Foster, Student to Be Sued for Reporting Security Flaw, CHE 10-10-03

Chronicle of Higher Education, Friday, October 10, 2003
http://chronicle.com/prm/daily/2003/10/2003101001t.htm
Maker of CD-Encryption Software Says It Will Sue Student Who Reported Security Flaw
By ANDREA L. FOSTER
SunnComm Technologies Inc. said on Thursday that it plans to sue a Princeton University graduate student, and possibly the university itself, because the student issued a report saying that anyone can easily defeat software the company designed to thwart music piracy.

The graduate student, John Alex Halderman, is studying computer science. He says he discovered the security weakness by testing SunnComm's MediaMax CD-3 technology on a music disk, Comin' From Where I'm From, by the R&B artist Anthony Hamilton.

Mr. Halderman says consumers can defeat the MediaMax copyright-protection technology simply by holding down the shift key for a few seconds after inserting a CD into a computer that runs Microsoft's Windows operating system. This disables the Windows "autorun" feature, which starts up SunnComm's encryption software, he says.

"I find that the protections may have no effect on a large fraction of deployed PCs," he says on his Princeton Web site, "and that most users who would be affected can bypass the system entirely by holding the shift key every time they insert the CD."

David L. Kahn, a Los Angeles lawyer representing SunnComm, said on Thursday that the company plans to file a lawsuit against Mr. Halderman, although he did not say when. He said Mr. Halderman had violated a provision of the Digital Millennium Copyright Act that makes it illegal to bypass a technology designed to limit the copying of electronic material.

Asked if Princeton would be a defendant in the lawsuit, Mr. Kahn replied, "We are evaluating that as one of the options."

A news release issued by SunnComm says that Mr. Halderman made "erroneous assumptions" in reviewing MediaMax, which led to "false conclusions concerning the robustness and efficacy" of MediaMax.

"Halderman and Princeton University have significantly damaged SunnComm's reputation and caused the market value of SunnComm to drop by more than $10-million," the release says.

It continues with a comment from Peter Jacobs, chief executive officer of SunnComm. "This cat-and-mouse game that hackers and others like to play with owners of digital property is over," he says. "No matter what their credentials or rationale, it is wrong to use one's knowledge and the cover of academia to facilitate piracy and theft of digital property."

Mr. Halderman could not be reached.