November 14, 2005 8:58 AM PST

Sony 'rootkit' prompts office clampdown on CD use

Sony's decision to include rootkit-like copy restrictions on some of its music CDs is prompting some companies to review whether they allow their staff to use personal CDs at work.

Last week, Trojan horses emerged that avoid detection by using the digital rights management, or DRM, software used by Sony BMG Music Entertainment on some of its audio CDs. This software uses the same techniques used by rootkit malicious software to hide itself from the operating system, which makes it particularly difficult to detect.

Andrew Yeomans, vice president of global information security at Dresdner Kleinwort Wasserstein, said that he is already assessing whether the Europe-based investment bank needs to tighten up its controls.

Reader response
What should Sony do?
Debate how the debacle will
affect the label's policies.

"I'm reviewing the autorun settings for music CDs, but not planning to ban their use," Yeomans said. "We certainly don't want arbitrary software to be installed."

Yeomans added that the bank cannot prevent all its employees from running executable programs from a CD or download. That's because some people have to be given administrator rights to use certain applications, which would allow them to override such restrictions.

Richard Starnes, president of the Information Systems Security Association, said that other companies should consider whether they need a policy on CD use.

"This is certainly something that would trigger a review of policies. I would advise companies to review the situation," Starnes said.

"If it's solely a Sony issue, it is easier for a company to make a decision that it will not allow particular Sony CDs. But if it becomes widespread, then it becomes difficult to decide what CDs are allowed or not allow," added Starnes, who was speaking before Sony announced it had stopped producing CDs containing the rootkit-like software, called XCP.

Other companies have confirmed that they are also watching the situation closely.

"Something that can get in and hide itself would have the security people screaming their heads off," said the capacity manager at one major financial firm, who asked to remain anonymous.

"Up until now, they thought that audio CDs are safe. I think that will change, and I wouldn't be surprised if every major bank changed their policy. The fact that this software can be used to hide other stuff means that the possibilities for getting at customer data are horrendous," he added.

Opposition to Sony's behavior has been fierce, with threats of boycotts and even legal action.

Ingrid Marson and Graeme Wearden of ZDNet UK reported from London.

42 comments

Join the conversation!
Add your comment
Sony rootkits
""Up until now, they thought that audio CDs are safe. I think that will change, and I wouldn't be surprised if every major bank changed their policy. The fact that this software can be used to hide other stuff means that the possibilities for getting at customer data are horrendous," he added."

And the sky is also falling...
Posted by RichardET (9 comments )
Reply Link Flag
Famous last words
"And the sky is also falling..."

Remember that when some dweeb uses the rootkit to plant a Trojan on your PC, steals your banking info, and drains your account.
Posted by Get_Bent (534 comments )
Link Flag
Are You Sentient?
> And the sky is also falling...

I have to assume you are trying to be funny, because the rootkit problem is serious. In any event, Sony has unleashed a situation where my data is at risk.

What do you find questionable about that scenario?
Posted by R. U. Sirius (745 comments )
Link Flag
Make your voice heard
When I first read about this a few days ago, I went to the Sony BMG music site and looked for a feedback or comment page, then sent a brief message saying that Sony's actions were making their customers' PCs less secure.

Since then Sony has put up a statement saying they "deeply regret" the inconvenience caused by this.

The next time something like this happens it's up to the little people to make their voices heard. If enough people complain, their ideas of what is acceptable behavior will change.

I happen to like Sony products a lot and won't change my views on their other products, but stupid decisions like these should be challenged.
Posted by blizzard23 (24 comments )
Reply Link Flag
Re: Make your voice heard
Interestingly, the Sony FAQ at <a class="jive-link-external" href="http://cp.sonybmg.com/xcp/english/faq.html#knownissues" target="_newWindow">http://cp.sonybmg.com/xcp/english/faq.html#knownissues</a> and customer service contact at <a class="jive-link-external" href="http://cp.sonybmg.com/xcp/english/form1.html" target="_newWindow">http://cp.sonybmg.com/xcp/english/form1.html</a> says, effectively, if you can't use Sony copyright-protected CDs with Apple's iTunes, contact Apple Computer.

Sony created the incompatibility and expects Apple to fix Sony's flawed, poorly-designed implementation. Moreover, Sony has the gaul to redirect users to Apple's iTunes website, rather than provide a fix for it's XCP DRM.
Posted by Mark Donovan (29 comments )
Link Flag
Boycott Sony
Putting fear into companies such that playing your music is discouraged in the workplace-smart move, Sony.
Posted by kfr01 (12 comments )
Reply Link Flag
I will also BOYCOTT SONY
This company does not deserve the consumers trust or dollars.

Buy nothing Sony!
Posted by Stan Johnson (322 comments )
Link Flag
BOYCOTT
I have spent thousands on Sony products. I will spend zero next year! Spyware is not the answer to your property rights propaganda.
Posted by SonySpyware (1 comment )
Link Flag
Attempt to send message to Sony Classical
Interestingly enough, I was unable to send a message from the Sony Classical "contact" page--perhaps they don't want to hear about people planning to boycott their products and thus many great composers, singers, and other musicians.
Posted by MB217 (2 comments )
Link Flag
Sony CDs now forbidden on my network - How you can help
Sony CD's are now forbidden on my network

I managage a small network of 60 PC's and keep up its Intranet. All users know of Sony's breach of consumer trust and security recklessness on our intranet.

I took a new Sony CD / DVD player back to the retailer on Sunday. I have two Sony TV's and an Amp - the old Amp and 1 TV will be replaced before xmas but not with Sony. I have blank Sony media, CD's DVD's floppies - never to be purchased again. I also consult for other small busness and home consumers - 2 have been disuaded from buying Sony Vaio PC's.

I mananage a small website which gets just 3000 unique visitors a month. All visitors can read my review of Sony's irresponsible behavior

And still the infected CD's stay on the Retailers Shelves. The CD's should be recalled
Posted by coisa (5 comments )
Reply Link Flag
The trouble is,
Sony is the company that got caught this time - I would lay odds that irresponsible corporate behavior is much more common than people realize.

Auto-Play is one of the "features" I turn off when I do a fresh Windows install. Everything from music CD's to game demo disks want to run a piece of code these days; better to not trust any of it.
Posted by Marcus Westrup (630 comments )
Link Flag
Same here
Banning music cds from our network is impossible. Most of our executives have iTunes &#38; iPods. However, ALL Sony CDs are now verboten as are a growning list of known copy protected cds.

I wonder what will happen to the brain donor Sony executive that authorized this disaster, now that many sources are stating that the only safe way to acquire Sony music is to download it.
Posted by rcrusoe (1305 comments )
Link Flag
Where will it end?
This story demonstrates an underlying problem with Sony's DRM software. How many different Windows patches will be installed by competing DRM software distributed with various copyright-protected CDs?

The Sony XCP approach patches Windows's CD driver software. What happens when another copyright owner uses a similar, though incompatible, driver patch? Who's responsible for driver incompatibly with other software -- certainly not Microsoft? Who does the user or administrator contact to resolve the incompatibilities? Moreover, how does the user even know Windows has been patched in this way? Do copyright-protected CDs included free software tech support?

I certainly understand that a business would ban all CDs rather that attempt to identify which ones might cause problems. The situation is a nightmare for system administrators in a business environment!
Posted by Mark Donovan (29 comments )
Reply Link Flag
Yes . . .
i agree. only .mp3 files should be allowed in all business environments. ;-)

mark d.
Posted by markdoiron (1138 comments )
Link Flag
Its about Consumers choice, privacy and security
YES, Boycott SONY until


-Sony Recalls ALL Root kit "infected" CDs

-Has on their website an uninstalled option on there main page, with NO emails or "HOOPS" one has to jump through to get it (NOT providing information to get it).

-Offer FULL refunds to anybody that wants to return his or her infected CD

-Publicly admit they made a mistake, and should have not installed software without an "FULL UNINSTALL OPTION" and not notified the consumer about the "hacker" technology being installed.

-Revised their EULA so that paying consumers actually own the CD content they purchased, and INCLUDE "Fair Use" provisions.

-Bend over backwards in offering goodwill gestures.


Boycott for at least 6 MONTHS until they listen, take notice, and comply with these reasonable provisions. If not take another six months.

TELL YOUR FRIENDS&
POST IT AT CAMPUS&
POST IT AT WORK&
BLOG IT&
DIGG IT&

Your almighty DOLLAR is what SONY listens to, make it count;
curtail your SONY purchase, buy another brand.

