8 November 2005

Sony and DRM

It seems to be that sort of day - first off the MPAA is ruining movies (see previous post) - and the Sony DRM nonsense is getting louder. It reminded me of a previous Coles Notes I had done on a DRM-protected CD from the Dave Tucker Band - but it came from Starbucks and not Sony. The issues are the same, though. It's got me wondering if maybe there are other music publishers that are using this stuff.

Some people - like this fellow in Britain - are really getting steamed about it. To wit:

Those who have read my previous email will know that over the past week it has become known that SonyBMG (the big music record label) has been discovered to have been shipping their new music CDs with embedded software (known as DRM) to prevent the copying of their music. This in itself goes against fair use laws here in the UK, but a matter of much higher importance is the method in which this software was written and installed, as well as the huge security implications for computers that have been used to play these CDs.

On October 31st, Mark Russinovich from SysInternals & Winternals (technical websites) reported the issue in his blog on

It was discovered that the software installs itself on the user's computer when they first install the player that comes with the CD to prevent unauthorised copying of the music. The problem is, the End User License Agreement (EULA) makes no mention of the nature of this software. It does not inform the consumer that the software will make alterations to Windows at the core level, intercepting internal system calls and rerouting them through its own device driver. Neither does it inform the consumer that this software will be hidden, not just from the consumer but also from the operating system itself. Furthermore, the software was so poorly written that any 3rd party who wants to write a virus, trojan, spyware or malware (all malicious computer programs) would simply need to make the name of their files start with the prefix $sys$ in order to also be hidden on any machine that has the Sony software installed. By doing this, all the malicious software would also be cloaked under the Sony software, making antivirus applications unable to find or remove it, hiding it from system administrators and owners of computers, and making it impossible to remove, requiring the system to be reinstalled.

Again, due to how badly written the Sony DRM software is, it cannot be uninstalled without causing problems that may cause the computer to stop working (requiring a reinstallation of all the software).

Sony and First 4 Internet (the UK company that wrote the software) have released a patch to force the software to show itself (uncloak it); however, this causes further problems that may render your computer useless. See the following link:

Other problems with the patch are that it is only available online, so people who do not have internet access are still open to security threats from virus-infected compact discs or other media. Furthermore, most people who have bought music CDs with this software embedded are unlikely to know about the issue, as many of them will not be readers of technology articles on the internet, so whereas the patch is available, many systems will remain compromised.

A full recall of all SonyBMG music CDs currently on sale in the UK is required to prevent potentially millions of people being left wide open to attacks of identity theft and internet fraud. As long as SonyBMG CDs remain on the shelves, they are posing a high risk.

Both Sony and First 4 Internet have repeatedly changed the End User License Agreement and the Frequently Asked Questions sections of their websites over the past week in order to try and cover themselves. They have also made several public announcements that the software is not a security risk, which is untrue, as it can be abused by 3rd party malicious software as outlined above. Both companies are attempting to hide behind a EULA that they know 99% of consumers will just click through without reading, but even so, the EULA makes no mention of this particular software nor its faults. This is a violation of the Sale of Goods and Services Act (amended) by failing to provide the consumer with an accurate representation of the product or any faults with the product, so in essence, due to the fact that the EULA breaks the law, it is in fact null and void, leaving the vendors (Sony and First 4 Internet) criminally liable under the Computer Misuse Act.

Furthermore, neither Sony nor First 4 Internet have been able to provide a program to uninstall this software, and the patch they do provide simply uncloaks the software and UPDATES the DRM software; this patch can also cause the computer to crash. The software also makes connections to Sony servers in the US and sends information such as the CD that is being played, the Internet Protocol address (the address used to locate someone on the internet) of the consumer, the time the CD was being played, the date, the operating system of the computer and much more. This privacy violation is also not mentioned in the EULA.

My advice to ALL people who are responsible for any computer would be to check if this "rootkit" is installed on the systems you are responsible for. This can be done by right-clicking on your desktop, selecting New from the menu, selecting Folder from the submenu and naming the folder $sys$test.

If the folder disappears, your system is compromised with the Sony DRM software and you would be advised to seek the assistance of a professional Microsoft Windows technician. I would NOT advise anyone to install the patch offered by Sony, due to the fact that it could cause your computer to crash.

Furthermore, all system/network administrators responsible for the network inside any organisation should put a new policy into play that prevents anyone from listening to music CDs on their computer, due to the fact that should they have this software embedded, it would render the network wide open to malicious security threats and could possibly place the company in violation of the Data Protection Act.

It is everyone's responsibility to inform their friends, families and colleagues about this issue. In an age when computer/internet fraud and identity theft are at a high, everyone needs to know about risks such as this in order to protect themselves and their families from such security issues. However, this goes beyond just personal security: if this software is compromised by 3rd party malicious software on a company network, passwords used for access to company systems and databases could be recorded, leaving your company's intellectual property assets and other such data at risk.

I have worked in IT for 14 years and currently work as a consultant for a very large software developer that specialises in enterprise solutions for some of the biggest companies in the world. I would not report this issue to this audience if I did not think it was a significant threat to society as a whole. This software is reported to be on 20 different titles from Sony, amounting to millions of CDs on the shelves. Furthermore, First 4 Internet has publicly boasted that this software has been sold to other recording industry members for use on their CDs, which leaves the potential for tens of millions of discs on the shelves with this security threat.

It is my belief that in light of the seriousness of this issue, ALL music CDs currently on the shelves of UK retailers which contain DRM software (copy protection software) should be recalled until such time as a full investigation has been carried out of ALL titles to ensure they do not contain software that compromises the security of our population. Once a CD has been shown not to be a risk, it should then be permitted to be sold. Furthermore, all CDs that come with copy protection software embedded in the future should be cleared by security specialists prior to release.

Finally, we need to take a serious look at the use of End User License Agreements as contracts. It is a well-known fact that most of these contracts are never read and are agreed to blindly, and whereas I understand that is a problem which needs addressing with the consumers, it should not give corporations the right to abuse this situation to install software which most users would never agree to if they were aware of the potential effects.

For any more information, please contact me on my private email address.

Alexander Hanff
# posted by Alexander Hanff : 6:08 AM, November 07, 2005
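Hanff's "$sys$test" folder test is easy to generalise into a script. The Python below is an added example, not from the original post or from Hanff's email: it creates two sibling directories, one whose name starts with the $sys$ prefix and one control with the same name minus the prefix, then asks the operating system to enumerate the parent. A filter that hides $sys$-prefixed names from directory listings will make the prefixed entry vanish while the control stays visible; on a clean system both are enumerated. The prefix constant, the temp-directory layout and the "direct lookup" comparison are this example's own assumptions, not behaviour the post documents.

```python
"""
Differential probe for name-prefix directory cloaking.
Constructed example, not part of the original post.
"""
import os
import tempfile

# Assumption: the cloaking filter matches entry names beginning with this prefix.
CLOAK_PREFIX = "$sys$"


def probe_prefix_cloaking(base_dir=None):
    """Create a cloak-prefixed directory and a control directory side by side,
    enumerate their parent, and report what the listing contained.

    Returns a dict:
      control_visible       - the unprefixed control entry appeared in the listing
      cloaked_visible       - the $sys$-prefixed entry appeared in the listing
      cloaked_direct_lookup - a lookup by exact name still found the prefixed entry
      cloaking_detected     - control was listed but the prefixed entry was not
    """
    parent = tempfile.mkdtemp(prefix="cloakprobe-", dir=base_dir)
    cloaked_name = CLOAK_PREFIX + "test"   # the same name Hanff suggests
    control_name = "test"                  # identical name without the prefix
    cloaked_path = os.path.join(parent, cloaked_name)
    control_path = os.path.join(parent, control_name)
    try:
        os.mkdir(cloaked_path)
        os.mkdir(control_path)

        # Directory enumeration: this is the code path a listing-filter rootkit
        # intercepts, so a cloaked entry is simply absent from the result.
        listed = set(os.listdir(parent))

        # Lookup by exact name is a separate code path from enumeration; whether a
        # given rootkit also filters it is not something this example assumes.
        direct = os.path.isdir(cloaked_path)

        result = {
            "control_visible": control_name in listed,
            "cloaked_visible": cloaked_name in listed,
            "cloaked_direct_lookup": direct,
        }
        # The control entry rules out "listing failed entirely" as an explanation.
        result["cloaking_detected"] = (
            result["control_visible"] and not result["cloaked_visible"]
        )
        return result
    finally:
        # Best-effort cleanup by exact name; failures are ignored on purpose so the
        # probe never raises because of the very condition it is testing for.
        for path in (cloaked_path, control_path):
            try:
                os.rmdir(path)
            except OSError:
                pass
        try:
            os.rmdir(parent)
        except OSError:
            pass


if __name__ == "__main__":
    r = probe_prefix_cloaking()
    for key, value in r.items():
        print(f"{key}: {value}")
    if r["cloaking_detected"]:
        print("WARNING: entries prefixed", CLOAK_PREFIX, "are filtered from directory listings")
    else:
        print("no", CLOAK_PREFIX, "cloaking observed")
```

The control directory is the point of the differential: a missing $sys$ entry next to a present control entry is a name-based listing filter, whereas both missing would just mean the listing itself failed. Run it as a user who can create directories in the temp location; on a clean machine it reports both entries visible and `cloaking_detected: False`.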

And, more interestingly, an IT manager posts:

As an IT Manager, I have just set a new policy banning Sony/BMG music CDs from being played on company computers. I see this as a corporate security issue. Here is the content of the email:

I know some of you listen to music CDs on your computer; however, due to Sony/BMG's attempt to protect their copyrights, they have instead created a major security risk on your computer. If you install the copyright protection software found on some of the newer copy-protected CDs made by Sony/BMG, the software is actually a "root kit", which is very much like the technique being used by virus writers to hide and cloak their viruses from the computer system and virus software.

The net result is that Sony has created a pretty major problem and I am sure you will start hearing about it in the news - the class action group should be looking into this. Some news channels are not breaking the news as they have financial ties to Sony/BMG (i.e. CNN). I think over the coming days you will start to hear about it, as it seems pretty serious to me. The software has many flaws, and in fact from what I have read on the net so far it has been determined that the method it uses to protect the files can in fact be used against itself to allow you to actually copy the music in full 100% digital quality.

Effective immediately - no one is to insert a Sony/BMG branded CD into their computers at work especially if it is known to indicate anywhere on the CD that it has copy protection technology.

I suggest you be careful on any home machines as well until Sony comes up with an uninstall routine (they have a patch available, but apparently it has issues too).

1. If you insert a Sony/BMG recording and it pops up a license agreement - DO NOT ACCEPT the agreement and DO NOT INSTALL the software. Stick to listening to it on your normal CD player and not on your computer.

2. If you recall seeing a license agreement when inserting a music CD on your work computer, please contact me. (Don't contact him - this was an internal e-mail.) I want to test to see if it is the Sony rootkit. If so, there is no way to remove it and your computer will have to be re-installed (until someone or Sony comes up with a way to remove it properly).

Man - this is starting to get ugly. But the main points are coming out.
