Saturday, December 10, 2005

EFF: An Open Letter to SunnComm/MediaMax

Via The EFF.

December 09, 2005

Mr. Kevin M. Clement
President and Chief Executive Officer
MediaMax Technologies, Inc.

Mr. Clement:

As you know, we have already discovered one security concern arising from the MediaMax software, resulting in the patch issued on Tuesday and the revised patch issued yesterday.

The Electronic Frontier Foundation (EFF) remains concerned that additional security flaws will be discovered in MediaMax software, in both version 5 and version 3. EFF isn't alone in this concern. Indeed, as Professor Ed Felten has noted, "Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax." See http://www.freedom-to-tinker.com/?p=944.

While Sony BMG has taken some steps to address the security vulnerabilities in the MediaMax software, we are very concerned about consumers who purchase "MediaMax'd" CDs from labels other than Sony BMG, such as Cuban Link's "Chain Reaction" by Men of Business Records, Peter Cetera's "You Just Gotta Love Christmas" by Viastar Records or MediaMax'd releases on KOCH Records. Many of these consumers have not been notified of this security issue, and indeed may be unaware that they even have a security vulnerability.

To ensure that all affected consumers receive notice of the problem and to reduce the possibility that such problems will re-occur, we urge SunnComm International, Inc. and MediaMax Technology Corp. to promptly:

  1. Publish a list of every CD, regardless of label, that employs the MediaMax technology, including the version.
  2. Provide every other label using MediaMax with information about the vulnerability, and confirm this to EFF.
  3. Work with those labels to quickly and effectively resolve the security vulnerability.
  4. Publicly commit to ensuring that MediaMax software does not install when the user clicks "No."
  5. Publicly commit to including true uninstallers in all versions of MediaMax software.
  6. Publicly commit to providing all future MediaMax software to an independent security testing firm, and to the public release of the results of such tests.

We look forward to a prompt response affirming your intent to take the above steps and setting forth a timeline for their completion.

Sincerely,

Kurt Opsahl
Staff Attorney, Electronic Frontier Foundation

1 Comments:

At Sat Dec 10, 12:17:00 PM PST, Anonymous said...

MediaMax Technologies Corp Form SB-2 Post Effective Amendment No. 5 2005-11-04, Description of Business, p.29:

"The MediaMax License Management Technology, “LMT”, provides a security platform that is able to monitor and control activity on all CD/DVD drives or burners when it determines that content protection could be compromised. The software is designed to be completely invisible to users, programs and system components. […]

"When the disc is inserted, the auto launch feature will activate the MediaMax program on the second session. Depending on the DRM license implementation, this program is either activated directly or through another program. The program first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. […]

"Several enhancements have been implemented to make it very difficult to locate and/or remove the device drivers."

(Emphasis added).

 
