Is Sony really doing this?


dirtwarrior

Sony sure is catching a lot of crap for this. Windows Media Player has DRM and it can't be removed (technically it's about as hard as removing Sony's DRM), why isn't MS catching s***? When the EU was suing Microsoft everyone was crying that the EU was being unfair, but now Sony is pulling the same crap that MS is with their DRM technology (installed without prompt, not easily removed) and everyone is up in arms.

I know, I'm ranting, but people need to get real!



Everyone who owns one of those CDs should sue Sony for as much as possible.

Everyone who owns those CDs should be shot first!!! :lol:

But seriously, seems like SONY is suffering some retaliation which is better than none. But unless legal bodies in the USA get involved and hold them responsible for their stupid actions, this trend might actually continue. I think this is a time lawmakers got more actively involved and tried to make the Net a better place where people don't have to worry about spammers and malware writers. They should pass laws where these pieces of software become illegal. They need to pass a law where yes ok if they implement DRM then it should be like this. There are more legitimate purchasers of music than there are a few people who like to download their music and just for those people everyone else has to suffer. That is not tolerable at all.


Ohhh, BUSTED! Analysis of various parts of Sony's crudware have shown 2 very interesting things that could be pretty bad news for Sony.

1) The ActiveX control you need to 'uninstall' their rootkit is a HUGE security hole. It can't really be determined whether this is bad programming or intentional (I think we can guess which Sony would say <_<), but the control allows any random website to reboot your computer, and by the looks of it, execute code. Yes, you read that right. The control appears to allow any random web site to execute arbitrary code on your computer. (This isn't verified yet; the control has an ExecuteCode() function which can crash the browser - most likely trying to execute code with the wrong parameters - and an InstallUpdate() function which appears to download and install a DLL. It is verified that a website may reboot your system; a demo is posted on the site.)

2) The software (specifically go.exe) appears to contain chunks of LAME, which, if true, is in direct violation of the LGPL. Comparisons have shown that there are tables but apparently no matching code. This could mean just about anything - unintentional inclusion, compressed or encrypted code, or inclusion of the tables but not the code itself for the purpose of detecting LAME and/or programs using it.

If I only had a computer to test it on, I'd install that ActiveX control and see if it can indeed run arbitrary code. If this is the case, or if Sony is indeed found in violation of LGPL... things will get a lot more interesting. :D

Sony sure is catching a lot of crap for this. Windows Media Player has DRM and it can't be removed (technically it's about as hard as removing Sony's DRM), why isn't MS catching s***? When the EU was suing Microsoft everyone was crying that the EU was being unfair, but now Sony is pulling the same crap that MS is with their DRM technology (installed without prompt, not easily removed) and everyone is up in arms.

I know, I'm ranting, but people need to get real!

This is one reason I avoid WMP. However, I have yet to hear tell of WMP's DRM systems spying on users or screwing up Windows.


Both. ;) ActiveX has always been a source of security holes due to unchecked buffers, domain spoofing, things websites are able to do that they shouldn't, etc, but this control is even worse in that it allows websites to call any of these methods. Hence why this could be just a mistake (the programmers forgot or didn't realize that the methods were set to be useable by any site) or poor coding (specifically, no security considerations), but it could also be a deliberate hole (why does a control which simply reports your system and CD info need an ExecuteCode() method, whatever it does?).


Wow.

In other news, LGPL violation is confirmed. There are reports that people have managed to download and run code via the installer, but I haven't seen any demonstrations. Apparently even the government is getting hit. To quote a blog entry:

It gets worse: Sony’s Web-Based Uninstaller Opens a Big Security Hole and the Sony / xcp-aurora rootkit have infected at least one machine on more than 500,000 networks, including military and gov networks! Way to go Sony! Script kiddies have nothing on you. Perhaps Sony should be charged with compromising National Security (pick a country, any country)

As a result, Sony is recalling the copy-protected CDs. Finally.

Also, it's reported that naming CD ripping tools $sys$whatever.exe doesn't actually hide them from the DRM.

Edited by HyperHacker

It's really a shame on Sony. Even if they were going to add this kind of tracker on the computer they could at least have made better software from it. Hide anything with $sys$ from Windows?? That's just a plain stupid algorithm.

I think people shouldn't return at least 1 of their CDs. If everyone returns those there will be no one to claim that it was actually infected with the crap :D

The next step will obviously be DRM'ed hardware :D

All music CDs should be banned from this world along with floppies. Instead make programs like Napster 2 and have higher quality WMAs, and make each single track available for purchase.

This way everyone will buy their favorite track. I don't buy CDs that much. Just because an artist made a CD with only 1 good song in it, tells me that I'm not going to pay for the whole thing! I don't really consider that to be effort and because of a single track they get richer and richer. Make a single then!


This is one reason I avoid WMP. However, I have yet to hear tell of WMP's DRM systems spying on users or screwing up Windows.

