vnunet.com analysis: The Sony BMG anti-piracy debacle
2005 Review of the Year: Sony BMG
/v3-uk/analysis/1942886/2005-review-year-sony-bmg
28 Dec 2005, Tom Sanders in California , V3
One single blog posting in late October succeeded in shaking the reputation of a major record label, notifying the world of the threat of rootkits and turning the music piracy debate upside down.
The saga began when a software developer called Mark Russinovich purchased a CD by Van Zant and played it on his computer.
When he first inserted the music disk, a window popped up informing him that playing the CD required a special player application. But on clicking 'I agree' the application installed more than just a player.
It also copied digital rights management software and a so-called rootkit to his system that would hide the software and prevent uninstalling.
Russinovich found out that the entire software suite was cooked up by a firm called First 4 Internet and is marketed as XCP. He published his findings in a blog posting that was soon picked up by news media world wide.
As more people scrutinised the XCP technology, it turned out that First 4 Internet had created a monster. The cloaking technology did not just hide the software from the user, but from Windows and virus filtering software.
A worm or piece of spyware could easily use the cloaking technology to dodge detection by security software. XCP was identified as a serious security vulnerability.
"Sony's motives are reasonable from its point of view, but it is a terrible security hole," Roger Thompson, chief executive at security provider Worm Radar, told vnunet.com.
"The risk is that [worms] now have a place to hide things where antivirus programs cannot see them. They can tuck themselves in under the protection of the rootkit."
Security experts at F-Secure quickly backed up Russinovich's claims. It would later turn out that the firm had started investigating the XCP rootkit in the summer and had been talking to First 4 Internet and Sony BMG about the security risks.
The process, however, was painstakingly slow and had stalled by the time Russinovich published his blog posting.
Following the public outrage, Sony BMG announced that it would issue a patch to consumers who wanted to remove the software from their systems.
But the label refused to issue a list of CDs that were affected by XCP. And the patch was hard to come by, requiring consumers to register with Sony BMG before receiving the software.
Although Sony BMG had been informed of the full scope of the security implications, the firm maintained that the technology "does not compromise security".
In a rare public appearance Sony BMG's president of digital business tried to cage the dogs.
"Most people don't even know what a rootkit is, so why should they care about it?" he said in a radio interview with the National Public Radio a week after the blog publications.
But ridiculing the critics only made things worse for Sony. F-Secure led the efforts to condemn the record label.
"I think that record companies should stop playing with rootkits and other 'black hat' techniques [before they] cause major grief to the customers," Jarno Niemela, a researcher at F-Secure's laboratory, warned on the F-Secure blog.
In the following days reputable security companies including Computer Associates and Symantec lined up against Sony, labelling XCP as a "trojan" and creating software to help consumers rid their systems of the pest.
And then, 10 days after the initial blog posting, the doom scenario became reality. Antivirus vendors detected the first internet worm on 10 November that made an attempt to use XCP cloaking technology.
The worm was poorly engineered and failed to cause any actual harm, but Sony finally woke up to the danger. The next day the record label promised to abandon XCP. It also published a list of 52 "infected" CD titles and launched a consumer exchange programme.
But the label's worries even then were far from over. The Texas attorney general has since launched an investigation into Sony's actions, alleging that the label violated local anti-spyware legislation. If found guilty, the label could end up paying $100,000 per violation.
Consumer advocacy group the Electronic Frontier Foundation has also started legal procedures in the US and Italy.
First 4 Internet, meanwhile, was accused of stealing open source software to use in the XCP technology.
As consumers kept calling for an all-out boycott of Sony, the company once again jeopardised the security of its customers.
A tool that aimed to remove XCP from infected systems was found to contain security bugs. And it soon transpired that another Sony anti-piracy technology contained security vulnerabilities that weren't removed properly either.
Sony BMG's anti-piracy initiative was intended to put an end to illegal copying, but it succeeded in doing the exact opposite. The crisis around its DRM technology had alienated the group of consumers who purchased perfectly legal hard copies of CDs.
In the end little real damage was done to consumers, as there are no known cases of hackers or worms which have succeeded in exploiting any of the many holes in Sony's technology. But the image of Sony BMG has been tarnished for years to come.
© Incisive Media Investments Limited 2010, Published by Incisive Financial Publishing Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, are companies registered in England and Wales with company registration numbers 04252091 & 04252093
Do you agree?
little real damage?
"In the end little real damage was done to consumers ..."
i beg to differ.
my niece who uses her computer to LEGALLY buy music from itunes , to rip LEGALLY bought cds and to transfer all this music to her LEGALLY bought iPod has found this rootkit on her pc.
she has now lost access to the cd burning function in iTunes.
she is now faced with the prospect of reinstalling windows to get rid of this rootkit.
HOWEVER ...
when she does this, she will lose all the music LEGALLY bought from iTunes. and, unlike eMusic and some other music sites, iTunes WILL NOT let her re-download the music she has previously purchased.
so, "little real damage"? i think not.
Posted by Terry, 21 Dec 2005
Sony rootkit . . .only one way
to deal with people like these "why should they care about it" types and that is to BUY NOTHING FROM SONY
Posted by CHUCK, 21 Dec 2005
No real damage?
The article ends by stating that no real damage was done to consumers. Well, I sure wasted a lot of time scanning all of our networked computers for rootkits; sure felt like damage.
Posted by Charles Wenzel, 21 Dec 2005
Rose-colored glasses...
Tell me, do those rose-colored glasses have wire rims or horn rims?
"No real harm done?" You've
hurrying to tack the coda on a little too early, aren't you?
What's the rush... now?
The foot-dragging on this by the major anti-malware vendors, who gave Sony a free ride for entirely too long, is only exceeded by the media coverage of this fiasco.
It would have been a laugh riot if not for the actual damage done to peoples PCs.
Facts:
One: Due to the covert nature of Mediamax installation many people do no know that they are infected and that their increased frequency of Windows crashes, apparent CD drive "failures", and suddenly "buggy" multimedia programs might have a cause other than Bill Gates... much less that a remotely exploitable security hole has been opened up in their systems.
It's kinda difficult to get patches out for malware, y'know.
Two: Audio CDs have a very long usuable lifespan compared to software CDs. Each of the millions of Mediamax-afflicted CDs said to be in the wild will attempt to covertly install the malware and open up the same security hole in any PC they're played in for a LONG time to come.
Posted by the zapkitty, 22 Dec 2005