Sony BMG copy protection rootkit scandal
The 2005 Sony CD copy protection controversy is a public controversy relating to copy protection software known as Extended Copy Protection (XCP), created by First 4 Internet and used by the media company Sony BMG Music Entertainment (frequently referred to as "Sony") on audio CDs.
History
Security holes presented by Sony BMG software
On October 31, 2005, Mark Russinovich posted to his blog a detailed description and technical analysis of the software contained on Sony BMG music CDs. Titled Sony, Rootkits and Digital Rights Management Gone Too Far, the article argues forcefully that the software is illegitimate and that digital rights management had "gone too far." He stated that shortcomings in the software's design manifest themselves as security holes that can be exploited by malicious software such as worms or viruses. He also noted that the XCP software installed silently before the EULA appeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions. Several comments on the entry recommended a lawsuit against Sony BMG.
Freedom to Tinker published an article on November 12, 2005 discussing the SunnComm DRM found on some Sony BMG CDs, which is very similar to the F4I (First 4 Internet) software in that it installs without authorization or notification and does not have an uninstaller.
Rootkit removal program
Sony BMG released a software utility [1] to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers, but this removal utility was soon analyzed by Russinovich in a further blog article, More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home, which showed that it only exacerbated the privacy and security concerns. [2] In fact, the Sony BMG program merely unmasked the hidden files installed by the rootkit, but did not actually remove the rootkit. In addition, this program was reported to install additional software that cannot be uninstalled. In order to download the uninstaller, it is necessary to provide an e-mail address (which, the Sony BMG privacy policy implies, would be added to various bulk e-mail lists), and to install an ActiveX control containing backdoor methods (marked as "safe for scripting", and thus prone to exploits). [3]
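A control marked "safe for scripting" can be driven by any web page, which is why such a mark on a component with backdoor methods matters. The following PowerShell script is an added example and is not part of the article or of any software it describes; it lists every COM class on a Windows machine that is registered in the "Safe for Scripting" category so that an administrator can review which controls carry that mark. It assumes a Windows PowerShell session that can read HKEY_CLASSES_ROOT; the category GUID it uses is the standard CATID_SafeForScripting value from the Windows SDK header objsafe.h.

```powershell
# Added example, not code from the article or from any of the companies it
# describes. Lists COM classes registered on this machine in the "Safe for
# Scripting" category, which is what lets a web page drive a control from
# script. Assumes a Windows PowerShell session that can read HKEY_CLASSES_ROOT.
# The category GUID is the standard CATID_SafeForScripting from objsafe.h.
$catidSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'

# Expose HKEY_CLASSES_ROOT as a drive; it is not mapped by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

# A class is in the category when the CATID appears as a subkey under
# CLSID\{class}\Implemented Categories.
$safeForScripting = Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath "$($_.PSPath)\Implemented Categories\$catidSafeForScripting" } |
    ForEach-Object {
        $clsidKey = $_.PSPath
        [pscustomobject]@{
            CLSID  = $_.PSChildName
            Name   = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
            Server = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        }
    }

# Print the result, grouped by the DLL that implements each control.
$safeForScripting | Sort-Object Server | Format-Table -AutoSize
```

Many controls shipped with Windows legitimately appear in this category; the entries worth attention are those whose server DLL belongs to third-party software that had no reason to expose scriptable methods to web pages, which is the situation the uninstaller's ActiveX control created.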
On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers. [4]
Opponents of Sony BMG's actions, especially Slashdot and Digg users, later accused Sony BMG of violating its customers' privacy by creating a backdoor onto their machines, using code that itself violates an open-source license. They claimed that this DRM program, designed to give Sony BMG control over the customer's machine in the name of copyright protection, is itself infringing copyright by including code from the LAME MP3 library. [5] It appears that, since LAME is under the LGPL, this situation could be rectified by Sony BMG offering a copy of the LAME source code and adding a notice that it was using code from the library (though this would not be a defense against past damages).
Prevention
The XCP software can be prevented from installing in several ways. First of all, a user can refuse to purchase such copy-protected CDs, perhaps downloading the music from a digital music distributor instead. Second, it is possible to disable autoplay so that the software will not run automatically (this can be done temporarily by holding the SHIFT key while inserting the CD). Perhaps the safest alternative is to use an operating system on which the software does not automatically install itself, such as Linux or Mac OS.
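Holding SHIFT only suppresses autoplay for one insertion. The following PowerShell script is an added example and is not from the article; it shows the persistent form of the second measure above, disabling AutoRun for every drive type through the standard Explorer policy value and then reading the value back to confirm the change applied. It assumes an elevated Windows PowerShell session.

```powershell
# Added example, not code from the article. Disables AutoRun for every drive
# type via the Explorer policy value, then reads the value back to confirm it.
# Assumes an elevated Windows PowerShell session. The key and value name are
# the standard AutoRun policy; 0xFF sets every drive-type bit in the mask.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName  = 'NoDriveTypeAutoRun'
$disableAll = 0xFF

# The Policies\Explorer key may not exist yet on a machine with no policy set.
if (-not (Test-Path -LiteralPath $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}
Set-ItemProperty -LiteralPath $policyKey -Name $valueName -Value $disableAll -Type DWord

# Verify the setting took effect rather than assuming it did.
$current = (Get-ItemProperty -LiteralPath $policyKey -Name $valueName).$valueName
if ($current -eq $disableAll) {
    Write-Output ('AutoRun disabled for all drive types ({0} = 0x{1:X2})' -f $valueName, $current)
} else {
    Write-Warning ('{0} is 0x{1:X2}, expected 0x{2:X2}' -f $valueName, $current, $disableAll)
}
```

The value under HKLM applies to every user of the machine; the same value name under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer applies to one user only. Explorer reads the policy when it starts, so the change takes effect after the user logs off and on again.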
Legal and Financial Problems
Product recall
On November 15, 2005, vnunet.com announced [6] that Sony BMG was withdrawing its copy-protection software, recalling unsold CDs from all stores, and offering to exchange consumers' CDs for versions lacking the software. The Electronic Frontier Foundation compiled a partial list [7] of CDs with XCP. Sony BMG is quoted as maintaining that "there were no security risks associated with the anti-piracy technology", despite numerous virus and malware reports. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users. They also said one of the uninstallation options provided by Sony BMG introduces further vulnerabilities to a system. US-CERT advised, "Do not install software from sources that you do not expect to contain software, such as an audio CD." [8]
Sony BMG announced that it has instructed retailers to remove any unsold music discs containing the software from their shelves. [9] Internet expert Dan Kaminsky estimated that XCP is in use on more than 500,000 networks. [10]
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the jewel case for the CD.
On November 18, 2005, Reuters reported that music publisher Sony BMG would swap the affected CDs for new unprotected discs and also provide unprotected MP3 files. [11]
Information about the swap can be found at the Sony BMG swap program website [12]. As a part of the swap program, consumers can mail their XCP-protected CDs to Sony BMG and would be sent an unprotected disc via return mail.
On November 29, 2005, the New York Attorney General Eliot Spitzer found through his investigators that, despite the recall of November 15, Sony BMG CDs with XCP were still for sale in New York City music retail outlets. Spitzer said: "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year. I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony." [13] On November 30, 2005, Massachusetts Attorney General Tom Reilly issued a statement saying that Sony BMG CDs with XCP were still available in Boston despite the Sony BMG recall of November 15. Attorney General Reilly advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG. [14]
As of January 26, 2006, Sony BMG's website offered consumers no reference to this issue and no way to locate Sony BMG's explanation or list of affected CDs. (The link below, however, will bring up the explanation and list.) [15]
Legal situation
Class action suits have been filed against Sony BMG in New York and California. [16] On November 21, 2005, the Texas Attorney General Greg Abbott sued Sony BMG. Texas is the first state in the nation to bring legal action against Sony BMG for illegal "spyware." The suit is also the first filed under the state's spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers to play, which can compromise the systems. [17] [18] On December 21, 2005, Greg Abbott added new allegations to his lawsuit against Sony BMG. Abbott says the MediaMax copy protection technology violates the state's spyware and deceptive trade practices laws. He says Sony BMG offered consumers a licensing agreement when they bought CDs and played them on their computers. But, Abbott alleges in the lawsuit, even if consumers reject that agreement, files known as spyware are secretly installed on their computers, which pose security risks for music buyers. Abbott said, "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music," and "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes." In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allows for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit on December 21, 2005 carry maximum penalties of $20,000 per violation. [19] [20] It was reported on December 24, 2005 that Florida Attorney General Charlie Crist is investigating Sony BMG spyware. [21]
Threats of legal action in Italy have also been reported. [22] On November 21, EFF announced that it was also pursuing a lawsuit over both XCP and the SunnComm MediaMax DRM technology. [23] On December 6, 2005, Sony BMG said that 5.7 million of its CDs were shipped with SunnComm MediaMax, which requires a new software patch to prevent a potential security breach in consumers' computers. The security vulnerability was discovered by EFF and brought to the attention of Sony BMG. [24][25] The MediaMax Version 5 software was loaded on 27 Sony BMG titles. [26] All these suits concern security threats and other damage to customer computers, not copyright issues in the code. The EFF lawsuit also involves issues concerning the Sony BMG end user license agreement.
Despite the numerous civil lawsuits that were spawned or threatened, the US Department of Justice (DOJ) refused to comment on whether it would take any criminal action against Sony. This was despite the fact that the company seems to have violated several sections of Federal cybersecurity law. Instead, the DOJ proposed a new bill to Congress, called The Intellectual Property Protection Act of 2005, that would formally criminalize the act of file sharing, thus showing support for Sony's efforts to protect its copyrights. [27]
A Slashdot story noted [28] that the rootkit includes code and comments (such as "copyright (c) Apple Computer, Inc. All Rights Reserved." [29]) illegally copied from sections of the program VLC written by Jon Lech Johansen and Sam Hocevar, the former best known for being prosecuted in connection with DeCSS (which circumvents the digital rights management mechanism used on movie DVDs).
On December 30, 2005, the New York Times reported that Sony BMG has reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who have purchased the affected recordings. [30] According to the proposed settlement, those who purchased an XCP CD will be paid $7.50 per purchased recording and given the opportunity to download a free album, or be able to download three additional albums from a limited list of recordings if they give up their cash incentive. District Judge Naomi Reice Buchwald entered an order tentatively approving the settlement on January 6, 2006. [31]
The settlement is designed to compensate those whose computers were infected, but not otherwise damaged. Those who have damages that are not addressed in the class action are able to opt out of the settlement and pursue their own litigation. [32]
A fairness hearing will be held May 22, 2006 at 9:15 am at the Daniel Patrick Moynihan United States Courthouse for the Southern District of New York at 500 Pearl Street, Room 2270, New York, NY.
Claims must be submitted by December 31, 2006. Class members who wish to be excluded from the settlement must file before May 1, 2006. Those who remain in the settlement can attend the fairness hearing at their own expense and speak on their own behalf or be represented by an attorney.
Company & press reports
In a November 7, 2005 article, vnunet.com summarised [33] Russinovich's findings in a less technically detailed way and urged consumers to avoid buying Sony BMG music CDs for the time being. The following day, The Boston Globe (boston.com) [34] classified the software as spyware and confirmed that it communicates personal information from consumers' computers to Sony BMG. The methods used by the software to avoid detection were likened to those used by data thieves.
After the first virus that used Sony BMG's stealth technology to hide its malicious files from both the user and anti-virus programs surfaced on November 10, 2005 [35], Yahoo! News announced on November 11, 2005 [36] that Sony BMG had suspended further distribution of the controversial technology.
According to ZDNet News: "The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used." [37]
According to BBC News on November 14, 2005 [38], Microsoft has decided to classify Sony BMG's software as "spyware" and provide tools for its removal. In both this and the previous Yahoo! News announcement, Mark Russinovich is quoted as saying, "This is a step they should have taken immediately."
See also
- Extended Copy Protection
- Digital rights management
- OpenMG XCP, DRM used by Sony BMG's SonicStage software for Sony Connect on-line music store
- Rootkit
References
- Bergstein, Brian (Nov. 18, 2005). "Copy protection an experiment in progress". Seattlepi.com.
External links
- SonySuit.Com - Tracking The Sony BMG XCP and SunComm Lawsuits
- Bush Administration to Sony: It's your intellectual property -- it's not your computer - Nov 12, 2005 MP3 Newswire article
- Boing Boing: Sony anti-customer technology roundup and time-line
- Black and White Inc: Removing Sony BMG's Rootkit Rubbish without any downloads.
- Gibson Research: Security Now! (scroll down to Episode 12, Sony's "Rootkit Technology" DRM (copy protection gone bad); transcript here)
- Sony BMG: SONY BMG COMMENCES COMPACT DISC EXCHANGE PROGRAM FOR XCP CONTENT PROTECTED CDS (released November 18, 2005)
- Sony BMG: CD’s Containing XCP Content Protection Technology
- Sysinternals: Mark Russinovich's blog
- Wikinews: Sony's DRM protected CDs install Windows rootkits
- Muzzy's research on Sony's DRM
- Gartner: Sony BMG DRM a Public-Relations and Technology Failure
- Sony BMG: List of record labels in the Sony BMG family