Sony DRM

tashi said:
I believe bitman was considering that in the rush to find a fix there was the possible potential to cause even more damage.

True, nobody would want that. A potential approach might be for Spybot to detect and offer to remove the rootkit component only, as Microsoft is apparently safely doing. Removing the "rootkit component", i.e., the cloaking of files, appears straightforward; see Nancy McAleavy's post at: http://www.dozleng.com/updates/topic7048 Once the rootkit has been detected, Spybot could point the user to the eventual Sony uninstaller if a reliable one becomes available. My understanding is that Princeton is working with Sony on this, thus adding credibility which is badly needed. The alternative of course is for Spybot to stay out of this altogether and leave it in the hands of others like Microsoft. The drawback is that while the MS Malicious Software Tool will remove the cloaking, it will not warn users of the remaining XCP which has been classified as malware by CA and others.

Oh well.... no clear answer here, I realize :)
 
zak.wilson said:
Of these, I think CA's attitude is the most appropriate. I suspect they don't provide a fully functional uninstaller because they haven't properly tested it yet, not because they don't want to. Symantec and McAfee appear to believe XCP is legitimate, but a potential security risk. Microsoft condemns the rootkit functionality, but seems ok with the rest of it. Only CA condemns the whole package.
el cpu said:
Oh well.... no clear answer here, I realize :)
That's been my primary concern here all along and is part of the reason my own posts seem inconsistent, since they are discussing the situation from different angles as our knowledge of it has evolved over time.

After researching the ASC 'Anti-Spyware Coalition Definitions and Supporting Documents', I can see why some have decided to label it malware, based on the definitions of a rootkit.

Rootkits
  • System Modifying Software
    • Used to modify system and change user experience: e.g. home page, search page, default media player, or lower level system functions
      • Without appropriate consent, system modification is hijacking
      • Can compromise system integrity and security
      • Can drive user to spoofed web sites in order to steal their ID.
    • May be used for desirable customization
http://www.antispywarecoalition.org/documents/definitions.htm

I think it's interesting that many Blogs and other online news outlets have referenced something relating to the ASC definitions, but as yet, I've seen no anti-malware vendor that has, even anti-spyware. CA references that "this variant of the XCP.Sony.Rootkit program still violates the eTrust PestPatrol Scorecard" for example, and they are even a member of the ASC themselves. I'm not impressed with what I see as the first test of the decisions made and presented by the ASC, though I understand these are simply considered guidance at this point.

I also understand why many consider the Digital Rights Management itself to be undesirable, since nobody really wants their activities monitored, even for a legal purpose. However, that issue has become confused with the definitions of malware in this case, primarily due to the use of rootkit like hiding of files and modification of CD-ROM access. I don't personally see this as a malicious rootkit, since its purpose isn't truly to take complete control of your pc, though the line is admittedly extremely thin.

The issues of DRM technology itself have led to much of the interest in this situation, since few would care if this were done to protect say, a database of personal picture files from deletion by mistake for example. Any DRM discussion is inherently rife with politics and opinions, which hasn't got a true home in these forums as of yet. Unfortunately, this decision can't be made without considering them as we've seen.

My final statement of opinion is that I feel it would be best for Sony to take the responsibility for removal of this software, both for their own education and the user community as a whole. However, there's nothing wrong with them asking the anti-malware community for aid in notification and distribution of the removal tool(s) developed. The result might be better choices and involvement by both communities in whatever Sony decides to try next. It's the adversarial situation which exists with DRM that is the true core problem that needs to be resolved.
 
Thanks bitman, good comments above. While I have disagreed with some of your opinions I have always appreciated your technical advice; I was a visitor to the old SB forum and used to see your comments there.

