Sony BMG recalls copy-protected discs
Canoe ^ | Nov. 16 | BRIAN BERGSTEIN

Posted on 11/16/2005 9:25:14 AM PST by holymoly

BOSTON (AP) -- The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested method for removing the program widened the security hole the original software created, researchers say.

Sony has moved to recall the discs in question. But music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."

The "XCP" copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion. Sony BMG said 4.7 million were shipped, with 2.1 million sold.

When the discs were put into a PC -- a necessary step for transferring music to iPods and other portable music players -- the CD automatically installed a program that restricted how many times the discs' tracks could be copied, and made it extremely inconvenient to transfer songs into the format used by iPods.

That antipiracy software, which works only on PCs running Windows, came with a cloaking feature that allowed it to hide files on users' computers. Security researchers classified the program as "spyware," saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC's CD drive.

The program also gave virus writers an easy tool for hiding their malicious software. Last week, "Trojan horse" programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said.

Trojans are typically used to steal personal information, launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.

But the uninstaller created a new set of problems.

To get the uninstall program, users were asked to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix.

Essentially, it leaves the PC open to downloading and installing code from the Internet.

According to security experts, the program does not verify that the code it is asked to fetch and run actually comes from Sony or First 4 Internet, so any site can invoke it.

"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday after being tipped by a Finnish researcher, Matti Nikki.

"It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."

On Tuesday evening, Sony BMG was preparing to release a safe new method for removing XCP. It was unclear when it might be available.

Other programs that knock out the original software are likely to emerge. Microsoft Corp. says the next version of its tool for removing malicious software, which is automatically sent to PCs via Windows Update each month, will yank the cloaking feature in XCP.

A Sony BMG statement Tuesday said the company would pull unsold CDs with the software from store shelves and let consumers exchange already purchased ones.

On Friday the company had said it would halt production of CDs with the technology and "re-examine all aspects of our content protection initiative."

"We share the concerns of consumers regarding discs with XCP content-protected software," Tuesday's statement said.

First 4 Internet was not making any comment, according to Lynette Riley, the office manager who answered the company's phone Tuesday evening in England.

***

Security experts have found that a hidden antipiracy technology on some Sony BMG music CDs causes dangerous computer vulnerabilities -- as does the company's method for removing the original program. Among the questions users might have:

Q: How do I know if I bought one of these CDs?

A: Sony BMG has not released a list of the titles with the XCP technology. But you can check the back of discs for this printed Web site address: http://cp.sonybmg.com/xcp -- that link to Sony's copy-protection page indicates the disc is protected by XCP. The Electronic Frontier Foundation has published a partial list of affected CDs at http://www.eff.org/deeplinks/archives/004144.php

Sony has stopped making discs with the technology and is recalling ones already sold.

Q: What happens if I have one of the discs?

A: Nothing bad can happen if you play the disc only on conventional stereo systems.

But if you've played the disc on a Windows computer, the CD installed a program that limits your ability to copy songs. The program also contains cloaking features that keep you from seeing that it's there or removing it. Malicious software creators have released programs that piggyback on the cloaking feature to live unnoticed on computers.

Sony BMG activated a Web site that enabled PC users to remove the XCP software, but that method opened up new vulnerabilities that could let outsiders take over a computer. The site asked users to fill out an online form before they could get the removal software; experts advise users to avoid that method until Sony BMG releases a new one.

Outside spyware removal programs also might eventually solve the problem. Microsoft Corp. has indicated that its malicious-software removal tool, sent regularly to computers via Windows Update, will take out the cloaking function in XCP.

Q: I filled out that online form to remove the original program, and now I'm worried I'm vulnerable. What should I do?

A: According to Princeton University researchers Ed Felten and J. Alex Halderman, you can try to delete the dangerous component left by the online form. It's called CodeSupport. Guidance on how to do that can be found in their blog posting at http://www.freedom-to-tinker.com/?p927

But they caution that it might not prevent the software from coming back.


TOPICS: News/Current Events; Technical
KEYWORDS: bmg; cd; disc; pc; rootkit; sony; spyware; windows
A Sony BMG statement Tuesday said the company would pull unsold CDs with the software from store shelves and let consumers exchange already purchased ones.

How magnanimous of them. /sarcasm

Are they also going to compensate people whose PCs have been hosed by their little rootkit spyware?

1 posted on 11/16/2005 9:25:16 AM PST by holymoly

To: holymoly
Easy solution: Don't buy anything Sony. You can't trust it.
2 posted on 11/16/2005 9:32:54 AM PST by sionnsar (†trad-anglican.faithweb.com† || (To Libs:) You are failing to celebrate MY diversity! || Iran Azadi)

To: holymoly

This little escapade is probably going to end up costing them at least a billion dollars in lawsuits and bad will. I can understand how such a stupid ploy could have slipped under the CEO's radar, but I can't understand how they could have been so stupid as to leave it hanging out there this long.

I posted the story here first, after it was posted at BetaNews.

Several Antivirus programs have added stuff that will uncover the Sony rootkit, but they have been slow to issue removal tools, probably because of fear that Sony might sue them for removing copy-protection, which is illegal.

