Sony halts production of 'rootkit' CDs

Sony BMG Music Entertainment said Friday that it will suspend production of CDs with copy-protection technology that has been exploited by virus writers to try to hide their malicious code on PCs.

The decision by the music label comes after 10 days of controversy around the technology, which is designed to limit the number of copies that can be made of the CD and to prevent a computer user from making unprotected MP3s of the music.

Security experts blasted the technology because it uses "rootkit" techniques to hide itself on hard drives and could be used by virus writers to make their malicious code invisible. The first remote-control Trojan horses that took advantage of the cloak provided by Sony BMG surfaced this week.

Reader response
What should Sony do?

Debate how the debacle will
affect the label's policies.

"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," the record label said in a statement Friday. "We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology."

The company said it is not halting production of all discs that contain additional copy-protection technologies. It also uses antipiracy technology from SunnComm and will keep manufacturing CDs carrying that software, a Sony BMG representative said.

The XCP software, created by U.K.-based First 4 Internet, is included on a limited number of Sony BMG titles, including recent releases from My Morning Jacket and Southern rockers Van Zant. When the discs are played on a computer, the listener is asked to click through a consent form and install the copy-protection software.

In response to the firestorm of criticism around the copyright protection software, Sony BMG has also provided a patch to fix the security problem and still allow CDs to be played on computers. Some antivirus software also detects the Sony BMG tool and can help users protect their PCs.

[System Tyrant]

An example...

of why companies, along with those who exploit, should be held liable for the problems they create.

The company that created this software should be held liable for the damage it could cause. Sony should be held liable for stupidly using this software. The people who would exploit the cracks in this software should also be held liable and prosecuted to the full extent of the law.

Of course there's all kinds of holes in that logic, but I hope you get the idea.

[rcrusoe]

The distributor is responsible

It is perfectly legal for me to write distructive viruses all day
long, but it is not legal for me to release them into the wild to
infect other people's machines.

IMO, the rootkit authors are acting as an agent of Sony, and
Sony should be held resposible for all damages caused by this ill
conceived, poorly written, piece of malware. At the very least
they should have to pay the cost of reinstalling Windows from
scratch on all their victims computers.

But on second thought, according to statistics 90% of all
Windows computers in the world are already infected with
viruses and/or spyware so most people wouldn't even notice the
Sony virus.

Never mind :)

[robanga]

Agreed

And its also a good example of how a grass roots uproar can stop these idiots from trying to so limit access to copy that it limits your rights to something you own. I emailed Sony the day after the story broke.

[Stan Johnson]

I will NEVER buy or use a Sony CD again.

I will NEVER buy or use a Sony CD again.

[thenet411]

I'll go a step further...

I am downloading every Sony artist I can find anywhere and sending it out to every P2P network I can find. Sony will SO regret the day they decided to use this BS technology.

[Stez]

No more SONY, period

I've been catching myself avoiding all Sony products. I don't want to put any more money into these guys' pockets. They make me feel like I'm a criminal simply for buying their products. This tells me one thing: they are more concerned about their bottom line than anything else, and if they had given a flying flick, they'd have kept this ludicrous idea in the circular file, where it belongs.

They apparently don't give a spit about me, so I can tell them now the feeling's mutual. I've never had such distaste for such a trusted brand as I do now.

Sony won't make it into this house any longer, that's for sure. Can't wait to sell my Sony stuff on ebay and replace everything from a brand that doesn't think I'm worthless!

[Get_Bent]

Not good enough

Stopping the production of these rootkit-equipped CDs is good. Providing a patch to unhide the rootkit's folder is good. However, Sony needs to make freely available a program to UNINSTALL their rootkit - none of this "beg and plead, and maybe we'll deign to send you the URL" garbage!

Personally, I hope that SonyBMG gets the living crap sued out of them.

[sell.com]

Sony: how about stopping the SunnComm CD production as well?

