Sony Music Audio CD Anti-Piracy Software Triggers Uproar

Marc

Fully vaccinated are you?
Leader
From WAPO:
Study of Sony Anti-Piracy Software Triggers Uproar
File-Hiding Technique Alarms Security Researchers; Developer Offers Patch

By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, November 2, 2005; 6:50 PM

Irate music fans who posted to dozens of online blogs vowing to never again buy Sony CDs as long as the company keeps using a suddenly beleaguered anti-piracy software program may find that their outbursts have been partially rewarded today.

On the heels of the Internet uproar over security concerns with its copyright-protection measures, the company that developed the software for recording-industry giant Sony BMG Music Entertainment says it is providing computer users with a "patch file" that will mitigate some of the features that alarmed security researchers when they were discovered earlier this week -- especially the program's built-in ability to hide files on the user's system.

Privacy and security experts charged that the technology built into many of Sony's music CDs since March is unnecessarily invasive and exposes users to threats from hackers and virus writers.

"Here you have one of the biggest name-brand corporations on the planet getting into what many people in other circumstances would consider hacking," said Richard Smith, a security and privacy consultant based in Boston. "That's just not acceptable."

Earlier this week, computer security researcher Mark Russinovich published an analysis showing that some new Sony CDs install software that not only limits the copying of music on the discs, but also employs programming techniques normally associated with computer viruses to hide from users and prevent them from removing the software.

Russinovich's findings -- posted on the Web site ( http://www.sysinternals.com ) that he runs with another researcher -- indicated that the CDs in question use software techniques that behave similarly to "rootkits," software tools that hackers can use to maintain control over a computer system once they have broken in.

He found that traditional methods of uninstalling the program would not work, and that attempts at removing it corrupted the files needed to operate his computer's CD player, rendering it useless.

Sony spokesman John McKay said the technology has been deployed on just 20 titles so far, but that the company may include it on additional titles in the months ahead.

The music industry is aggressively defending its works from Internet and other forms of piracy, going so far as to sue individuals alleged to be trading large numbers of song titles online. The industry loses roughly $4.2 billion worldwide to piracy each year, according to the Recording Industry Association of America.

Russinovich discovered that the techniques employed by the Sony program to conceal its files from the user and to make them harder to remove could also be used by virus writers and hackers to hide malicious files on any computer running the anti-piracy program.

In response to criticisms that intruders could take such advantage, First4Internet Ltd. -- the British company that developed the software -- will make available on its Web site a software patch that should remove its ability to hide files, chief executive Mathew Gilliat-Smith said.

Russinovich called the offer of a patch "backpedaling and damage control in the face of a public-relations nightmare" and emphasized that users who try to remove the files manually after applying the fix will still ruin their CD-ROM drives.

Sony's move is the latest effort by the entertainment companies to rely on controversial "digital rights management" (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks like Kazaa and Limewire.

DRM technologies by their very nature need to be secretive, according to Peter Ullman, a partner with Woodcock Washburn, a Philadelphia law firm that specializes in intellectual property matters.

"If the software is put there to protect valuable content from being misused, then the software has to be able to protect itself from being subverted, so the companies that produce this security technology tend not to want to publicize how their technology works," Ullman said.

At issue is whether Sony has provided customers with adequate notice about what they can expect when installing the software, said Ari Schwartz, deputy director of the Washington-based Center for Democracy and Technology.

"Sony needs to be more transparent in how and what they're installing so that consumers can make informed decisions," Schwartz said.

Windows users cannot listen to tracks on the CD without agreeing to install the anti-piracy program, which merely advises that "it will install a small proprietary software program" that will remain there "until removed or deleted."

But according to Mikko Hypponen, director of research for Finnish antivirus company F-Secure Corp., users who want to remove the program may not do so directly, but must fill out a form on Sony's Web site, download additional software, wait for a phone call from a technical support specialist, and then download and install yet another program that removes the files.

Hypponen agreed that Sony's software could help hackers circumvent most antivirus products on the market today. He added that installing the Sony program on a machine running Windows Vista -- the beta version of the next iteration of Microsoft Windows -- "breaks the operating system spectacularly."

While the anti-piracy software allows consumers to make a limited number of additional copy-protected discs, it also imposes compatibility and portability constraints. Users of Apple Inc.'s iPod -- the dominant portable media player on the market -- have no way of transferring tracks from protected Sony CDs to their device, since Apple has not yet licensed its own DRM technology for use with copy-protected discs.

"We're still in this new digital era where the entertainment industry wants to protect ... their content, without due consideration of the consumer's right to use that content in a fair way," Russinovich said. "We need to have an open discussion as to where we should draw the line."

