Interview: Alex Halderman Upsets Copy Protection
By David Worthington | Published October 10, 2003, 8:14 PM
Alex Halderman, a Princeton graduate student, was threatened with a lawsuit on Thursday after he published a paper detailing a way to bypass copyright protection software.
Halderman prevented SunnComm's MediaMax CD-3 software from loading a driver necessary to protect content when a CD plays by simply holding down the "Shift" key on his keyboard. This simple act blocked Windows from loading the driver automatically.
In response, SunnComm threatened litigation against Halderman, alleging that his disclosure of industry secrets violated criminal provisions of the Digital Millennium Copyright Act. To shore up its case against Halderman, SunnComm claimed that his actions had cost it in excess of $10 million of its overall market value.
"SunnComm believes that by making erroneous assumptions in putting together his critical review of the MediaMax CD-3 technology, Halderman came to false conclusions concerning the robustness and efficacy of SunnComm's MediaMax technology," a spokesperson said in a statement.
SunnComm has since withdrawn its threat of litigation, which made international headlines, stating only that the damage has been done. The Electronic Frontier Foundation, an advocacy group opposed to the DMCA, vowed to defend Halderman from the charges and warn off any potential opposition to his research.
BetaNews sat down with Alex Halderman for his take on the events that unfolded over the past several days, which he found to be time-consuming, but rewarding.
BetaNews: What led you to tinker with SunnComm's copyright protection system?
Alex Halderman: I saw articles about MediaMax in various newspapers in the weeks leading up to the new album's release. Having studied other copy protected CDs in the past, I was curious how SunnComm's new technique worked, especially because the press reports indicated that it was "secure" and that it was more compatible with legitimate playback devices than earlier schemes. I bought a copy from Amazon.com, and the rest is in the report.
BetaNews: When you published your findings, did you expect this groundswell of media attention on your work?
Alex Halderman: I expected some people might be interested, including the reporters who wrote about the copy protection before the CD was released, but I never expected it to be international news.
BN: Were you concerned that the DMCA would hinder your research, or the free and open exchange of ideas on campus?
AH: The DMCA casts a shadow over many areas of practical security research, but I wasn't particularly worried in this case. I don't think the paper violates the DMCA.
BN: What role do organizations such as the EFF play in ensuring your freedom to continue experimenting with aligned technologies?
AH: The EFF should be commended for their work in opposition to the DMCA.
BN: Do you feel that pressing the "Shift" key in this method could be considered a criminal act?
AH: Of course not.
BN: Do you believe DRM-friendly services such as Napster 2.0 and the iTunes Music Store will truly clamp down on illicit file sharing?
AH: I think they have potential to convert many P2P users into paying customers, but only if they provide a better overall user experience than underground sources. If the Darknet idea is correct, tighter security will not accomplish this.
BN: Has the Compact Disc seen its heyday? Will electronic distribution render it obsolete?
AH: Devices that can play CDs outnumber PCs, probably by several fold. It will be a long time until the Compact Disc format goes away.
BN: Have the recording industry and its allies gone too far?
AH: I'm pleased to see that SunnComm has decided to drop their legal threats.
BN: Do you plan to continue looking into SunnComm's future product releases?
AH: I intend to research interesting practical applications of computer security.
BN: Thank you for your time, Alex.
What truly amazes me is that someone or some group actually valued that technology at $10 million. Hell, I'll develop something similar for one tenth of that price. Such a deal!
What's worse? Releasing that embarrassing 'protection', threatening litigation when someone exposes it, or valuing something so trivial for $10M? I'd really like the phone number of the VC of SunnComm. I have some great opportunities for them to invest in. ;)
Score: 0
This truly amazes me, as a QA tester I have my Autorun turned off on all my drives. This would have been the first thing I would have tried if I was looking for a way around it.
As a programmer I also think about how a user that has Autorun disabled is going to install the software package.
Then again when I go to a user's desktop, most would not know how to run a CD without Autorun.
Brilliant.
Score: 0
You need to understand how a Valuation is derived from a listed company. It's worth realizing that value in shares for companies like this are hugely dependent on press releases. I think it's great to have freedom of expression, but by going for the glory, (I'm sure it will help his job hunting) Alex has caused great harm to honest, good people across the globe who speculate on Markets and track public/commercial interests & trends. Granted the truth would have come out in the long run about a crap product. But Alex did lead to a quick & premature demise of estimated $23M that average everyday investors gambled on. I know one person who has lost a substantial amount. Their fault not Alex's... but in life one should think about the ramifications and unintended victims before one acts / and then decide if personal benefit outweighs harm onto others.
Score: 0
I wrote that on a whim and understand that I'm opening myself up for some hate-mail; yes, I was a bit sour-grapes. With a moment to reflect I say: It's only that I question whether Alex was trying to make the world a better place or trying to inflict harm (academic research or not, he knew what the implications were). One thing I've learned in life is investing in negative energy never really pays off.
