Brian's Brain

Dec 6 2005 8:48PM | Permalink | Email this | Comments (1) |
Blog This! using:  Blogger.com | LiveJournal |
Digg This | Slashdot This | add to Del.icio.us

Continued from 'Sony: Seriously Screwed Up'....

4. If the user accepted the EULA, the rootkit (so-called because it subsequently hid its presence from the operating system and all other software running on it) was installed. It had a number of nefarious functions; it regularly 'called back' to Sony and First4Internet servers as a user played music, for example, and it reportedly degraded the quality of music ripped from ALL (not just Sony) CDs.
5. Mac users are not completely immune from Sony's DRM. In an 'enhanced content' partition of the CD, they find a SunnComm-developed utility that, if run, installs operating system kernel extensions. Linux users, however, are impervious to the DRM. And how many total users are affected? No one knows for sure (except for Sony and First4Internet, that is), but one estimate puts the number of impacted DNS name servers (each with an unknown number of infected systems querying it) at over 500,000.
6. Since the First4Internet-developed rootkit obscured the presence of all files beginning with the character sequence '$sys$', several viruses and other programs took advantage of this 'feature' to obscure themselves when installed on a Sony DRM-inclusive system.
7. Sony initially provided no un-installation routine. Manually removing all traces of the DRM utility would, if not carefully done, render the system unusable; minimally, the optical drive would be non-functional. And, ironically, such removal could be prosecuted as a violation of the Digital Millenium Copyright Act!
8. Speaking of copyright, careful analysis of the utility reveals that it contains code from several different open source projects, incorporated without attribution or otherwise following the license requirements. Ironically, some of the code comes from DVD Jon's FairPlay-circumventing algorithms, but used in reverse; it appears that one of the not-yet-enabled features of XCP was capable of adding Apple's DRM to 'ripped' music! Here's a direct link to Jon's blog entry on the subject.

As if this all wasn't bad enough, Sony's glacially slow, multi-stage response made the issue even worse. Thomas Hesse, the President of Sony BMG's global digital business division, initially said on National Public Radio that "Most people, I think, don't even know what a rootkit is, so why should they care about it? The software is designed to protect our CDs from unauthorized copying, ripping." When (nearly two weeks after the news broke) Sony decided to 'temporarily suspend' production of XCP-inclusive CDs, a company spokesperson defiantly defended its right to employ DRM as "an important tool to protect our intellectual property rights and those of our artists" One week earlier, Sony had released a patch that, while it claimed to uninstall the DRM, only made the rootkit visible to the operating system. And, unbelievably, the patch's ActiveX control opened up yet another security hole in systems (an earlier version of the SunnComm uninstaller had the same sort of problem). The patch, by the way, has yet to be up-rev'd by Sony, although antivirus and antispyware firms (including, notably, Microsoft) have been provided DRM un-installation instructions, which they're quietly implementing.

On November 18^th, Sony seemingly finally saw the light and issued a much more contrite announcement in which it claimed it was pulling the affected CDs off store shelves and would ship replacement CDs (along with downloadable MP3 files, believe it or not, although if it were me I wouldn't accept them, being likely watermarked) to customers. Two weeks later, however, New York Attorney General Eliot Spitzer reported that XCP-inclusive CDs were still on store shelves and he was considering legal action against Sony. To date, lawsuits have also been filed by the Electronic Frontier Foundation, Texas's Attorney General, and both California and New York City law firms. If I were a musician such as Trey Anastasio, whose XCP-inclusive 'Shine' CD was released a short time before the debacle caught the public's attention, I'd seriously consider suing too.

Continued with 'Put Your Money Where Your Mouth Is'....