David Eisner, a blogger and software developer at the University of Maryland's Computer Aided Life Cycle Engineering Center, believes the record label's actions will ultimately backfire and drive otherwise legitimate customers to download pirated music from the online file-sharing networks.

"The people they're trying to stop from stealing their music are always going to find a way around these types of technologies," Eisner said. "Sony is just hurting people who obtain their products legally, and many of these same people are now going to think twice about doing so."
 

Marc

From The Inquirer:
Sony DRM is worse than you might think

By Charlie Demerjian: Thursday 03 November 2005, 09:40

SONY SCREWED UP WITH its rights removal to protect its profit margins philosophy and there is no way the use of rootkits can be justified.

Caught with its pants down, what did it do? Make things right? Heck no, it blamed the user, and doesn't do anything more than window dressing to deflect what are valid criticisms.

If you read the Sony PR spin masquerading as a FAQ, the tepid responses it gives are laughable. Number one states that the technology is used to prevent copying, but that is true for only Windows boxes, so why the discrimination? It only affects legitimate users. If you want to copy the music, all you need to do is hold down the shift key when inserting it and you are free to copy. That or have a non-Windows computer.

To make matters worse, a cursory check of the file trading networks shows that the Van Zant album is available for download on a whim. The pirates who don't want to pay will have no trouble getting it, but those who abide by the law will get punished. Also, if you look at FAQ Number 4 under equipment compatibility, it cuts iPod users out of the mix. Hmm, Sony only sells Windows based computers, and sells a competitor to the iPod. Sense a conflict of interest there that you are paying for?

So to Number 2. "How do I know if a Sony/BMG disc is" DRM infected? It says it is clearly marked on the label, and yup, it's right, it is. I went over to Best Buy tonight and found it on the label plain and clear. There was also absolutely no listing of rootkits being forcibly installed on your PC, and not being uninstallable, however.

There was no warning that you had to play it through their player, or that it would spit out the disc if you had programs open that it did not like. If you don't like these terms and rights removals, and you try to return it, those few places that will take back open recordings tend to charge a restock fee. In the case of Best Buy tonight, it is 15%, I asked. I don't think Sony will refund you that money.

Number four tells you to consult the EULA when you want to copy the disc. Which madhouse did we step into that now means a CD needs a EULA? I stopped buying CDs so I wouldn't have to give money to rapacious weasels years ago, and none of the CDs I own have a EULA on them. It is madness. So, at Best Buy tonight, I tried to consult the EULA before I bought the Van Zant CD.

It wasn't on the CD package, not on the shelves nearby, and the blue shirted aisle trolls had no idea what I was talking about. No, they could not provide me with one, I did ask though. So, if you are dumb enough to buy a Sony CD, and don't want to rootkit your machine, you can't find out beforehand, have to agree to a one sided contract that you can't read before you say yes, and can't get your money back. Wonderful, thank you Sony.

The last part of the FAQ is Number 6, which claims that its CDs are not spyware/malware infected. The prefix 'mal-' according to Merriam-Webster means 1) bad 2) abnormal 3) inadequate. -ware is short for software. This means malware is defined as bad software.

If you look at the Sony rootkit, it does several things. It strips you of your rights, it potentially causes your computer harm, it breaks your computer if you remove it, and eats your CPU time. All of these things are bad, no question there. It also does the end user no good in any way, shape or form, not even by the most demented stretch of the imagination. It only hurts those who spent money to buy it.

It does Sony no good either because the files are rippable on a whim by anything more intelligent than a half-drunk monkey. So, you have software that does you flat out harm, and no good for the producer. What isn't malware about this, and how can Sony claim this? This is the service pack from ****.

If you want to look at this another way, take a different example. Imagine that you walked up to a person that you know and said: "Hey friend, check out this new cool CD I made". He drops it in his computer, and without his permission, it installs a rootkit on his machine. Good joke, right?

Say you want to remove the Sony stuff. According to no less a source than The Washington Post, the bare minimum you have to do to remove the rootkitted DRM infection is give up your privacy. If you go to the Sony page you have to give Sony your email at the very least, and according to the WP story, Sony then grills you about your reasons for not liking being rootkitted.

So, if you want to remove it, go here and click the link. Don't use Firefox though, it won't work, it's Internet Explorer only. If you are concerned enough about security, you probably know enough not to use IE. Once again, brilliant Sony, just brilliant.

The funniest part is that you don't actually remove the software with this tool, only make it visible, and you are still infected up and down with DRM. Should you be lucid enough to realise that you don't want this crap within a few miles of your system, you have to go through the grilling process above. Want to make it seem even more surreal? If you remove the malware and DRM infection, you can't play the CD anymore. Nope, the money you spent on Sony products is gone. Mal-way or the highway.