As we are now aware, this case has taken a legal turn; the Attorney General of Texas (among others) has filed a lawsuit, http://www.chron.com/disp/story.mpl/business/3476945.html. I wonder if Sony will issue the uninstaller any time soon due to the legal quagmire they find themselves in. This problem will be around for years to come as only a fraction of the XCP CDs now in circulation will eventually come in. They are still for sale here in Houston....
 
bitman said:
I also understand why many consider the Digital Rights Management itself to be undesirable, since nobody really wants their activities monitored, even for a legal purpose. However, that issue has become confused with the definitions of malware in this case, primarily due to the use of rootkit like hiding of files and modification of CD-ROM access. I don't personally see this as a malicious rootkit, since its purpose isn't truly to take complete control of your pc, though the line is admittedly extremely thin.
I think that distinction is critical if you're filing a lawsuit or criminal charges. I find it relatively unimportant to the question of how Spybot should classify the software: it's hidden software with harmful effects that's difficult to remove and unlikely to be installed on purpose if the user actually understands what it's going to do. That's exactly the sort of thing people run antispyware software to get rid of.
bitman said:
The issues of DRM technology itself have led to much of the interest in this situation, since few would care if this were done to protect say, a database of personal picture files from deletion by mistake for example. Any DRM discussion is inherently rife with politics and opinions, which hasn't got a true home in these forums as of yet.
Quite right about the political issues. I think most people would be unhappy if they installed a program that was intended to prevent accidental deletions and it cloaked itself, could not be removed safely and contacted its distributor without notifying the user or administrator. The problem here is not so much with DRM but with the methods used by XCP.
bitman said:
My final statement of opinion is that I feel it would be best for Sony to take the responsibility for removal of this software, both for their own education and the user community as a whole.
I agree with you there, though I think they should ask First4Internet to share that responsibility as they're the ones who created the product. It would be nice if they offered assistance to the anti-malware community to develop their own solutions as well; after the first two removal utilities, I suspect many people aren't too inclined to trust Sony.
 
There is nothing really new in the following article for an upcoming issue of Newsweek International, but it is interesting (non-technical) reading. Hopefully the article will keep the issue in the public eye and expand the awareness of the problem. I can only hope that the continued attention on the issue will help prevent similar abuses in the future.

Sony Gets Caught With Slipped Discs
http://msnbc.msn.com/id/10217704/site/newsweek/

By Steven Levy
Newsweek International

Dec. 5, 2005 issue - Benjamin Franklin once remarked that the definition of insanity is doing the same thing over and over and expecting a different result. In that case, someone should immediately dispatch a cadre of psychiatrists to the headquarters of Sony. Its efforts to protect the music it sells have resulted—again—in unmitigated disaster. After infuriating its customers, alienating its artists and running afoul of the U.S. Homeland Security Department, Sony recently announced a recall of 52 CD titles—everyone from Dion to Celine Dion—protected with a flawed scheme that left customers' computers vulnerable to viruses and vandals. …
Also:

Since Sony's new CEO Howard Stringer is a smart guy, one might have assumed that he cautioned the company's music division, which recently merged with Bertelsmann's BMG label, that future efforts should not turn off customers by erring on the side of protection. ...
My view, if Sony's new CEO Howard Stringer is a smart guy, one might assume that he would fire Thomas Hesse, President of Sony BMG's global digital business division, for this inane remark during a National Public Radio (NPR) interview on November 4, 2005 which demonstrated his contemptible disregard for the company's customers:

Most people, I think, don't even know what a rootkit is, so why should they care about it?
 
According to the following article, F-Secure notified Sony BMG about the potential dangers of their XCP DRM software long before Mark Russinovich posted the problem on his Sysinternals Blog and they failed to act:

Sony BMG's Costly Silence
The label was alerted to the secret, virus-vulnerable software on its CDs long before the scandal broke. Trouble is, it didn't act immediately to alert consumers
http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm

For Sony BMG Music Entertainment, it has become a public-relations nightmare -- and it shows no signs of abating. On Oct. 31, computer-systems expert Mark Russinovich posted a message on his blog revealing that Sony BMG had placed anti-piracy software on music CDs that was difficult to detect and that made customers' PCs vulnerable to hacker attacks …
SLOW TO ACT? Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 -- nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn't understand the software it was introducing to people's computers and was slow to react. ...
 
md usa spybot fan said:
I can only hope that the continued attention on the issue will help prevent similar abuses in the future.
With the excellent and informed reporting such as we have seen here, one could indeed hope any such company will not further assume the public is completely uneducated in such matters.
 
