Topic: Computer security issues with Sony music CDs.

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13071
Computer security issues with Sony music CDs.
« on: November 10, 2005, 08:58:32 am »
I've been aware of this for a bit but was waiting for more information.  Now that a trojan has been released using the Sony software I felt it was mandatory to post a warning.  Sony CDs from as far back as April 2004 may have the security issues.  A number of lawsuits have begun around the world.

Link to first article quoted below

Red in the quote below is my highlighting, not the author's.

Quote
The parts that worry me are that they are putting uninstallable software that could have serious adverse effects on your system without notice or consent. They are doing this in the name of protecting their content, but for some reason I seem to be the last person on earth who seems to think their tendrils should not extend to places where my rights lie.

This is a very serious thing, if it happens to hose your machine when you try to get rid of it, tough luck. It is undocumented, and can cause problems, as it did to Mark, when you try to free yourself of it, and there is no tech support available that I could find. Oh yeah, it doesn't go away when you take the CD out either, it is there for the duration.

To make matters worse, to play your songs, you simply drop your legally purchased CD in your legally purchased computer, and you are infected with DRM, no choice in the matter. Imagine if you happen to do something as criminal as taking your legally purchased CD to work, where it conflicts with a piece of software. Who is responsible for the cleanup costs?


Link to article on trojan using the Sony installed DRM

Quote
The malware arrives attached in an email, which pretends to come from a reputable business magazine, asking the businessman to verify his/her "picture" to be used for the December issue. If the malicious payload contained in this email is executed then the Trojan installs an IRC backdoor on affected Windows systems.


3rd Article

Quote
If you look at the Sony rootkit, it does several things. It strips you of your rights, it potentially causes your computer harm, it breaks your computer if you remove it, and eats your CPU time. All of these things are bad, no question there. It also does the end user no good in any way, shape or form, not even by the most demented stretch of the imagination. It only hurts those who spent money to buy it.


Link to fourth article

Quote
WHICH SONY CDS have DRM implemented? One of our readers, after contacting Sony, was told that the DRM was first installed on Sony CDs since the 1st of April 2004.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline MrCue

  • Site Designer
  • Lt.
  • *
  • Posts: 977
  • Gender: Male
  • Proud Father
    • Battleclinic
Re: Computer security issues with Sony music CDs.
« Reply #1 on: November 10, 2005, 11:29:04 am »
And yet again it's the paying public NOT the pirates who get screwed.
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
« Last Edit: November 10, 2005, 11:39:05 am by MrCue »

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #2 on: November 10, 2005, 02:06:05 pm »
Quote
And yet again it's the paying public NOT the pirates who get screwed.

The standard rule of copy protection is that legitimate users and the company that uses it get screwed.  Pirates just bypass it.

This does give a good reason for disabling autoplay which I usually do.

Offline Commander Maxillius

  • You did NOT just shoot that green sh-t at me?!?
  • Lt. Commander
  • *
  • Posts: 2299
  • Gender: Female
Re: Computer security issues with Sony music CDs.
« Reply #3 on: November 11, 2005, 06:43:45 pm »
Just give the CD to someone with a Mac and have them burn a CD from iTunes for you ;D


I'd find it easy to boycott Sony considering the only Sony hardware I own is a pair of headphones.
I was never here, you were never here, this conversation never took place, and you most certainly did not see me.

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #4 on: November 11, 2005, 06:48:36 pm »
A Mac partition has been found on the CDs now.

Offline Commander Maxillius

Re: Computer security issues with Sony music CDs.
« Reply #5 on: November 11, 2005, 06:56:01 pm »
But what does it do?  I imagine it's much, much more difficult to cripple a Mac in that manner.

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #6 on: November 13, 2005, 07:26:22 am »
Quotes from -  Stewart Baker, recently appointed by President Bush as the Department of Homeland Security's assistant secretary for policy,

Quote
"I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples' [and] businesses' computers are secure. ... There's been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples' computers that even the system administrators can’t find."