It isn't quite spying because they do tell you, but WMP prompts if you want to send information on what you have been playing to Microsoft, your GUID and other info.


Considering Sony said on Tuesday they will recall the CDs, I figured they would shoot an email to their vendors.

http://news.com.com/Sony+recalls+risky+roo..._3-5954154.html

Nope, today I went to a few music and tech stores and asked if they were familiar with the "Sony Issue". Only 1 person, in a PC repair department, out of 30 people, across 5 stores was familiar with the issue.

I was looking over the Foo Fighters CD, and couldn't tell if it had copy protection; some of the CDs are clearly marked with "xcp" but some are not. The "information on the back" of the Foo Fighters is written in white blurry text, on a light ginger background. Nowhere can you tell it contains a rootkit; much less read the requirements; I do have good eyes. However, there is a huge mark about "copying being illegal"<-a load of garbage.

Anyway, since the malware is poorly written, and is a driver, it causes issues with devices connected to an ATA channel, but wait, there are also SATA devices....

Here's the thing,

Go to tech and music stores and tell them about the issue. Point out

1) A customer plays the CD in a Windows or Apple system; does not need to copy, just listen

2) a customer clicks cancel at the prompt

3) the driver is installed anyway

1) the driver allows viruses, spy-ware, and spamming tools to be installed undetected by any AV or AS (anti-spy)

2) Since this is a known issue, however, some AV companies have provided a link to Sony's site to download a patch

3) For users who downloaded the patch, their browsers now allow anyone to download, install, and run anything. Sony has pulled the malware from their site, but have left users hanging while they (Sony) come up with another fix.

4) Only current subscriptions of ZoneAlarms AV, Computer Associates AV (not McAfee), and the free until 31 December Msft Anti-Spy correct the issue. Caution against Msft AS as reinfection is always possible.

1) it is unknown how many CD titles are affected, to date, between 15-47 CDs.

1) Tell the owners/managers to google or yahoo! sony rootkit

2) Let the owners/managers know that Sony has already recalled the CDs, and is working with Amazon

1) customers might think their drives are bad, and so they purchase a replacement

2) the issue still exists so they return the device

3) the store drops the prices and increases its inventory

4) Ensure the techs are aware of this issue, and note the issue on any receipt, so any paid support provided can be reimbursed to their clients, or be charged to Sony directly.

5) this issue has existed since late May.

It is number 2, 3, and 5 that get the attention from Tech and Support stores.

Here's the other weird thing, today I received a pre-approved application for a Sony Credit Card. The last time I bought anything from Sony, with a credit card, was 5+ years ago, and I don't think the card had my name. However,

1) I have used my name and address for downloading the 'patch' for clients.

I am wondering, if Sony could pre approve me for a card, why couldn't they also inform me of the recall?

After searching the Sony website, I found:

http://www.upsrow.com/sonybmg/

Is an official list of titles that can be returned to Sony. However, it does not appear to be a recall, more of a, If-you-want-to-return-your-disc-send-it-to-us

You will receive an e-mail with a link to your MP3 downloads upon receipt and verification of your XCP CDs. Once we receive your XCP content protected CD(s), we will process your exchange. Please allow 3-6 weeks for delivery of the replacement(s). To check the status of your MP3 downloads, please email our Download Help Desk at xcpexchange@sonybmg.com. Please note your link will not be emailed to you until your return has been received and processed.

I guess I need to pay for the shipping and packaging. Somehow I thought "recall" meant take it back to your vendor.

Here is another concern. Once the DRM is removed, what is going to happen to all the encoded content. Will people need to rerip their music?


I am wrong in my last post, news agencies are reporting Sony will pay for the shipping both ways. I suppose I didn't submit enough information to get to the point where they said they would pay for shipping.

My Bad

svasutin

http://blog.sonymusic.com/sonybmg/archives/111505.html

***

November 18, 2005

To Our Valued Customers:

You may be aware of the recent attention given to the XCP content protection software included on some SONY BMG CDs. This software was provided to us by a third-party vendor, First4Internet. Discussion has centered on security concerns raised about the use of CDs containing this software.

We share the concerns of consumers regarding these discs, and we are instituting a mail-in program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection and receive MP3 files of the same title. We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory. Please click here for exchange program details.

We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right. It is important to note that the issues regarding these discs exist only when they are played on computers, not on conventional, non-computer-based CD and/or DVD players.

Our new initiatives follow the measures we have already taken, including the voluntary suspension of the manufacture of CDs with the XCP software. In addition, to address security concerns, we provided to major software and anti-virus companies a software update, which also may be downloaded at http://cp.sonybmg.com/xcp/english/updates.html. We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.

Ultimately, the experience of consumers is our primary concern, and our goal is to help bring our artists' music to as broad an audience as possible. Going forward, we will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music.

Please click here for an FAQ on this topic.

***

Here's the FAQ Link

http://cp.sonybmg.com/xcp/english/faq.html

Edited by svasutin