Mac users are not affected by this particular XCP rootkit, primarily because there's no auto-run under OS X. However, if you've read my post on Macintouch, Sony licenses other software as well, with similar (albeit slightly less intrusive) behavior. Sony: do we really need kernel extensions similar DRM technology on audio CDs?
-Darren Dittrich
sell.com

http://www.macintouch.com/#tip.2005.11.10.sony

[bobby_brady]

Sony should have listened to customers before all this

This fiasco wouldn't happen if Sony had half a clue. But they don't. I will continue to NOT recommend any Sony products to friends and family. Sony can't even play MP3's without converting it to their lame and DRM infested format!

well ain't they nice

Well this is good, I guess, especially since you can use the same trick to hide your own cd burning app, and since sony's junk won't see that either, you can burn cd copies to your heart's content! But I will also make sure to NEVER buy a cd with sony anywhere on the label, that is if I ever buy a cd again anyway.

[LisaO]

Punish the ones Paying for the CDs ?

They complain about people stealing their music and yet who do they punish? Those actually paying for their goods. Make any sense?

[n3td3v]

I will buy more Sony products

I will buy more Sony products. This was a just something that went badly wrong for Sony. I don't think we should blame anyone for wrong doings. Shouldve, wouldve, Coulda doesn't work after something bad happens. I think Sony have paid a high enough price already. I mean they'll need to hand out alot in damages for people who bring charges against them. Plus, the on-going public relations disaster is enough payback. Let this one play out, but as for buying future products from Sony, I think after all this is over, Sony will have learned some lessons, and won't repeat what they've done again.

[Stan Johnson]

Sony does not CARE about YOU...get it?

Sony does not CARE about YOU...get it?

Sony only wants your cash. That's not going to ever change. Sony does not deserve a second chance.

[aabcdefghij987654321]

Timid first step by Sony

The next thing they need to do is issue a recall for all the CDs using that rootkit.

[ColinMackay]

That's what I was thinking!

Stopping production is one thing. They should issue a recall. Like a car with a defective and potentially dangerous part gets recalled to be fixed, Sony's discs need to be recalled and replaced with a disc that is not going to damage your machine.

[swgoldwire36]

Our concerns about Sony are over. . .

. . .Or so I thought. At least as far as Sony BMG Music Entertainment and the Sony Corporation concerns me and the CNET membership crew, we will not have to worry our little heads big time regarding all sorts of scenarios.

[jdbwar07]

They still don't care about us consumers...

Not making any more of these CDs is one thing, but it's still not nearly enough. Unless Sony gets its act together, I sure won't be buying any more Sony products. If you care about the rights of consumers, you shouldn't either.

To do the right thing, Sony would have to completely apologize for this, state it won't do anything like this again, and of course easily provide a program (publicly on its web site) to completely uninstall the software. It hasn't done any of this.

It's more likely they'll just take whatever steps they can to limit their legal liability over this incident and then keep on shoving this DRM crap down our throats in any other way they possibly can.

We consumers can and should stand up for ourselves.

Sony should realize the best way to continue making profits in the long-term is to offer innovative, high-quality products at good prices.

As this instance showed, simply penalizing consumers with draconian and unethical restrictions (especially when what they sell is mostly over-priced crap to begin with) will eventually backfire.

[heystoopid]

Temporary? Ha! Ha! gottcha yet again!

Temporary, says what it means,means what it says! This shows SONY, is and will always remain unrepenitent, and continue to illtreat all it's consumers any way it so chooses! It is a sad day that one is now required to prescan all new optical disc's even from legitimate sources, to detect deviant malware etc, whilst simultaneously maintaining an uncorrupted system backup copy, to reinstall in case of infection. Nah!, this be but another straw apology, until an actual physical recall of all infected media,without billing the costs to the recording artist together will full compensation for loss earning from reduced sales(pay the artist royalties in full, for all the audio discs unsold and/or recovered!), damages to artists' reputation etc. Further adequate compensation to all windows computer users thus infected both now and in the future from this malware of cloaked files technology supplied courtesy of SONY! Oh well, let the consumer ire continue unabated, and SONY be well and truly fried by a 100 million small cuts, by both Government lawyers(infecting all computers is use by state and federal agencies by innappropiate malware software is a felony offence) and every other lawyer, including small claims compensation for repair to all damaged and compromised computers, illegal removal of consumer rights etc!!!!!!!! ALL I SAY IS DON'T BUY ANYTHING WITH SONY'S LOGO PERIOD FROM THIS DAY FORTH!!!!