Quote
"It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."


Hopefully the music, movie and software industry will get the point.

Link to source

Link to the Sony EULA

Offline Javora

  • America for Americans first.
  • Commander
  • *
  • Posts: 3005
  • Gender: Male
Re: Computer security issues with Sony music CDs.
« Reply #7 on: November 13, 2005, 07:35:20 am »
Quote
Quotes from -  Stewart Baker, recently appointed by President Bush as the Department of Homeland Security's assistant secretary for policy,

Quote
"I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples' [and] businesses' computers are secure. ... There's been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples' computers that even the system administrators can’t find."


Quote
"It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."


Hopefully the music, movie and software industry will get the point.

Link to source


Wow, and that is from a Republican administration, that is a surprise; they are usually a little more supportive of the RIAA/MPAA.  I found a couple of ways around the Sony DRM junk on the Internet, if anyone wants to make legal backups of their music send me a PM and I'll give you the information.

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Computer security issues with Sony music CDs.
« Reply #8 on: November 13, 2005, 07:42:22 am »
:hoppinmad:

Grrrr. This almost calls for retaliation. If I think that, then the less restrained are probably already attacking Sony servers.

Boycott Sony!  >:(

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #9 on: November 13, 2005, 07:56:40 am »
Quote
:hoppinmad:

Grrrr. This almost calls for retaliation. If I think that, then the less restrained are probably already attacking Sony servers.

Boycott Sony!  >:(

I wouldn't condone attacking the Sony servers though I do understand the temptation.  On the other hand going into stores buying Sony music CDs and rejecting the EULA followed by returning them to the store for a refund with an explanation might put more direct and legal pressure on Sony if every music store in the world has a rash of that followed by a Sony boycott.

Note: I just did a quick look at the Sony EULA.  Using the search function of Firefox I could not find anything that allows you to return the CD for a refund if you reject the EULA.

Quote
Article 8.  UPDATES TO THE LICENSED MATERIALS

The SONY BMG PARTIES may from time to time provide you with updates of the SOFTWARE in a manner that the SONY BMG PARTIES deem to be appropriate.  All such updates shall be deemed to be part of the SOFTWARE for all purposes hereunder.  In the event that you fail to install an update, the SONY BMG PARTIES reserve the right to terminate the term of this EULA, along with your rights to use the LICENSED MATERIALS, immediately, without additional notice to you.  The SONY BMG PARTIES shall not be liable for any loss or damage caused by reason of your failure to install any such update or your failure to do so in the manner instructed.

You can't refuse updates (without losing the rights to use the CD) once you agree to the EULA.  I originally stopped using IE because an update to IE made it impossible for me to access the internet.  Without the right to refuse updates you can't handle problems caused by the update.

Quote
Article 6.  LIMITATION OF LIABILITY

NO SONY BMG PARTY SHALL BE LIABLE FOR ANY LOSS OR DAMAGE, EITHER DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR OTHERWISE, ARISING OUT OF THE BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, TERM OR CONDITION, BREACH OF CONTRACT, NEGLIGENCE, STRICT LIABILITY MISREPRESENTATION, FAILURE OF ANY REMEDY TO ACHIEVE ITS ESSENTIAL PURPOSE OR ANY OTHER LEGAL THEORY ARISING OUT OF, OR RELATED TO, THIS EULA OR YOUR USE OF ANY OF THE LICENSED MATERIALS (SUCH DAMAGES INCLUDE, BUT ARE NOT LIMITED TO, LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF USE OF THE PRODUCT OR ANY ASSOCIATED EQUIPMENT, DOWN TIME AND USER’S TIME), EVEN IF THE SONY BMG PARTY CONCERNED HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.  IN ANY CASE, THE ENTIRE LIABILITY OF THE SONY BMG PARTIES, COLLECTIVELY, UNDER THE PROVISIONS OF THIS EULA SHALL BE LIMITED TO FIVE US DOLLARS (US $5.00).  SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CERTAIN INSTANCES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.  THIS ARTICLE WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING DISCLAIMER, EXCLUSION AND LIMITATION.

I so love the way companies accept the consequences of their actions and try to make good on their foul ups.

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #10 on: November 13, 2005, 03:58:50 pm »
A small update:

Link to full article

Quote
It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.

This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.


To be fair to Sony this "utility" was produced for them by another company and Sony may not have been aware of the violation and may not be responsible for it.

Quote
This discovery can have far-stretching consequences for the music giant, who claims only to protect copyrights. Previously, judges in Germany already forced various companies to release source code to the public and to deliver the goods necessary for compiling. It is also possible to demand financial compensation for damages.


It is however somewhat amusing that a DRM "tool" that is used to protect Sony's copyrights is (apparently) being made by violating the copyrights of others.

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #11 on: November 13, 2005, 04:23:22 pm »
Another facet of the situation is revealed.

Link to article

Quote
Consumers and their attorneys are not the only ones miffed at Sony BMG's tactics. One label distributed by the media giant, ATO Records, said its artists and customers have complained about the surreptitious software installation and stressed that it never agreed that the media giant could put copy protection on its CDs. Currently, the company is not considering legal action, said a spokesperson, who asked not to be named.

"Our artists and our customers are pretty upset, but we are in talks with Sony BMG about this issue," the spokesperson said. "We are not pursuing any legal avenues yet."


It appears that Sony is acting as publisher for other companies and adding the DRM to those CDs without agreement.  Of course it is also possible that the other companies knew and approved but are trying to let Sony take the fall alone.

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #12 on: November 13, 2005, 06:13:39 pm »
A blog has now been set up specifically to follow this issue.

Link

Offline Javora

Re: Computer security issues with Sony music CDs.
« Reply #13 on: November 14, 2005, 09:09:35 pm »
Looks like Microsoft is fed up with this as well:

http://www.pcpro.co.uk/news/79781/microsoft-declares-war-on-sony-drm.html

Quote
Microsoft declares war on Sony DRM 10:53AM
Microsoft plans to issue detection and removal signatures to Sony's controversial DRM code through its anti spyware software programme. The software has been heavily criticised for using techniques more associated with hackers rather than corporate giants.

Declaring war on the rootkit in the company's malware blog, Jason Garms, Architect & Group PM of the Anti-Malware Technology Team, said that Microsoft regards the Sony DRM as malicious code and planned to treat it as such.

According to Garms, Redmond's position on the Sony rootkit DRM could not be any clearer. Microsoft will add a detection and removal signature for the rootkit component of the XCP software to the current Windows AntiSpyware beta. This signature will be provided to the millions of AntiSpyware users through the normal weekly Windows signature update process.

The Microsoft malware team has gone further and said that the detection and removal of this rootkit component will also appear in Windows Defender - the new version of AntiSpyware when the first public beta becomes available.

Microsoft will also include this signature in the December monthly update to the Malicious Software Removal Tool. Furthermore, it will be included in the signature set for the online scanner on Windows Live Safety Centre.

In other words, Microsoft will do everything in its power to prevent the DRM software working on PCs.

Microsoft's announcement came 24 hours after Sony declared that it was 'suspending' the production of CDs with the rootkit DRM installed. Quite where this leaves the Sony DRM is unclear although the Microsoft move seems to have killed the copy protection dead at least in its present form.

This is the second time in as many months that Microsoft has taken issue with Sony over DRM. In late September Microsoft criticised the Sony backed Blu Ray next generation DVD format for inflexibility over its DRM. This latest spat is unlikely to endear the two giants to each other, already locked in a war over the future domination of the gaming console market.

