
Sony: Copy-Protection terrorists


neveronfriday


Anyone who buys a Celine Dion CD deserves all this crap :)

Given the sales of jazz CDs and the income they represent for the major labels compared to the really big sellers (like Dion), it doesn't seem worthy to introduce some software that's basically a pain in the neck and alienate a group of mainly loyal (or is it compulsive?) buyers.

If the brains behind this is so concerned about copyright matters, he should be sent trekking in mid-Winter to the Pyrenees chasing Lone Hills.

F

Edited by Fer Urbina

This is the latest list of Sony CDs with XCP protection (should be only US titles or CDs imported from the US). Slightly over 50, and some that were probably big sellers. Still no word on how the recall will work, particularly for those who bought over the internet or used. I imagine this will hurt them in the long run. It has certainly changed my buying habits.

  CD’s Containing XCP Content Protection Technology

"Note:  We will shortly be releasing new versions of these titles without the XCP software.  You therefore need to check this list for both the name of the album and the item number (which can be found on the spine of the CD).  If the item number is not listed below, your CD does not contain XCP content protection."

A Static Lullaby  Faso Latido

Acceptance  Phantoms

Amerie  Touch

Art Blakey  Drum Suit

The Bad Plus  Suspicious Activity?

Bette Midler  Sings the Peggy Lee Songbook

Billy Holiday  The Great American Songbook

Bob Brookmeyer  Bob Brookmeyer & Friends

Buddy Jewell  Times Like These

Burt Bacharach  At This Time

Celine Dion  On Ne Change Pas

Chayanne  Cautivo

Chris Botti  To Love Again

The Coral  The Invisible Invasion

Cyndi Lauper  The Body Acoustic

The Dead 60's  The Dead 60's

Deniece Williams  This Is Niecy

Dextor Gordon  Manhattan Symphonie

Dion  The Essential Dion

Earl Scruggs  I Saw The Light With Some Help From My Friends

Elkland  Golden

Emma Roberts  Unfabulous And More: Emma Roberts

Flatt & Scruggs  Foggy Mountain Jamboree

Frank Sinatra  The Great American Songbook

G3  Live In Tokyo

George Jones  My Very Special Guests

Gerry Mulligan  Jeru

Horace Silver  Silver's Blue

Jane Monheit  The Season

Jon Randall  Walking Among The Living

Walking Among The Living  EK92083

Life Of Agony  Broken Valley

Louis Armstrong  The Great American Songbook

Mary Mary  Mary Mary

Montgomery Gentry  Something To Be Proud Of: The Best of 1999-2005

Natasha Bedingfield  Unwritten

Neil Diamond  12 Songs

Nivea  Complicated

Our Lady Peace  Healthy In Paranoid Times

Patty Loveless  Dreamin' My Dreams

Dreamin' My Dreams  EK94481

Pete Seeger  The Essential Pete Seeger

Ray Charles  Friendship

Rosanne Cash  Interiors 

Rosanne Cash  King's Record Shop

Rosanne Cash  Seven Year Ache

Shel Silverstein  The Best Of Shel Silverstein

Shelly Fairchild  Ride

Susie Suh  Susie Suh

Switchfoot  Nothing Is Sound

Teena Marie  Robbery

Trey Anastacio  Shine

Van Zant  Get Right With The Man

Vivian Green  Vivian

"Note:  Two titles, Ricky Martin’s "Life" and Peter Gallagher’s "7 Days in Memphis" were released with a content protection grid on the back of the CD packaging but XCP content protection software was not actually included on the albums."


Real Story of the Rogue Rootkit

By Bruce Schneier

http://www.wired.com/news/privacy/0,1848,69601,00.html

02:00 AM Nov. 17, 2005 PT

It's a David and Goliath story of the tech blogs defeating a mega-corporation.

On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent -- if it's loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn't know it.

The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can't be removed; trying to get rid of it damages Windows.

This story was picked up by other blogs (including mine), followed by the computer press. Finally, the mainstream media took it up.

The outcry was so great that on Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. That still wasn't enough -- on Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free.

But that's not the real story here.

