November 2, 2005 10:55 AM PST

Sony to patch copy-protected CD

Sony BMG Music Entertainment and a technology partner are working with antivirus companies on a fix for a potential security problem in some copy-protected CDs.

Earlier in the week, security experts said that anticopying technology used by Sony BMG could be adapted by virus writers to hide malicious software on the hard drives of computers that have played one of the CDs. The antipiracy tool is included on many of Sony BMG's latest music releases, from Van Zant to My Morning Jacket.

Sony BMG's technology partner First 4 Internet, a British company, said Wednesday that it has released a patch to antivirus companies that will eliminate the copy-protection software's ability to hide. In consequence, it will also prevent virus writers from cloaking their work using the copy-protection tools.

The record label and First 4 Internet will post a similar patch on Sony BMG's Web site for consumers to download directly, the companies said.

"We want to make sure we allay any unnecessary concerns," said Mathew Gilliat-Smith, CEO of First 4 Internet. "We think this is a pro-active step and common sense."

The issue erupted into the public consciousness late on Monday, when computer developer and author Mark Russinovich published a blog detailing how he had found the First 4 Internet software hiding deep in his computer, after he had listened to a copy-protected CD distributed by Sony BMG.

The anticopying technology included a tool called a "rootkit," often used by virus writers. A rootkit takes partial control of a computer's operating system at a very deep level in order to hide the presence of files or ongoing processes.

Rootkits, while not intrinsically malicious, are viewed with deep suspicion by many in the software development community. They are extraordinarily difficult to find and remove without specific instructions, and attempts to modify the way they act can even damage the normal functioning of a computer.

In the case of the First 4 Internet software, attempts to remove it manually rendered the CD drive of the computer inoperable, Russinovich found.

Several antivirus companies followed Russinovich's news with warnings that the First 4 Internet tools could let virus writers hide malicious software on computers, if the coders piggybacked on the file-cloaking functions.

"For now it is theoretical, or academic, but it is concerning," said Mikko Hypponen, chief research officer at antivirus company F-Secure. "There's no risk right now that we know of, but I wouldn't keep this on my machine."

The patch that First 4 Internet is providing to antivirus companies will eliminate the rootkit's ability to hide itself and the copy-protection software in a computer's recesses. The patch will be automatically distributed to people who use tools such as Norton Antivirus and other similar programs, Gilliat-Smith said.

The patch that will be distributed through Sony BMG's Web site will work the same way, Gilliat-Smith said. In both cases, the antipiracy software itself will not be removed, only exposed to view.

Consumers who want to remove the copy-protection software altogether from their machine can contact the company's customer support service for instructions, a Sony BMG representative said.

63 comments

A start, but not good enough
Publicly acknowledging the rootkit and making it visible is a start. It does nothing to allay the fears that users are not in control of their machine. And there is not an option to decline installing it (and not listening to the music) from what I have read so far.
Posted by rosco52 (6 comments )
Sony Saddens
I am a big fan of Sony products (except their MP3 players). I am
disappointed that Sony decided to "sneak this past us". With PC
platforms already at risk for attack, to add one more opportunity to
break the "camel's back" is just plain stupid.

They owe consumers an apology.
Posted by cjohn17 (268 comments )
They are missing the point
The real point is that the actions that they took by secretly installing this unwanted code on people's computers is illegal in most countries/states, and carries severe penalties (prison time, and large fines).

Their miserably inadequate response just confirms that these penalties need to be imposed. Whichever executives authorized this need to be in jail, and the corporation needs to face a very stiff fine. The California model of $1,000 per infected computer seems appropriate.
Posted by PhilipPeake (8 comments )
That won't happen.
They are doing that as part of the copywrong thing so they are exempt.
Posted by royc (78 comments )
Sony Sony Sony
Not only should Sony be fined and all affected consumers receive significant compensation...but they should be required to clearly label all such encoded CDs so we know not to buy them
Posted by zshuster (5 comments )
Interesting
The article glosses over the question of whether
or not Sony broke the law. In fact, it quite
explicitly broke several state laws, but on its
face it may have even violated a provision of
the US Patriot Act. Do we not call companies on
the carpet for breaking the law anymore?

Regardless... why don't people like the EFF jump
on this sort of thing and leaflet record stores
and such. Heck, distribute bootable CDs with
CD-writing software that can be used to generate
rootkit-free copies of the disk. If you're a
legitimate owner of the CD in question,
producing a backup without the destructive
software would be perfectly legal.

