Jump to content

Sony DRM on CD's

Rate this topic


disso

Recommended Posts

found this interesting article on boingboing.net

Sony DRM using Rootkits!

by Xavier Ashe at 04:02PM (CST) on October 31, 2005 | Permanent Link | Cosmos

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application...

Mark Russinovich goes into great detail on his on discovering this horrible truth. It looks like a company called First 4 Internet sells a technology called XCP. It's a DRM technology and they sold it to Sony. Let me be more specific: It's a rootkit whose purpose is DRM and Sony has already implemented it in CDs that are in stores now. This is a very bad approach and should be publicly shunned. Sony is probably unaware of the technical details of this software, but should be made aware. Put your person opinion aside about DRM for a second and look at the plain truth: Buy a CD with this technology and your system is modified on a kernel level without your permission. This extremely unethical software needs to be exposed for it really is. My hats off to Mark for taking the time to find out the real truth. Found on Boing Boing.

Thought it was interesting... md most probably uses a similar technology.

Link to comment
Share on other sites

^^^ Remember that Sony's Software and their entertainment divisions are two different things. I doubt SS and S-burner will do that crap.

However, this is the reverse of a person hacking a corporate server. It's illegal and wrong. Sony, how would you feel if I installed a data miner on your computers just because I suspect you *could* steal my ideas for a novel that I save to a Hi-MD in data mode? YOUR DRM ENDS WHERE MY FREEDOM BEGINS!

I'm sure Microsoft would like to have a word or two with you. Unless they get sold on the idea.

What a shame. A reputable company lowering itself to the levels of CoolWebSearch. I thought you had learned your lesson with Sonicstage. Seems not.

To any Sony personnel reading this: I know your media division puts impossible and draconian measures on your ideas, crippling your creativity. I don't hold anything against you. Otherwise we wouldn't have Hi-MD now with fair DRM application. But whoever is using this "guilty even when proven innocent" approach to protect their intellectual property, must be put to death. On the guillotine.

Ok. Kidding. A paddling will be enough. :P

Edited by Syrius
Link to comment
Share on other sites

A link:

http://www.sysinternals.com/blog/2005/10/s...tal-rights.html

The gory details.

Btw, Sony/BMGs behaviour is possibly illegal in Germany and would carry a serious monetary penalty or prison sentence.

Let's see, when the first virus uses the Sony-Rootkit to hide itself from a virus-scanner.

PS: I found it on the Heise-Newsticker, so now atleast one third of germans computerusers knows about that now.

Edited by jadeclaw
Link to comment
Share on other sites

Sony out did themselves on this one! As Russinovich notes: underhanded and sloppy. They don't deserve customers.

This is probably another good reason for running under a non-admin account. And if it don't run under non-admin; don't run it.

More information and instructions on how to uninstall here:

http://cp.sonybmg.com/xcp/

Edited by rirsa
Link to comment
Share on other sites

That sysinternals article made me shudder. Essentially Sony is providing a back door into the registry that a hacker could exploit to install malware that would be extremely hard to detect. And then they tried to cover their bases by changing the EULA after the fact. Wow.

If you read the posts that follow the article, you'll see lots of people talking about the laws that this breaks all over the world. I would be very surprised if litigation doesn't come out of it, and it's entirely possible that criminal proceedings will arise somewhere. There was already a poster on the sysinternals web site who appears to be an attorney asking for potential plaintiffs to come forward.

You can bet that we haven't heard the end of this, either.

I'm not trying to sensationalize anything, but IMHO this topic needs to be pinned. Anybody who buys CDs and plays them on their computer should read this. What Sony has done here is bad, bad wrong.

Strap

Link to comment
Share on other sites

XCP is truly evil. Early versions completely crashed a computer--newer ones simply refuse to play. I haven't seen any XCP discs sold commercially.

Sony/BMG is currently using "Copy Control"--the logo is a circle with a triangle enclosing a C--on its retail CDs. I believe it installs a special media player on Autorun (which I have disabled), and it won't simply play with Winamp. The disc I have includes OMG files for Sony music players--I don't know what bitrate--and WMA files. Isn't that nice: buy a CD and get lossy playback on your computer.

The free program called CDEx, which you can find here

http://cd-to-mp3.audiolaunch.com/cd-ripper/

can easily locate the .wav audio files on a Copy Control CD. But far be it from me to recommend using CDEx to copy the audio tracks as .wav files and then burning them to create a non-DRM CD, since that might violate the Digital Millennium Copyright Act. Definitely don't do that.

Link to comment
Share on other sites

From InfoWorld:

http://www.infoworld.com/article/05/11/02/...neakydrm_1.html

" Ironically, the invasiveness of the XCP software punishes users who pay for their music, said Fred von Lohmann, staff attorney with the Electronic Frontier Foundation, a digital rights advocacy organization based in San Francisco. "They are installing software in a way that makes it very difficult for you to know what was installed and makes it very difficult to uninstall it. And, worst of all, the software is not very well written," he said. "I think most computer users will find that to be very outrageous." Lawyers might also be interested in the software, von Lohmann said. The EFF attorney said a lawsuit was conceivable. "Sony is using a piece of your computer in a way that you didn't expect or authorize," he said. "Depending on how clearly this was disclosed, some consumers may be able to make an argument that this is actually an unauthorized intrusion," he said. "It's not beyond the realm of possibility that Sony BMG could be liable for this.""

Link to comment
Share on other sites

Thanks for the insight guys.

Looks like sony finally started feeling a little guilty about themselves... http://seattlepi.nwsource.com/business/170...Protection.html. Glad to see this story made it to main stream media, found this on google news australia this arvo.

It also made it to the front page of BBC news website today - full article at:

http://news.bbc.co.uk/2/hi/technology/4400148.stm

Link to comment
Share on other sites

Thanks for the info about the logo, jadeclaw. XCP has its own logo which sometimes appears on copy-protected CDs, so I was confused.

Everyone should disable Autorun on their CD player in Windows settings. There's just too much garbage out there.

Sony has posted a link that leads to a fix here:

http://updates.xcp-aurora.com/

And here's the doubletalk:

"This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

Not malicious and does not compromise security--yeah, right. I hope they are sued heavily and effectively.

Link to comment
Share on other sites

The article I read about this on BBC online indicates:

"About 20 titles are thought to be using the XCP software and in May 2005 Sony said more than two million discs had been shipped using the technology. XCP is just one of several anti-piracy systems Sony is trying..."

Has anyone yet discerned exactly which Sony BMG titles are thusly infected? I guess I'll have to investigate what my kids are buying and playing on *my* computers around here.

I hate (other) lawyers :rolleyes: , class-action lawsuits, and what they've done to our society and economy. I know this is wishful thinking, but in this case I hope Sony's conduct generates successful legal action. The article in the Inquirer cited above by jadeclaw is just devastating. It is just this kind of bullshit from Sony, and the support they and their ilk have bought themselves in Congress, that turns law-abiding folks into criminals or outright anarchists. Makes me want to go make 10,000 copies and stand on the corner of Times Square to give them away.

Link to comment
Share on other sites

I went through the hoops to try and uninstall the Sony garbage. That means going to this well-buried link:

http://cp.sonybmg.com/xcp/english/form9.html

Send an email, wait a day for a reply, use the link to an online uninstaller that only works in IE (but doesn't tell you that should you access it in Firefox).

And then, less than halfway through, it crashes IE and terminates the uninstall.

Sony all the way.

Maybe I'll try this when I have a lot of time.

http://www.sysinternals.com/blog/2005/10/s...tal-rights.html

Edited by A440
Link to comment
Share on other sites

My advice: Backup your data, flatten your windows installation - including repartitioning the HDD, then make a dual boot, Windows and Linux.

And get familiar with Linux.

Ubuntu is a very good, easy to use distribution.

I have degraded Windows to a runtime module for SonicStage to run on,

everything else is on the Linux side on my machine.

Oh, and I don't think, that the rootkit uninstaller was ever meant to be functional.

Link to comment
Share on other sites

Ok, time to push this thread up again.

First, there is more to this than previously known.

The included player software phones home everytime the CD is played.

Plus, the deinstaller patch can BSOD your MS-Windows session, resulting in possible loss of data.

Windows doesn't like it, when a piece of code is pulled out, while the CPU jumps into it.

Russinovich's update on this: http://www.sysinternals.com/blog/2005/11/m...decloaking.html

Found in the comments:

I smell a class action lawsuit in the making.

See here: http://www.classcounsel.com/

Look under Consumer Protection.

One of the First4Internet programmers asked for help on an open source programmers mailing list,

in exactly the area, which is finally covered by the rootkit:

http://66.249.93.104/search?q=cache:hDmbqX.../showThread.cfm

Do we need another proof of their incompetence?

Edited by jadeclaw
Link to comment
Share on other sites

More fallout for the Sony/BMG artists was brought to light by a UK-based PC web site which reports:

Get Right with the Man by Van Zant is currently wallowing under a one-and-half star rating on Amazon.com, based purely on negative user reviews of the copy-protection technology.

Here it is...160 reviews and 1.5 stars:

http://www.amazon.com/exec/obidos/tg/detai...=music&n=507846

I guess Van Zant is bearing the brunt of the negative feedback because their CD was specifically named.

Isn't that what the Brits would call "hard cheese"?

And for the heck of it, here is Amazon's definition of copy-protected CDs, which makes no mention of malicious software installing onto your computer and reporting back to Sony what disc you are playing, and what computer it is playing on:

Content/ Copy-Protected CD

This product limits your ability to make multiple digital copies of its content, and you will not be able to play this disc or make copies onto devices not listed as compatible. Content/ copy protected CDs should allow limited burning, as well as ripping into secure Windows Media Audio formats for playback with most compatible media players and portable devices. In rare cases, these CDs may not be compatible with computer CD-ROM players, DVD players, game consoles, or car CD stereos, and often are not transferable to other formats like MP3.

So, for grins I just sent Amazon the following from the Suggestion Box at the bottom of the CD's listing:

Amazon.com's definition of Content/ Copy-Protected CD is incomplete to the point of being potentially hazardous to millions of PC users, particularly as it relates to releases by Sony BMG and the numerous labels it owns. In light of the revelations made by Mark Russinovich in his most recent report:

http://www.sysinternals.com/blog/2005/11/m...decloaking.html

I believe that the copy protection scheme employed by Sony BMG, which surreptitiously installs harmful software on user's computers without full disclosure of its actions, is dangerous and might well violate the laws of many states and countries as they pertain to computer abuse. As such, I would ask Amazon.com to make a determination of whether these Sony BMG CDs violate Amazon.com's policy against "illegal items".

Naturally, the reply page indicates that they cannot respond individually to my suggestion. But I'm just feeling a tad bit better.

Edited by smkranz
Link to comment
Share on other sites

There are interesting comments collected from various sources on Bruce Schneier's Security Blog:

http://www.schneier.com/blog/archives/2005...cretly_i_1.html

If you follow the links you'll find a company collecting information in prepartion for a lawsuit but it looks like lawsuits might start appearing like daffoldils in spring (see McCullagh story on CNet):

http://www.classcounsel.com/

And just to add to the fun, Declan McCullagh on CNet (follow link on Schneier's Blog page) observes:

"In a bizarre twist, though, it's not only Sony that could be facing a legal migraine. So could anyone who tries to rid their computer of Sony's hidden anticopying program. That's because of Section 1201 of the Digital Millennium Copyright Act, which bans the "circumvention" of anticopying technology."

Also here's a a response from a Sony exec that just leaves one speechless (this comes from a news story on eWeek, see link below):

"Most people don't know what a rootkit is, so why should they care about it," Thomas Hesse, president of Sony BMG's global digital business, said in an interview with National Public Radio on Friday."