Sophos was the first to issue a tool to detect and remove the Rootkit. Considering what has been happening, I would take a chance with their tool rather than anything Sony puts out, because so far all their solutions have only made things worse.

The Sophos rootkit detection and removal tool is at:

http://www.sophos.com/support/disinfection/rkprf.html

It will tell you if you have the rootkit on your computer, and several usually reliable sources have recommended it. I haven't tried it myself, since I don't have the Sony virus.


3 posted on 11/16/2005 9:35:23 AM PST by Cicero (Marcus Tullius)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

4 posted on 11/16/2005 9:36:08 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: holymoly

Ooooh, this is gonna leave a mark...


5 posted on 11/16/2005 9:36:08 AM PST by polymuser (")

To: holymoly

They'll compensate them, all right. After the class action lawsuit which in this case is warranted. If they want to fight the cassette tape over and over again fine, but it's going to cost them.


6 posted on 11/16/2005 9:36:44 AM PST by mysterio

To: Nightshift

ping


7 posted on 11/16/2005 9:40:31 AM PST by tutstar (OurFlorida.true.ws)

To: holymoly
"The "XCP" copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion. Sony BMG said 4.7 million were shipped, with 2.1 million sold."

It disturbs me that 2.1 million CDs can be sold that include Neil Diamond and Celine Dion.

8 posted on 11/16/2005 9:41:23 AM PST by RabidBartender

To: sionnsar
...including releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.

Oh yeah, these are the artists that they need to protect with their spyware. Now if it was Engelbert Humperdinck...

9 posted on 11/16/2005 9:45:05 AM PST by kaboom

To: RabidBartender

It disturbs me that 2.1 million CDs can be sold that include Neil Diamond and Celine Dion.

10 posted on 11/16/2005 9:47:17 AM PST by HawaiianGecko (Facts are neither debatable nor open to "I have a right to this opinion" nonsense.)

To: holymoly

They will, 5 years down the line and millions of lawyers' fees later.


11 posted on 11/16/2005 9:48:32 AM PST by thoughtomator (Bring Back HCUA!)

To: thoughtomator

A coupon for a free CD.


12 posted on 11/16/2005 9:52:21 AM PST by HiTech RedNeck

To: kaboom
Do people who listen to the "artists" even own computers?

Seems to me that this would be a much bigger problem with the 8-track versions of these albums.


13 posted on 11/16/2005 9:52:22 AM PST by j_k_l

To: sionnsar
So much for the much-vaunted synergies between hardware and software (content) in consumer electronics. Sony can make great consumer hardware -- but, their need to protect their investment in content is causing them a lot of grief. (Games are an exception, because everything is proprietary.) Sony needs to sell off its content businesses, so that their hardware side is free to design products, without having to worry about the effect on the content side.
14 posted on 11/16/2005 10:26:15 AM PST by USFRIENDINVICTORIA (")

To: holymoly

Pirate Bay.


15 posted on 11/16/2005 10:28:35 AM PST by GraniteStateConservative (...He had committed no crime against America so I did not bring him here...-- Worst.President.Ever.)

To: sionnsar
Easy solution: Don't buy anything Sony. You can't trust it.

That's what I'm recommending to everyone this Christmas. If Sony or BMG is on the product, pass it up.

16 posted on 11/16/2005 10:32:58 AM PST by zeugma (Warning: Self-referential object does not reference itself.)

To: USFRIENDINVICTORIA

A few years ago, I was shopping for a home theater system. Nothing too fancy, just something with everything in one box. When I tried Sony systems, they were hard wired NOT to play any burned CDs. Needless to say, I didn't buy one, and the salesperson said that before they knew about this, they had a lot of customer returns on Sony products.


17 posted on 11/16/2005 10:37:52 AM PST by doc30 (Democrats are to morals what an Etch-A-Sketch is to Art.)

To: HiTech RedNeck
A coupon for a free CD.

Hah, this should allow for a free plasma HDTV. The cleanup on one single PC for this crap could take hours to fix.


18 posted on 11/16/2005 10:45:27 AM PST by unixfox (AMERICA - 20 Million ILLEGALS Can't Be Wrong!)

To: j_k_l

Funny!

And in other news concerning the Sony spyware debacle:

It was discovered that Sony also included the rootkit on newly released 8-track tape versions of a Carly Simon album.
Reportedly the rootkit infected a customer's 8-track tape player, and the customer's 1978 Pacer would not start.
The customer was able to work around the problem. She removed the Carter/Mondale bumper sticker from her car and wrapped it around the tape player.


19 posted on 11/16/2005 10:48:17 AM PST by HereInTheHeartland (Never bring a knife to a gun fight, or a Democrat to do serious work...)

To: holymoly
"We share the concerns of consumers regarding discs with XCP content-protected software," Tuesday's statement said.

If that were true, then why did they release it in the first place?

20 posted on 11/16/2005 10:50:35 AM PST by Born Conservative ("Going to war without France is like going deer hunting without your accordion." -Donald Rumsfeld)
