Sony BMG Music Entertainment and the Electronic Frontier Foundation digital rights group jointly announced Tuesday that they had found, and fixed, a new computer security risk associated with some of the record label's CDs.
The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive.
The issue affects a different set of CDs than the ones involved in the copy-protection gaffe that led Sony to recall 4.7 million CDs last month, and which has triggered several lawsuits against the record label.
"We're pleased that Sony BMG responded quickly and responsibly when we drew their attention to this security problem," EFF staff attorney Kurt Opsahl said in a statement. "Consumers should take immediate steps to protect their computers."
The announcement is the latest result of the detailed scrutiny applied by the technical community to Sony's copy-protected discs, after a string of serious security issues were found to be associated with the label's antipiracy efforts.
The record label's copy-protected discs have been on the market for more than eight months. But in late October, blogger Mark Russinovich discovered that they surreptitiously installed a "rootkit" programming tool. Rootkit tools are typically used by hackers to hide viruses on hard drives, so Sony's move opened up a potentially serious security hole.
The controversy escalated as other researchers discovered new security flaws associated with the copy-protected CDs, which used technology from British company First 4 Internet. Virus writers began distributing malicious code that took advantage of the holes. The label recalled all the discs with the First 4 Internet technology installed, offering an exchange program for consumers who had purchased any of the 52 CDs affected.
Following those revelations, the EFF asked computer security company iSec Partners to study the SunnComm copy protection technology, which Sony said has been distributed with 27 of its CDs in the United States. iSec found the hole announced Tuesday and notified Sony, but news of the risk was not released until SunnComm had created a patch.
Sony said another security company, NGS Software, has tested the patch and certified that it addresses the vulnerability.
Sony said it will notify customers through a banner advertisement directly in the SunnComm software, as well as through an Internet advertising campaign.
This is the straw that broke the camel's back. I'm buying all my future music from Apple's iTunes. At least I know what their DRM is and can live with it. You and your sneaky attack on our computers have crossed the line. I hope this costs you enough that you get the message that we will not put up with these games. I buy music not root kits and security holes.
I'll have to agree that Sony has lost my trust. Now when I send staff down to the local music store to get music for the radio station, I tell them specifically to give anything with a Sony label, the miss... Plenty of other record producers out there who don't feel the need to hack radio station networks.
Alex Colquitt Director - 2USA American Radio in Australia
I've been a fan of Sony products ever since I worked with Sony video cameras and recorders in 1973. Not anymore. My mistrust of Sony products extends beyond CD's, to ALL Sony products. I don't have time to dismantle and analyse their electronic circuitry for hidden "gotcha's," so I just shop for other brands.
Oh, so now you get ads with your CD's and now they are the means for disseminating vital security information? **** poor job Sony. You have no upgrade/patch contingency? I bet it makes sense now... (or does it?)
You know technically if you think about it all of these companies are breaking the EULA. In the EULA for software and Audio it says you can make one legal archive for your purposes only. Well with all the time and money that is spent on protecting Data in one form or fashion they are prohibiting us from making our legal archive of what we have purchased. What I want to know is why no one has complained about this. Should the companies trying to stop thieves also provide the tools for people that have purchased the product the tools to make their 1 legal Archive? Being a Musician and an IT person I am really torn on all sides here. I believe the purpose of being an entertainer is to get your music/message out to as many people as possible. When CD's originally came out they were only $9.99 which was a very fair price to pay. However Greed from the Record companies has driven up the price. Lord knows it is certainly not the talent with some of the crap they try to peddle us. When you think about the cost factor from when CD was introduced until now the cost has actually gone down to produce a CD. When a local garage band can produce 100 CD's for $500, makes you think that a Record Company producing millions has to be paying a fraction of a dollar to produce a CD. Then Software people do not set a good price point for the consumer. Sure we understand that many hours of labor goes into making a product but really does it cost $300 to $600 for what some people are asking? When connecting to a server why should we pay for a connection license. Did we not all just buy the OS? In the words of Joe Pesci from the Lethal Weapons series the F**K you in the drive through. Well that is how I am starting to feel from both the record companies and the software companies. Final thought Make it at an affordable price point and people will not find the need as much to steal your stuff. Quit being greedy and be more consumer conscious.
And if I purchase something give me the rights to protect my investment by being allowed to make my backup copies.
Sony, when I buy a product, I will do what I want with it, when I want with it, whether you like it or not, Sony thinks they can control the product, once you own it, this is a mistake!
Obviously by unleashing this stealth trojanware, full of security holes, on all of Microsoft Windows, customers worldwide for the price of a legitimate cd. I can only conclude SONY BMG, does not wish for return custom! Oh well, let them sink into a sea of red ink for restitution of this malware, and take down the already financially troubled HQ as well, from the problem these buccaneers Messrs. Lack & Hesse, have created, they would be of no real loss to the world! Mind you, for non US residents, you should see the merry-go-round, of we don't care/not our responsibility/border limits apply/unit responsibility, not our problem!, this has created
Sony BMG -- the company that gave us a new payola scandal. Their music is so crappy they have to "comp" DJs with trips to Vegas and plasma screen TVs to get airplay.
http://www.oag.state.ny.us/press/2005/jul/jul25a_05.html
"SONY SETTLES PAYOLA INVESTIGATION
Company Acknowledges Problems; Agrees to Sweeping Reforms
Attorney General Eliot Spitzer today announced an agreement to halt pervasive "pay-for-play" in the music industry.
Under the agreement, SONY BMG MUSIC ENTERTAINMENT, one of the world's leading record companies and owner of a number of major record labels, has agreed to stop making payments and providing expensive gifts to radio stations and their employees in return for "airplay" for the company's songs.
Such payoffs violate state and federal law.
"Our investigation shows that, contrary to listener expectations that songs are selected for airplay based on artistic merit and popularity, air time is often determined by undisclosed payoffs to radio stations and their employees," Spitzer said. "This agreement is a model for breaking the pervasive influence of bribes in the industry."
After receiving tips from industry insiders, Spitzer's office conducted a year-long investigation and determined that SONY BMG and its record labels had offered a series of inducements to radio stations and their employees to obtain airplay for the recordings by the company's artists."
After all the bad press and the falling CD sales over this last rootkit, you think that could really happen? I'm certain that Sony will keep pushing DRM, but I doubt it will be anything remotely connected with rootkits.
Yes, Sony's gonna regret it later, when CDs stay week after week in those store shelves, because nobody will want their computer compromised by a stupid program just because Sony can't seem to get their act together when protecting their products, don't get me wrong, I know they have to protect their business but this is just plain stupid, now people will fear buying CDs from them, Nice going Sony !!!!!!!!!
The thousands of people with dial up or no internet access have no recourse to remove the Sony spyware. I called them and they told me to go to a friend's house that has high speed and burn the patch or removal software to a disk. They told me they do NOT plan to help users without high speed.
Glad I only buy music online.
mark d.