Sony BMG Rootkit case still rumbles on as SunnComm agrees to the terms of the Electronic Frontier Foundation Open Letter

March 2006

Record labels

In response to an open letter written by the Electronic Frontier Foundation (EFF), SunnComm Technologies, Inc., has outlined what it has done and will do to address potential security problems caused by its MediaMax CD copy-protection software and to help protect against future vulnerabilities. Use of the software on CDs released by Sony BMG has received significant media attention, but many consumers are unaware that the software was also used by several independent music labels. SunnComm says it will ensure that future versions of MediaMax will not install when the user declines the end user license agreement (EULA) that appears when a CD is first inserted in a computer CD or DVD drive. SunnComm has also agreed to include uninstallers in all versions of MediaMax software, to submit all future versions to an independent security-testing firm for review, and to release to the public the results of the independent security testing. SunnComm and EFF are discussing how to ensure that legitimate security researchers who have been, are, or will be working to identify security problems with MediaMax will not be accused of copyright violations under the Digital Millennium Copyright Act (DMCA). In January, SunnComm published a complete list of all music CDs that employ the MediaMax technology and sent a letter to the independent labels using MediaMax with information about a security vulnerability in MediaMax version 5. Music label Sony BMG has separately committed to addressing security concerns arising from CDs using MediaMax. The EFF continues to “disagree with SunnComm on the wisdom of CD copy protection in general”.
EFF wrote the open letter to SunnComm because of its concerns about the MediaMax software, which is included with a wide variety of music from independent labels, such as Cuban Link’s “Chain Reaction” by Men of Business Records, Peter Cetera’s “You Just Gotta Love Christmas” by Viastar Records, and several releases on KOCH Records. The problems with MediaMax came to light in November and December 2005, after independent security analysts discovered problems on Sony BMG CDs that included MediaMax. EFF and others subsequently brought legal actions against Sony BMG based on its distribution of the MediaMax titles, and a settlement in that case provided a remedy for music fans who bought Sony BMG MediaMax CDs. SunnComm’s response to EFF’s open letter commits the company to addressing the potential vulnerability for fans who bought such CDs on independent labels and to a continuing process that should help protect fans against future vulnerabilities.

The Director of Law Enforcement at the US Department of Homeland Security, Jonathan Frenkel, has made it clear that the organization will now monitor the situation, make industry and consumers aware of the dangers of rootkit technology, and push for regulation if necessary (although the DHS itself does not have the power to regulate).

EFF’s open letter to SunnComm:

SunnComm’s response:

List of CDs with SunnComm MediaMax 5:

List of CDs with SunnComm MediaMax 3:
