Last week, in my posting about the Grokster case, I mentioned at the bottom my disdain for DRM, a necessary but controversial copyright protection method that is used in digital media files and copy-protected CD’s to prevent unauthorized duplication of digital assets.
As the music industry continues to transform itself from reliance on a physical product to digital distribution, it has enlisted the help of various companies developing copy protection schemes to fight piracy, a venom that affects anyone dependent on the music industry supply chain. From labels who lose millions in sales to artists who gain exposure but lose control of where their music is sold. Music piracy has severely impacted the music industry in recent years, contributing to lay-offs and mergers affecting thousands of real people who depend on those revenue streams, everyday.
Eventually, piracy affects you. As a consumer, by purchasing pirated CD’s, you’re usually geting a low-quality product with poor fidelity from those vendors on Canal Street in New York City or download sites based in Russia. What you pay for and what you get may be two different things, because they don’t care about quality. All they care about is profits. The rules of fair trade don’t apply, because they aren’t followed by music pirates.
In the history of intellectual property, laws have been passed and technologies developed to protect creators and content owners of media, but they can only do so much. Wherever there is a demand for content, there will always be piracy. It has been reported in the press that countries like China turn a blind-eye to the ongoing problem as music piracy (and digital media piracy in general) makes some of its citizens and government officials wealthy at the expense of the Western world.
Of course, there are pirate operations on our shores as well, but they’re riskier to start here than over there. We can arrest street vendors, shut down bootleg warehouses, fine record stores and file lawsuits against file sharing operators here, but we are at the mercy of foreign goverments when it comes to international piracy.
Unfortunately, with the race to protect content from piracy comes serious mistakes made by music companies protecting their bottom line. Yesterday, Sony BMG announed a recall and exchange of compact discs from at least 20 artists on various labels. The CD’s contain copy restriction software automatically installed on a PC once the disc is put in the drive, as I undertand it, without the permission of the computer’s owner. Although labels make an effort to inform you copy protection mechanisms are on your disc, many computer owners are unaware that means allowing installation of programs that run in the background, potentially affecting your computer’s security and tracking your music listenting habits when you’re connected to the Internet.
A list of Sony BMG CD’s affected can be found in a blog posting on the Electronic Frontier Foundation weblog.
The software, referred to as a “rootkit” in many of the articles I’ve come across today, auto installs the Sony DRM, but it leaves the computer vulnerable to malicious root-kit spyware and viruses that are especially well hidden from the operating system, making it very hard to detect. Computer security experts are already reporting that virus writers are already sending out trojan-horse programs that hijack and exploit the security flaw left by the Sony DRM platform, XCP created by their technology partner, First4Internet.
In addition, this puts Sony BMG squarely in the position of installing spy-ware on your computer to track what you do with your music, while leaving your system open to vulnerability. For Sony BMG, this poses a legal conundrum as well.
Sony BMG have released a patch, but some bloggers are already starting to criticize those efforts because the patch, while removing the DRM from your computer, doesn’t removed the vulnerability to malicious software.
Large corporations are taking note of the vulnerability and issuing patches and warning to their employees. Microsoft will update its AntiSpyware tool and Malicious Software Removal tool in response to the problem. In a November 13, ZDnet.com article, Joris Evers writes:
Microsoft will update its security tools to detect and remove part of the copy protection tools installed on PCs when some Sony music CDs are played.
The software maker has determined that the “rootkit” piece of the XCP software on some Sony BMG Music Entertainment CDs can pose a security risk to Windows PCs, according to a posting on Saturday to a Microsoft corporate Web log.
The Sony BMG software installs itself deeply inside a hard drive when a CD is played on a PC. The problem does not affect Apple Computers or stand-alone compact disc units. The technology uses rootkit techniques to hide itself. Experts blasted the cloaking mechanism, saying it could be abused by virus writers. The first remote-control Trojan horses that take advantage of the veil provided by Sony BMG have surfaced.
To protect Windows users, Microsoft plans to update Windows AntiSpyware and the Malicious Software Removal Tool as well as the online scanner on Windows Live Safety Center to detect and remove the
Sony BMG software, the software maker said in its blog.
Windows AntiSpyware is Microsoft’s spyware-fighting software that is currently available as a test version and used by millions of people worldwide. Microsoft provides weekly updates for Windows AntiSpyware.
