November 18, 2005 12:11 PM PST

Sony offers new CDs, MP3s for recalled discs

Sony BMG Music Entertainment released details Friday of a virtually unprecedented CD recall program that will allow music buyers to exchange recently purchased CDs with copy protection for new discs and MP3s.

The company is responding to widespread security worries over copy protection technology contained on 52 albums released over the last year. When put in a Windows-based computer's CD player, the discs install antipiracy technology on a hard drive that exposes the PC to the risk of viruses and other hacker attacks.

Sony said on Friday that customers who have purchased any of the affected CDs can mail the discs back to the company using instructions found on the record label's Web site. Once they have sent in the discs, customers will also be provided with a link to download MP3s of the songs on the album.

"Sony BMG is reviewing all aspects of its content protection initiatives to be sure that they are secure and user-friendly for consumers," the company said in a statement. "As the company develops new initiatives, it will continue to seek new ways to meet consumers' demands for flexibility in how they listen to music, while protecting intellectual-property rights."

The recall of 4.7 million compact discs, along with the exchange offer for the roughly 2.1 million discs sold with the copy protection technology included, is an expensive step for a record company that has been battered by criticism online and in other media for the past two weeks.

The copy protection software, created by British company First 4 Internet, hid traces of itself on hard drives using a powerful programming tool called a "rootkit," a technique sometimes used by virus writers to similarly mask the presence of an infection on a PC.

Because of flaws in the rootkit, Sony's software left an opening that other, malicious software could exploit to hide itself on a computer. Several pieces of malicious software have already appeared online that piggyback on the copy protection to vanish in a PC, opening the computer to outside attacks.

Security researchers have found flaws not only in the original First 4 Internet software, but also in an uninstaller tool temporarily distributed by Sony that could directly allow an attacker access to a PC.

The Sony exchange offer is immediately available, and the company will pay all shipping charges in both directions, it said. Discs are already being pulled off retail shelves and are no longer available at online stores, including Amazon.com.

17 comments

The problem is!
The problem is that Dan Kaminsky, an intrepid researcher, has shown in a snapshot of 9.9 million users online, some approximately 568,000 computers infected with this invasive nightmare DRM malware/spyware. Now with 200,000 with unique Japanese ISP addresses, compared to only 130,000 in USA and 44,000 in the UK. The question is this recall appears limited to only CANADA and the USA due to retail sales of contaminated CDs in those countries (both Sony Australia & New Zealand deny any problem exists, but thanks to parallel importing, Australia has a minimum of 8000 infections). So, whilst the real problem exists in Japan. Oh well, as usual SONY hasn't given us the whole story as to real numbers sold in all countries world wide! Further, seems to be in a constant state of denial, in part due to the unwillingness for the top ten in management, unwilling to admit to all, in the criminal liability of illegal subversion of all users computers, criminal trespass breach of assorted crimes and business ethics acts etc! I hope the class action law suits sink SONY BMG totally, with their restitution costs. But alas, under a subclause requiring artists to pay album promo costs, from their royalty payments, guess who's gonna be stiffed with these restitution charges! Looks like the assorted recording artists involved in this fiasco will need to file a class action law suit, to recover what is due and proper and penalise SONY BMG on another front. Here's hoping Eliot Spitzer starts waving his big crime stick on the third front! And all consumers boycott all that is SONY on the fourth front! Oh well, there goes the neighbourhood! SINK SONY demand a full cash refund, accept no substitutes for this insult!
Posted by heystoopid (691 comments )
Send a Message!
I don't see the need to Throw-the-Baby-out-with-the-Bathwater!

Am I more than upset w/Sony! Darn Betcha!!!...,

But if we can get them to pay for the error of their ways, that should suffice. Heck, if we trashed all the various stupid corporations that screw us over, we'd have nobody to buy from.

At least Sony took some action to try to fix the problem. That earns them a second chance in my book.
Posted by Aardasp (31 comments )
this article has a rather Sony-friendly spin
"The recall of 4.7 million compact discs, along with the
exchange offer for the roughly 2.1 million discs sold with the
copy protection technology included, is an expensive step for a
record company that has been battered by criticism online and
in other media for the past two weeks."

That "expensive step" of recalling/replacing those CDs is going
to cost mere pocket change compared to the cost of the next
several steps Sony must undergo whether it wants to or not.

Whether Merck loses more from all its "Vioxx" lawsuits than Sony
will from its legal liability for having created all those millions of
irreparably bot-controllable rootkit-infected Windows personal
computer systems is going to be an interesting question to
watch.

This issue was well presented by IT Hub/Security's Larry Loeb
("Sony's DRM: It Just Keeps Getting Worse" - November 14, 2005
- http://www.security.ithub.com/article/Sonys+DRM+It+Just+Keeps+Getting+Worse/165201_1.aspx?kc=ewnws111505dtx1k0000599 ), who talked about the
problems with Sony's other rootkit spyware, "... SunnComm's
MediaMax DRM (which) installs itself on Windows systems as
well as Mac systems.

While most attention has been focused on the XCP rootkit that
the Sony/BMG installs on PCs, this additional DRM has been
flying under the radar in the Windows world...

... The DRM acts like a virus in many ways. When a Sony DRM-
protected CD is inserted, the autorun feature of Windows
immediately invokes a program called PlayDisc.exe.

Though it displays a EULA, all the files the DRM needs are
inserted on the hard drive at
C:\Program Files\Common Files\SunnComm Shared\ before the EULA appears.

The only difference detected thus far between accepting and
rejecting the EULA is that acceptance causes the DRM to launch
every time the OS starts up.

The DRM files remain installed on the hard disk even if the EULA
is declined.