Elsewhere in the same eWeek story:

"CA is adding detection for the First 4 cloaking technology to an update of its PestPatrol anti-spyware product on Nov. 12, and will label the program a "rootkit," Curry said. Customers should be able to play Sony CDs using their preferred media player, not one dictated by the music company, Curry said. "Customers bought [music] content, not software …They're not bargaining on their $2,000 PC being turned into a media extension for their $20 CD," he said."

http://www.eweek.com/article2/0,1895,1883820,00.asp

Some serious legal analysis here:

http://blog.ericgoldman.org/archives/2005/...onys_drm_sp.htm

Edited by rirsa
Link to comment
Share on other sites

"Most people don't know what a rootkit is, so why should they care about it," Thomas Hesse, president of Sony BMG's global digital business, said in an interview with National Public Radio on Friday."

:OMG: That is the most irresponsible comment :mad: I have ever freaking heard! I don't want to trivialize the plight of people with AIDS but it is almost like saying "Most people don't know what AIDS is (back in the 80's), so why should they care about it,"

Link to comment
Share on other sites

Yup.

Aside from the blatant ineptitude displayed by Mr. Hesse in the NPR-interview,

a lot of what we hear from Sony-BMG and First4Internet could be attributed to the legal implications in this case.

Anything they say, can be used in a lawsuit against them, so they naturally dance around the issue.

Remember the SCO vs. IBM lawsuit?

Remember the loudmouthed CEO of SCO, Darl McBride?

Remember his publicity stunts?

That will come back soon and will bite SCO in a real nasty way.

Edited by jadeclaw
Link to comment
Share on other sites

More news:

First, Mark Russinovich reports about his experiences with the uninstaller.

Yes, it is nasty...

Sony’s Rootkit: First 4 Internet Responds

Looks like the First4Internet-Programmers cannot program their way out of a very soggy paperbag.

Second, the first trojan using the Sony rootkit has appeared in the wild:

http://news.bitdefender.com/NW193-en--Firs...M-Detected.html

And Sony-BMG still claims, it is no security risk. *BARF*

The trojan info: http://www.bitdefender.com/VIRUS-1000058-e...IRC.Snyd.A.html

Now things get ugly.

And even uglier: http://www.eff.org/deeplinks/archives/004145.php

Btw, EULAs like this are illegal in Germany.

Edited by jadeclaw
Link to comment
Share on other sites

Yup.

Aside from the blatant ineptitude displayed by Mr. Hesse in the NPR-interview,

a lot of what we hear from Sony-BMG and First4Internet could be attributed to the legal implications in this case.

Anything they say, can be used in a lawsuit against them, so they naturally dance around the issue.

Remember the SCO vs. IBM lawsuit?

Remember the loudmouthed CEO of SCO, Darl McBride?

Remember his publicity stunts?

That will come back soon and will bite SCO in a real nasty way.

Let's not go that far from home. Remember how Mr. Playstation himself, Kutaragi, got demoted because he didn't know how to keep quiet.

I hope Sony gets hit with the same sentence they'd ask for a hacker who did a similar job in their computers.

Link to comment
Share on other sites

Sony-BMG violating copyrights and distributing stolen software?

According to the dutch Magazine Webwereld, parts of the LGPL-licensed LAME-MP3 codec have found their way into the software, installed from the XCP-protected CD.

Despite the requirements set forth in the LGPL, Sony hasn't included the sources of the libraries used and hasn't informed the end user about the rights the LGPL provides.

By searching around, an unnamed individual found these strings: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 " from the version.c source inside the Sony software.

Also data structures from Lame's Tables.c are found back in the Go.exe application.

Looks like Sony-BMG has dug themselves into a real deep nasty hole.

For those able to read dutch, the original article is here:

Spyware Sony lijkt auteursrecht te schenden

Let's see, what kind of excuses we get now.

I hope Sony gets hit with the same sentence they'd ask for a hacker who did a similar job in their computers.

Possibly not. Rich people and corporations have better lawyers.

Edited by jadeclaw
Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
×
×
  • Create New...