It's a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers' computers. When its actions were first discovered, Sony offered a "fix" that didn't remove the rootkit, just the cloaking.

Sony claimed the rootkit didn't phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG's president of global digital business, demonstrated the company's disdain for its customers when he said, "Most people don't even know what a rootkit is, so why should they care about it?" in an NPR interview. Even Sony's apology only admits that its rootkit "includes a feature that may make a user's computer susceptible to a virus written specifically to target the software."

However, imperious corporate behavior is not the real story either.

This drama is also about incompetence. Sony's latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library's license agreement. But even that is not the real story.

It's an epic of class-action lawsuits in California and elsewhere, and the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the Department of Homeland Security's displeasure. While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be. And lawsuits are never the whole story.

This saga is full of weird twists. Some pointed out how this sort of software would degrade the reliability of Windows. Someone created malicious code that used the rootkit to hide itself. A hacker used the rootkit to avoid the spyware of a popular game. And there were even calls for a worldwide Sony boycott. After all, if you can't trust Sony not to infect your computer when you buy its music CDs, can you trust it to sell you an uninfected computer in the first place? That's a good question, but -- again -- not the real story.

It's yet another situation where Macintosh users can watch, amused (well, mostly) from the sidelines, wondering why anyone still uses Microsoft Windows. But certainly, even that is not the real story.

The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.

Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software."

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

You might expect Microsoft to be the first company to condemn this rootkit. After all, XCP corrupts Windows' internals in a pretty nasty way. It's the sort of behavior that could easily lead to system crashes -- crashes that customers would blame on Microsoft. But it wasn't until Nov. 13, when public pressure was just too great to ignore, that Microsoft announced it would update its security tools to detect and remove the cloaking portion of the rootkit.

Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. And Sysinternals, of course, which hosts Russinovich's blog and brought this to light.

Bad security happens. It always has and it always will. And companies do stupid things; always have and always will. But the reason we buy security products from Symantec, McAfee and others is to protect us from bad security.

I truly believed that even in the biggest and most-corporate security company there are people with hackerish instincts, people who will do the right thing and blow the whistle. That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.

Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?

We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?

These questions are the real story, and we all deserve answers.

- - -

Bruce Schneier is the CTO of Counterpane Internet Security and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. You can contact him through his website.

Edited by Claude

I avoid anything with the Sony logo on it like the plague and have been ever since I had a TV and a DVD player (twice) blow about 2 to 3 weeks after purchase (both were only turned on once or twice and couldn't handle that. On the TV I didn't even get around to changing the channel once!). Absolutely shoddy quality control in the midrange product lines.

I applaud every time someone rips a Sony (or associated label) CD to mpc or flac and peddles it on the Internet. :tup:tup:tup

And, no, I don't have a bad conscience at all. They screwed me for several hundred Euro and provided the absolute worst service I've ever encountered and to be quite honest, if one could submit targets to certain terrorist organizations via e-mail, I would submit Sony so often that it would look like a coordinated denial of service attack.

Sony.

Sucks!

Edit: There was a DVD stuck in the broken player and they kept it. Upon inquiry they simply denied that there had been one and called me a liar. It wasn't worth fighting them. Bastards.

Edited by neveronfriday

AFAIK, there were no SonyBMG XCP releases in Europe so far. Sony had planned to introduce them in 2006, but has now abandoned these plans.

I just spoke with a friend who is working for SonyBMG in Sweden. The matter of copy protection came up (of course) - I hadn't followed this thread for the last couple of days - and he confirmed what you already knew: that the CDs distributed outside the US do not have any copy protection. He also said that they were to introduce some kind of copy protection scheme for all European discs in 2006. Either the decision Claude mentions has not reached him, or they are still working on "improved" solutions.

Claude, have you seen an official statement that SonyBMG Europe will not introduce copy protection?


I thought I had seen a statement, but it was by SonyBMG Germany.

In the middle of the "Sonygate", SonyBMG Europe has stated that they want to have a "fair" copy protection system for Europe, allowing for a limited number of copies.