Score: 0
That's a load of hooey. If the "valuation" was based on smoke and mirrors, then it deserves to evaporate, and exposing the emperor's nudity is a public service -- even if it causes some foolish investors to lose their money now instead of later.
Score: 0
Alex is not responsible for anything. He didn't do anything wrong. This is good for the company. A little embarrassment will ensure they turn out a better product in the future.
Pretty soon we will be sued by Microsoft for finding a bug and then sued by other companies claiming our discovery made them lose ten billion. Wake up people and take a look at what's going on. Too many ridiculous lawsuits... and companies claiming they LOSE money...that is crap. How, money falls out of their pocket? Spend it on escorts? They simply DON'T make the money they wanted. I can claim I've lost $x amount of money and blame it on anything. Companies come and go. I don't care if the music recording industry is suffering. If they collapse, a new company will rise. If you're not making the amount of money you would like, don't sue, and don't blame others. Improve your product, change your strategy.
Score: 0
Fine, I agree. But do you agree that Alex is no better than this evil company?
He either set out to Harm a company and any innocent people associated with it or to gain "glory" at the expense of others. Are either of these Honorable??
If he really wanted to help, there were numerous other paths he could have taken. I would like to think he was just naive, but looking at how bright this kid is.. I think it was pure malice. Someday soon he will probably cash in and develop a company that does us far greater disservice than SunnComm's bad product will.
Score: 0
My opinion is that Alex did the world a favor, and the sooner the better. When the world stops throwing money at stupid technology and starts putting it towards real technology, the strides that could be made will make people's heads spin. Maybe I'm a bit biased but for the last 10 years, I've seen a lot of good money thrown at many stupid ideas. I think it's up to the investors to do a lot more due diligence on what they're investing in. They deserve to lose this money if they didn't/couldn't realize how weak the technology actually was. Maybe someday that money will transfer to someone who will actually put it to good use, rather than just throwing it at something that has a lot of sizzle but no steak.
Score: 0
After replying to you above, I appreciate the fact that responses can be based on emotion. I don't think Alex did this with any malice but only Alex could answer that. If I were in his position, I would've likely done the same thing, not necessarily to hurt SunnComm but to just expose how weak the technology actually was. But then again, I might not have because I'm pretty lazy and tend to stay out of the spotlight. I rarely ever post here but this topic hits pretty close to home with me.
I don't think anyone can accurately predict what the implications are of posting information. A pessimist may assume the worst will happen and the whole world will want to sue him/her. I don't believe most people are pessimists, but then again, I'm an optimist. In this day and age, as someone else already said, any company can claim losses for any number of reasons and get litigation-happy. It seems to be the American way nowadays. Sue first, ask questions later. And why not, the RIAA is leading the way on that front. For some other companies, it's the quickest, easiest way to make money.
Score: 0
Posted by r&r
on October 15th, 2003 at 3:15PM ET
I think it's great to have freedom of expression, but by going for the glory, (I'm sure it will help his job hunting) Alex has caused great harm to honest, good people across the globe who speculate on Markets and track public/commercial interests & trends. . . . but in life one should think about the ramifications and unintended victims before one acts / and then decide if personal benefit outweighs harm onto others.
I have no pity for the people that speculate on this type of technology, and invest without having some type of knowledge on the subject. They deserve to get exactly what they got. Saying that Alex should think about the ramifications is like saying that Ford should keep quiet about a flaw in their cars if one exists. After all, there are a lot of investors that invest in Ford. We wouldn't want to hurt the investors. Maybe if we keep quiet no one will notice the mistake.
I think a better approach would be before you put a lot of money into something like this, get someone like Alex on your payroll, and get a professional opinion of the technology BEFORE you invest tons of money in something that is total crap.
As for Alex "set out to Harm a company and any innocent people associated with it or to gain "glory" at the expense of others.", I can see this being his sole reason for researching computer security:
Alex: 'thinking to himself' Hmmm. What can I do today? I got it!! Let's take a look at some new copy protection schemes (or scams in this case) and see if we can totally render it worthless thereby causing all the irresponsible investors to lose all their money that they have put into a technology that a 2 year old could have broken sooner or later. Yeah, that's a good idea.
Yeah, that sounds like some kind of a sane human thought to me.
Just my 2 cents worth.
MrElectro!
Score: 0
Instead of mindlessly filing a lawsuit, they should have thanked him for bringing up this flaw to their attention, unless they wanted Shift key to disable it on purpose. If that is the reason, a company shouldn't be allowed to release such a faulty product and complain that someone found a way to bypass it. Someone sooner or later would have stumbled on it by pure accident.
