Comments on: Sony CD protection sparks security concerns

Anticopying tools used by SonyBMG could be adapted by virus writers, researchers say.

[ballssalty]

It's still a joke

All you have to do in XP is disable autorun. With autorun disabled it cannot install anything. You would have to physically doubleclick the executable. And if you did that on a music CD you deserve to be stuck with this mess.

[Hernys]

Music

The CD doesn't play if you don't do either of what you say, so it is a reasonable expectation that most users did. Besides, Autorun is enabled on many, many machines and it's not a bad thing per se. It can be considered reckless if you left autorun configured and inserted CDs of unknown origin or untrusted sources, but music CDs hadn't ben considered dangerous material up to today, especially when coming from a supposedly reputable source.
What's more, Media Center computers should have autorun enabled in order to have reasonable functionality, such as playing a CD upon insertion as every stand alone CD or DVD player does.
In any case, it's a joke from Sony. Installing malware (wether it's a rootkit or spyware or whatever) on unknowing user's PCs just "protect" their contents aligns well with them not wanting to use strict copy protection with Blu Ray. I wonder if the technology they plan to use on Blu Ray is based on a Rootkit too.

[macslut]

Gee now that pirated music is a superior product...

Record companies need to realize that there is no such thing as copy protection. Unless they can invent a time machine, people will always be able to VERY easily copy CDs. All of these copy protection scams just cost them money for licensing and result in reduced sales along with increased returns.

The Audio CD has a spec that many non-conventional CD devices rely upon for compatibility. This includes not only computers of many platforms, but also high-end car stereo systems and so forth.

Many of us see these "fake" CDs as just paying more $$$ for a product that is inferior to what can easily be pirated off the net, since the net version can be with a lossless codec (FLAC/ALE/etc) and without the annoying copy-protection.

Dreadful reporting

This article misses the point. Highly invasive software that can corrupt Windows was installed by Sony without the user's knowledge or permission. The software is hidden, extremely low level, and impossible to remove by any malware tools. Normal use of the computer can cause Windows' devices to become inaccessible, forcing the user to reformat and reinstall Windows.

Involuntary installation of software on computers is explicitly illegal in numerous US states, and is an unsafe unprofessional way to implement DRM. To make matters worse, Sony seems to have employed this technique in thousands of their current CDs.

To gloss over these facts minimizes the severity and inappropriateness of Sony's actions.

[David Arbogast]

Correction

While I hate the idea as much as anybody, you seem to have missed a major point in the article.

<<Highly invasive software that can corrupt Windows was installed by Sony without the user's knowledge or permission.>>

In fact, the user did agree to the license agreement during the install. In addition, the outside of the CD case was labeled with a copy protection notice. This user had every indication that software was being installed. What I find dreadful, is that there is no uninstallation available unless you contact the company who wrote it.

[Had_to_be_said]

This is more than a mis-step... It is a criminal-offense.

Lets see. "Sony" has just admitted "hacking" peoples computers, installing hidden "viral" software, which "limits functionality", and cannot be easily removed without seriously-damaging software-installations. And, obviously, this will also effect the "private-data" on any affected systems if the, only real, "repair option" is "reformatting".

There are numerous State, and Federal, "Computer Abuse" statutes on the books, which are clearly being directly-violated by this intentional-action on Sonys part. In fact, these exact actions are quite expressly described, in great detail, in many of these laws.

Furthermore, Sony should be held liable for any "damages" that their illicit "software" causes, including lost-time, productivity, and any personal data-losses, just as these LAWS require.

And, guess what? I know from personal-experience that "XP" already has real problems with "CD I/O operations", being caused, by any software changing related "core drivers". So, it is only a matter of time before the lawsuits start rolling-in.

Id say that $3000.00 to $5000.00 per instance would be a reasonable "award". And, this should be on top of the Criminal-Proceedings.

And, I wont even go into the issue of the violation of my legal-rights, as a consumer.

Rootkit requires root, duh...

Why would anyone with this "victim's" huge amount of
knowledge about computers be running as the root user? Sorry,
"Administrator", in Window's terms. For 30 years users of
multiuser systems have been told, on day one of class, to never,
never, never log into your computer as root to do normal tasks.
You use root to administer your computer, and then get out
immediately and log in as a normal user.