That is the purpose of XCP (allowing for 3 copies, unlike EMI's scheme which makes CDs uncopyable). But with the current DRM-free computers and operating systems, it is technically impossible to have a protection limiting the number of copies without seriously tampering with the user's PCs by installing low-level DRM software.

Sony BMG Copy Protection System Comes to Europe

The article is from November 11, when Sony US was still hoping to solve the problem with their rootkit uninstaller. Now they have gone further and are recalling the XCP CDs in the US, so it is extremely unlikely that the same CDs will be introduced in Europe. It would be commercial suicide.

Edited by Claude

Claude, have you seen an official statement that SonyBMG Europe will not introduce copy protection?

The boss of SonyBMG Europe has stated in this interview for "Die Welt" (German) that there have not been and there will not be any XCP releases in Europe.

I would like to emphasize once again that we have not produced any product with this copy-protection system in Europe and will not produce any with it.

But that does not exclude other types of copy protection.


OK, last time I ask, but I'm chicken.

I have a copy of Woody Shaw's Steppin' Stones from yourmusic.com. I plan to put it in my PC tomorrow and upload it to iTunes. The case says nothing about copy protection, and this title is not on the Sony recall list.

So, my questions:

1. Can I put it in my PC without infecting it and introducing god knows what bugs?

2. Can I upload it to iTunes?

3. Can I make a copy for my 5-year-old (who is the world's biggest Woody Shaw fan) for him to listen to on his portable boom box? He still has a tendency to put (often buttery) fingerprints on his CDs, so I don't want to give him the master copy to play quite yet :)

Item # 1 is the one that worries me the most, of course.

Thanks,

Bertrand.

Edited by bertrand

Bernard,

If it is not on the list, it should be safe. It also is not on the Sony exchange program (I just double checked), so it should be clean. A few people noted that due to the length of the Shaw CD, it didn't have copy protection on it. If you did put it in the computer, and it asks you to approve of a media update or to load on some program, you would immediately cancel and complain to Sony. Again, I'm 96% it is clean.

Eric


  • 2 weeks later...

Anti-piracy CD problems vex Sony

Sony BMG is being caught up in a row about more of its anti-piracy software.

Digital rights groups warned the music maker about vulnerabilities its MediaMax copy protection system created on users' PCs.

The same groups have now found that a patch Sony produced to close these holes is itself insecure and leaves users open to a separate attack.

The MediaMax system has been used on more than 5.7 million CDs spread across 50 titles sold in the US and Canada.

On 6 December Sony BMG and digital rights group the Electronic Frontier Foundation (EFF) issued a joint statement about the discovery of problems with the MediaMax anti-piracy system made by SunnComm.

The statement warned that anyone putting a music CD bearing the MediaMax software in their PC introduced a vulnerability that malicious hackers could hijack to win control of a machine.

Users were vulnerable to this loophole even if they did not install the copy protection system on the music CD on their home computer.

This problem was discovered by iSEC Partners following a request from the EFF to analyse the SunnComm software.

The statement also pointed users to a software patch that was supposed to close this loophole.

"It's a security vulnerability and therefore needs to be dealt with," said Thomas Hesse, president of global digital business for Sony BMG in the statement.

However, the EFF has now urged users not to apply this patch as separate work by security researchers Ed Felten and Alex Halderman shows it too introduces vulnerabilities.

"We take any security problems identified by these security researchers very seriously," said the EFF.

Dr Felten and Mr Halderman called on Sony BMG to recall all the CDs bearing the MediaMax software.

Sony BMG said the MediaMax copy protection system, which is supposed to stop people making illegal copies of CDs, has been used on 50 titles sold in North America.

It said approximately six million CDs using MediaMax have been shipped to stores. Affected artists include Alicia Keys, Britney Spears, Black Rebel Motorcycle Club and Faithless.

The news comes just as the furore about Sony BMG's XCP copy protection system was starting to die down. The row over the virus-like abilities of XCP forced Sony to recall all the CDs using it and issue new discs to consumers.

Sony is also facing legal action over its use of XCP.

http://news.bbc.co.uk/1/hi/technology/4511042.stm

Edited by Rosco
