Tech Talk

[here]

FYI...

Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
- http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx
Published: December 13, 2005
"...This cumulative security update sets the kill bit for the First4Internet XCP uninstallation ActiveX control. For more information about this ActiveX control, visit the SONY BMG Web site. Older versions of this control have been found to contain a security vulnerability. To help protect customers who have this control installed, this update prevents older versions of this control from running in Internet Explorer. It does this by setting the kill bit for the older versions of this control that are no longer supported. This kill-bit is being set with the permission of the owner of the ActiveX control..."

 

[Sony BMG To Settle One Copy Protection Class-Action Lawsuit]

FYI...

Sony BMG To Settle One Copy Protection Class-Action Lawsuit
- http://www.techweb.com/article/printableArticle.jhtml?articleID=175701269&site_section=700028
December 29, 2005
"Lawyers working the class-action lawsuit against Sony BMG Music filed a proposed settlement with a federal court Wednesday that if approved, would force Sony to stop making copy-protected CDs, pay affected customers a small fee, and provide replacement discs and/or other albums. Several class action suits were filed in New York and California during November that claimed Sony's copy-protection technology, which had come under fire earlier in the month, damaged buyers' computers. On Dec. 1, the court consolidated about 10 pending class-action cases, and appointed two law firms, Girard Gibbs & de Bartolomeo of California, and Kamber & Associates of New York, to handle the combined suit. According to the settlement papers filed with the U.S. District Court, Southern District of New York, "the parties engaged in virtual round-the-clock settlement negotiations" through most of December. "The primary and overriding concern of the parties over the course of these lengthy, arms’-length negotiations was an effort to provide prompt relief to consumers affected by XCP and MediaMax software, in order to limit the risk that these consumers’ computers would be vulnerable to malicious software," the papers continued. Among the provisions of the settlement, Sony BMG would be barred from using XCP or MediaMax technologies to copy-protect its music CDs, will continue to update the uninstall utilities for removing the XCP and MediaMax copy-protection schemes, and will offer two different incentive programs to buyers of XCP-protected discs so that they return copy-protected CDs. Furthermore, until 2008, any copy protection scheme Sony BMG uses on its audio CDs must meet a slew of criteria, including ones which require that it get users' explicit permission before installing rights software, that uninstallers for the copy protection be available, and that a third party verify that the copy-protection technology doesn't present any security risk..."

 

[Microsoft, Yahoo, others sued by Softvault over DRM]

FYI...

Microsoft, Yahoo, others sued by Softvault over DRM
- http://www.theinquirer.net/?article=28990
15 January 2006
"SEPARATE CASES were filed against Microsoft, Yahoo and a spate of other tech firms in the US last week, alleging patents covering digital rights management (DRM) were breached by the firms. The main action is against Microsoft, filed in the Eastern District Court of Texas, and relates to US patent 6,249,868, a method and system for embedded, automated, component level control of computer systems and other complex systems.
The patent covers security components for a PC which can enable or disable systems using a remote server. Softvault alleges that products with the feature include Windows Server 2003, Windows XP, Microsoft Office XP, Access 2002, Excel 2002, Vision 2002, Visual Studio Net, Office 2000 SR-1, Project 2000 SR-1, Powerpoint, and many other products including Word. Softvault also claims Microsoft infringes patent 6,594,765, with a long list of Volish software alleged to breach that patent. Softvault wants damages, injunctions, fees, costs, and the like. The other case against Yahoo, Microsoft, Napster, Creative Labs, Dell, Gateway, Iriver, Samsung, Toshiba, Digital Networks, Palm, Audiovox, Sandisk and Thomson also relates to the 868 patent and the 765 patent... Softvault alleges that Microsoft supplies Windows Media Digital Rights Management (DRM) which breaches its patent, and Yahoo's Music Unlimited to Go uses this DRM and so infringes its patents. The other firms named in the suit also infringe Softvault's patents by using Microsoft DRM, it's alleged. Softvault wants the defendants to pay up after a jury trial. Softvault, according to its web page, here*, is a Washington based IP firm which explains that by using its tech a device breaching digital rights can be turned into a brick. And, as we all know, bricks make houses. And gold bricks make gold houses."
* http://www.softvault.com/pages/1/index.htm

Hmmm...

[Sony BMG "rootkit" still widespread]

FYI...

Sony BMG "rootkit" still widespread
- http://www.securityfocus.com/news/11369
2006-01-16
"...Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky used a different address used by the copy protection software to estimate that, a month later, 350,000 networks--many belonging to the military and government--contain computers affected by the software. "It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains... Kaminsky's research uses a feature of domain-name system (DNS) servers: The computers will tell whether an address has recently been looked up by the server. The security researcher worked from a list of 9 million domain-name servers, about 3 million of which are reachable by computers outside their networks. Kaminskly sent DNS requests to the 3 million systems, asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches. During his first survey, carried out over three days in mid-November, he found 568,000 DNS servers had previously been asked to look up three different server addresses used by the XCP software. Another 350,000 servers had to be thrown out from the data set because they did not obey commands to only look in their cache, and instead asked for information from other servers on the Internet. The most recent survey, which lasted between December 15 and December 23, he found 350,000 servers had the unique address in their caches. While other factors may increase or decrease the number, Kaminsky continues to stress that the experiment is about finding out the magnitude of the impact of Sony BMG's software..."

 

[Sony rootkit settlement finalized]

FYI...

Sony rootkit settlement finalized
- http://www.theregister.com/2006/05/23/sony_rootkit_settlement/
23 May 2006
"Federal courts have decided the penalty Sony BMG must suffer for exposing thousands of music fans' computers to hackers with dodgy DRM software last year. District court judge Naomi Reice Buchwald granted final approval for a settlement yesterday. Consumers will receive new malware and vulnerability-free CDs, a patch to remove the offending XCP or MediaMax code, and Sony will be dishing out free downloads. Electronic Frontier Foundation legal director Cindy Cohn said: "This settlement gets music fans what they thought they were buying in the first place: music that will play on all their electronic devices without installing sneaky software." Sony's pages about the settlement, including how to claim, are here*. The list of popular platters covered by the ruling is here**."

* http://www.sonybmgcdtechsettlement.com/

** http://www.sonybmgcdtechsettlement.com/CDList.htm

>>> http://www.eff.org/sony/