November 18, 2005 12:11 PM PST
Sony offers new CDs, MP3s for recalled discs
The company is responding to widespread security worries over copy protection technology contained on 52 albums released over the last year. When put in a Windows-based computer's CD player, the discs install antipiracy technology on a hard drive that exposes the PC to the risk of viruses and other hacker attacks.
Sony said on Friday that customers who have purchased any of the affected CDs can mail the discs back to the company using instructions found on the record label's Web site. Once they have sent in the discs, customers will also be provided with a link to download MP3s of the songs on the album.
"Sony BMG is reviewing all aspects of its content protection initiatives to be sure that they are secure and user-friendly for consumers," the company said in a statement. "As the company develops new initiatives, it will continue to seek new ways to meet consumers' demands for flexibility in how they listen to music, while protecting intellectual-property rights."
The recall of 4.7 million compact discs, along with the exchange offer for the roughly 2.1 million discs sold with the copy protection technology included, is an expensive step for a record company that has been battered by criticism online and in other media for the past two weeks.
The copy protection software, created by British company First 4 Internet, hid traces of itself on hard drives using a powerful programming tool called a "rootkit," a technique sometimes used by virus writers to similarly mask the presence of an infection on a PC.
Because of flaws in the rootkit, Sony's software left an opening that other, malicious software could use to hide itself on any computer where the copy protection was present. Several pieces of malicious software have already appeared online that piggyback on the copy protection to vanish in a PC, opening the computer to outside attacks.
Security researchers have found flaws not only in the original First 4 Internet software, but also in an uninstaller tool temporarily distributed by Sony that could directly allow an attacker access to a PC.
The Sony exchange offer is immediately available, and the company will pay all shipping charges in both directions, it said. Discs are already being pulled off retail shelves and are no longer available at online stores, including Amazon.com.
exchange offer for the roughly 2.1 million discs sold with the
copy protection technology included, is an expensive step for a
record company that has been battered by criticism online and
in other media for the past two weeks."
That "expensive step" of recalling/replacing those CDs is going
to cost mere pocket change compared to the cost of the next
several steps Sony must undergo whether it wants to or not.
Whether Merck loses more from all its "Vioxx" lawsuits than Sony
will from its legal liability for having created all those millions of
irreparably bot-controllable rootkit-infected Windows personal
computer systems is going to be an interesting question to
watch.
This issue was well presented by IT Hub/Security's Larry Loeb
("Sony's DRM: It Just Keeps Getting Worse" - November 14, 2005
- http://www.security.ithub.com/article/Sonys+DRM+It+Just+Keeps+Getting+Worse/165201_1.aspx?kc=ewnws111505dtx1k0000599 ),
who talked about the
problems with Sony's other rootkit spyware, "... SunnComm's
MediaMax DRM (which) installs itself on Windows systems as
well as Mac systems.
While most attention has been focused on the XCP rootkit that
the Sony/BMG installs on PCs, this additional DRM has been
flying under the radar in the Windows world...
... The DRM acts like a virus in many ways. When a Sony DRM-
protected CD is inserted, the autorun feature of Windows
immediately invokes a program called PlayDisc.exe.
Though it displays a EULA, all the files the DRM needs are
inserted on the hard drive at
C:\Program Files\Common Files\SunnComm Shared\ before the EULA appears.
The only difference detected thus far between accepting and
rejecting the EULA is that acceptance causes the DRM to launch
every time the OS starts up.
The DRM files remain installed on the hard disk even if the EULA
is declined.
Like a virus, there is no meaningful uninstaller available. Now,
some of the DRM protected CDs will indeed add an entry for
SunnComm to the Add/Remove control panel.
When activated, it removes most of the files in the shared folder,
but leaves the core copy protection module (sbcphid.sys) active
and resident.
That means other programs (like iTunes) can't access other
SunnComm protected CDs. But wait, there's more. MediaMax
"phones home" without your consent every time you play the CD.
When a CD is played, a request is sent to a SunnComm server
that includes an ID along with the request that identifies the CD.
Of course, the request by itself identifies the OS you are running
as well as your IP address.
The request seems to be for SunnComm's 'Perfect Placement'
feature, which can insert ad content while viewing the CD.
So, Windows users have to deal with a triple threat. Without user
consent, the DRM installs software on the target computer,
provides no way to uninstall its core, and lets SunnComm know
every time the CD is played.
But wait, there's even more.
Someone in the Netherlands did a decompile on the XCP rootkit
that has gotten most of the attention lately. It seems that parts
of the rootkit use the LAME mp3 encoder, which is licensed
under the Lesser GPL. That means by delivering only an
executable (the rootkit) without source or crediting, XCP violates
the GPL. Violating the GPL puts Sony at massive legal risk for -
wait for it - copyright infringement.
The irony is just crushing."
So will be Sony's legal $ liability for creating those millions of
irreparably bot-controllable rootkit-infected personal computer
systems. And that's doubtless just for starters - the other Sony
BMG rootkit spyware, 'First 4 Internet', also apparently leaves an
activated bot-infectable residue after it has gotten the
recommended rootkit removal treatment.
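A triage sketch for the residue states the quoted article describes, added here as an example; it is not part of any commenter's post and not Sony's or SunnComm's tooling. It classifies a disk file listing and a loaded-driver list using only the folder and driver name quoted above; the sample inventories, the other file names and the driver location are constructed.

```python
import ntpath
from dataclasses import dataclass, field

# Folder and driver name as quoted in the comment above.
SHARED_DIR = r"C:\Program Files\Common Files\SunnComm Shared"
CORE_DRIVER = "sbcphid.sys"

@dataclass
class Finding:
    shared_files: list = field(default_factory=list)
    driver_on_disk: list = field(default_factory=list)
    driver_loaded: bool = False

    @property
    def verdict(self):
        if self.driver_loaded:            # core module still resident
            return "core-driver-active"
        if self.shared_files or self.driver_on_disk:
            return "files-present"        # installed, e.g. after a declined EULA
        return "not-found"

def _norm(path):
    # Windows paths are case-insensitive; ntpath works on any host OS.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def triage(file_listing, loaded_drivers):
    """file_listing: full paths from a disk inventory; loaded_drivers: driver names or paths."""
    prefix = _norm(SHARED_DIR) + "\\"
    found = Finding()
    for raw in (line.strip() for line in file_listing):
        if not raw:
            continue
        path = _norm(raw)
        if path.startswith(prefix):
            found.shared_files.append(raw)
        if ntpath.basename(path) == CORE_DRIVER:
            found.driver_on_disk.append(raw)
    found.driver_loaded = any(
        ntpath.basename(_norm(d)) == CORE_DRIVER for d in loaded_drivers if d.strip())
    return found

# Constructed inventories (file names and driver location are made up for the demo).
DECLINED_EULA = ([r"c:\program files\common files\sunncomm shared\component.dll"], [])
AFTER_UNINSTALL = ([r"C:\Windows\System32\drivers\SBCPHID.SYS"], ["sbcphid.sys"])

if __name__ == "__main__":
    for name, (files, drivers) in [("declined", DECLINED_EULA), ("uninstalled", AFTER_UNINSTALL)]:
        print(name, triage(files, drivers).verdict)
```

A "core-driver-active" verdict with an empty shared folder corresponds to the post-uninstall state described in the quote, where the Add/Remove entry has run but the core module is still loaded.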
History will look back on this as one of many failures of the recording publishers as they lost control of the music industry.
arbitraryt.blogspot.com
Boycott Sony and burn Sony CDs.
They do not deserve the consumers' business or trust.
and few people would be upset. They constantly hamstring
consumers. It all started by people "stealing" music from the
artists, most of which is nothing more than cookie cutter crap
that all sounds the same. Music today is filth and is an insult to
true musicians. But I digress. So the resolution for the whiny
musicians is to pair up with a label that willingly puts software
on the system, that for all purposes is an exploit, that was not
tested enough for security and openly invites hackers to come
on in. So in turn for giving Sony/BMI $19.99 of your hard earned
money you get your identity stolen from their half-assed rootkit
because it allows hackers to come in. The average consumer
should not have to worry about a company purposely bending
them over after forking out money for a service or good
provided. The boycotting of Sony is not enough but the music
industry in general. It's high time they realize we are sick of
computer composed digital crap. When musicians want to
provide us with REAL talent, with REAL meaning to a song, then
perhaps it will be worth buying. But when a company is willing to
allow their 20 dollar CD to destroy my $1000 computer, hell will
freeze over before I ever buy their product again.
They aren't even accepting responsibility for their crime.
For me no more Sony Anything!