Other companies will think twice before they violate consumers choice, privacy and security.

This is the flash point&this is the last straw&
SPREAD THE WORD&





Tell SONY why you are not buying from them and tell them why

here

<a class="jive-link-external" href="http://www.sonymusic.com/about/feedback.cgi" target="_newWindow">http://www.sonymusic.com/about/feedback.cgi</a>
Posted by CTF tomahawk (1 comment )
Reply Link Flag
important since its christmas
most retail businesses find that the christmans holiday is the make or break of their fiscal year. If people just boycott all things Sony over christmas SOny WILL get the picture in a big way!

NO SONY ITEMS FOR CHRISTMAS
Posted by The user with no name (259 comments )
Link Flag
But with possibly millions already out there...
The downside of this Frankenstein-like Sony DRM horror show is that with possibly millions of such DRM monster CDs already sold, this rootkit threat will now persist for possibly many many many years as no one can predict when one of the now "discontinued" but common FrankenSony DRM discs will rear its monstrous head (i.e. be placed in a corporate PC's CD-ROM drive).

Sony should therefore RECALL and REPLACE FREE all of the FrankenSony DRMed discs.
Posted by PolarUpgrade (103 comments )
Reply Link Flag
Ther must be a utility...?
Someone needs to create an application (PrevX comes to mine, but I'm not sure if it can do it) that can prevent the execution of any code that attempts to run from an unauthorized location. I like the fact that Windows XP will note the contents of a CD and offer to launch the right applications to use data on the CD... I just don't want it to *ever* run an executable on the CD without asking me first. (I guess the same advice goes for USB keys and even removable hard drives.)
Posted by PlaceHolder (16 comments )
Reply Link Flag
First of all,
what are people doing listening to music at work?

Secondly, the privelege of listening to music at work has to be taken away, not because of abuse but because of Sony's actions. It's just like when you forbid a child from playing with a friend who is a bad influence. The actions of someone else sometimes have drastic consequences affecting large groups of innocent bystanders.

All of the Sysadmin headaches that this opens up, combined with Sony's lack of a solution to remove, disable, and insure no reinstallation made the decision for the Sysadmins. Sysadmins must be concerned with their computers and networks, not the employees ability to listen to Barry Manilow.

Just like I had to wait until I was 21 (instead of 18, like my parents), to buy alcohol, because of drunkdrivers, these employees cannot listen to music CD's at work, because of Sony. Besides, if music is that important to them, they can stay home.
Posted by dam7ri (67 comments )
Reply Link Flag
re: "First of all"
"what are people doing listening to music at work?"

I ,and countless millions of others like me, listen to music at work almost everyday (though certainly not Barry Manilow!). A great many of us are probably calmer and more productive because of this, that is until Sony pulled this crap (I'm a sysadmin). Are you trying to insinuate something with this line of questioning?

The whole point here is that Sony screwed up BIGTIME, not that people who listen to music at work are somehow slackers.
Posted by J_Satch (571 comments )
Link Flag
dude WTF???!!!
There is nothing wrong with listening to music at work! Your comment did imply that people who do so are slackers or screw ups or just don't care about their work. This is far from the truth, and the prevalence of the corporate music culture proves it. For you to insinuate what you did is really just a bunch of crap! I hate having to sit here and rant on you when Sony is such a better target but as I said...***!!!???

Furthermore, yes Admin really has no choice but to take this priviledge away from their employees because of Sony's reckless, immoral, and possibly illegal activities.
Posted by The user with no name (259 comments )
Link Flag
SONY BMG is the criminal here!
What SONY BMG did, is basically criminal trespass, by the stealth loading of this windows mal der mer ware! Further, they are fully and legally liable for any costs, involved in current and future incantations of virii/trojan and phisher ware sporting the use of this evil software code they have created! Alas, because of this all SONY audio discs, should be automatically, and permanently banned, form use with all office networked computers! For they have shown, they are totally willing to break every consumer,business ethic and computer laws on the book and then some. As fo their response to any complaint, they chose to point the user to a useless block FAQ questions, and totally refused to accept any responsibility for their criminal actions in this case. Since they lack adequate ethics, a total boycott of all SONY and affiliated company products, is the only consumer recourse. The sooner the current US CEO of SONY is jailed for 20 to 30 years!, for criminal trespass and the uncounted losses caused by this faulty deviant product the better! Let the death by a hundred million cuts begin, to wipe out this foolish multinational organization, who follows no laws but its own that chose to treat all customers as thieves!
Posted by heystoopid (691 comments )
Reply Link Flag
What about...
the creator of the software.

