"Get your facts first, and then you can distort them as much as you please." (Mark Twain)
Thursday, November 03, 2005
On the heels of the Internet uproar over security concerns with its copyright-protection measures, the company that developed the software for recording-industry giant Sony BMG Music Entertainment says it is providing computer users with a "patch file" that will mitigate some of the features that alarmed security researchers when they were discovered earlier this week -- especially the program's built-in ability to hide files on the user's system.
Privacy and security experts charged that the technology built into many of Sony's music CDs since March is unnecessarily invasive and exposes users to threats from hackers and virus writers....
Earlier this week, computer security researcher Mark Russinovich published an analysis showing that some new Sony CDs install software that not only limits the copying of music on the discs, but also employs programming techniques normally associated with computer viruses to hide from users and prevent them from removing the software.
Russinovich's findings -- posted on the Web site (http://www.sysinternals.com/) that he runs with another researcher -- indicated that the CDs in question use software techniques that behave similarly to "rootkits," software tools that hackers can use to maintain control over a computer system once they have broken in.
He found that traditional methods of uninstalling the program would not work, and that attempts at removing it corrupted the files needed to operate his computer's CD player, rendering it useless.
Sony spokesman John McKay said the technology has been deployed on just 20 titles so far, but that the company may include it on additional titles in the months ahead.
(Link via Suburban Guerrilla; internal link to specific post at sysinternals provided in place of the generic link in the original WaPo text.)
Russinovich traced the infection on his own computer to his copy of Sony BMG artists the Van Zant brothers' Get Right With the Man (the irony here did not escape Russinovich himself, nor did it escape the folks at Slashdot). In addition to the security problems presented by the Sony BMG discs, not to mention the ethical issues posed by the secret installation of hidden and practically unremovable software, the copy protection scheme also breaks third-party products - such as iPods:
It seems that Sony’s newest DRM technologies are preventing users from transferring legally-purchased files onto Apple iPods. In a twist of logic I have yet to understand, Sony places blame on Apple for refusing to license its Fairplay DRM to the music labels.
Suppose, however, that you absolutely need a Sony BMG disc, because you are a huge fan of (say) Switchfoot, and you want to know how to get around the DRM malware. No problem:
Major labels Sony BMG and EMI are releasing more and more new CDs that block fans from dragging their tunes to iPods.
Now, in the most bizarre turn yet in the record industry's piracy struggles, stars Dave Matthews Band, Foo Fighters and Switchfoot -- and even Sony BMG, when the label gets complaints -- are telling fans how they can beat the system....
One solution artists offer to iPod users is to rip the CD into a Windows Media file, burn the tracks onto a blank CD (without copy protection) and then rip that CD back into iTunes.
Columbia Records act Switchfoot, whose latest album, "Nothing Is Sound," is copy-protected -- and debuted at No. 3 on The Billboard 200 last week -- recently took copy-protection defiance one step further. Band guitarist Tim Foreman posted on a Sony Music-hosted fan site a link to the software program CDEX, which disables the technology. The post has since been removed.
One final point - the Sony BMG copy protection scheme is subject to an End User License Agreement, as is most software. The argument, then, is that while the consumer may have actually purchased the CD, they have merely licensed the accompanying software, and agreed to the terms of its use when they clcked through the EULA. Which reminds me that we still have yet to address the general problem of software EULAs. We must remember to get to that one day soon.
Update: Bruce Schneier has more:
Removing the rootkit kills Windows.
Could Sony have violated the the Computer Misuse Act in the UK? If this isn't clearly in the EULA, they have exceeded their privilege on the customer's system by installing a rootkit to hide their software.
Certainly Mark has a reasonable lawsuit against Sony in the U.S.
Update 11/4/2005: Sony BMG has felt the heat, and released a fix here. I don't know if this fix truly solves all the problems - I will wait for the expert geeks to weigh in - but you should probably take a look at it if you've played any of these CDs on your computer.