Dear EMI: Please Let Security Researchers Protect You From A Rootkit Fiasco
from the an-open-letter dept
Following the huge mess involving both of the copy protection systems Sony BMG uses on CDs having serious security vulnerabilities, it’s about time that people started paying attention to the other record labels as well. For some reason, Universal Music has gotten away unscathed, despite having a deal in place with First4Internet, the makers of the terribly flawed XCP rootkit copy protection that kicked off this whole story. Now, some are starting to look at EMI, but have realized that the DMCA does create something of a “chilling effect,” as security researchers can be accused of breaking the law for investigating the copy protection. This situation is made worse by the fact that malicious hackers now know that copy protection schemes are a fertile area to mine for possible vulnerabilities. So, the EFF has put together an open letter to EMI, asking them to publicly state that they won’t go after security researchers who discover security holes in the Macrovision copy protection EMI has been using. While we wait for their answer (which we get the feeling may take a while), can someone please explain why the EFF insists on putting content like that in PDF format, rather than making an HTML version as well?
Comments on “Dear EMI: Please Let Security Researchers Protect You From A Rootkit Fiasco”
Maybe
they fear someone changing what they write? PDF cannot be changed, whereas the HTML could be hacked?
Re: Maybe
PDF can’t be hacked? Puhleeez.
Re: Maybe
I guess clicking “Export PDF” in OpenOffice Writer is that much easier than making a freaking web page that annoys 95% less people.
Re: Re: Maybe (The Remix) ft. Notorious ZO-M-G
I think it’s because, for some odd reason, corporate people have it in their head that pdf is the cat’s whiskers. When most sane people realize that is only the case when it’s a huge freaking chunk of data.
I was talking to my boss’ boss earlier today (small talk) and he brought up how he wished we could all work in nothing but pdf’s. I explained to him the cons of that and why pdf isn’t good for everything. I’m still working here so that’s a good sign 😀 Just goes to show that some people think pdf is the new html.
Re: Maybe
Maybe they ripped a DRM unprotected version from an Adobe CD.
PDF = Control (Perceived)
To most people PDF = Control. Oh yeah and it’s easier.
So to recap: Lazy control freaks like PDF
That’s why lots of managers like it!
Re: PDF = Control (Perceived)
To most people PDF = Control.
Yeah, but you would think, of anyone, the EFF would recognize how silly that idea is.
Re: PDF = Control (Perceived)
My father is the manager of an architect business, and he insists that all the documents are in pdf. Now that we are on a vacation at Lake Tahoe and he is doing work from his laptop via emailed documents and files from his employees, with incredibly slow (48 kbs) internet access with no printer, he realizes how dumb of an idea it was to require pdf files. It takes him about half an hour to load one, and he can’t even work on it! He had to send an email out to all his staff telling them no more pdf’s. I guess one of his staff had explained all this to him beforehand, and my father cut his pay and almost fired him for “Opposing company policy”.
pdf
It’s cause PDF loads up so much better and faster and looks So much better….
Hang on while I stop gagging myself.
On a side note, does anyone know why Adobe is hell bent on making the reader slower and slooower to load with every new version?
I have a good question...
Why the heck hasn’t the British Government started a serious criminal investigation of First4Internet? Why haven’t any states here taken them to court? It is possible to take foreign companies to court, but it takes a lot of paperwork and diplomatic hoop-jumping to do it. I hear all this stuff about boycotting Sony and rebelling against companies using DRM but what about going after the jerks who developed XCP in the first place? I haven’t heard a thing about going after them at all despite the fact that it’s been confirmed that they stole Open Source code to make it.
Re: I have a good question...
Because First4Internet merely developed the software. It was Sony BMG that implemented the software. It’s like suing gun manufacturers for murder or automotive manufacturers for vehicular homicide.
Re: Re: I have a good question...
I disagree with the analogy. Guns can be used for many other things aside from killing people. First4Internet developed this software with a rootkit built in ON PURPOSE. The purpose of a gun is not necessarily illegal (the end user makes that choice), while the rootkit is illegal (and the end user has no choice).
Sony still deserves some blame for not investigating First4Internet before they decided to distribute their software, but First4Internet should still be liable.
Re: Re: Re: I have a good question...
Yes, the real people who we need to go after are the makers of this crappy software. Do you think the Sony execs who decided to go to XCP (I think that’s the company’s name) had any clue what a rootkit was? Or that XCP even told ANYONE at Sony how their software worked? No, they probably just released some “fact” sheet that advertised only the good things.
I guess you can blame Sony for not acting sooner and not really trying very hard in the beginning of this thing.
PDF vs HTML
With the PDF, we can see exactly what EMI sees in the letter, formatting, letterhead and all, within the limits of our monitors. There is no reliable way to do this in HTML other than embedding a graphic in the page, with the usual problems with lower-resolution screens. Every PDF reader I’ve ever used starts up with the document scaled to fit the screen/window.