[ipodman143]

Security now

only because the security now podcast did a whole episode on Rootkits the another episode "Sony Rootkit DRM"

[R Me]

Only Because...

... exploits are now in the wild taking advantage of sony sponsored and distributed malware. If no exploits were released they would continue with their present course and require that the software designer attempt to make it yet again invisible some other way. You can be they are moving on to plan "B", which by now is plan "A". sony will never get it, even after it costs them $1B in damages and costs.

BOYCOTT ALL THINGS SONY!!!
FREE THE MUSIC!

Next on the agenda is...

Total recall/replacement/reimbursement of affected disks, reimbursement for cost of all repairs to every affected system and a public flogging of all management level personnel involved in this fiasco.

[corelogik]

Just one more reason...

to like my Mac. Mac and Linux were and are unaffected by this
"rootkit". :D

I am still waiting for Microsoft to get a clue and make a real OS
where things like this aren't possible or at the very least a hell of a
lot harder,... until then I have OS X! Enjoy!

[kvkx71]

MAC OS X FOR PCs YA

I heard that apple is going to make Mac OS for PCs and is switching to Intel Prossesers. Now I can finnaly have my VooDoo Pc with Mac OSX YAYAYAYA!!

Actually MAC's are affected...

http://www.macintouch.com/#tip.2005.11.10.sony
Sony's DRM CD's install two kernel extensions, although I don't think anyone's sure yet what exactly they do.

[microsoft slayer]

Microsoft will become irrelevant

The network is the the operating system. The closes operating system that is actually RUNNING the network is linux/unix based.

[skeptik]

Oh they are

They are indeed working on fulfilling your wish. But be careful what you wish for - the cure may be worse than the problem. The first name for this "solution" was Palladium...

[SqlserverCode]

No more Sony workout music

I will remove all the Sony cd's from our club
All the classes will be taught without Sony music in sight
Hell, next time I buy head-phones I will make sure I won't buy Sony

http://www.work-out.blogspot.com/

[djhomeless]

What consumers need: a bill of rights

The problem we are facing is people like Sony feel we as consumers have no rights. They think they can arbitrarily dictate what we can or can't do with someting we own. The evil, is down to the EULA. Maybe there has always been a EULA of sorts and we never recognized it? Or maybe companies never tried to enforce it?

I agree with calls to boycot Sony, but remember Sony-BMG is a multitude of artists, lables, and sub labels. Will people boycott them all?

Personally, I think we need declare a bill of rights of what we expect, no, demand. I started one, hopefully something like this will pick up steam while the story is still in the public's eye:

http://www.idiotabroad.com/2005/11/music-consumers-bill-of-rights/

[skeptik]

Another good idea

Why don't we all send Sony a little email every time we buy a piece of electronics, software, CD or DVD and tell them we elected not to buy the Sony brand, choosing another brand instead because we're still upset over the rootkit incident.
Let them actually see each time they lost a sale because of this. I would think it would be especially effective when the item purchased is something like a phone which has nothing to do with rootkits. Let them know that we don't trust them as a company in the whole and will avoid doing business with them on any level.

I have already sent them an email telling them of my intentions to avoid all Sony products. Let's keep the pressure up and let them see the effects of our boycott.

[Captain-Atari]

Boycott all Music CD Vendors

I have a read a lot good ideas here for trying to change Sonys practices. The thing you have to keep in mind is they aren't the only ones doing this. Consumers want true Redbook audio cd's. We don't want some strange HYBRID that plants "cloak dagger" applications on our computers and refuse to play in some of the older cd players. The only way to send that message is not to buy any CD's from any label this holiday season. Starting on black friday and continuing through the end of the year. That would send a clear message to all the music LABELS. At some point you've got to vote with your wallet. Loss of Money is the only thing these corporations understand.

[coisa]

How can you help and I did

I managage a small network of 60 PC's with an Intranet. All users know of Sony's breach of consumer trust and security recklessness. I took a new Sony CD / DVD player back to the retailer on Sunday. I have two Sony TV's and an Amp - the old Amp and 1 TV will be replaced before xmas but not with Sony. I have blank Sony media, CD's DVD's floppies - never to be purchased again. I also consult for other small busness and home consumers - 2 have been disuaded from buying Sony Vaio PC's.

And still the infected CD's stay on the Retailers Shelves