Heck, set up a booth at the record store to offer
deskunking of people's purchases.
Posted by Gleeplewinky (289 comments )
Alas, straw apology only!
Alas, this is a straw apology only, For SONY/BMG/SUNCOMM deliberately broke the law, by creating this way to hide the malware and initially failed to provide adequate removal tools to restore the system prior to its invasion. It has been amply demonstrated that to remove this trojan ware, causes a lot of problems, for an expert like Mark Russinovich, For the average user, frustrated by this method, it would require a complete hard drive wipe/reformat and reload of the operating system, or its equivalent backup! Now various state laws and other legal statutes, in many countries prohibits this activity period, this leaves SONY/BMG/SUNCOMM wide open for a billion dollar class action law suit. Now, the inept and incompetent idiots from SONY/BMG have released the technique on how to hide specific files, the cat is out of the bag, failed to comply with strict California Legal requirements, any apology now is one of straw! Time now to send in the legal eagles, and commence RICO style charges(an excellent opportunity for Eliot Spitzer to strike!)
Posted by heystoopid (691 comments )
DRM takes a hit!
The real reason this story has taken off so well is that everyone hates digital rights management (okay, except the copyright holder). On top of that, many users have issues with malware on their computers, with the latest buzz being rootkits.
Is this rootkit really a concern? No, not likely- as those wishing to exploit it wouldn't know it's present on the target.

I, like 99.9% of the people out there, don't like being told how I can and cannot use things I buy. If I want to make a copy of the Music on my iPod, I don't think I should have to pay extra for it.
As I see it, there will always be a DRM game, those who help us use what we purchased vs. those that create a new way to protect it.

Here's a tip for anyone still reading: don't buy Sony "MP3" players, they (for the most part) don't actually play mp3's. They convert the mp3 into another DRM friendly format. This results in quality loss and slower transfers.
Posted by JesseG (2 comments )
The risk still there.
The reality of the situation is that majority of individuals are not going to be aware of this patch and are still going to be vulnerable to this unethical if not illegal software that is being installed on their machines. Big industry for too long has taken advantage of the consumer that is ignorant of technology and expect to be able to trust the brand names that they have valued for many years. This type of behavior sows distrust for many companies that do not deserve it all I have to say is SHAME ON SONY!
Posted by notfatmocha (1 comment )
Mixed Mode/Enhanced CD
A sharpie covering the outer (data) portion of a Mixed Mode/Enhanced CD will still defeat any DRM copy-protection attempts on a CDA-format disc.

Then again, with AutoRun disabled, using a burning application like Nero to read the disc will also defeat AutoRun-installed DRM/copy-protection software as well.
Posted by (4 comments )
tsk.tsk Sony
I swear. Sony seems to have taken a page from the Hitchhiker's Guide to the Galaxy in their response to this.

"We've always had instructions available to remove the DRM. The customer just has to contact us for it." Yet they cloak the software behind a rootkit with no notice it is even installed. How does a consumer ask for removal instructions when they don't know there is something to remove?

As Douglas Adams put it. They think public display means being in the bottom of a file cabinet in the basement, in a disused lavatory with a sign outside that reads "beware of the leopard."
Posted by Methuss (101 comments )
Protect yourself
The only way to protect yourself against things like this is to install software that will render copy protection malware inoperable.

Look at the situation.

If you purchase content legally, you are
1/Insulted by the implication that you have either stolen or will assist someone else in the theft of this content.
2/Threatened with legal action.
3/Restricted in the use of the content to the extent that you have to re-purchase it if you go beyond what the content holders deem an acceptable number of devices on which you'd like to listen or watch your media.

Funny, but if any other business was in the habit of threatening and insulting their customers there wouldn't be much surprise or sympathy if that business went under.

Which makes it all the more strange that anyone actually sympathises with a media industry that does this to every one of its customers.

So my choices are
1/Continue to be threatened and insulted and restricted in the use of legally purchased media.
2/Not have any media.
3/Steal it - if they're constantly calling me a thief and threatening me with legal action, I might as well be one - and of course be rewarded for doing so because stolen media is rarely infected with copy protection and is usually of the same, or nearly the same, quality as the legal version.
4/Install software that removes the protections from all of your legally purchased media.