So, when you don't run as root, programs you run cannot write
to sensitive areas of the registry, and rootkits are essentially
powerless.

Stop purchasing software to protect your computer against
malicious software that would otherwise be rendered useless if
you just ran as an ordinary user instead. The unix community is
laughing at you every day when you open your wallets.

Stop using the Administrator user. Save some money.

[zaznet]

Non-root users are virus free?

Plenty of users without administrator (root) rights cause virus infection and propogation every day.

[Hernys]

Because the disk requires it

Picture this scenario:
You buy a CD with the sole intention of playing it on your computer. You don't want it for your car and you don't own a stereo, you just want to listen it while working on your PC.
You put the CD in and it tells you "in order to play this CD you must log on as an administrator". You might claim that would indicate there's something fishy right from the start, but there's so much software out there that requires admin just because the developers didn't care to test it as a standard user that you end up accepting it. You logoff, log on as an admin, install the app, and everything works. At that point you have a rootkit and you don't even know it.

[Jahntassa]

Use Windows much?

Unfortunately, even people who run multi-user in a 2k or XP environment typically have to run with Admin privledges. Anything less (including the somewhat misleading 'Power User') most often creates situations where the users can't run some or many programs.

XP by default sets you up with Admin access, and unfortunately companies who program for Windows usually don't keep in mind that some people aren't logged in with an Admin account, making their software impossible to use with any other type of user.

In a perfect world, Windows would be like a Unix environment, where everyone had their own protected setup, and Admin could be just that.. but right now..it just ain't.

[E34touring]

Yes, needs Root access.

Agreed for Unix. But fi a consumer just purchased a music CD for his home XP consumer machine. Then, as non Administrator, it would NOT work then!. So the buyer would have to return it rather than login to root and install it.

In any case, I feel that Sony has violated many laws doing this and should be procecuted to the maximum extend of the law. No exceptions. Class Action, MicroSoft IP suit, etc, Consumer punitive suits. bring these on!. I am sure the attorneys are having a field day on this!. Bring it on people!.

[CagedAnimal]

Taking the law into their own hands....

So I guess if it prevents something illegal, anything the music industry is justified in its actions. It is just like saying I have the right to hack into a person's bank account to wire their unpaid debts to my account.

[Methuss]

not really...

Not taking the law into their own hands...breaking the law. In Illinois the installation of software that can potentially damage the compauter without the owner's knowledge or consent (The EULA does not mention anything about the rootkit or what it does to your system) violates the Illinois Computer Faud and Abuse Act, a class 4 FELONY. It is probably illegal in other States as well.

I read over the details of what this rootkit does and the way it works certainly qualifies.

[JohnGlenn]

Sony has LOST its DIRECTION as an ELECTRONICS company

Sony has LOST its direction as an ELECTRONICS Giant and trend-setter. This was once a proud company on whom consumers could count on to deliver the most imaginative ELECTRONIC products, but today all we ever hear about Sony seems to be more about how to protect the contents of a CD and less and less about the types of products its rivals (Read APPLE Computer) are able to churn out at will.

Sony (SLOWLY!) do you remember your Mission Statement? I do not think you were created as a record company; to the contrary, you were created as an electronics company first and foremost. Lest go back to making great ELECTRONIC products people want to buy instead of the lackluster (Me Too\Catch-up) products you seem to be forcing on your customers these days. Perhaps it's time that you UNLOAD the record division and FOCUS on your CORE business.

I am a devoted, but sad fan.

[zaznet]

Well enough put, one thing I'd like to point out...

Sony's music division is not at the core of their business. You make that point pretty clearly. Their problem (Sony) is that they are very big and many non-harmonious divisions that each have to make decisions that best suite the departments needs and not the needs of the parent company.

You say they would be better off dropping their media division. I don't think it would make that much of a difference. Their hardware will still be tailored towards the recording industry to some extent. Just look at the battle over the next generation video and data format Blue-Ray. They are pushing a technology that many in the industry that would use it are holding out against it. While the tech is great, they tend to want something cheaper with a more immediate ROI.

