Should you be concerned about Sony's DRM and rootkit?
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
- Thomas Hesse, Sony's president of Global Digital Business, November 4, 2005
According to Sony's Thomas Hesse, you should not be concerned. This is like saying that somebody who does not know what a PC virus or Trojan horse is should not be concerned about the security of their PC. Sony has put software named XCP, developed by the British applications maker First 4 Internet Ltd, on 52 different music CDs that Sony released this year. XCP is a program that installs programs on your PC that:
- limits the number of times you can copy the CD to your PC,
- hides itself from the owner/user of the PC,
- sends information to Sony without your knowledge,
- damages the computer if you try to remove it and
- allows hackers a back door into your computer.
It even appears that Sony is violating copyrights themselves by using open-source code in this program. Sony is claiming that they have done nothing wrong, and this is why I and others think that we should boycott Sony's products. It is the only way that Sony BMG will get the message that they screwed up: hit them where it hurts, the pocketbook.
Sony is treating law-abiding customers as criminals by installing this DRM (Digital Rights Management) software on your computer when you play one of the affected titles on a Windows PC. Sony put the XCP program on the music CDs to prevent piracy, but it really does not stop piracy; all it really does is treat their customers as criminals and make it harder for these law-abiding customers to put the songs on another medium (create a CD of favorite songs from different CDs, copy the music to their iPod or similar device, etc.). The pirates overseas that mass-produce copies of these CDs to resell them are not stopped. They have ways of getting the music tracks off of the CDs and creating thousands of CDs that are sold illegally. It did not stop distribution on the internet because, from what I hear, the songs from these artists and albums are still available for download. The only thing it did was punish the people who legally purchased the music and give hackers a way into that person's computer. I think a company should be allowed to protect their intellectual property, but I would like to believe that:
- It is illegal for a person or company to install spyware on my PC,
- It is illegal for a person or company to install malware on my PC and
- That fair use still exists.
The only thing that the XCP software does is punish the people who legally purchased the music and give hackers a way into that person’s computer through the security hole that it opens.
Up until two weeks ago a lot of people did not know what a rootkit was. In fact, there are probably still a lot of computer users who do not know what a rootkit is. I think that this is because there has not been much news coverage by the conventional news sources. A rootkit is a powerful piece of software that, when installed on a computer, takes over control at the most fundamental level. In computer terms, it establishes "root" access, which is similar to administrative access, instead of access for just an ordinary user. This software can potentially prevent a computer user from detecting its presence or from performing certain tasks on their own PC. On October 31st Mark Russinovich posted his article on www.sysinternals.com explaining how he found Sony's rootkit on a PC. Mark discovered the following about the XCP software:
- That it was hidden from the owner of the PC,
- That it would disable the CD drive if you deleted it,
- That it creates a vulnerability that hackers can exploit and
- That it was installed by a Sony Music CD.
It has also been discovered that this program has a phone-home feature that reports information back to Sony. Sony has claimed that they do not do anything with this data, but sending information from somebody's PC without their permission is illegal. Yeah, right!
The XCP software that the Sony music CD installs when you play it makes the computer vulnerable to hackers, degrades the performance of the PC and can actually break it. The spyware/malware program that is installed on a PC by Sony changes settings on the PC so that the files it installs are hidden. This is done by making changes in the Windows registry so that files beginning with $sys$ are not displayed. Hackers have taken advantage of this and created programs that hide their own code, and these programs can take over your PC and/or get your personal information. Since this was discovered and reported by Mr. Russinovich, Microsoft and companies that make anti-virus products are updating their programs so they can find any viruses that used this back door. Another problem with the XCP software is that it will disable the CD drive if it is tampered with. Something is wrong when a company can install software on your PC that will break your PC if you try to remove it. Sony has said that information is reported back to them through the phone-home system but claims that they do nothing with that information. The program also runs in the background and uses some of the PC's processing power without the user's knowledge. If an individual had done what Sony has done, he/she would be called a hacker. I guess it is different if you are a big corporation.
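The cloaking described above (anything whose name begins with $sys$ withheld from the normal Windows view) is exactly what a cross-view rootkit check looks for: compare what the operating-system API reports with a raw, low-level enumeration and report the difference. The Python below is an added example, not code from this post, from Sony, from First 4 Internet or from Sysinternals; the listings and file names in it are constructed, and the prefix filter only models the visible effect of the hiding, not how it is really done.

```python
"""Cross-view detection of entries cloaked by a $sys$ name-prefix filter."""

SYS_PREFIX = "$sys$"


def leaf_name(entry):
    """Last path component, so registry paths and file names are treated alike."""
    return entry.replace("/", "\\").rsplit("\\", 1)[-1]


def cloaked_view(raw_entries):
    """Model of the cloaking the post describes: every entry whose name starts
    with $sys$ is withheld from the view the user normally sees. The real
    software hooks the system to do this; here only the effect is simulated."""
    return [e for e in raw_entries
            if not leaf_name(e).lower().startswith(SYS_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Entries found by a raw, low-level enumeration but missing from what the
    normal API reports. Any hit means something is hiding from the user."""
    visible = {e.lower() for e in api_view}
    return sorted(e for e in raw_view if e.lower() not in visible)


def scan_report(raw_scan):
    """Run the comparison per category (files, processes, registry) and flag
    whether the $sys$ prefix pattern accounts for the hidden entries."""
    hidden_by_category = {}
    for category, raw in raw_scan.items():
        hidden = cross_view_diff(cloaked_view(raw), raw)
        if hidden:
            hidden_by_category[category] = hidden
    prefix_cloaking = any(leaf_name(e).lower().startswith(SYS_PREFIX)
                          for hidden in hidden_by_category.values()
                          for e in hidden)
    return {"hidden": hidden_by_category,
            "prefix_cloaking_detected": prefix_cloaking}


# Constructed sample scan (hypothetical names, not XCP's real file names):
# the DRM components plus one unrelated program that borrowed the prefix.
RAW_SCAN = {
    "files": ["player.exe", "$sys$drmserver.exe", "$sys$filter.sys",
              "$sys$notsony.exe", "readme.txt"],
    "processes": ["explorer.exe", "$sys$drmserver.exe", "$sys$notsony.exe"],
    "registry": [r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$drm",
                 r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip"],
}
```

Calling `scan_report(RAW_SCAN)` lists every cloaked entry per category, including the unrelated program that merely adopted the prefix, which is why the post's point about other software piggybacking on the hiding matters to detection.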
Originally Sony had said that only 20 titles were affected, but as people started checking, the list grew. Finally Sony admitted that 52 titles have the XCP software (spyware/malware) on them. Last week Sony recalled the CDs with XCP from the retailers and is offering to replace the CDs of consumers who purchased the ones with XCP. They are also offering free downloads of music to customers who purchased the CDs with XCP on them. A patch that uninstalls the XCP software can be downloaded from their website. How many of the 4.7 million CDs produced (2.1 million sold) will remain in the hands of an unsuspecting public? What about people who have PCs but do not go online? What about the people who have not heard about Sony's recall? They are still affected by the vulnerability and the performance hit that the XCP software imposes. Sony is doing nothing that I know of to inform the public other than relying on the news and a notice on their website to inform their customers. Sony still has not admitted to doing anything wrong and still says that they are within their rights to use programs like this to protect their intellectual property. Well, what about the personal and intellectual property rights of all the consumers who played these 52 music CDs on their PCs?
As if Sony hacking your computer were not enough, you had better be sure to read the End-User License Agreement (EULA) that comes with the CD. It appears that Sony's lawyers have developed their own rootkit. Here is a summary (check out the link below for more):
- If your house gets burglarized, you have to delete all your music from your computer when you get home.
- You can’t keep your music on any PC at work (like your system admin would even think of letting you put a music CD in your PC after this).
- If you move out of the country you have to delete all your music.
- You must install any and all updates or else you lose the music on your computer.
- Sony-BMG can install and use backdoors in the copy protection software or media player to “enforce their rights” against you, at any time, without notice.
- The EULA says that Sony-BMG will never be liable to you for more than $5.
- If you file for bankruptcy, you will have to delete all the music on your computer.
- You have no right to transfer the music on your computer, even along with the original CD.
- Forget about using the music as a soundtrack for your latest family photo slideshow, mash-up or sampling.
So much for fair use!! Under fair use, when you buy a regular CD you own it and you can do anything with it that does not infringe on the rights given to the owner of the copyright. You can play it at a dinner party, loan the CD to a friend or transfer it to another medium to listen to it. Sony would probably like to make you pay each time you play a song off of one of their CDs if they could figure out a way to do it.
Not only is Sony treating their customers badly, but it appears that they are stealing someone else's intellectual property. The code used for the music player on the XCP CDs contains components of the open-source project LAME (an MP3 player). When open-source code is used it needs to be identified so it can be shared with others. Open-source developers could not find any reference to the open-source code used in the copy-protection software. Both First4Internet and Sony-BMG have declined comment about the use of open-source code. I guess Sony thinks it is OK to infringe on copyrights if they are doing it to protect their own copyrights.
If Sony has done this to music CDs, what have they done to their other products? Has Sony installed some software or hardware on their Sony Vaio PCs? Do they connect to Sony and let them know what you have been doing? What about Sony's upcoming PlayStation 3? What does it have on it, and does it do anything that you do not know about? What about Sony's new DVD format Blu-ray that is competing against Toshiba's HD-DVD format? One thing that I have read is that the Blu-ray format has a DRM scheme that will verify that your DVD drive has not been tampered with. If it finds a discrepancy or an error occurs, the drive-disable feature is enabled. You will then have to take in your HD-DVD player to be serviced. It seems that Sony is concerned about protecting what they have and couldn't care less for the consumer's rights.
One comment I read said, "Don't buy SONY until they become more consumer friendly."
I say, "DO NOT BUY SONY AT ALL!!" They have broken my trust, and there are other companies that make better products. Get an Xbox 360 instead of a PS3. Buy a receiver, CD player, clock radio, etc. from some other manufacturer instead of Sony. Get a Canon digital camera instead of a Sony. Don't buy Sony BMG music CDs; there may be something on them besides the music. Sony still has not admitted to doing anything wrong and says it was within their rights to use programs like this to protect their intellectual property. Unless we voice our opinions with our wallets, big corporations like Sony will continue with crap like XCP that infringes on consumers' rights and causes more problems for everybody!
Nov. 27, 2005
- The article that explains how the rootkit was found by Mark Russinovich
- List of Sony CDs (more than 20 titles) from www.idiotaboard.com, along with user comments
- Sony's official list of titles with XCP
- Sony's rootkit is on 500,000 PCs
- FAQ about "Fair Use" from the Electronic Frontier Foundation
- Copyright and fair use information from Stanford University Library