Under these circumstances, is it any wonder that so many people are doing exactly that.

I wonder how many were driven to this by the corporations themselves, and if they'd been offered protection free, insult free and threat free content in the first place, wouldn't be stealing it or providing protection free copies via bittorrent.
Posted by ajbright (447 comments )
no reply from Sony
I requested the download procedure from Sony and received this right back, but nothing since. Has anyone received anything more?

From:
contentprotectionhelp <ContentProtectionHelp@info.sel.sony.com>
12:04 AM

Subject:
SONY BMG Email Inquiry Acknowledgment
To:
<xxxxxxxxxxx@xxxx.xxx>



Thank you for contacting SONY BMG.

This message confirms that your e-mail has been received by our support team. You should receive a reply shortly.

Thank you,

SONY BMG Customer Service
Posted by davidows (15 comments )
Sony Support
David - as was written in The Washington Post's article on this (http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html), Sony BMG will contact you to verify what/why/who you want/are, then escalate this to the rootkit's originating company, First4Internet. That company will then verify information with you, and in the end send you a utility to decloak its rootkit.

So just be patient.

BTW - SonyBMG has released a Service Pack that will also decloak, but not remove, their DRM rootkitware.
Posted by (4 comments )
Kick Sony where it will hurt the most! The PS3!
One way to kick Sony where it hurts the most is to boycott the PS3.
Posted by bobby_brady (765 comments )
Especially since...
The PS3 will include a Blu Ray drive, which will include a DRM mechanism designed by Sony. Do you expect it to be any less intrusive? They even dedicate a full processor (the eight SPE on the Cell) to handling DRM and copy protection stuff, and they don't talk about it (so they are in fact hiding the DRM stuff as they did with this Rootkit).
Posted by Hernys (744 comments )
Didn't anyone click the link to Sony/BMG ?
They are only releasing the code to let you see the file. The link has a requirement that you explain the problem, in detail, that this program causes on your computer.

My take on this is they MAY let you remove it.

I wouldn't hold my breath waiting!

And why is the MAC immune?

Hummm... Maybe Linux is too. BEG

Just another reason to switch.
Posted by royc (78 comments )
There is a way to remove it
Check out Slashdot.org
Posted by bobby_brady (765 comments )
Mac and Linux are not immune to this thing
They are just incompatible with it. The CD in question CANNOT be played on those machines.
I'd rather stick with that than with a Rootkit, but keep in mind the reason this CD doesn't work in Linux or a Macintosh is merely a market share thing: Sony didn't care to commission rootkit for those operating systems because the market share was too small, deciding to just leave them out of their market. Had they decided to include them, developing a rootkit (that asks for the administrator to log on as in this case) would have been just as easy. So users of Mac and Linux are in fact lucky this thing came up, since they were certainly next had this been left undercover.
Posted by Hernys (744 comments )
rootkits *ARE* "intrinsically malicious"
Anything that gets installed on my computer that keeps me from seeing what is going on ON MY COMPUTER, *IS* malicious.
Posted by phuqm (1 comment )
Don't buy anything SONY!
No matter what they offer to do, Sony has taken an inexcusable action to violate the privacy of your computer and its contents. There is only one thing they understand... get them where it counts. Don't buy anything SONY.
Posted by RobFT (1 comment )
Don't worry....
Sony products are over-rated and not as reliable as their price. The last two items I've bought Sony was a CD-Walkman and PS2....The Walkman tore up a long time ago and I think the PS2 may be too...How convenient that the PS2 will be tearing up right when the PS3 comes out! Just like my PS1 did!!!
Posted by PCCRomeo (432 comments )
Don't buy anything SONY!
Right on! Agree with that sentiment 100%.
Posted by ddsam004 (1 comment )
An Unethical Blunder
This unethical act by Sony is another blow to the industry. Sony's stupid blunder and irresponsible response is another slap in the face to both consumers and the entire music industry. I am angry and saddened.
Posted by usedalittle (5 comments )
Hmmm...
Now the cat's out of the bag, so to speak, I'm sure there's some malcontent working diligently to come up with an exploit to Sony's "copyright protection feature."
Posted by Hobbes68 (3 comments )
Sony is Missing the Point
Sony is missing the point with this patch that simply reveals the software.