The CD-ROM was created by Sony. It's funny how they are now buying technology from a third party to protect music.

[ballssalty]

I disagree

There is no benefit to autoplay, none whatsoever. I can't imagine how anyone can leave it active and not be so insanely infruriated everytime they insert a disc.

I have a media center PC and have autorun disabled. No benefit.

[zaznet]

Your choice...

It's a matter of being easier to use. Of course that is the root of a bigger problem, just computer malware in general. Your choice may be a good one, and one I agree with, however it does not mean autoplay has no use.

[zaznet]

Typical: Hurt the consumer, not the theif.

The typical solution for copyright owners is to cause harm and prevent fair use by the end user. The true consumer who paid is the one who is harmed by such copy protections.

Someone seeking to copy and distribute the media online would never install the DRM software to begin with. The installer should ask "Do you want to disable certain features in your computer to protect OUR rights?" when installing.

[mariusthull]

How about this.....

If you see a music cd or Movie DVD and it says it has copyright protection don't buy it. Or, write your state and federal officals to have a law passed that requires a written explaination of exactly what form the copyright protection takes be put right on the case. While there at it they can clearly define the terms under which the purchaser my make copies, how many and the purposes for said copies. All of us should also get into the habit of reading the ELUAs that come with our software.

If this story upsets you the best thing to do is to become an educated consumer.

[CagedAnimal]

Or there shouldn't be EULAs at all

Usually EULAs exist because the company wants to get around having to acknowledge that you have certian rights as a purchaser of software or entertainment. If they license it instead of sell it, they effectively lock you into giving up those rights.

We already have a system to define the terms by which and purposes for which purchasers can make copies (well, we would if DMCA didn't completely undermine it). It's called copyright law.

It is pretty assinine for content providers to try and undermine the balance that system creates through EULAs. It is even more assinine for them to feel they have some right to invoke a sort of martial law on people's purchased media and electronics.

[Stating]

What Else Will Sony Do?

Now that they have surreptitiously installed a rootkit, why not just send a little message back to headquarters over the broadband connection that tells them everytime the CD is played? Oh, and why not rifle through the computers's playlists to see what other music lives on the computer? I am sure the Marketing guys would love to know these things. The possibilities are endless, all under the guise of copyright protection and buried in a 10 page EULA that you have to read in a tiny scroll box while you are in a hurry to play that new song you just traipsed to the mall to buy.

[aabcdefghij987654321]

Not next, already happening

A network monitor has already shown a message going to two different Sony sites when a CD is being played.

[BlueScreenOfDeath]

How to disable autorun...

Perhaps someone should post how to disable cd autorun on WinXP/2000/98 systems. Win2000's "Help" system isn't very helpful...

[Inksaver]

Here's how to disable Auto-Run

How to disable Auto-run

Download Microsoft Powertoys from http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
It is TweakUI you are specifically after. Versions for other flavours of Windows are available.

When installed fire it up and select MyComputer/Autoplay/Drives from the list on the left. De-Select the CD/DVD drives.

Click OK. You may need to re-boot.
Sorted

Now when you insert your copy-protected CD it will not install the software, unless you double-click the drive in Windows Explorer (Use Right-Click->Open to view the contents).

You can extract the audio using Isobuster, Exact Audio Copy and other software, and create yourself a nice clean DRM free Audio CD.

Enjoy

Win 2K CD Autorun disable

Hope this helps :)

http://support.microsoft.com/kb/q155217/

or

http://service.steinberg.net/knowledge_pro.nsf/0/86e1874e598f6746c1256a3900385a44?OpenDocument

[jetstoya]

I don't buy anything Sony anymore!

These guys sitting back counting their pennies making hundreds of thousands of dollars a year make me puke. The executives of Sony are so worried about losing a couple bucks to the little guy that they have lost sight of what's important. I don't buy anything Sony anymore!

[bhayden]

Possibly underestimating the threat

I think that a careful reading of Mark Russinovich's original post would cause more concern than has been evidenced by this article and the commenters thereof.