SLOW TO ACT? Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 -- nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn't understand the software it was introducing to people's computers and was slow to react. ...

"Sony didn't _understand_ the software" is an understatement of galactic proportions. Someone just needs to be honest and truthful about Sony and say "Sony sucks." Their laptops suck. Their attempts at software development suck. Their technical support sucks. Their digital cameras suck. Their CD/DVD-ROM/RAM drives suck. And now their attempt at DRM sucks. Sony is on my blacklist of companies to not buy anything from for 10 years.
 
Well, I wouldn't say "Their CD/DVD-ROM/RAM drives suck" since they are made by Lite-On, but the retail versions are not a great value...just get a Lite-On and you have a Sony, or an HP, now that Lite-On has their new Lightscribe contract. :)
 
FYI...

- http://www.wired.com/news/print/0,1294,69763,00.html
Dec. 07, 2005
"...The software used a Microsoft Windows feature called AutoRun that executes software on a CD without the user's knowledge or consent. Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA. By the next day, the company had backed down in the face of public outrage. Looking back, Halderman says, "The whole experience was a whirlwind.... The response was way bigger than (anything I'd) expected"..."

:rolleyes:
 
FYI...

Not Just Another Buggy Program
- http://www.freedom-to-tinker.com/?p=944
Thursday December 8, 2005 by Ed Felten
"Was anybody surprised at Tuesday’s announcement that the MediaMax copy protection software on Sony CDs had a serious security flaw? I sure wasn’t. The folks at iSEC Partners were clever to find the flaw, and the details they uncovered were interesting, but it was pretty predictable that a problem like this would turn up...if you decline the MediaMax licence agreement, and the software secretly installs itself anyway, you will face risks that you didn’t choose. You won’t even know that you’re at risk. All of this, simply because you tried to listen to a compact disc. Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax...."

(More detail at the URL above.)

:(
 
Apparently no one here has been watching the Sony BMG pages:
http://cp.sonybmg.com/xcp/english/form14.html
UNINSTALL REQUESTS

The uninstall software can be downloaded here.

If you have already run the uninstaller and still have problems or questions, please click here to complete a customer service request.
This takes you to a page explaining the options, including:
http://cp.sonybmg.com/xcp/english/updates.html
INFORMATION ABOUT XCP PROTECTED CDs

CDs containing XCP content protection software developed by First4Internet for SONY BMG may increase the vulnerability of your computer to certain computer viruses. To address these concerns, we are providing you with a software tool for download that offers you two options.

You may either:

Update the XCP software on your computer.
This option installs an update which removes the component of the XCP software that has been the subject of public attention and will alleviate concerns you may have about the software posing potential security vulnerabilities. It will also enable you to continue using the protected disc(s) on your computer.

Completely uninstall the XCP software and associated content protection files.
This option will remove all XCP and associated content protection files, including service/processes, registry entries and folders from your computer. Note that once you delete the XCP content protection software, if you wish to play a CD protected with XCP it will be necessary to reinstall the XCP software in accordance with that CD's End User License Agreement after you insert the disc into your computer.

Please note that you must reboot your computer after running the software tool.

If you have previously uninstalled the XCP software using the Sony BMG customer support website, and you are concerned about security issues relating to the delivery of ActiveX controls, both options will result in the deletion of these controls.

For users who have previously uninstalled XCP software using the uninstaller made available prior to November 18, 2005, we recommend that you run the currently available uninstaller, to eliminate a potential security vulnerability presented by the earlier uninstaller that was brought to our attention.