The Windows Malicious Software Removal Tool is updated monthly and is part of Microsoft’s monthly patch releases.
Detection and removal of the rootkit component will also be in Windows Defender, the forthcoming update to Windows AntiSpyware that will also be part of Windows XP successor Windows Vista, Microsoft said.
In its move to detect and remove the Sony BMG rootkit, Microsoft follows other makers of security software. Symantec and Computer Associates are among those that offer at minimum detection
capabilities in their products. Sony BMG itself has also provided a patch to fix the security problem and still allow CDs to be played on PCs.
On Friday, Sony said it had halted production of CDs with the controversial technology, which is designed to limit the number of copies that can be made of the CD and to prevent a computer user from making unprotected MP3s of the music. Sony does still produce CDs that use a different copy protection scheme.
Representatives of Microsoft UK privately expressed concern last week that the storm of protest over Sony’s actions was damaging the public image of digital rights management.
Copyright (c) 2005 CNET Networks, Inc. All Rights Reserved.
You can download a free copy of Microsoft’s AntiSpyware tool from their web site. Currently, it’s in BETA release, but it’s probably good to have it installed, just in case you don’t have any SpyWare tools.
Sony BMG posted the following statements on their corporate site at SonyBMG.com:
SONY BMG STATEMENT
We are aware that a computer virus is circulating that may affect computers with XCP content protection software. The XCP software is included on a limited number of SONY BMG content protected titles. This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players.
In response to these events, SONY BMG has swiftly provided a patch to all major anti-virus companies and to the general public that guards against precisely the type of virus now said to exist. The patch fixes the possible software problem, and still allows CDs to be played on personal computers. It can be downloaded at http://cp.sonybmg.com/xcp/. Starting today, we will also be adding this link to the SONY BMG label and corporate sites. We deeply regret any possible inconvenience this may cause.
We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: http://cp.sonybmg.com/xcp.
Today, this posting appeared on the Sony BMG web site:
November 16, 2005
To Our Valued Customers:
You may be aware of the recent attention given to the XCP content protection software included on some SONY BMG CDs. This software was provided to us by a third-party vendor, First4Internet. Discussion has centered on security concerns raised about the use of CDs containing this software.
We share the concerns of consumers regarding these discs, and we are instituting a program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection. We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory. We will make further details of this program available shortly.
We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right. It is important to note that the issues regarding these discs exist only when they are played on computers, not on conventional, non-computer-based CD and/or DVD players.
Our new initiatives follow the measures we have already taken, including last week’s voluntary suspension of the manufacture of CDs with the XCP software. In addition, to address security concerns, we provided to major software and anti-virus companies a software update, which also may be downloaded at http://cp.sonybmg.com/xcp/english/updates.html. We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.
Ultimately, the experience of consumers is our primary concern, and our goal is to help bring our artists’ music to as broad an audience as possible. Going forward, we will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music.
Please click here for an FAQ on this topic.
Emails are flying back and forth on the popular digital music industry listserve, Pho. John Parres, one of the moderators of the list posted an article from TheInquirer.net, which highlights concerns about the XCP DRM removal tool that removes the DRM, but still leave your computer vulnerable.
By: Charlie Demerjian Tuesday 15 November 2005, 20:45
SONY PULLS OFF ANOTHER blatant stupidity in the ‘cure is worse than the disease’ category. No, not the DRM infection itself, not the security compromising removal agreement, but the removal tool itself.
Yes, this one appears to put you in MORE danger than the original rootkit. Silly Sony, no cookie.
According to Freedon To Tinker, the web based installer is a worse vulnerability than the original rootkit. More on the story here, FTT goes into detail. It seems the ‘cure’ from Sony involves downloading
an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine.
See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole
you can drive a truck through on your system, silently of course.
The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products,
you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus
program to uninstall it, you spent money to fix Sony’s problems, and you are still a criminal. That’s what you get for buying music.
Washington Post computer security journalist and blogger, Brian Krebs covers the details of the ongoing vulnerability and problems with Sony’s DRM, XCP on his blog at:
Class-action lawsuits and boycotts are being threatened by various groups who are concerned that Sony BMG has gone too far in installing software on your computer without your knowledge.