First of all, the Sony DRM root kit does system call hooking. Kernel mode APIs are invoked via entries in the kernel's system service table. Legitimate kernel routines are located in the kernel. But in the case of system call hooking, some other routine is substituted in that table, and it is typically not located in the kernel. The Sony DRM substitute APIs are not, potentially causing what Mark terms a "race condition". He says "It?s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory".

Secondly, the Sony code not only uses up memory, but is a constant drain on CPU resources, regardless of whether or not a CD is in the drive. Apparently, every two seconds it scans the executables of all running processes and queries basic information about each of those executables eight times per scan (is that bad programming or what?)

As a final note, I am trying to pull together as much of this information as I can, and, in particular, the legal ramifications, at: http://bhayden.blogspot.com/

[H Voyager]

So that's what that unidentified program was

I had figured it was some new virus that my scanners weren't picking up. I ended up having to do a low level format to get it off of my hard drives, and wiped my backups, because I didn't know how far the infection had gone.

I'd say I was angry except I think I'm so far beyond that point that the term no longer applies.

[bobby_brady]

Sony, now hiding malware like programs

from their customers. Sony has really hit a new low!

I was just in the market for a new television, and thought of the Sony Trinitron. But I've been afraid to even purchase one, because I believe it has software installed that will prevent me from watching my MPEG files. I have Media Center 2005 installed.

[gravrdr]

that's why i don't buy anymore

When the record companies stop trying to "copy protect" everything then i will by music again. I still can't understand what all the fuss is about. Once I have bought (or anyone has for that matter, bought a CD then it belongs to them. We should be able to use it how we see fit and across as many devices as an individule owns. Those greedy MFs in the RIAA MPAA are hurting themselves. Untill they come to their sences i have personaly boycotted the purchase of any copy protected cd's. I think it's time the real Hackers out there declare cyber war on hte companies that are doing this and hit them where it will hurt the most. Utter data destruction. let them try to creat new copy protection schemes when they can't even get their own systems to run.

[ajbright]

AnyDVD

I have a program called AnyDVD (slysoft.com) that removes the copy protection from any CD or DVD on my PC.

One of it's side effects is it prevents this "virus" from being installed on your PC, and the CD is presented to all your media software as protection-free.

The only downside is that after 20 days you have to register (buy) the software if you want to keep using it.

Personally I've found that this and CloneDVD2 are the best DVD backup programs out there - they're both easy to use and are continuously updated to protect you against the latest copy protections placed on CDs or DVDs.

Are they legal, probably not - but then as far as I'm concerned until Hollywood and the music industry comply with the fair use provisions of the DCMA, their products aren't legal either.

[wcattey]

I don't buy media from companies that treat me like a criminal.

I've done work with online data media repositories.
I am very respectful of copyright both at work and at home.

There have been times when negotiations for media broke
down because the vendor insisted on treating customers
pre-emptively like criminals.

Sony has gone WAY too far in its approach to Digital Rights
management by Installing software and then
masking its presence.

I will be buying NO SUCH media. And I will encourage my
friends and colleagues to boycott Sony and BMI until this
extreme DRM approach is abandoned.

William Cattey
Software Project Manager
Massachusetts Institute of Technology

[wallybass]

"No comments" - baloney

>>"I think this is slightly old news,"Gilliat-
Smith said. "For the eight months that these CDs
have been out, we haven't had any comments about
malware (malicious software) at all."<<

Let me translate this.

"Since most people lack the skills of
Russinovich, no one else so far has been able to
track any of the system failures that we have
induced back to us. You see, we spent an
extraordinary amount of time covering our tracks
by cloaking things that people would normally
able to see in their systems.

"As to the (probably thousands of) poor smucks
whose CD disappeared due to our code, or who blue
screened, or whatever, and who spend hours
trying to figure out what was wrong, and then
more hours rebuilding their systems - well - who
cares. They didn't trace it back to us - it
doesn't affect our bottom line."

I really love his attitude: "well, we knew that
we screwed you eight months ago - boy are you
guys dummies that you only now have figured it
out."

Hopefully, a good case will be made against these
clowns, and Sony will pay heavily though a class
action suit, and in the marketplace. With a
little luck, maybe someone will even do some jail
time.