The point is this: Sony, I BOUGHT your CD. Sony, I AM A CUSTOMER. Sony, you have INVADED -MY- COMPUTER.

I, for one, will not be buying ANY Sony products as gifts or otherwise this Holiday season.

What all customers should demand: that Sony STOP making these CDs and provide an EASY process for REMOVING this malware.
Posted by kfr01 (12 comments )
Exactly the wrong point
Sony, the RIAA and the lot just don't get it. They keep pushing
the envelope of treating their customers like criminals. I love
music, I have never illegally copied a mp3 (or any other format)
because it is wrong. However, as the industry continues down
this road, less and less law-abiding customers have sympathy
for them. I for one would much rather do without Sony's cd's
than have to put up with the nonsense inflicted by this copy
protection crap. As if this is going to slow down the chinese
pirates more than a few hours. In fact, they will make up the
time with Sony's new CD ripper that can handle 200 CD's
Posted by philpacker (50 comments )
But Can We Trust Them With The Patch ?
So we can all agree that we should not really trust Sony nor that First 4 Internet company.

Then Sony gracefully posts a link to a software patch that requires browser with ActiveX Controls support.

Which brings me to my original point -- do I really want to trust those guys THAT much ? ? ?
Posted by ogryzek (1 comment )
What other Music Companies have similar Copy Protection??
The CEO of First 4 Internet, Mathew Gilliat Smith, boasted to a European IT website -- "IT Enquirer" in July 2005, that their XCP-1 copy protection software is now in use by "most of the large record labels around the world" ( http://www.it-enquirer.com/main/ite/more/digital_rights_management/ ). Is Sony just one of many companies that have been doing this??? It looks like maybe people who have the skills to follow Mark Russinovich's lead may need to start searching for rootkits on their machines if they have used any music CD's from any number of companies that are known to have, or might be suspected to have, copy protection.
Note that this Wired article http://www.wired.com/news/digiwood/0,1412,67696,00.html from May reported that First 4 Internet's clients include Universal Music Group, Warner Music Group and EMI, in addition to Sony/BMG.

BTW-- If you want to send your opinion directly to First 4 Internet, here is how to contact Mr. Mathew Gilliat Smith.
info@first4internet.co.uk subject='attn: Mathew' -
Posted by panderso (1 comment )
Only Sony and BMG I believe....
I'm pretty sure that Sony and BMG (when they were both separate companies) are the only 2 that have ever attempted to mass market copy-protected CD's and they always flop.....People might as well not talk about Americans being greedy, this shows that the foreigners are just as bad!
Posted by PCCRomeo (432 comments )
Re: Copy-Protected CD
Apparently the patch download weblink uses Active X, It will only work If you use IE. I tried with Firefox (1.0.7) & Mozilla, to no avail. As I do not use IE, it will not download unless I reinstall IE (which I do not plan on doing). Does anyone have a workaround method to remedy this...Regards: dejc...
Posted by quintoldfart (1 comment )
How would you know you needed to remove it?
If it is not stated that the software is installed and the EULA doesn't mention it how would a user know that they need to remove it?
Posted by lamaslany (1 comment )
like all malware...
You would notice a degradation in system performance, not to mention that the moment you try to rip a sony music cd, your cd would eject without any indication as to why.

Don't know about you, but that would clue me in that something was running around in the darkest parts of my machine, doing who knows what.

In the end, I don't hate them for trying to install DRM. I hate them for installing it without telling you, then lying about it.

If they were open about it and told everyone, "If you want to play our cd, you have to have DRM installed, otherwise take the cd back to the store and get your money back."

This disclaimer should be posted at the store for everyone to read, not just on the start screen of the cd.
Posted by thedreaming (573 comments )
Luke, the patch will inform you if...
has the rootkit on your computer. go to

http://updates.xcp-aurora.com/

to download the program.
Posted by wtortorici (102 comments )
What are Sony On
I bought Good Charlotte CD recently, only to find I could not put it onto my mp3!! What are they doing ? Result was I gave it to a friend who was able to copy it using a cd to cd music mixing unit ( not PC ) so it's easy to copy so why bother. I bought the CD in good faith now I will source copies in future for these so called pre ripped CD ( what a laugh sony )
Posted by sitinsprinter (1 comment )
I just downloaded patch from...
http://updates.xcp-aurora.com/

I put on my desktop for future use.
Posted by wtortorici (102 comments )