Pretty soon we'll be sued for finding a bug and reporting it.
Score: 0
Yes, exactly.. they need to invest some of that dough in a good PR manager.
Score: 0
no, you got it all wrong. if you know anything about autorun, then you'd know that it could be disabled by a mere pressing of Shift for a few seconds. i'm sure SunnComm was quite aware of this vulnerability, which is why they chose the words and phrases they did for their EULA and on how to run the CD. Alex didn't show them anything that they didn't already know from day 1, he just made it very quickly and very publicly and most likely cost them millions of dollars.
Score: 0
No I don't have it all wrong. I know how auto run works. That company has crappy software engineers. And they didn't lose 10 million. They just didn't make 10 million. Just like the recording industry is claiming losses of millions of dollars on mp3s. They're not making the money they would like. If I don't make 100 grand a year, I don't go claim that a competitor made me lose 100 grand.
Score: 0
I think you're onto something. I can claim those losses to the IRS and save myself a bundle in taxes.
Score: 0
Hey it's a free market.
If it's a good product with good service, people will buy.
It's obvious SunnComm did a half-ass job of developing and testing its application.
Maybe professional testers are bad for this kind of application, try some geeks or teenagers.
God this whole RIAA and all are on the wrong side.
They are persecuting customers, instead of finding more profitable ways to provide better quality or services.
Emulate Japan in some ways, they use all kinds of media, all over their country.
We should be innovative, not trying to maintain control, when control is such a fiction, a non-reality.
Score: 0
I for one would like to thank him for both releasing the method of bypass but particularly for having the courage to publish it.
However, may I once again take the opportunity of criticising those respondents who pass findings off as "oh so simple" and "anyone could do it". As is usual, I failed to see their findings which no doubt they released from their rock solid place in obscurity!
Score: 0
Probably one reason they dropped the lawsuit is that it's very embarrassing to publicly admit that you are installing an unwanted program on people's computers without informing them beforehand.
It seems to me that the very act of doing that could be illegal. It amounts to putting spyware on a computer and/or crippling it. That should not be done without providing users with some sort of license or consent form to agree to.
Score: 0
I was wondering about this myself. I mean, unless the user is somehow asked to agree to a EULA (and come on, most of us don't actually read those damned things anyway), this would be inhibiting the use of the computer. Also, I'm curious - is this permanent, or temporary? i.e. Once the CD is removed from the drive, does it unload the "driver"? Or does it remain resident after the disc is removed? Does it interfere with the ripping of other CDs, as well? These are all questions that I'd like answered.
Score: 0
So basically if I found a bug in Microsoft's OS (which there are many) and I publish a paper informing others about the BUG would MS sue me?
Score: 0
no
"SunnComm believes that by making erroneous assumptions in putting together his critical review of the MediaMax CD-3 technology, Halderman came to false conclusions concerning the robustness and efficacy of SunnComm's MediaMax technology,"
one reason they dropped it was because they KNEW his findings weren't 'erroneous assumptions' or 'false conclusions' but rather 100% true. they also knew they would lose the court battle =P
Score: 0
Why bother with the Shift key? Just turn off autorun completely.
Score: 0
As a documented part of the Windows operating system, holding down the Shift key prevents any AUTORUN.BAT file on a CD-Rom from executing. This code has been in Windows for a decade.
It's ludicrous to create a copy-protection system that relies on people not knowing this Windows functionality, then threatening litigation on someone who informs people of the feature. This is like suing someone who tells people that they can press the red button on their VCR to record DVDs.
I'd like to see SunnComm try to sue Microsoft for putting in the Shift-bypass code itself. This would be amusing, as it would be the first time a publisher tried to sue a company for distributing DRM-evasion technology before the DRM implementation was even invented.
Score: 0
Hehe; it doesn't take a brainer to figure out something like that. Just a little bit of computer savviness. But yeah; this just goes to show how lazy I. T. Personnel can get (those who developed the MediaMax "technology") if you don't pay em enough and motivate them with benefits :P
"Lazy" as in they did a poor job and probably noticed that you can disable the technology ever so easily.
Score: 0
ok, 1st, it is very difficult to create digital protection for CDs because they weren't designed to incorporate it. DVDs are a different story, won't even go there. but with CD's you have very limited options, there's not much else you can do to a CD to make it copyright protected besides hiring someone to watch the consumer at all times and make sure he doesn't rip the songs and share them over p2p etc.
it's not the programmers' fault, dammit. didn't any of you read his paper, or did you skip it and just read this article?
Score: 0
There is no possible way to protect people from copying CDs to somewhere else. It is simple fact. It is SunnComm's fault for putting something like this to public and claim that it works.
The worst yet, they tried to make money for something that doesn't really work. What has this world gone into anyways?
Score: 0
test
Score: 0