One thing I think we have learned from P2P is that you can be liable for how you market your software. Did the creators of the rootkit market it as safe? Did they tell Sony that it software uses techniques of hackers? How did the company market it to Sony?

I'm not taking Sony's side or trying to pick on the company that create the software. I just think that they should go after all culpable parties.
Posted by System Tyrant (1453 comments )
Link Flag
MORE than 20! Sony lied.
it's not just 20 CDs. Sony lied. Imagine that. It's at least 47, maybe more.
<a class="jive-link-external" href="http://www.idiotabroad.com/2005/11/cds-affected-by-the-sony-bmg-spyware/" target="_newWindow">http://www.idiotabroad.com/2005/11/cds-affected-by-the-sony-bmg-spyware/</a>
Posted by ChazzMatt (169 comments )
Reply Link Flag
it's not just sony's cd's...
...sony is a major provider of d-drives (cd/dvd/etal drives) to the large oem's. last year i installed ca's pest patrol anti-spyware on a brand new computer which was acting glitchy. like most anti-spyware programs, its default settings didnt scan the d-drive but i changed the default to include the sony drive which came with the system. lo and behold, pest patrol picked up and quaranteened a rool-kit located in the d-drive.
Posted by i_made_this (302 comments )
Reply Link Flag
Yes Sont H/W is suspect as well
Ive said this from Day1. Thanks for the info!
Posted by The user with no name (259 comments )
Link Flag
Legal action can fuel changes in higher court
I can smell a class action lawsuit against Sony BMG Entertainment and its parent company, Sony Corporation. Ouch.

I pity the person or organisation who would take such risk to protect their ends. . .
Posted by swgoldwire36 (3 comments )
Reply Link Flag
A question regarding Macs
Does this affect Mac networks as well? My office is run on an
entirely Mac-based network and I was wondering if we are immune
to this flaw. As far as I know, autostart music CDs don't "autostart"
on a Mac. Thanks in advance.
Posted by kyot3 (1 comment )
Reply Link Flag
Re: A Question Regarding Macs
Not exactly. See <a class="jive-link-external" href="http://www.realtechnews.com/posts/2122" target="_newWindow">http://www.realtechnews.com/posts/2122</a>
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
from what I read
their software only installs on windows based systems. Macs of old and new aren't in any danger. Any pc runing linux also is immune.
Posted by thedreaming (573 comments )
Link Flag
very reasonable
Any company in their right mind who is concerned about security and the efficiency of their network would be concerned about this! The amount of time that an IT dept will have to spend to not only insure non "infection" but to also remove whatever they find could amount to thousands, if not tens of thousands of dollars on this one drm scheme alone!

I personally do not want MY bank to be allowing employees to put MY data and money at risk merely so the employee can enjoy their favorite CD!

Does it suck that companies may now be forced to deny their employees what has, up until now, been a normal daily activity? Yes it does! But us employees need to remember to put the blame where it belongs:

ON SONY!

"Most" people may not have known what a rootkit is, and "most" people may not care to know the details of what it is. But "most" people will sure be mad as hell that they can't listen to music at work anymore!

And this isn't just about CD's.... think about the other Sony software you install (and have installed via firmware and drivers) these cannot be trusted either!
Posted by The user with no name (259 comments )
Reply Link Flag
Sony BMG
I have removed all Sony and Sony BMG products from my wish list and from my buy list.

Sony has been totally irresponsible, first by using a sneaky, cheating rootkit kind of copy protection, second, by not owning up to the extent of where it put this kind of copy protection, and third, by not recalling all of the products as soon as the knowledge of its misdead became public,

I hope many people BOYCOTT ALL kinds of Sony products - hardware, music, videos, etc.

Maybe loosing sales and profit will teach Sony to be a socially responsible company!
Posted by R2ramos (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.