If you try to remove it yourself, you risk breaking your optical discs, or it kills them for you. Mark from Sysinternals is more than smart enough to figure out how to fix this, but are you? Off the top of your head, how do you do that again, no looking it up? To make matters worse, it installs itself so it runs in safe mode, and if it conflicts with something, you are really hosed. Sony's response? "This component is not malicious and does not compromise security." There are already exploits out there that take advantage of this.

Sony compromised your system and will not directly allow you to remove it without compromising your privacy. It also will not replace your defective CDs with non-infected ones. If you hose your computer or network with this infection, and want to play your music, do not pass go, do not collect $200. Really, it won't help customers who simply don't want this, read #3 in the FAQ.

Sony is generously working with anti-virus companies on this. Now, this means to deal with the problem, you have to know it's there, and that's kind of hard because the malware rootkit that Sony infects you with is designed to prevent this.

Now, let's just pretend we don't realise that the antivirus companies themselves are not complicit. If you want to mass-rootkit people, just ask Symantec beforehand. Look at what Cnet had to say about it. "The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case." But there are active exploits already, as we pointed out earlier.

All this makes you wonder a lot about Microsoft's upcoming security software, doesn't it?

So, rather than come clean, Sony minimises the problem, blames the user, and refuses to help you out. If you have CDs infected with this rootkit and DRM, Sony has to replace them. They are, flat out, a danger to computing. Don't believe me? Look at that Washington Post article again. The head of F-Secure says that the Sony malware, when running on Windows Vista "breaks the operating system spectacularly". Nope, that can't be right, just ask Sony, because it said so in the FAQ. It won't fix the problem, they won't let you work around it legally and still listen to the music you paid for, and won't help you.

As of four hours ago, these things were still on the shelf at Best Buy.

To end on an up note, just think about these two things. What you are seeing is the light and happy side of rights removing DRM infections. There is a bill going through congress to remove more of your rights. Yes, they can't control the analogue hole, and can't legally force you to bow to them, so they are buying government to change the laws and accomplish both goals. No good will come to the end user because of this, but it sure will make a lot of people rich.

More happy news? These merchants are designing the next generation drives called Blu-Ray with much more DRM built into the hardware. It is bad enough to make me back the views of Bill Gates on the subject with absolute open arms. These are scary times people, and if we let Sony get away with this now, it will only get worse and harder to stop later.
 
wmarhel

Sometime in the next 2-3 weeks there will be a "work-around" for this sort of nonsense.

Fortunately, I'm still using Windows 2000 and won't be migrating to the next generation of Windows anytime in the foreseeable future. To me this seems to be an even bigger problem with the growing number of wireless networks. Little Johnny has his own system which is connected by wireless to his Dad's that just so happens to have all the financial information for the family and their business.

From a hacker's standpoint, controlling root-access is like Moses being able to part the Red Sea. It is power. Many of the older virii would use the "dot.dot" method to work into the root directory.

Record companies, and musicians, really need to understand that if they keep putting out "crap" people will only be more likely to keep pirating the good stuff. Where is the incentive for a teenager with limited funds to spend $12-14 on a 12 track CD when only two of the songs are even wanted? Most of the people out there sharing music aren't sharing the entire albums, just the one or two songs that are half-way decent.

Let Sony and the rest of the recording industry spend their millions of dollars to protect their material, only to have a group of people with too much time on their hands break the code over some pizza and take-out Chinese. It happened with the DVD encryption and it will happen with this.

Wayne
 
chergh - 2008

Not seen this copy protection yet but I assume if you use Linux it would be circumvented.
 
wmarhel

chergh said:
Not seen this copy protection yet but I assume if you use Linux it would be circumvented.

I believe it is OpenBSD or something along those lines. A friend of mine who is in the computer security field swears by it on his home systems. The only systems of his that aren't running it, are for testing purposes.

Wayne
 
JerryStem

"Sony's move is the latest effort by the entertainment companies to rely on controversial "digital rights management" (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks like Kazaa and Limewire."

They can attribute all they want. Try putting out decent music, at a reasonable price, that once we purchase a copy we can do with it what we want. I have a computer, a laptop, a CD player in my car and a stereo in my house. How many copies should I have to purchase??

"But according to Mikko Hypponen, director of research for Finnish antivirus company F-Secure Corp., users who want to remove the program may not do so directly, but must fill out a form on Sony's Web site, download additional software, wait for a phone call from a technical support specialist, and then download and install yet another program that removes the files."

Are you kidding me?? I can't remember the last time I bought a CD, there's been a few lately, but with all this mess, the he11 with them! XM radio suits me just fine. (Until they screw that up too).

I vaguely remember when they complained that VCRs would kill the movie industry too.......:rolleyes:
 