Inside the MediaMax Prospectus

Bruce Hayden writes that MediaMax, the company associated with the CD-borne spyware product that Sony has not yet recalled, recently filed a prospectus with the SEC in connection with an upcoming stock offering. In the prospectus, the company is required to describe truthfully its business plans and associated risks. MediaMax's prospectus is a window into the company's business practices. It was filed on November 4, about a week before we first reported the security and privacy problems caused by MediaMax.

There's more interesting material in the prospectus than I can cover here. Bruce Hayden describes some of it. You can read the whole prospectus yourself, but most of it is pretty dry. The most interesting parts are the discussion of business risks (note the conspicuous non-mention of security and privacy risks), and the description of the company's products. The product description is all I'll write about here.

Page 30 of the prospectus describes how the MediaMax CD copy protection product works. Remember, this is the company's own description of its product. Here's the core of the description:

When the disc is inserted, the auto launch feature will activate the MediaMax program on the second session. Depending on the DRM license implementation, this program is either activated directly or through another program. The program first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. The LMT Software controls consist of two dynamic link libraries. The controls are used by the MediaMax application.

Whenever the second session software is executed, the LMT Software controls will first determine if the content protection device driver is installed on the system. If not, it will extract it from the main LMT Software into a separate file and install it as a standard Windows device driver.

The driver first locates all CDROM devices installed on the computer. Then it polls each device to determine if a new disc has been inserted. If so, it reads various elements of the disc to determine if it is a MediaMax protected disc. It is important to note that the driver is completely idle (without any chance to affect the computer or CD/DVD drives), unless an actual MediaMax disc has been detected. Once detected, the driver will insert itself into the communication stream for that drive to prevent any non-authorized activities. While allowing the computer to access the second session and associated content without any limitations, the driver will interfere when applications try to access the first session only.

When the driver detects that the MediaMax disc is ejected, it will remove itself from the communication stream for that drive and switch back to the polling mode. Several enhancements have been implemented to make it very difficult to locate and/or remove the device drivers.

There are several things to note here. First, in describing the installation process, there is no mention of obtaining user consent, or of the possibility that the user might not consent, or of how the product would cope with a non-consent situation. The description is pretty straightforward: when the disc is inserted, they install the software. So the decision to install without consent seems deliberate.

Second, there is no mention of the phone-home feature, even though websites associated with the product talk about how the feature can be used to display third-party ads.

Third, they brag that "enhancements have been implemented to make it very difficult to locate and/or remove the device drivers." So the decision to resist uninstallation seems deliberate.

Indeed, they make an even stronger statement elsewhere on page 30:

The software is designed to be completely invisible to users, programs and system components.

This is an exaggeration, but it shows that they do aspire to invisibility. That is interesting because the only way to be "invisible to users, programs and system components" is to use rootkit methods. So it would appear that MediaMax at least planned to follow First4Internet's lead in shipping a rootkit.

All of this just confirms what I wrote on Friday about how the technical problems with CD copy protection lead vendors to adopt spyware methods. MediaMax's description of their own product describes software that installs without consent and resists detection and removal, along with an apparent plan to adopt rootkit methods. MediaMax set off down the road of CD copy protection, and they ended up with spyware.

Ed - I wonder if failure to mention the lack of user consent in the filing might also be related to possible plans to sell this system to a corporate market for internal security purposes, a situation where "consent" is arguably less relevant. - Dennis

Dennis,

That's an interesting thought, but the prospectus says the product is aimed at commercial music CDs. I don't recall any mention of internal corporate applications.

Ed, a tiny little quibble. I am not sure that "acknowledge" is quite right, rather I pointed some of the things out that you did here from the prospectus, plus one or two more. "Acknowledge" to me means that I take some responsibility for Media Max's actions, and I most surely do not.

That said, as an attorney, I can see the prospectus being almost a smoking gun, as to Media Max, SunnComm, and Sony BMG in the pending litigation. For one thing, they essentially admit that they intend to install the DRM software REGARDLESS of whether or not the Sony EULA was accepted. It was not an oversight or a programming mistake. It was intentional. Also, since it was intentional, I would suggest that the EULA for these thirty or so CDs is negated. Since acceptance of the installation of the DRM software was intentionally not tied to acceptance of the EULA, it arguably shouldn't protect these companies from the effects of the software installation.

Bruce,

You're right: "acknowledging" doesn't express my desired meaning. I edited the post to remove that phrase.

You have got to be kidding me.

"So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit."

Where is the correction of your statement that the program posed a serious security threat? It was qualified as a minor security threat by the security experts. It is sad when a representative of Princeton qualifies his research with inflammatory remarks not because they are true, but simply to promote his own agenda.

Anonymous SunnComm investor,

What exactly was inflammatory about Mr. Felten's remarks? How do you make a driver "completely invisible to users, programs and system components" (SunnComm's description) without using rootkit methods?

Mr. Felten you wrote...

"MediaMax set off down the road of CD copy protection, and they ended up with spyware."

Please post a link to one spyware vendor out there that lists MediaMax as "spyware", just one that includes MediaMax in their spyware signatures.

Also,

How often does Microsoft certify "spyware"?

http://testedproducts.windowsmarketplace.com/item.aspx?idItem=1ce9faac-4...

Anonymous:

Felten needs his 15 minutes of fame. He has nothing else going for him.

If you read his posts you will soon see he is anti-MMXT. If he is supposed to try and protect people from PC security loss, why then did he even go into the SEC filing?

He should look at the software and then give us his reaction, which does not concur with the real experts in the field.

I think both he and Princeton are on a slippery path heading down to what IMHO may be legal action. It is easy to see he is really all about getting music free, and since it's against the law to circumvent DRM he is guilty of preaching how to go around it.

He has an agenda. Tell us, Felten, how much work have you done on Macrovision and its protection of CDs? Let us see some facts about MVSN.......... Remember now, some on the board of MVSN may be related to Princeton in some fashion. Is that why you have never completed a report as once stated?

You SunnComm shills keep saying the same boring things over and over, and they aren't convincing anyone. Give it a rest already and quit junking up the comment threads of what are otherwise informative and important postings for concerned computer and music consumers.

I'd like to thank Ed and Alex for their work, since it is clear that the Sony BMG/SunnComm/MediaMaxes of the world don't have our interests at heart, only their perceived profits.

While I was out to lunch (for real, others say that I am perpetually out), Bruce Hayden posted my (planned) comments. Fortunately he is an attorney where I am not. Basically, this is an utterly amazing piece of detective work that clearly makes the activities of MediaMax knowing and intentional, the proverbial smoking gun every lawyer seeks. Who would think that an obscure filing with the SEC could be so useful? I hope that this information will make it into the various lawsuits that have been filed. Please keep up the good work.

Just a request to the people genuinely interested in intelligent discussion:
Please stop responding to the shills in this forum. It makes reading the posts much harder.
If you really need to beat on these bb stock scammers, feel free to get yourself a RagingBull login and go spam their discussion boards (MMXT, SCMI) to your heart's content.
Also, congrats to Dr. Felten/Alex Halderman, not just on the excellent technical work, but also on the remarkable restraint demonstrated by not ip-banning the shills. It would only reinforce their paranoid delusions -- after all, their speech is as free as yours or mine, if not as well-reasoned or honest.

The more these people post from SunnComm, the more I think I want to avoid them at all costs. The only reason I can see for their aggression is that this post hits a bit too close to home for comfort for them.

SunnComm has issues in the marketplace, serious issues. It doesn't want to be "spyware" but they are unable to define why they are not. They partake in all manner of activities that are spyware-like. We posted all of those in the previous threads.

They are intrusive, unwanted, and only inflict their "protection" on legally purchased CDs. The pirated versions of MP3s are not at all affected by the SunnComm "protection".

More to the point, clearly the SunnComm people here are saying that removal of their software is illegal. That, more than anything, means I don't ever want to see them near my computer.

It's my choice what software goes in, SunnComm is permanently rejected.

"More to the point, clearly the Sunncomm people here are saying that removal of their software is illegal. That, more than anything, means I don’t ever want to see them near my computer."

IMO, it shouldn't be illegal to remove software that you did not agree to have installed. The law needs to be changed if it actually says that is illegal.

It is currently illegal to circumvent the copy protection. But by removing the software from your computer, are you really circumventing copy protection? Removing the software from the CD, or cracking it on the CD would be circumventing the copy protection, but unlike DVDs the music on the CD is not encrypted. So you do not need to "crack" anything to play it. The CD isn't even really "copy protected". That's why they have to trick you or your computer into installing their software. So arguably, by removing unwanted software from your computer, you aren't circumventing anything. After all, there isn't any "copy protection" on the content to circumvent. Someone tell me if I'm wrong here?

---
Indeed, they make an even stronger statement elsewhere on page 30:

The software is designed to be completely invisible to users, programs and system components.

This is an exaggeration, but it shows that they do aspire to invisibility. Which is interesting because the only way to be “invisible to users, programs and system components” is to use rootkit methods. So it would appear that MediaMax at least planned to follow First4Internet’s lead in shipping a rootkit.
---

Using rootkit methods and shipping a rootkit are two different things. A rootkit will hide any file you tell it, which makes it easily exploitable. When done correctly, using rootkit methods only hides your file. $SYS$ is definitely not done correctly.

Ed, your bias can be so completely blatant at times that it's hard to believe you're genuine. The facts are damaging enough as it is that you don't need to bias it any further. There is no spying in MediaMax, even the tech analysis disputes this, no more than Mac OSX phoning home ( http://dekstop.de/weblog/2005/12/osx_10_4_3_phoning_home/ ) so please quit calling it that. Malware would be a less slanderous term.

In any event I worked at SunnComm because I believe in intellectual property and copyright even if the laws have been unfairly tilted towards the copyright holders. The imbalance between copyright and public domain is a separate issue to copyright violations and copyright enforcement. Shooting the messenger (DRM companies) won't get you anywhere in the long run. As long as there exists content there will exist premium content, and the only thing that will keep it premium is copy protection technology. Copyright expiring 125+ years past the death of artist is what's broken guys, not DRM (well Ok maybe XCP, and the infamous MediaMax EULA ).

I never agreed with the install-before-the-EULA nonsense. I always thought it wasn't worth the trouble it would cause if you could just hold the shift key anyway. Now look what's happened... heh.

The argument was that in the 'grey' area during the time when the EULA was displayed for the very first time and the CD was in the drive, the copyright holders were in their right to run a 'terminate and stay resident' program that would run and protect their intellectual property. This program would run but not be installed unless the user agrees to the EULA. The EULA language itself is a part of the technology, as it states it allows perpetual updates. You may already have MediaMax installed and be prompted with the EULA again by a new CD; declining it does nothing as you've already agreed to the perpetual updates from the older CD.

If the terminate-and-stay-resident program did not run, the user could simply open another program, rip the disc, and then decline the EULA. No matter how advanced the DRM technology became, it always could be defeated by the EULA requirement. The copyright holders therefore felt they were in the right to run it.

There are examples of many other programs that continue to run in the systray when uninstalled, until you reboot. Their argument isn't too far fetched, but again IMO it wasn't worth the risk when you have the shift-key issue.

Josh,

Your post is informative, and your point about "forever minus one day" copyright terms is well taken (though MediaMax has no way of turning itself off in 2160 or whenever a CD's copyright finally expires). I just have a few comments:

* A rootkit is a rootkit regardless of whether it trivially allows third parties to hide files (like XCP's $sys$). It still interferes with the fundamental operation of the computer, potentially causing security or stability problems. And hiding only "your" code may be harder than you think--how do you tell what's yours and what isn't? How do you prevent a third party from spoofing MediaMax software and hiding under the rootkit? What happens if the MediaMax binary gets infected by a virus and the AV software can't find it to clean it?

* Regarding your statement that "declining [the EULA] does nothing as you’ve already agreed to the perpetual updates from the older CD.", this is incorrect, as it's been shown that the software will install and run even if you never accept the EULA.

Great research. But the real joy of it is that this shambles could not have happened at a worse time for the aggressive marketeers at SunnComm/Mediamax, since it must risk blowing their hopes of cashing in big on their toys right out of the water. Of course they are "shilling" like fury: over a million bucks in expected share sales must be looking a lot further away now.

Incidentally (IANAL) are they now required to update their SEC filing to reflect new material facts - that they are in danger of being sued into non-existence?

Josh,

Thanks for the response. If what you say is an accurate representation of the thought process that SunnComm went through, I think that they may have not thought through the effect that installing the software regardless of assent to the EULA would do to the enforceability of the EULA.

In the First 4 / XCP case, the argument against the EULA being made by the plaintiffs' lawyers is that said EULA was misleading, not fully disclosing all that the small program being installed was going to do. In the SunnComm / MediaMax case though, plaintiffs have that argument plus the argument that since the DRM software is installing regardless of assent to the EULA, the installation is not a result of permission given by assenting to the EULA. And, indeed, if it happens independent of the EULA, it is likely that it happens before physical assent to the EULA, and thus the DRM software can't be covered by the EULA.

In short, what appears to be a case of taking the law into their own hands (as you almost suggest they did) may turn out and bite SunnComm / Media Max / Sony BMG in the tush by negating the EULA.

TomCS

I am not a securities expert by any means (I haven't done anything in that area since I took a class in law school), and this isn't legal advice, but, yes, I think that both companies will have to disclose this in the SEC filings.

Part of the reason is that the pending lawsuits, plus any number of other potential lawsuits, are extremely material to the well being of the two companies (and, thus, to any present and future investors, thereof).

Sony may not be so constrained to report this, both because of their foreign ownership, and that this is far less material for them, due to their worldwide sales in so many different areas.

OK... Installing their tools on my machine without my knowledge or consent. Isn't that the definition of spyware anyway? I don't agree with this DRM self-installing software, and it's the number one reason to switch to another operating system, such as Linux or even OS X (yes, buy a Mac). It's time that we stop letting these pricks try to install software on our machines without our knowledge. Not to mention, who's to say that this software could even install itself on a corporate network with a strict policy enforced for user-installed applications? I believe that would block the software from being installed, and users could easily implement a user policy and still copy the discs just as before.

sm -
---
And hiding only “your” code may be harder than you think–how do you tell what’s yours and what isn’t? How do you prevent a third party from spoofing MediaMax software and hiding under the rootkit? What happens if the MediaMax binary gets infected by a virus and the AV software can’t find it to clean it ...
---

http://www.fuckmicrosoft.com/content/ms-hidden-files.shtml

Microsoft themselves do it, and that 'rootkit' can't be uninstalled. What's to keep a hacker from hiding their virus files in those directories? I'm not trying to say it's right, but I don't think DRM should be singled out for doing it either.

----
* Regarding your statement that “declining [the EULA] does nothing as you’ve already agreed to the perpetual updates from the older CD.”, this is incorrect, as it’s been shown that the software will install and run even if you never accept the EULA.
---

That's a bug. It only happens if you take the exact steps documented. Switch the versions around and it doesn't work. Reboot at different times and it doesn't work. IIRC only a few releases had that bug so it was pretty much a non-issue. Only somebody like Alex testing the EULA functionality would come across it. It had been fixed in later versions, but instead of recalling the CDs, the fix was to send the removal tool if anybody complained. Again the likelihood of that happening in a real-world situation is pretty small.

----

to Bruce -
--
In short, what appears to be a case of taking the law into their own hands (as you almost suggest they did) may turn out and bite SunnComm / Media Max / Sony BMG in the tush by negating the EULA
--

They are in fact taking the law into their own hands. That's the point of ALL copy protection, is it not? To enforce copyright law? ;) The question is: Did they break the law when taking the law into their own hands? That's for the courts to decide. It's going to come down to the definition of what is 'install' vs 'run' vs 'terminate & stay resident'.

Yes, until that's sorted out, Sony and SunnComm stay out of my system. After it's sorted out, they can still stay the hell out.

Your music just isn't worth the fuss.

Thanks for the clarity Josh.

There's a great opportunity here. How about a little resident program that blocks shitbag code like Mediamax from loading onto the computer. You're not bypassing the protection--you're blocking the shitty infection.

Josh says: "This program would run but not be installed unless the user agrees to the EULA. The EULA language itself is a part of the technology, as it states it allows perpetual updates. You may already have MediaMax installed and be prompted with the EULA again by a new CD; declining it does nothing as you’ve already agreed to the perpetual updates from the older CD."

My analysis is: Josh is either a "somewhat-better-mannered" SunnComm troll, or just doesn't know what he's talking about.

We've known since November 28th, 2005 [i.e., over two weeks ago, see http://www.freedom-to-tinker.com/?p=936 ] that MediaMax installs without any kind of consent. You can decline the EULA, reboot your computer, and then re-insert the CD and have MediaMax set itself to run perpetually, all without consent. This completely negates the above-quoted text, because, well, I didn't agree to any EULA, and I didn't agree to perpetual updates - but I still got MediaMax on my computer.

I can't emphasize how nefarious this is! If companies like Sony BMG expect people to respect their property, they had better respect the property of others. You can't waltz around claiming that I have agreed to a contract that I haven't agreed to. You can't claim that because I spent $1000 on a computer, you can install any software you like on it. My computer is my PROPERTY - i.e., mine. I get the final say on what is installed. You took that right away from me, and I'm not particularly happy about it.

Normally, I would expect someone who utterly violates the spirit of contract law (which is an extremely important brethren of copyright law - our system of copyright law would be entirely gutted without contract law) as badly as SonyBMG and SunnComm have to be either a hardened criminal or a con-artist. I hope both companies are roundly punished for behaving in this manner.

To further critique Josh's comments: "Shooting the messenger (DRM companies) won’t get you anywhere in the long run. As long as there exists content there will exist premium content, and the only thing that will keep it premium is copy protection technology."

I agree that the unprecedented power at the hand of consumers of copyrighted content probably warrants some kind of (ideally government regulated, standardized, balanced) controls, either directly on the distributed content, on computer operating systems, or on the infrastructure of the internet. (I also think that the idea of "perpetual copyright" is terrible: see Lawrence Lessig's "Free Culture".) It is just too easy for just about anyone to illegally distribute just about any kind of "electronic good" today. However, I would contend that the reverse of what Josh claims is happening is occurring: the messenger is shooting ME!

Here's what I've learned from the SonyBMG fiasco of XCP and MediaMax (as well as from the excellent research and commentary of Mr. Felten, Mr. Halderman, and Mr. Russinovich): our current generation of "active protection DRM technology" violates the consumer's basic right of control over his/her property. In other words: if you really do intend to stay in the DRM market after all of this, it's time to go back to the drawing board, SunnComm.

The question is: Did they break the law when taking the law into their own hands? That’s for the courts to decide. It’s going to come down to the definition of what is ‘install’ vs ‘run’ vs ‘terminate & stay resident’.

There are some other issues to consider. Will this software actually make money for Sony? Since it only impedes the most casual of pirates (the PC-using pirates that don't know how to disable autorun), file-sharing piracy will continue unabated. On the other hand, it will make life more difficult for the casual user who wants to (say) rip an MP3 party mix, or a throwaway for use in the car. There is no way that anyone can claim that this makes Sony's product better for those users. So what's in it for Sony? Why should they use this product?

Furthermore, other parties (e.g., Microsoft) have an incentive to disable this software. This sort of copy protection makes people (you can see remarks in the comments above) grumble about getting a Mac instead. Some of them will. Furthermore, the sort of things that Microsoft could/should do to prevent installation of spyware and rootkits, will also prevent installation of these copy protection programs. Sure, they are "not rootkits", it's just that they do things that rootkits do.

Andrew,

Give Josh a break. He already stated that he is an ex-SunnComm programmer. He also stated that the install against the user's wishes was a bug.

He is the only SunnComm related person to day that has made any attempt to talk rationally about the issues. The rest have attacked the integrity of Alex and Ed or have ignored the points raised in this debate and called anyone who criticized the implementation of MediaMax a pirate lover.

At least Josh argues intelligently.

Sorry "to date" not "to day"

To Bruce Hayden

"I am not a securities expert by any means (I haven’t done anything in that area since I took a class in law school), and this isn’t legal advice, but, yes, I think that both companies will have to disclose this in the SEC filings. "

Neither SunnComm nor MediaMax Technology Corporation are defendants in any of the lawsuits, so I would not think there would be a requirement to file.

SunnComm itself is a non-reporting company so even if they were party to one of the lawsuits, they still would not have to file that with the SEC. In fact SunnComm are currently defendants in several lawsuits (unrelated to DRM) and have not filed with the SEC declaring that fact. Here is a link to those lawsuits (AZ only).

http://www.superiorcourt.maricopa.gov/docket/civil/caseSearchResults.asp...

IANAL.. but IMHO..

MediaMax invades your computer without any consent at all and from a source you would not expect: an audio CD. I don't care if it's a bug. SunnComm are liable, regardless. It should be regarded as a class of malware for that 'feature' alone:

System Invader - Malicious software that automatically installs without the user's consent.

---

"The software is designed to be completely invisible to users, programs and system components."

This is malicious intent and totally undermines all security that the owner and system administrators may have put into place on the host system.

FYI: Windows XP 64bit edition and Vista will not allow kernel hooking that made the XCP rootkit possible.

Windows Vista will also not allow the installation of drivers that lack Microsoft's digital signature without the consent of the user complete with a scary warning message.

I wonder how the malware vendors such as SunnComm and F4I will crack Windows in their attempts to force their product down your throat. They have already collaborated with antivirus companies to ensure they don't get red-flagged as a virus. They will probably attempt to negotiate with Microsoft:

"Our software is not bad. We are the good guys. We love users. We want to bring joy to them by spreading our software and enhancing their audio experience. We don't need to take any credit. For ease of installation we would prefer to remain *ahem* undetectable. Our little secret. What do you say, Steve? Just sign our drivers.."

From Mark's blog: http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want...

"1) Drivers can be installed/overridden/bypassed in such a way as to bypass the driver signing check. Would this not indicate that driver signing is essentially useless?"

Yes, the drivers are unsigned and installed in such a way that Windows never checks for a signature. Note that my ctrl2cap keyboard filter driver also gets installed without a signing check because of the same loophole. Vista will close the hole.
posted by Mark Russinovich: 4:13 PM, November 12, 2005

In reply to Joe Starr:

I agree that Josh was the only person affiliated with SunnComm to date to have actually said something of at least mild value on this blog. Like yourself, I have a certain respect for that. So, thank you, Josh, for at least trying to think and write objectively.

Unfortunately, some of Josh's comments are just plain wrong. Specifically, the first section I quoted from his post reads:

“This program would run but not be installed unless the user agrees to the EULA. The EULA language itself is a part of the technology, as it states it allows perpetual updates. You may already have MediaMax installed and be prompted with the EULA again by a new CD; declining it does nothing as you’ve already agreed to the perpetual updates from the older CD.”

What Mr. Felten has posted today should be proof enough that SunnComm intended MediaMax - indeed, DESIGNED MediaMax - to install and run in perpetuity regardless of any user consent. This is, of course, equivalent to the statement "SunnComm designed and intended MediaMax to break the law and violate the rights of consumers who declined the EULA."

Josh - unintentionally or intentionally - gets that fact wrong. And on that point, at least, I believe that he needs to be corrected.

Anon (2 back)

"They have already collaborated with Antivirus companies to ensure they don’t get redflagged as a virus."

Have you any proof of that? (BTW, in case you think my question is because I am a SunnComm troll, I am not. I think the company is corrupt from a business and ethics point of view, as well as being responsible for badly written code that endangers users' systems).

Anyone contacted attorneys general for states that have already filed suit against Sony's other work of art? Seems like the sooner the suits are filed on MediaMax the sooner we will get a real uninstall program.

Don't lose sight of the fact that this is a boycott Sony Christmas.

Thanks
RCD TCB

To clarify an earlier comment I made: "What Mr. Felten has posted today should be proof enough that SunnComm intended MediaMax - indeed, DESIGNED MediaMax - to install and run in perpetuity regardless of any user consent. This is, of course, equivalent to the statement “SunnComm designed and intended MediaMax to break the law and violate the rights of consumers who declined the EULA.” "

It is not speculation that MediaMax installs without consent. However, it may be disputable, perhaps with internal company records that this behavior was, in fact, a bug. After reviewing SunnComm's SEC filing, I don't quite buy this. However, to state unequivocally that MediaMax was designed to "break the law and violate the rights of consumers who declined the EULA" would, at this point, be a step too far.

I'd like to hear SunnComm's side of the case on this. Is it possible to clarify the SEC filing to show that this was a bug and not a design decision?

I think that the underlying problem is just the same, no matter how pro-DRM people try to dress it up. For reasons well aired, the Red Book standard did not cater for copy protection, and it is not possible to retrofit copy protection whilst maintaining that standard, unless the user is hoodwinked into installing software on their own computer which, given an informed choice, they would not do.

That is why the road to copy protection leads to spyware methods.

The expression "spyware" is defined differently in various places, and it is all too easy to select a narrow definition, and then argue that this cp or that cp is not spyware.

I think the starting point is to define "spyware" as per in the Wikipedia article:

"Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party."

I do agree that the SEC filing is not definitive as to intent. Ultimately, it should be obvious one way or another from the code. Of course, since courts rarely have experience in reading code, experts will be utilized, and that leaves everything open to hiring the most articulate expert.

Nevertheless, the SEC filing probably is sufficient, in and by itself, to push the burden of proof back onto the defendant(s). This means that instead of the plaintiffs having to look through the code to find out whether or not it was intentional, the burden may indeed move to the defendants to show through the code that it was a mistake.

Josh,

I've seen that article before and it's not talking about rootkit methods at all. The desktop.ini file tells Explorer to display a higher level abstraction (such as a list of sites visited in the Internet cache and the time they were visited) instead of the actual files in the folder (which have names that look like gibberish and aren't informative to the casual user). In any event, this technique only hides files from Windows Explorer. It does not interfere with the kernel. It does not hide files from the Win32 FindFirstFile/FindNextFile APIs, and would not hide malicious programs from antivirus software. If you go to a command prompt (Start | Run and type "cmd"), you can view the files yourself.
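The distinction the comment above draws, between a desktop.ini that changes what Explorer renders and something that actually filters the directory enumeration APIs, can be checked rather than argued. The following is an added example, written for this page and not code from the commenter, SunnComm or any cited report. It walks a directory tree with os.scandir (which on Windows is built on FindFirstFile/FindNextFile), spots folders whose desktop.ini carries a CLSID/CLSID2/UICLSID entry (the keys that make Explorer substitute a namespace view for the real contents), and lists the real entries in those folders. The folder names and the CLSID value in the sample tree are constructed placeholders, not the real Internet-cache identifiers, and the script runs on any operating system because the enumeration step is ordinary directory listing:

```python
"""Added example: show that a desktop.ini namespace override does not hide
files from directory enumeration, only from Explorer's rendering of the folder."""
import configparser
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Keys in [.ShellClassInfo] that make Explorer render a folder as a shell
# namespace view instead of listing its files.
SHELL_VIEW_KEYS = ("CLSID", "CLSID2", "UICLSID")

# Constructed placeholder CLSID for the sample tree; not a real shell extension.
SAMPLE_CLSID = "{00000000-0000-0000-0000-000000000000}"


def shell_view_overrides(ini_path: Path) -> Dict[str, str]:
    """Return the namespace-view keys found in a desktop.ini, or {} if none.
    Unreadable or malformed files are treated as having no override."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case; we compare case-insensitively below
    try:
        parser.read(ini_path, encoding="utf-8-sig")
    except (configparser.Error, OSError):
        return {}
    if not parser.has_section(".ShellClassInfo"):
        return {}
    section = parser[".ShellClassInfo"]
    return {key: value for key, value in section.items()
            if key.upper() in SHELL_VIEW_KEYS}


def find_shell_masked_dirs(root: Path) -> Dict[str, List[str]]:
    """Walk `root` with os.walk (os.scandir underneath, i.e. FindFirstFile/
    FindNextFile on Windows). For every directory whose desktop.ini requests a
    namespace view, record the real entries that Explorer would not display.
    The enumeration itself is unaffected by desktop.ini, which is the point."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        ini = Path(dirpath) / "desktop.ini"
        if not ini.is_file() or not shell_view_overrides(ini):
            continue
        real_entries = sorted(name for name in dirnames + filenames
                              if name.lower() != "desktop.ini")
        findings[Path(dirpath).relative_to(root).as_posix()] = real_entries
    return findings


def build_sample_tree(base: Path) -> Path:
    """Constructed sample layout: one folder with a namespace override (cache-
    style contents with gibberish names) and one folder whose desktop.ini only
    sets an icon, which changes nothing about what Explorer lists."""
    masked = base / "Temporary Internet Files" / "Content.IE5"
    masked.mkdir(parents=True)
    (masked / "desktop.ini").write_text(
        "[.ShellClassInfo]\r\nCLSID=" + SAMPLE_CLSID + "\r\n", encoding="utf-8")
    (masked / "index.dat").write_bytes(b"\x00" * 16)
    (masked / "AB12CD34").mkdir()
    (masked / "AB12CD34" / "cached[1].htm").write_text("<html></html>", encoding="utf-8")

    plain = base / "Documents"
    plain.mkdir()
    (plain / "desktop.ini").write_text(
        "[.ShellClassInfo]\r\nIconFile=icon.ico\r\n", encoding="utf-8")
    (plain / "notes.txt").write_text("no namespace override here", encoding="utf-8")
    return base


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temporary directory, scan it, and return the
    findings so the result can be checked without relying on printed output."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        return find_shell_masked_dirs(root)


if __name__ == "__main__":
    for folder, entries in demo().items():
        print(f"{folder}: Explorer shows a namespace view, but enumeration sees {entries}")
```

Only the Content.IE5 folder is reported, and its real entries (the cache subfolder and index.dat) come back from plain enumeration; the Documents folder, whose desktop.ini merely sets an icon, is not flagged. Running the same scan from a command prompt on Windows with `dir /a` gives the same picture, which is the check the comment describes.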

I agree with sm. I had no problem deleting all those files on my XP laptop, once I figured out where they were stashed.

I guess I am one of the "Sunncomm" shills you folks are criticizing in your posts. I could care less what label you give me, the fact is people here just like to whine about copy protection. The funny part is that I bet each and every one of you "whiners" have at some point in time copied or ripped a disc from a friend or even given a friend or relative a copy of your own music CDs (this is all illegal by the way).

I have a few questions for all the people that have been "saved" by Felten's and Halderman's research:

1) How many people's computers get hacked because of Windows?

2) How many people's computers get hacked because of the Internet?

3) How many thousands of other software vulnerabilities have caused people's computers to get hacked?

4) How many people's computers got hacked because of MediaMax?

The whole premise of this website "Freedom-to-tinker" is hacker-friendly in my opinion, hackers love to tinker and work their way around copy protections. Heck, Felten enjoys listing workarounds to MediaMax's products, but not Macrovision's for some reason, maybe he is one of the "Hackers" he is "saving" all of you from??

The fact is with a MediaMax disc, nobody has had their computer hacked and any security issue has been addressed in a timely manner, just as you would expect from any Windows software program that is certified.

Whether or not it is a bug or intentional makes no difference to me at all; I still don't want them on my system.

I simply don't trust software that fails (i.e. "has a bug") in the only portion of the code that interacts with the end user, at such an absolutely critical time, and provides no tools whatsoever to remove itself. Those tools require going to the web and downloading the uninstallers (which also might contain bugs).

There is no guarantee that the "minor" and well hidden changes to the drivers of my computer won't be an issue in the future. For example, upgrading to another operating system would very likely overwrite the current drivers with new ones, and there is no reason to believe that SunnComm CDs as they exist in the market today will work/install properly in Vista or other future operating systems. That means that the discs have a very, very short lifetime in our house compared to "standard" CDs that don't suffer from these issues. For that matter, what if the CD-ROM manufacturer issues a new driver which bypasses the SunnComm one without me even knowing? Am I still criminally responsible even though I didn't even know what SunnComm does or why it's there? Ignorance is no defense under criminal law, is it?

One problem I have is with the entire law regarding when I am permitted to remove this software, and when not. It sounds to me like it's "once you have it, you need to be sure you never remove it". That means no more reformats (very, very frequent occurrences), no upgrading of operating systems, and no dual boot systems since those clearly bypass the SunnComm "protection" installed on another instance.

The easiest choice is to make no choice. Buying a Sony product requires me to make a choice, therefore it's rejected. It may, or may not, contain clear labelling on the outside of the box indicating SunnComm is going to be installed. At least one title suffers from this further "bug" in the manufacturing process.

There are other alternatives if you want to purchase the artist's music legally. When we say no to buying a CD these days, it's much more than saying no to the artist. It's saying no to some well hidden subcontractor hired by a branch or sub-label of the label with whom the artist signed a contract. I like simplicity when I buy music. I like to say "ooo nice song! Here is my money", and live happily ever after. That's simple. Sony's system isn't.

Also, is making a backup or a "fair use" copy of a legally purchased item legal? It sure sounds so, based on copyright-specific websites. So, if I purchase a copy of a CD but fear the copy protection, can I not just download an image of the CD from the internet? What's the difference between that and the identical image I get from the songs on the CD? Where is the law in this regard? It sounds like the *manner* in which the "fair use" copy is made might be the critical issue rather than the copy itself, yet I don't see why that should be. If I bought a CD but it got scratched on entry into the drive, thereby damaging only one song, can I not download that one song as my backup and still "be legal"?

From my perspective illegal downloading is when you take something you didn't pay the copyright holder for. These cases are not like that though, since I have paid the copyright holder.

Why can't I simply register my CD with the record company the day I bought it, as an optional process? That builds communication, trust, and a positive business relationship. Does that exist using the Sony/SunnComm/First4Internet systems? Not at all. Those DRM systems are negative in nature; they assume the worst by their very nature and provide no tools for the honest consumer and several negative features (such as completely invalidating their ability to say no to the EULA). Why is it that I am under constant scrutiny of their "polling" ever after?

Also, does copyright pertain to the specific media it is delivered on? Is it copyrighted specifically for CD rather than for tape or LP? Is owning one of those (i.e. a cassette tape) what makes it legal? I paid for use of the copyright of that music, what difference does it make if I also have it on CD then? And, is this law the same in all states, provinces or countries?

I think it makes a difference in that the DRM can actually be used to make it so that you need to buy a CD specifically for a Windows version (i.e. possibly Windows 95 to XP, but not Vista). Is that really what I bought for my CD purchase? If it is, that's fine but it should be CLEARLY identified what the expected lifetime will be of the product before I buy, since non-copy-protected CDs have a much, much longer expected lifetime of use.

It's not comparing apples to apples anymore.

SunnComm also seems to be confused as to who it's selling to. The end user of their software has a very different perspective of what's right and fair than the company that paid for the work to be done. Yet, SunnComm thinks we should all get along. There has been a very long history of mediation between the copyright holders and the public. SunnComm wants to sell to one side, and expects the other to be happy (or, at least, to shut up and accept this situation quietly in ignorance, and certainly not to hold the software up to critical inspection).

I don't think that is a fair way to mediate such a long-standing battle. It's declaring victory by the use of hidden tools, and we know they are intentionally hidden since SunnComm's corporate prospectus tells us so.

I don't trust sunncomm and sony with my rights as those rights have existed in copyright law up until this time. I don't believe sony works fairly, I don't believe they work in my best interest, I don't believe this will be a long and happy relationship; in summary - I don't trust them.

They also don't appear to trust me. I think that is a fair assessment, since they are hiding software on my system and tracking my usage regarding items I have already purchased from them, they are not open and honest about what data is being transmitted, and they do not have a clear policy in this regard at their website from what I can see. I think it's fair to say that they don't trust their customers. That's why they think we steal 22 billion dollars a year from their pockets, and state so in their business prospectus.

So, we have a situation in which neither party trusts each other.

Why should those parties be in business together? Is this not a situation that will only get worse? And, why is it a strong possibility that it's illegal for me to withdraw from the situation by removing the software from my computers, burning the discs, and kissing my money goodbye? Why is even THAT illegal?

It's far, far safer to simply say "no" up front, and then decide when the time is right to go into business with Sony/SunnComm/First4Internet. All this fuss just to listen to music that is often available by radio.

The biggest issue I have with SunnComm software is that it is based on the assumption that everyone needs policing, and that they should be the police. Someone out there will figure out that the positive way to handle this is the more powerful, and I prefer to use their software, thanks.

If a competitor of SunnComm implements a similar system, will these two coexist on my computer? Will new defects be obviously attributable to one or the other? How does staying hidden help me locate bugs? And, why are you only going to refund me up to $5 for all these problems? Why can't I say "This is an astonishingly bad deal for me, in every possible context, and I want out"?

The SunnComm people are irate that websites like this one "take a close look". But, didn't the president of Sony BMG make the statement that users who don't know about rootkits shouldn't care about them? Isn't he saying that he wants/expects/prefers/caters to ignorance? Not all of us wish to live in a world of blind ignorance, some of us ask questions, and sometimes those people are university professors or lawyers. If you don't want it scrutinized by the public, then remove it from sale to the public. Or are the SunnComm people saying that university professors are not part of the public? You see why I get confused.

Just because one particular product is under scrutiny does not mean that all products must also be under scrutiny at the same time, or by the same people. There are plenty of universities to go around.

Why does any company fear a close examination of their product? I believe it is because they fear what might be found. So far, bugs have been found, and significant ones at that. Sure, sure, they say they are minor ones, but they were only found because of close inspection and they were only fixed because of pressure to do so. If they had never been publicly found out, would Sony ever have released a "fix"? SunnComm and Sony might say yes, but the problem is that they can't say when that would have occurred, and it requires a level of trust to believe it would have been so. Yet, they don't come into the business relationship under a sign of "trust", do they? The entire issue exists purely because of lack of trust on their part. If they trusted the purchaser of the CD, it wouldn't need the DRM (like many Sony competitors do).

Those CDs are continuing to penetrate the market, since they haven't been recalled and still have issues regarding essential features such as the acceptance of the EULA contract. Yet, here is an ex-SunnComm developer who clearly identifies this issue as a bug. So, we know a defect exists and that defect makes it unclear if the person ever agreed. It's in Sony's best interest to recall these discs and at the very least replace them with an updated EULA/SunnComm install that functions properly.

Why is it so critical? Because Josh also says that the upgrades go into the system via previous EULA acceptance ... which never occurred in these cases. "Upgrades" are being pushed out without any form of user acceptance, either originally or subsequently. Can Sony tell the difference between the ones that went in via acceptance vs. decline? If not, how can they claim to have been authorized?

Sony is counting on further consumer ignorance to further penetrate their DRM, knowing it is faulty. They claim it's faulty, yet the prospectus says otherwise. You get the sense of "officially faulty" and privately "acceptable". They can have that attitude anywhere except on my property. If the software is faulty, and the manner of its fault removes rights or imposes failures on a consumer's system, those discs should be recalled so that Sony minimizes damage.

But, this doesn't sound at all like a company looking to minimize damages to their clients ... it sounds like they want Mr. Felten to shut up, and stop giving reasons why consumers should be questioning what goes into their computers, and making a rational and informed decision after reviewing the situation. Especially given that you are required to give away all rights to say "no" in the future. Can't say no to SunnComm upgrades, can't say no to removing DRM software on your computer, and can't say no to the original agreement.

Clearly, Sony doesn't want us to say no. The only time we ever can say no is before we buy.

Smart users will be able to look for the strange little trail that leads to the Sony web site and know when to download a viable patch (and when to avoid ones that make it worse). Nothing is simple though. That's what Sony is banking on: users who are ignorant of issues such as rootkits, ignorant of their previous rights, ignorant of the implications of the EULA, ignorant of new copyright laws being made. Just plain ignorant.

That's fine, Sony can target that market ... but as I have said I am not one of them (or, at least, I try not to be). So, I simply avoid Sony/SunnComm/First4Internet. I somehow get the feeling that this particular perspective is even more "ignorant" to Sony since I am making a wide and sweeping decision based on a few facts. Yet, to me they are powerful facts.

Stay out of my computer, Sony/SunnComm/First4Internet. You are not wanted here, not greeted, and not respected.

Can we submit our own version of a EULA to Sony? One that says that unless we are given full information, we consider whatever tactics they use to force a EULA on us as pre-declined? Why should Sony be the first one to have a EULA? I need a EULA to protect my own intellectual property that exists on my computer (something Sony/SunnComm has access to if they have their DRM on my computer and use it to inspect more than they clearly state as their limits, should they wish to "inspect" my system for "information"). This forces me into a whole new realm of "trust" that makes me uncomfortable, to say the least.

Sony never clearly and publicly states exactly how far their DRM systems invade our computers, or what information is extracted. We have to trust them, when they place no caps on the extent of their invasion. Sony needs to clearly and formally define what information is being removed from your system and sent back to them, and they need to make that publicly verifiable. They could make the communication system open source, so everyone knows what data they are sending back.

They are clearly saying they intend on being "hidden" to the end user, yet don't place any formal caps on what information they take. Doesn't that leave them open to suspicion if a competitor's private information becomes public? How many Sony competitors are comfortable knowing their computers might have these sorts of SunnComm systems on their development computers? Isn't it a very wise choice to simply ban these DRM CDs from the workplace?

I think businesses really need to say no, and have the right to say no, to the EULA and be able to override an employee who accepts it out of ignorance. Or, as in the SunnComm case, declines it out of knowledge of the implications. In either case, the business now has their competitor on their computers. The only possible safeguard they would have is the open publication and commitment Sony makes regarding what information EXACTLY is being removed by each version they create. Oh wait, there isn't any.

Yet, we must all blindly trust Sony/SunnComm.

This is a really bad deal for everyone except Sony/SunnComm/First4Internet, and I say no.

Steve K,

What's your definition of "hacked"? Does it include the installation without notice or consent of unwanted software that interferes with lawful uses of the computer?

Joe Starr

Your Maricopa court URL doesn't work - but it appears to be a problem with their search engine. I also tried to check on my girlfriend's litigation there, as I do every month or so, and it doesn't work either.

That said, that MediaMax and/or SunnComm are not parties to any of these DRM lawsuits against Sony is not that relevant as to their ultimate liability, and thus, arguably, as to whether or not they should report this in their next SEC filings (in the case of MediaMax).

The thing is that while they may not have direct liability to third parties buying the Sony CDs (and then again, they might), they are most likely, esp. MediaMax, to have potential liability to Sony. Unless the Sony attorneys negotiating the contracts with these companies were brain-dead, it is likely that Sony got an indemnification from them. At worst, the contracts could have been silent - which would mean that they would be liable to Sony for negligence, etc. It is highly unlikely that they sold or licensed the code to Sony "as is" or without warranties.

Who has responsibility for this sort of thing is almost always a power game - with the party with the least power (typically the smaller company) taking financial responsibility for products sold to or bought from the more powerful (usually bigger) company. I say this from experience - from negotiating a lot of contracts and licenses between companies, and by now, I am pretty good at guessing at which party is going to have the liability in case something goes wrong based on the respective negotiating power of the two companies involved.

Here, of course, you have one of the biggest companies in the world negotiating with companies with at best a fraction of Sony's value and market power. That Sony utilized two different DRM vendors indicates that they were the ones with the power, and were most likely playing the two companies off against each other. In any case, Sony's business was much more important to MediaMax than the reverse.

Let me add the obvious - that if Sony loses any of these suits, and goes back on the DRM vendors, as is probably their legal right, said DRM vendors would most likely be wiped out.

Steve K Says:

"I guess I am one of the “Sunncomm” shills you folks are criticizing in your posts."

The surprise is overwhelming. Really.

".... just as you would expect from any windows software program that is certified."

That again.

You are referring to this, of course:

http://testedproducts.windowsmarketplace.com/item.aspx?idItem=1ce9faac-4...

Sunncomm shills seem to believe that that MS certification somehow makes their covertly installing malware "ok" in some way... but then Sunncomm shills seem to believe a lot of strange things.

I know it's going to come as a shock to you, but all that "windows certified" tag means is that MS sorta not really guaranteed that Sunncomm's Mediamax spyware will run on the Windows version it is certified for.

And that's all it means.

And MS even tells you as much right below the "Compatible with" listing:

"Microsoft makes no representations or warranties regarding the merchandise, manufacturers or compatibility of the merchandise depicted or described."

Time to find yet another straw to grasp at.

1) How many people’s computers get hacked because of Windows?

2) How many people’s computers get hacked because of the Internet?

3) How many thousands of other software vulnerabilities have caused peoples computers to get hacked?

4) How many people's computers got hacked because of MediaMax?

Ok, in the entire scheme of things, the SunnComm code probably didn't result in that much hacking. And, yes, MSFT code is notorious for this sort of thing, and indeed, it is to some extent vulnerabilities in such that bring us to where we are right now. After all, if MSFT hadn't left gaping security holes in Windows in the first place, Sony, et al. wouldn't have been able to install their DRM code in the first place, and it wouldn't have been nearly that bad.

But that doesn't get SunnComm and MediaMax off the hook. They had installed on potentially millions of computers software that was not agreed to. You might want to look at my article on Trespass to Chattels.

I too looked at the Windows certification of the SunnComm product, and after digging through a lot of MSFT pages, all I could determine was that it installed and ran on the various Windows versions and doesn't do anything bad to Windows itself (which is why the First 4 DRM product shouldn't qualify). But nothing beyond that. Nada.

Boy, I thought it was fun bashing the "ESL" Sony shills at the SNE Yahoo stock board... I had no idea SunnComm would be unleashing their own shills here!

I have just one question for said shills; how is it illegal for me to rip music I PAID FOR, into an mp3 file, and place them on the mp3 player of my choice?

Guys and gals of SunnComm, get a clue - it's a PLAY button, not a PAY button.

Saltydogmn raises a cogent point. What is the position if fair rights permits copying which DRM then prevents?

In the UK, the question of DRM is being looked at by the government:

http://www.apig.org.uk/current-activities/inquiry-into-digital-rights-ma...

where there appears to be a greater understanding of the issues than whatever was in the minds of the authors of the DMCA.

"I guess I am one of the “Sunncomm” shills you folks are criticizing in your posts. I could care less what label you give me, the fact is people here just like to whine about copy protection. The funny part is that I bet each and every one of you “whiners” have at some point in time copied or ripped a disc from a friend or even given a friend or relative a copy of your own music CDs (this is all illegal by the way)."

Steve K:

So your whole argument is based on the idea that everyone is a criminal? And on top of that you believe that your misconception makes it right to install spyware in other people's computers? (which is illegal by the way)

So what on earth happened to being innocent unless proven guilty? Does it not matter in your own personal little world?

saltydogmn, what you describe is completely legal and can be done with MediaMax on board. If your choice for mp3 players is an iPod, then there is a workaround. If the workaround is a problem, then take it up with Apple. MediaMax does not prevent you from making copies for personal use.

Sunncomm... It Is As Always

That is, SunnComm is lying again. The iSec Partners report explicitly states that the MediaMax vulnerability is remotely exploitable. No ifs, no ands, no buts... so what does SunnComm tell the victims of its malware?

Sunncomm lies, of course:

http://www.sunncomm.com/support/faq/

#7. What is the technical nature of the security vulnerability in SunnComm MediaMax Version 5?

A local privilege escalation vulnerability exists which could allow a locally logged on user to gain higher privileges by overwriting certain files used by the installed MediaMax software.

Way to go when you're headed for court, idiots.

Y'know... Sunncomm/Mediamax seems to be trying to prove it's possible to try to cover one's ass so tightly that one dies from the resultant impacted colon...
