lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: SunnComm to sue 'Shift key' student for $10m

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ahhh...  The wildest, satirical speculations on FullDisclosure come to 
fruition in a court of law.  Let the games begin!

http://www.theregister.co.uk/content/6/33322.html
SunnComm to sue 'Shift key' student for $10m
By Tony Smith
Posted: 09/10/2003 at 20:47 GMT

 
SunnComm has threatened Princeton PhD student Alex Halderman with the Digital 
Millennium Copyright Act (DMCA) for exposing a key weakness in the company's 
latest CD copy protection technology, MediaMax CD3.

The company said today it will take legal action against Halderman for 
revealing how MediaMax CD3 can be bypassed by holding down a Windows PC's 
Shift key when a protected disc is inserted.

Doing so temporarily disables Windows' Autorun facility - which many Reg 
readers have turned off anyway, they tell us - which prevents a small 
installation app from being launched off the CD. That software installs a 
device driver which detects the presence of a copy-protected disc and 
prevents attempts to copy such CDs.

The installer apparently asks for the users permission to install the file, 
and does not do so unless the user clicks on the equivalent of an OK button. 
If the UK rejects the 1800-word End User Licence Agreement (EULA), the disc 
is automatically ejected.

The EULA says: "This audio compact disc utilizes MediaMax technology by 
SunnComm to deliver enhanced features to your computer. In order to properly 
utilize this CD on your computer, it is necessary to install a small software 
program on your computer hard drive."

It's worth noting that the BMG distributed CD Halderman tested lacks the 
familiar CD logo. Thanks to the inclusion of SunnComm's technology the disc 
can no longer be described as a CD - an item that has a very specific 
description as detailed in the standards documentation written by the 
format's creators, Sony and Philips. A disc that doesn't follow the standard 
to the letter can't be described by its supplier as a CD.

Odd, then, that the EULA, as quoted above, claims it is a CD - and is arguably 
in violation of the CD licensing regulations. Just a thought...

Bypassing Autorun allows full access to the CD's songs.

As revealed by The Register yesterday, Halderman detailed his discovery in an 
online paper published after he analysed a CD - Anthony Hamilton's Comin' 
- From Where I'm From - which incorporates the technology.

SunnComm today said the paper was "erroneous" and contains "false 
conclusions". On the back of said, "Halderman and Princeton University have 
significantly damaged SunnComm's reputation and caused the market value of 
SunnComm to drop by more than $10 million," the company alleges.

And then there's the DMCA angle. SunnComm claims Halderman broke the law by 
revealing the name of the driver the app installs.

In a statement released today, SunnComm said: "SunnComm intends to refer this 
possible felony to authorities having jurisdiction over these matters 
because: 1. The author admits that he disabled the driver in order to make an 
unprotected copy of the disc's contents, and 2. SunnComm believes that the 
author's report was 'disseminated in a manner which facilitates infringement' 
in violation of the DMCA or other applicable law".

SunnComm's statement is, of course, a tacit admission that Halderman's 
information is correct: "Once the file is found and deleted according to the 
instructions given in the Princeton grad student's report, the MediaMax copy 
management system can be bypassed resulting in the copyright protected music 
being converted or misappropriated for potentially unauthorized and/or 
illegal use," it says.

If Halderman is incorrect, then the outcome described above can't happen, and 
the DMCA hasn't been violated. Yet SunnComm claims the law has been broken - 
ergo Halderman's conclusion is correct.

In which case, SunnComm's technology is indeed flawed, and the company can't 
argue the student has damaged its reputation. We'd say it did that itself by 
relying on a technology that any user - and indeed many already do - can 
circumvent perfectly legally. Bypassing Autorun by holding down the Shift key 
is a documented feature, after all.

"Critical reviews written in part as an attempt to pressure the record 
industry into abandoning further development of technically protected audio 
CDs are ethically suspect when based on inaccurate assumptions," says 
SunnComm - without stating what those assumptions are or in what way they are 
inaccurate.

Of course, legal action was a possibility Halderman was well aware of when he 
published his paper. "I hardly think that telling people to push shift 
constitutes trafficking in a (copy-protection technology) circumvention 
device," Halderman yesterday told US newswires. "I'm not very worried." ? 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/hdx9Ji2cv3XsiSARAlXRAJ9LVUIketgdFwfSayCGy6Ye1ZcfggCfdtuy
+5kZzRSgU+93h76pk92zWXY=
=tAPo
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