Please note that uninstalling from your computer the XCP software and associated content protection files loaded from an XCP-protected CD will NOT delete or affect your use of any audio files that you have previously transferred from an XCP-protected CD. Such files remain subject to the digital rights management rules in the End User License Agreement: namely that you may rip the audio into the secure formats provided on the disc, move these tracks to compatible portable devices, and make up to three copies of each track on to CD-Rs.

Please be advised that this program is protected by all applicable intellectual property and unfair competition laws, including patent, copyright and trade secret laws, and that all uses, including reverse engineering, in violation thereof are prohibited.

The XCP software tool is available for download here as an EXECUTABLE (2.3 MB) or ZIP FILE (1.03 MB)
<<< Added with Edit >>> This appears to be the executable uninstaller recommended by Mark Russinovich, though I haven't done anything to confirm this myself. At this point I don't see any new comments on Mark's Blog either, so it must have just been released. We'll see how this fares over the next few days.
 
FYI...

Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
- http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx
Published: December 13, 2005
"...This cumulative security update sets the kill bit for the First4Internet XCP uninstallation ActiveX control. For more information about this ActiveX control, visit the SONY BMG Web site. Older versions of this control have been found to contain a security vulnerability. To help protect customers who have this control installed, this update prevents older versions of this control from running in Internet Explorer. It does this by setting the kill bit for the older versions of this control that are no longer supported. This kill-bit is being set with the permission of the owner of the ActiveX control..."

.
 
FYI...

Sony BMG To Settle One Copy Protection Class-Action Lawsuit
- http://www.techweb.com/article/printableArticle.jhtml?articleID=175701269&site_section=700028
December 29, 2005
"Lawyers working the class-action lawsuit against Sony BMG Music filed a proposed settlement with a federal court Wednesday that if approved, would force Sony to stop making copy-protected CDs, pay affected customers a small fee, and provide replacement discs and/or other albums. Several class action suits were filed in New York and California during November that claimed Sony's copy-protection technology, which had come under fire earlier in the month, damaged buyers' computers. On Dec. 1, the court consolidated about 10 pending class-action cases, and appointed two law firms, Girard Gibbs & de Bartolomeo of California, and Kamber & Associates of New York, to handle the combined suit. According to the settlement papers filed with the U.S. District Court, Southern District of New York, "the parties engaged in virtual round-the-clock settlement negotiations" through most of December. "The primary and overriding concern of the parties over the course of these lengthy, arms’-length negotiations was an effort to provide prompt relief to consumers affected by XCP and MediaMax software, in order to limit the risk that these consumers’ computers would be vulnerable to malicious software," the papers continued. Among the provisions of the settlement, Sony BMG would be barred from using XCP or MediaMax technologies to copy-protect its music CDs, will continue to update the uninstall utilities for removing the XCP and MediaMax copy-protection schemes, and will offer two different incentive programs to buyers of XCP-protected discs so that they return copy-protected CDs. Furthermore, until 2008, any copy protection scheme Sony BMG uses on its audio CDs must meet a slew of criteria, including ones which require that it get users' explicit permission before installing rights software, that uninstallers for the copy protection be available, and that a third party verify that the copy-protection technology doesn't present any security risk..."

:(
 
Symantec Norton Protected Recycle Bin Exposure

January 10, 2006
Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer.

Symantec has released a product update that will now display the previously hidden NProtect directory in the Windows interface.
http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html

January 12, 2006
Symantec just admitted that the "Norton Protected Recycle Bin," or "NProtect" feature of Norton SystemWorks, deliberately conceals a directory from Windows APIs to protect the files from accidental deletion. A commercial security vendor using rootkit technology? Unbelievable. Symantec explained its thinking in a security bulletin. "When NProtect was first released, hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory. We have released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect."
http://www.computerworld.com/blogs/node/1573
 