saying that removal of their software is illegal. That, more than anything, means I don’t ever want to see them near my computer.”

    IMO, it shouldn’t be illegal to remove software that you did not agree to have installed. The law needs to be changed if it actually says that is illegal.

  90. The more these people post from SunnComm, the more I think I want to avoid them at all costs. The only reason I can see for their aggression is that this post hits a bit too close to home for comfort for them.

    SunnComm has issues in the marketplace, serious issues. It doesn’t want to be “spyware” but they are unable to define why they are not. They partake in all manner of activities that are spyware-like. We posted all of those in the previous threads.

    They are intrusive, unwanted, and only inflict their “protection” on legally purchased CDs. The pirated versions of MP3s are not at all affected by the SunnComm “protection”.

    More to the point, clearly the SunnComm people here are saying that removal of their software is illegal. That, more than anything, means I don’t ever want to see them near my computer.

    It’s my choice what software goes in; SunnComm is permanently rejected.

  91. Anonymous Howard says

    Just a request to the people genuinely interested in intelligent discussion:
    Please stop responding to the shills in this forum. It makes reading the posts much harder.
    If you really need to beat on these bb stock scammers, feel free to get yourself a RagingBull login and go spam their discussion boards (MMXT, SCMI) to your heart’s content.
    Also, congrats to Dr. Felten/Alex Halderman, not just on the excellent technical work, but also on the remarkable restraint demonstrated by not ip-banning the shills. It would only reinforce their paranoid delusions — after all, their speech is as free as yours or mine, if not as well-reasoned or honest.

  92. While I was out to lunch (for real, others say that I am perpetually out), Bruce Hayden posted my (planned) comments. Fortunately he is an attorney where I am not. Basically, this is an utterly amazing piece of detective work that clearly makes the activities of MediaMax knowing and intentional, the proverbial smoking gun every lawyer seeks. Who would think that an obscure filing with the SEC could be so useful? I hope that this information will make it into the various lawsuits that have been filed. Please keep up the good work.

  93. You SunnComm shills keep saying the same boring things over and over, and they aren’t convincing anyone. Give it a rest already and quit junking up the comment threads of what are otherwise informative and important postings for concerned computer and music consumers.

    I’d like to thank Ed and Alex for their work, since it is clear that the Sony BMG/SunnComm/MediaMaxes of the world don’t have our interests at heart, only their perceived profits.

  94. Anonymous:

    Felten needs his 15 minutes of fame. He has nothing else going for him.

    If you read his posts you will soon see he is anti-MMXT. If he is supposed to try and protect people from PC security loss, why then did he even go into the SEC filing?

    He should look at the software and then give us his reaction, which does not concur with the real experts in the field.

    I think both he and Princeton are on a slippery path heading down to what in my humble opinion may be legal action. It is easy to see he is really all about getting music free, and since it’s against the law to circumvent DRM he is guilty of preaching how to go around it.

    He has an agenda. Tell us, Felten, how much work have you done on microvision and its protection of CDs? Let us see some facts about mvsn……….remember now, some on the board of mvsn may be related to Princeton in some fashion. Is that why you have never completed a report as once stated?

  95. Mr. Felten you wrote…

    “MediaMax set off down the road of CD copy protection, and they ended up with spyware.”

    Please post a link to one spyware vendor out there that lists MediaMax as “spyware”, just one that includes mediamax in their spyware signatures.

    Also,

    How often does Microsoft certify “spyware”

    http://testedproducts.windowsmarketplace.com/item.aspx?idItem=1ce9faac-4ccb-a566-c539-a2e49be380b4

  96. Anonymous SunnComm investor,

    What exactly was inflammatory about Mr. Felten’s remarks? How do you make a driver “completely invisible to users, programs and system components” (SunnComm’s description) without using rootkit methods?

  97. You have got to be kidding me.

    “So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit.”

    Where is the correction of your statement that the program posed a serious security threat? It was qualified as a minor security threat by the security experts. It is sad when a representative of Princeton qualifies his research with inflammatory remarks not because they are true, but simply to promote his own agenda.

  98. Bruce,

    You’re right: “acknowledging” doesn’t express my desired meaning. I edited the post to remove that phrase.

  99. Ed, a tiny little quibble. I am not sure that “acknowledge” is quite right, rather I pointed some of the things out that you did here from the prospectus, plus one or two more. “Acknowledge” to me means that I take some responsibility for Media Max’s actions, and I most surely do not.

    That said, as an attorney, I can see the prospectus being almost a smoking gun, as to Media Max, SunnComm, and Sony BMG in the pending litigation. For one thing, they essentially admit that they intend to install the DRM software REGARDLESS of whether or not the Sony EULA was accepted. It was not an oversight or a programming mistake. It was intentional. Also, since it was intentional, I would suggest that the EULA for these thirty or so CDs is negated. Since acceptance of the installation of the DRM software was intentionally not tied to acceptance of the EULA, it arguably shouldn’t protect these companies from the effects of the software installation.

  100. Dennis,

    That’s an interesting thought, but the prospectus says the product is aimed at commercial music CDs. I don’t recall any mention of internal corporate applications.

  101. Ed – I wonder if failure to mention the lack of user consent in the filing might also be related to possible plans to sell this system to a corporate market for internal security purposes, a situation where “consent” is arguably less relevant. – Dennis