Mr. Kevin M. Clement
President and Chief Executive Officer
MediaMax Technologies, Inc.
As you know, we have already discovered one security concern arising from the MediaMax software, resulting in the patch issued on Tuesday and the revised patch issued yesterday.
The Electronic Frontier Foundation (EFF) remains concerned that additional security flaws will be discovered in MediaMax software, in both version 5 and version 3. EFF isn't alone in this concern. Indeed, as Professor Ed Felten has noted, "Experience teaches that where there is one bug, there are probably others. That's doubly true where the basic design of the product is risky. I'd be surprised if there aren't more security bugs lurking in MediaMax." See http://www.freedom-to-tinker.com/?p=944.
While Sony BMG has taken some steps to address the security vulnerabilities in the MediaMax software, we are very concerned about consumers who purchase "MediaMax'd" CDs from labels other than Sony BMG, such as Cuban Link's "Chain Reaction" by Men of Business Records, Peter Cetera's "You Just Gotta Love Christmas" by Viastar Records or MediaMax'd releases on KOCH Records. Many of these consumers have not been notified of this security issue, and indeed may be unaware that they even have a security vulnerability.
To ensure that all affected consumers receive notice of the problem and to reduce the possibility that such problems will re-occur, we urge SunnComm International, Inc. and MediaMax Technology Corp. to promptly:
- Publish a list of every CD, regardless of label, that employs the MediaMax technology, including the version.
- Provide every other label using MediaMax with information about the vulnerability, and confirm this to EFF.
- Work with those labels to quickly and effectively resolve the security vulnerability.
- Publicly commit to ensuring that MediaMax software does not install when the user clicks "No."
- Publicly commit to including true uninstallers in all versions of MediaMax software.
- Publicly commit to providing all future MediaMax software to an independent security testing firm, and to the public release of the results of such tests.
We look forward to a prompt response affirming your intent to take the above steps and setting forth a timeline for their completion.
Staff Attorney, Electronic Frontier Foundation