November 21, 2005

Sony's Scary Adventures

Hatched by Dafydd

I've been following this story for several weeks now, since I first got an alert from Jerry Pournelle -- whose excellent web site, Chaos Manor Musings, is absolutely worth your perusing time. Now it's broken into the mainstream press, big time:

Texas Sues Sony Over Anti-Piracy Software
Associated Press
Nov 21, 2005

AUSTIN, Texas (AP) - The state sued Sony BMG Music Entertainment on Monday under its new anti-spyware law, saying anti-piracy technology the company slipped into music CDs leaves huge security holes on consumers' computers.

The lawsuit is over the so-called XCP technology that Sony had added to more than 50 CDs to restrict to three the number of times a single disc could be copied.

After a storm of criticism, Sony recalled the discs last week.

To enforce the restrictions, the CD automatically installed the copy-protection program when discs were put into a PC - a necessary step for transferring music to iPods and other portable music players.

Attorney General Greg Abbott accused Sony BMG of surreptitiously installing "spyware" in the form of files that mask other files Sony installed as part of XCP.

This "cloaking" component can leave computers vulnerable to viruses and other security problems, said Abbot, echoing the findings of computer security researchers.

"Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computers," Abbott said in a statement.

You can find a list here of the fifty-two CDs that Sony currently admits had this dreadful copy-protection scheme built into them. If you have put any of these CDs into your PC's CD player, you have been infected. You have the Sony rootkit on your system, and you're now as vulnerable to hackers as you would be vulnerable to burglars if you left your front-door key under the doormat. As to what to do... I don't know. Sony has made available what they call an "uninstaller," but it appears only to uninstall the copy-protection and leaves all the security holes still on your system! Internet security companies caution that removing a rootkit can damage your computer's operating system; that's one of the things that makes them so awful: you're blued if you do and tattooed if you don't.

Sony was attempting to prevent the widespread copying of music CDs, DVDs, and computer games; as an author myself, I certainly understand the concern about such piracy: too many of Generation Next believes that they were endowed by their Creator with the inalienable right to free music and movies for life. They love to shout slogans (or more accurately type them, as they typically are a bit too shy to advocate such idiocy in person); their favorite is the imbecilic "information wants to be free!" By which they mean that information consumers want to get free stuff, and they don't give a damn who they steal from.

So, noble goal: stop the theft of intellectual property. Alas, Sony used enitrely dishonorable, even despicable means to achieve that goal, completely nullifying any shred of sympathy I would ordinarily have for them. They infected fifty-two CD releases with something they advertised as a copy-protection system, but which actually turned out to use spyware techniques to hide files on your PC... leaving gaping security holes through which malicious viruses can (and already have) slithered in.

Note that this isn't the first time that the Japanese keiretsu Sony has stumbled badly by instituting draconian or outrageous methods to prevent "copying." I want everyone of you to go out today and price some nice Betamax VCRs....

A long article in the technology section of today's New York Times asks the underlying question, going beyond the specific case of the Sony-BMG spyware: Who has the right to control your PC? They correctly note that there are two distinct property rights involved: the intellectual property rights owned by the composers and movie producers (and the sales rights owned by Sony), but also the physical property rights of PC owners.

Sony rages like a harpy about the first, but seems utterly oblivious to the last -- thus neatly undercutting its own case: if I don't get to own my own computer, why should Sony get to own its CDs? Kiddies looking for any excuse at all to rip-off music will surely not fail to notice this hypocrisy... and use it to argue that it's all right to steal stuff, but only if they rilly, rilly want it.

The intellectual property rights argument is sound: but it's just a subset of property rights in general. Sony and all other entertainment companies need to make the argument clean and find some copy-protection system that does not violate ownership rights of customers.

The Sony scheme uses a rootkit, or at least something close enough to be just as dangerous. A companion article to the piece linked above is titled What makes a rootkit? The broadest definition, good enough for non-technies such as us at Big Lizards, is that a rootkit is any software that (a) gives a third party the ability to execute commands at the root (lowest) level of your operating system, and (b) conceals its presence from the owner.

Rootkits have been widely available online, sold or given away by hackers to anyone who wants them -- typically for malicious reasons. But this is the first time I've heard of one installed covertly merely by inserting a commercial CD into your computer to play it. While Sony may only intend to protect itself from illegal copying of its CDs, the ability it creates to take over your PC's operating system remains available for any other virus or spyware that is clever enough to use filenames similar to those used by Sony.

The real question for me is -- why didn't it occur to Sony in the first place that there was something fundamentally wrong and dishonest about a corporation secretly tricking customers into handing over the reins of their PCs? And even if you think all big corporations are venal, then what possessed them to think that they would get away with it? Did they believe that their customers were all so stupid, that none of them would ever figure out that their Sony CDs were hacking into their PCs?

To paraphrase a Dierks Bentley song that was hot a few weeks ago, "I know what you were feeling, but what were you thinking?"

Internet security companies (Microsoft, McAfee, Symantec, etc.) are of course already working on rootkit removers; but it's difficult and dangerous, since even removing a rootkit like Sony's can damage your computer's operating system. This is yet another unacceptable element of Sony's dreadful error: they can damage the operating systems of the very customers they rely upon to keep them in business. How many lawsuits will be filed against Sony, I wonder? Not just from outraged individual customers, states, and the federal government, but also lawsuits filed by the artists whose CDs were issued with this insane copy-protection scheme -- and which surely now will be boycotted or rejected out of fear, perhaps even after the bad CDs are withdrawn and replaced by CDs that aren't infected.

If I were advising Celine Dion or Van Zant, I would urge them to break their contract with Sony (on "failure to disclose" grounds) and take out advertising everywhere saying not to buy the Sony version, but only the version by [fill in the blank], which is not infected with a rootkit "virus inviter." And I would advise them to demand that Sony pay for the adverts, pay the transition cost, and would insist that any future contract with Sony include a specific clause banning any type of copy-protection software that met the broadest definition of a rootkit.

Or else just sign with somebody else instead.

Hatched by Dafydd on this day, November 21, 2005, at the time of 5:35 PM

Trackback Pings

TrackBack URL for this hissing:


The following hissed in response by: MarkD

It gets worse. Slither over to slashdot. Sony - ahem - misappropriated some open source software to create their rootkit. Evidently they can't be bothered to respect intellectual property rights while enforcing their intellectual property rights, right? You can't make this stuff up, nobody would believe it...

The above hissed in response by: MarkD [TypeKey Profile Page] at November 21, 2005 6:24 PM

The following hissed in response by: Dirty Dingus

At my blog I have gathered links to some of the ways to manually remove the rootkit and/or its buggy uninstaller.

It is possible to do manually if you are 1) careful and 2) well prepared beforehand

The above hissed in response by: Dirty Dingus [TypeKey Profile Page] at November 22, 2005 12:28 AM

Post a comment

Thanks for hissing in, . Now you can slither in with a comment, o wise. (sign out)

(If you haven't hissed a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Hang loose; don't shed your skin!)

Remember me unto the end of days?

© 2005-2009 by Dafydd ab Hugh - All Rights Reserved