Steve Malone


Offline Bonk

Re: Computer security issues with Sony music CDs.
« Reply #14 on: November 15, 2005, 09:57:01 am »
Good to know, I'll be updating my MS antispyware...

More dirt:
http://hack.fi/~muzzy/sony-drm/
Possible LGPL violation... Have they no respect? I'm tempted to smash my Sony TV...

Offline Nemesis

Re: Computer security issues with Sony music CDs.
« Reply #15 on: November 15, 2005, 06:28:33 pm »
Another and different Sony spyware issue.

Link to full article

Quote
What few people realize is that Sony uses another copy protection program, SunnComm’s MediaMax, on other discs in their catalog, and that this system presumably is not included in the moratorium. Though MediaMax doesn’t resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware.

Offline Nemesis

Link to full list of Sony CDs with the DRM installed.
« Reply #16 on: November 20, 2005, 12:23:13 pm »
Link to full list of Sony CDs with the DRM installed.

52 CDs on the list.

Offline E_Look

  • Grand High Scribe
  • Captain
  • *
  • Posts: 6446
Re: Computer security issues with Sony music CDs.
« Reply #17 on: November 20, 2005, 08:47:14 pm »
Awful!  Dexter Gordon and Gerry Mulligan are on the list!

But at least SONY has reconsidered and is going to release clean versions.

Offline Dracho

  • Global Moderator
  • Rear Admiral
  • *
  • Posts: 18289
  • Gender: Male
Re: Computer security issues with Sony music CDs.
« Reply #18 on: November 21, 2005, 03:56:40 pm »
AUSTIN, Texas (AP) - The state sued Sony BMG Music Entertainment on Monday under its new anti-spyware law, saying anti-piracy technology the company slipped into music CDs leaves computers vulnerable to hackers.

The lawsuit is over the so-called XCP technology that Sony had added to more than 50 CDs to restrict to three the number of times a single disc could be copied.

After a storm of criticism, Sony recalled the discs last week.

Without asking users, the CD automatically installed the copy-protection program when discs were loaded into a PC - a necessary step for transferring music to iPods and other portable music players.

Attorney General Greg Abbott accused Sony BMG of surreptitiously installing "spyware" in the form of files that mask other files Sony installed as part of XCP.

This "cloaking" component can leave computers vulnerable to viruses and other security problems, Abbott said, echoing the findings of computer security researchers.

"People buy these CDs to listen to music," Abbott said. "What they don't bargain for is the consumer invasion that is unleashed by Sony BMG."

Security researchers say XCP is spyware because it secretly transmits details about what music the PC is playing. Manual attempts to remove the software, which works only on Windows PCs, can disable the PC's optical drive.

Sony executives have rejected the description of their technology as spyware. A spokesman for the New York-based label did not immediately return a telephone call seeking comment on Abbott's lawsuit.

Sony BMG initially rejected the uproar over XCP as technobabble.

But after security experts discovered that XCP opened gaping security holes in users' computers - as did the method Sony BMG offered for removing XCP - Sony BMG agreed last week to recall the discs.

Some 4.7 million had been made and 2.1 million sold. CDs that had XCP included releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.

The Texas spyware law allows the state to recover damages of up to $100,000 in damages for each violation. Abbott said there were thousands of violations, and that any money would go to the state.

http://apnews.myway.com/article/20051121/D8E11QVG0.html
The worst enemy of a good plan is the dream of a perfect plan.  - Karl von Clausewitz

Offline Javora

Re: Computer security issues with Sony music CDs.
« Reply #19 on: November 21, 2005, 04:00:52 pm »
I don't have much time to comment but I thought you all would find these links amusing:

Texas sues Sony over copy-protected CD's


Open source spotted in Sony/BMG copy-protected CD's


RIAA chief defends Sony Rootkits

Boy this story just gets better and better doesn't it.   ::)   :D


Edit:  I just saw Dracho's post, I'm going to leave the link since they are different sources.