Like a virus, there is no meaningful uninstaller available. Now,
some of the DRM protected CDs will indeed add an entry for
SunnComm to the Add/Remove control panel.

When activated, it removes most of the files in the shared folder,
but leaves the core copy protection module (sbcphid.sys) active
and resident.

That means other programs (like iTunes) can't access other
SunnComm protected CDs. But wait, there's more. MediaMax
"phones home" without your consent every time you play the CD.
When a CD is played, a request is sent to a SunnComm server
that includes an ID along with the request that identifies the CD.

Of course, the request by itself identifies the OS you are running
as well as your IP address.

The request seems to be for SunnComm's 'Perfect Placement'
feature, which can insert ad content while viewing the CD.

So, Windows users have to deal with a triple threat. Without user
consent, the DRM installs software on the target computer,
provides no way to uninstall its core, and lets SunnComm know
every time the CD is played.

But wait, there's even more.

Someone in the Netherlands did a decompile on the XCP rootkit
that has gotten most of the attention lately. It seems that parts
of the rootkit use the LAME mp3 encoder, which is licensed
under the Lesser GPL. That means by delivering only an
executable (the rootkit) without source or crediting, XCP violates
the GPL. Violating the GPL puts Sony at massive legal risk for
-- wait for it -- copyright infringement.

The irony is just crushing."

So will be Sony's legal $ liability for creating those millions of
irreparably bot-controllable rootkit-infected personal computer
systems. And that's doubtless just for starters - the other Sony
BMG rootkit spyware, 'First 4 Internet', also apparently leaves an
activated bot-infectable residue after it has gotten the
recommended rootkit removal treatment.
Posted by BurmaYank (10 comments )
They failed to adapt to a changing market.
This is a classic example of a dinosaur in an entrenched industry failing to adapt to changes in their marketplace. The reason Sony is in this mess is they responded to changes in the market by taking defensive actions rather than embracing the change. Rather than figure out how to make money in new ways in a dynamic market they tried to maintain the status quo. They have failed miserably; in fact this mishap will cost them millions more in sales and cleanup costs than any market share they may have lost from people illegally copying music CDs. Any business that cannot adapt in the market deserves the inevitable fate they receive.

History will look back on this as one of many failures of the recording publishers as they lost control of the music industry.
arbitraryt.blogspot.com
Posted by ArbitraryThinker (30 comments )
Hey! Take a look at the ad next to the story.
Is that an ad by Sony? :(
Posted by wtortorici (102 comments )
My God it IS! An ad from Sony
Sorry Sony but you're not getting my money any more!
Posted by bobby_brady (765 comments )
Sony/BMG buyback offer.
Does anyone know if these titles are the only ones that are out there, or are there still more waiting to be revealed? Also, I have a copy of Natasha Bedingfield's Unwritten, but its UPC code is slightly different from the listing and was issued as a 'DualDisc' cd/dvd format. I have not tried playing it on my computer yet and am very hesitant to do so until I can be sure that I am not going to have to reformat my hard drive(s) and reload my Windows XP Professional OS to eliminate Sony's garbageware from my machine.
Posted by Confidential Sage (2 comments )
List of affected CDs...
There is a list at http://cp.sonybmg.com/xcp/english/titles.html

which also states that the dualdisc are not equipped with the program(s) in question, so you should be ok with the disc you mentioned
Posted by Niropium (1 comment )
50 some odd cd's
I saw a complete list (sorry, can't remember where...) that had over 50 listed. I think that some may have been through Sony partner labels.
Posted by The user with no name (259 comments )
Down with Sony --- BURN SONY CDs!
This does not fix people's computer systems.

Boycott Sony and burn Sony CDs.

They do not deserve the consumers' business or trust.
Posted by Stan Johnson (322 comments )
Someone Needs To Sue Sony
This is a prime example why Corporate America can go to hell
and few people would be upset. They constantly hamstring
consumers. It all started by people "stealing" music from the
artists, most of which is nothing more than cookie cutter crap
that all sounds the same. Music today is filth and is an insult to
true musicians. But I digress. So the resolution for the whiny
musicians is to pair up with a label that willingly puts software
on the system, that for all purposes is an exploit, that was not
tested enough for security and openly invites hackers to come
on in. So in turn for giving Sony/BMI $19.99 of your hard earned
money you get your identity stolen from their half-assed rootkit
because it allows hackers to come in. The average consumer
should not have to worry about a company purposely bending
them over after forking out money for a service or good
provided. The boycotting of Sony is not enough but the music
industry in general. It's high time they realize we are sick of
computer composed digital crap. When musicians want to
provide us with REAL talent, with REAL meaning to a song, then
perhaps it will be worth buying. But when a company is willing to
allow their 20 dollar CD to destroy my $1000 computer, hell will
freeze over before I ever buy their product again.
Posted by zOe_1981 (1 comment )
Someone Needs To Sue Sony (part 2)
I agree with Zoe, but the question is who is going to do it? If I were a lawyer I would sue them for everything they got. They used malicious software to protect their product, not the copyrights of the musicians. They are worse than those poor young hackers that they grab and take to jail and destroy their future. But Sony will get away with it because they got the money and the lawyers to cover up their booboo... That's the way the cookie crumbles. :)
Posted by Eugenios (2 comments )
Demand Money back !
Sony needs to pay for their mistake ...Don't settle for another copy with different coding on it!

They aren't even accepting responsibility for their crime.

For me no more Sony Anything !
Posted by nnjdonny (8 comments )
sony's nand/nor memory
Last time I knew, nand/nor were invert gates, not powerless storage memory. Can anyone explain what is meant by this reference to nor/nand memory? Is there power/battery on chip?
Posted by ldakar1 (5 comments )