Sony: You don’t reeeeaaaally want to uninstall, do you?

A few days after I posted my first blog entry on Sony’s rootkit, Sony and Rootkits: Digital Rights Management Gone Too Far, Sony announced to the press that it was making available a decloaking patch and uninstall capability through its support site. Note that I said press and not customer. The uninstall process Sony has put in place is on par with mainstream spyware and adware and is the topic of this blog post.

As I’ve stated several times already, Sony’s rootkit hides the Digital Rights Management (DRM) files from users that have it installed, so users not monitoring the developments in this story are unaware of the scope and intrusiveness of the DRM. The End User License Agreement (EULA) does not provide any details on the software or its cloaking. Further, the software installation does not include support information and lacks a registration option, making it impossible for users to contact Sony and Sony to contact its users.

What if a user somehow discovers the hidden files, makes the connection between files and the Sony CD that installed them, and visits Sony BMG’s site in search of uninstall or support information? Or what about the unsuspecting Sony DRM user that happens to visit the Sony BMG site to look at their other offerings? Will these customers learn about the patch and uninstaller?

See for yourself. Visit www.sonybmg.com and search for the support site Sony has made available to the press. There’s no information on this story anywhere on the front page, no support link, and the FAQ only contains information about Sony’s merger with BMG. The fact that Sony’s announcement was directed at the press and that they’ve made no effort to make contact with their customers makes the patch and uninstall look solely like a public relations gesture for the media.

Sony even gives those users like me that are aware of the “uninstaller” several hurdles to jump over. First you have to go to Sony’s support site, guess that the uninstall information is in the FAQ, click on the uninstall link and then fill out a form with your email address and purchasing information, possibly adding yourself to Sony’s marketing lists in the process.

Then, after you submit the information the site takes you to a page that notifies you that you’ll be receiving an email with a “Case ID”. A few minutes later you receive that email, which directs you to install the patch and then visit another page if you still really want to uninstall. That page requires you to install an ActiveX control, CodeSupport.Ocx, that’s signed by First 4 Internet, enter your case ID and fill in the reason for your request. Then you receive an email within a few minutes that informs you that a customer service representative will email you uninstall instructions within one business day.

When you eventually receive the uninstall email from Sony BMG support it comes with a cryptic link in the form http://www.xcp-aurora.com/support/sonybmg/process.aspx?opt=1&id=XYAUfasSFoSdasfDoFPPEWFFEoibnaZPQlSfFgKGSGGIAAAAAAAAAAA (I’ve modified the link so it doesn’t work) to your personalized uninstall page. Interestingly, the email address has a confidentiality notice, which implies to me that Sony has something to hide, and it informs you that the uninstaller will expire in one week.

If you visit the uninstall page from the computer where you filled out the first uninstall form then the DRM software is deleted from your system. However, if you visit it from another computer the page requires you install the same CodeSupport ActiveX control as the uninstall-request page, but then even if the computer has the DRM software installed you get this error:



Besides the obvious question of why there’s not a universal uninstall link, the error also begs the question of how the Sony site knows that the uninstall link is for a different computer? For that matter, why do you have to install an ActiveX control just to fill out a web form and why does that form have to be filled out “using the computer where the software is currently installed”? The email, web page and ActiveX control offer no hints.

I of course decided to investigate. A network trace of the ActiveX control’s communication with the Sony site using Ethereal reveals that the control sends Sony an encrypted block of data:



A Regmon trace of the ActiveX control’s activity when you press the submit button on the Web page reveals that the encrypted data is actually a signature that the control derives from the hardware configuration of your computer:



The uninstall link Sony sends you has your case ID encrypted in the address and when you visit the uninstall page the ActiveX control sends the hardware signature to Sony’s site. If the signature doesn’t match the one it stored earlier with your Case ID when you made the second uninstall request the site informs you that there’s a case ID mismatch.
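
The binding described above can be modelled in a few lines. This is an added example, not code from the post or from Sony or First 4 Internet; the SHA-256 derivation, the hardware field names, the status strings and the class and function names are assumptions, since the post establishes only that a hardware-derived signature is stored with the Case ID and compared on the uninstall page.

```python
"""Model of the Case ID / hardware-signature binding (added illustration).

Assumptions: the hashing scheme, field names and status strings are
hypothetical, and the one-week lifetime is counted from the moment the
signature is stored.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

LINK_LIFETIME = timedelta(days=7)  # the email says the uninstaller expires in one week


def hardware_signature(config: dict) -> str:
    """Derive a stable signature from hardware attributes (hypothetical scheme)."""
    canonical = "\n".join(f"{k}={config[k]}" for k in sorted(config))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class UninstallService:
    """Server side: remembers which signature was bound to each Case ID."""

    def __init__(self):
        self._cases = {}  # case_id -> (signature, time it was stored)

    def bind(self, case_id, signature, now):
        """Second uninstall request: store the signature with the Case ID."""
        self._cases[case_id] = (signature, now)

    def authorize(self, case_id, signature, now):
        """Uninstall-page visit: compare the presented signature with the stored one."""
        record = self._cases.get(case_id)
        if record is None:
            return "unknown-case"
        stored, bound_at = record
        if now - bound_at > LINK_LIFETIME:
            return "expired"
        if not hmac.compare_digest(stored, signature):
            return "case-id-mismatch"
        return "ok"

    def cases_by_machine(self):
        """Group Case IDs by signature: the signature doubles as a device identifier."""
        groups = defaultdict(list)
        for case_id, (sig, _) in self._cases.items():
            groups[sig].append(case_id)
        return {sig: sorted(ids) for sig, ids in groups.items()}


def demo():
    # Constructed sample data: two PCs that both have the DRM software installed.
    pc_a = {"cpu": "x86 Family 15 Model 2", "disk_serial": "A1B2-C3D4", "mac": "00-11-22-33-44-55"}
    pc_b = {"cpu": "x86 Family 15 Model 2", "disk_serial": "E5F6-0718", "mac": "00-11-22-33-44-66"}
    t0 = datetime(2005, 11, 9, 12, 0)
    svc = UninstallService()
    svc.bind("CASE-0001", hardware_signature(pc_a), t0)
    svc.bind("CASE-0002", hardware_signature(pc_a), t0 + timedelta(hours=1))
    return {
        # Link opened on the PC that filed the request: accepted.
        "same_pc": svc.authorize("CASE-0001", hardware_signature(pc_a), t0 + timedelta(days=1)),
        # Same link opened on another PC that also has the DRM: rejected.
        "other_pc": svc.authorize("CASE-0001", hardware_signature(pc_b), t0 + timedelta(days=1)),
        # Same PC, but after the one-week window.
        "after_week": svc.authorize("CASE-0001", hardware_signature(pc_a), t0 + timedelta(days=8)),
        # Two separate requests from one PC are linkable through the signature.
        "linked": svc.cases_by_machine()[hardware_signature(pc_a)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the check keys on the machine rather than on the software, one link cannot be reused across a fleet, and every request from the same PC carries the same identifier.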

While I’ve answered the question of how the uninstaller knows if the uninstall link is for your computer, I can’t definitively answer questions like:


  1. Why isn’t Sony publicizing the uninstall link on their site in any way?
  2. Why do you have to tell Sony twice that you want to uninstall?
  3. Why is the email with the uninstall link labeled confidential?
  4. Why does Sony generate a unique uninstall link for each computer?

Sony has left us to speculate, but under the circumstances the answer to all these questions seems obvious: Sony doesn’t want customers to know that there’s DRM software installed on their computers and doesn’t want them to uninstall it if they somehow discover it. Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.

For those readers that are coming up to speed with the story, here’s a summary of important developments so far:

The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:

  • Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
  • Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
  • The installation provides no way to safely uninstall the software
  • Without obtaining consent from the user Sony’s player informs Sony every time it plays a “protected” CD

Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers; however, this still leaves the following problems:


  • There is no way for customers to find the patch from Sony BMG’s main web page
  • The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
  • Access to the uninstaller is gated by two forms and an ActiveX control
  • The uninstaller is locked to a single computer, preventing deployment in a corporation

Consumers and antivirus companies are responding:


  • F-Secure independently identified the rootkit and provides information on its site
  • Computer Associates has labeled the Sony software “spyware”
  • A law firm has filed a class action lawsuit on behalf of California consumers against Sony
  • ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations

More on the story here.

Originally by Mark Russinovich on 11/9/2005 11:31:00 AM
Migrated from original Sysinternals.com/Blog

# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark, did it wipe all the First4 files from your computer, or did the uninstaller still leave traces of it?

How can something so simple be made so complicated?

Here's something to think about. Once the initial patch is applied and the ActiveX is installed, I am wondering what kind of information is sent to Sony from your machine. It could be possible for them just to make a nice little blacklist of those customers that have removed their DRM. Heck, they could use the information to try and pursue these individuals and see their downloading habits etc.; there are a number of things that Sony could do with this information. None of which makes me feel any safer.


Again Mark, great work.

11/9/2005 12:28:00 PM by Jedite
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Slightly OT, but I did have a good look at that site.

Try turning everything off - Java, JavaScript - images, too. It doesn't exactly "degrade gracefully", does it?

Unsurprisingly, now we know what kind of company Sony is, the site shows a total disregard for the customer, and indifference towards special needs. Frames, flash ... you name it; it's there.


http://validator.w3.org/check?uri=http%3A%2F%2Fwww.sonybmg.com%2F&charset=%28detect+automatically%29&doctype=Inline&verbose=1

32 errors on the homepage alone.

I wonder how a blind person would cope with this site.

Would it pass Section 508? Is it even legal under access law?

11/9/2005 12:35:00 PM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The more I think about it, the more this seems like a worthwhile avenue to pursue.

First, we _should_ ask the question, "How easy would it be for someone with particular needs to get the uninstaller?"

Secondly, let's not forget that Al Capone was eventually brought to justice because of tax evasion.

I suggest that accessibility experts and lawyers need to look into the accessibility both of the site and of the uninstall procedure to ensure that disabled persons are not being illegally discriminated against.

Courts in most developed nations do not look kindly on such things, and the penalties can be severe:

http://www.contenu.nu/socog.html

11/9/2005 1:09:00 PM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Perhaps someone should consider making some sort of proof-of-concept to show just how dangerous this DRM crap *could* be. A tame exploit if you will. (Note that I didn't say virus - certainly not something that could propagate, but could only be used by a willing volunteer, and would be easy to remove.)

11/9/2005 1:30:00 PM by Harvey
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Right now the level of Sony rootkit "infection" is a bit low for random-attack malware to efficiently exploit it. Is there any way for any malware vendors to tap into either of these communication streams? If this can be done, then suddenly the infection efficiency of the malware would climb to circa 100%.

In other words, even if Sony itself never does anything with this nice pipeline they've installed into our computers, it is certain that someone else will, soon.

11/9/2005 1:44:00 PM by kgr1
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

It's not like you don't have other things to do but I was wondering if you could test to see if the ActiveX control that is installed and apparently required for removal is itself removed after the uninstall is completed successfully? After all, ActiveX is a notorious vector for bad behavior for third parties (aka Sony in this case).
Along the same lines, it is interesting that the installer doesn't require this ActiveX software to add the rootkit. I wonder why it's required to remove it? I would think any functionality needed for the uninstaller could be included in the uninstaller itself (such as the encryption generation) without the need to resort to a separate ActiveX control. Or maybe it is how Sony tracks the unique ID between web sessions?

11/9/2005 1:49:00 PM by David
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

As I have been following the links in all the various blogs, other CD users have reported that their CDs would not work with DRM enabled CDs. This leads me to speculate (paranoia) on a couple of points. What happens if the DRM technologies are incompatible? Even worse, dirty tricks, company A's DRM actually kills company B's DRM.

11/9/2005 1:52:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Why doesn't someone, other than Sony, create an uninstaller? This would quickly propagate around the blogging world and make it available to anyone.

11/9/2005 1:57:00 PM by Veign
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

California Department of Consumer Affairs

400 R Street, Suite 1080
Sacramento, CA 95814
(800) 952-5210 (California residents only)
(916) 445-1254 (Sacramento area / out of state)

Or contact your CA legislators

The good news is that right now is when they are thinking about what the bills for the next year should be.

11/9/2005 1:59:00 PM by Patrick Moore
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Let's engage in a little reverse engineering on this:

Q: Why isn’t Sony publicizing the uninstall link on their site in any way?

A: Because they want their users to be able to easily locate the uninstaller, so they can easily uninstall the rootkit.

Q: Why do you have to tell Sony twice that you want to uninstall?

A: Just in case you decide, after telling them once, that it's all too much bother.

Q: Why is the email with the uninstall link labeled confidential?

A: If everyone knew the link then no one would be able to remove the software. Obviously, and logically (in a reverse way), the fewer people who can access the installer the more who can actually use it.

Q: Why does Sony generate a unique uninstall link for each computer?

A: This one is easy. A uniquely generated uninstall link, tied to a key generated by your hardware, means that Sony can ensure that everyone has used the installer on any and all infected machines. How else would they know?

So there you go, Sony really has put all these hurdles in place for our benefit. It's what consumers want. Just as well that Sony is listening to their consumers otherwise I don't know what we'd all do.

11/9/2005 2:09:00 PM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

> Why doesn't someone, other than Sony, create an uninstaller.

I think the problem becomes one of intellectual property. Whose intellectual property is potentially hurt more by your uninstaller? Whom do you think Sony will go after faster? Mark, who exposed the rootkit, or the guy who builds the uninstaller to remove it?

As has been stated numerous times over the course of Mark's posts, this simply comes down to Sony believing that their intellectual property rights are more valuable (and thus more important) than your intellectual property rights. I really do hope that Sony is taken to task over this, because we really cannot allow any corporation, regardless of their size, to be allowed to get away with this.

11/9/2005 2:11:00 PM by Schlice
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

> What happens if the DRM technologies are incompatible? Even worse, dirty tricks, company A's DRM actually kills company B's DRM.

Never attribute to malice, etc... Unless the companies that are writing these things do interoperability testing, bad things are bound to happen sooner or later.

11/9/2005 2:19:00 PM by LarsG
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Actually I don't believe anyone would get into much trouble if they created an uninstaller for this. Because really Sony has no claim as far as their EULA goes for this application (since it is never mentioned). Therefore they have no grounds to charge you with breach of the EULA if you were to create an uninstaller.

Heck, if removing files from your computer without using the appropriate uninstaller was a crime then we would all be in serious trouble.

11/9/2005 2:20:00 PM by Jedite
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I'm wondering how Firefox users are impacted by this if at all. Since the rootkit requires ActiveX I'm wondering if it would be functional if someone had made Firefox their default browser.

11/9/2005 2:20:00 PM by Wayne_Fielder
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This whole Sony DRM issue is by far better reading than any CSI style TV show :).
Thanks Mark for the investigation, just so sad that professional reporters stopped reporting 50 years ago, now they just publish press releases with some personal touch added to make it look like their own story :(

I wonder if some Joe or Jane from New Jersey, or Hans or Greta from Germany, will take the very same DRM rootkit, press their own music disc together with 10 seconds of copyrighted tune "Banging on My Piano", include the same EULA, and give it away ...

Would the FBI and other EU police chase the "criminals"? Will Microsoft offer $$$ to find them? Will CNN report?

Makes me wonder ...
Feeling that the only way is to boycott Sony, so I will avoid Sony as much as I possibly can.

11/9/2005 2:25:00 PM by Enough
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Wayne, it's the uninstaller that requires ActiveX.

11/9/2005 2:25:00 PM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

> Because really Sony has no claim as far as their EULA goes for this application(since it is never mentioned). Therefore they have no grounds to charge you with breach of the EULA if you were to create an uninstaller.

However, the rootkit is a component of the application which you already agreed to install. Underhanded, yes. But enforceable under the EULA? Potentially, as any sub-component of the main application is considered part of the application itself.

Note, I said potentially. Now, IANAL, but I think Sony being able to convince a reasonable person that the end user knew exactly what they were installing (rootkit and all) would be pretty slim. The possibility is there, but it's pretty slim IMHO.

11/9/2005 2:50:00 PM by Schlice
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I just got an email from Sony DADC, and even though Sony DADC is different from Sony BMG it might be interesting for some of you. In this email DADC mentions the news about Sony BMG's use of XCP by First4Internet. DADC does not try to dispute nor confirm this. They write that they do not use this copy protection scheme though, instead they use theirs, key2audioXS.
Regards,
Sym
:

- quote begin -
Dear xx. xxxxxxx,


You may have seen recent news articles regarding Sony BMG purportedly using a Copy Control system with the name XCP from a company called First4Internet. This copy control system is said to use a rootkit based DRM system which makes it possible for viruses or other malicious programs ("malware") to use this rootkit to hide themselves on a user's PC. In this way, a virus or other malware may remain undetected even if updated antivirus software is installed.

We would like to clarify that Sony DADC does not produce any discs with the above mentioned copy control system XCP, rather only with our own market proven copy control technology, key2audioXS. Sony DADC's copy control solution is already used on about 50 mill. discs worldwide, with the highest compatibility certified by accredited test laboratories. key2audioXS does not install any rootkit on a user's PC and thus does not facilitate the possibility for "damaging attacks" from the internet. This fact has already been acknowledged by a leading antivirus software company.

For any further information and clarification please do not hesitate to contact our product manager xxxx xxxxxxxxxx
on +xxxxx/xxxxxxxxx.
xxxxx.xxxxxxxx@sonydadc.com

Best regards
xxxxx xxxxxxxx
Product and Sales Management
Virtual Factory - Copy Control Solutions

11/9/2005 3:11:00 PM by Symlink
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

For companies using a Snort IDS with updates from Bleeding Snort, a signature update is available depicting the Sony DRM rootkit - http://www.bleedingsnort.com/article.php?story=200511081928180

11/9/2005 3:19:00 PM by Ryan
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This post has been removed by the author.

11/9/2005 4:01:00 PM by Sharpy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sharpy:

Are you sure about that? I thought it couldn't contain the media player not IE. But here is the department you want:

http://europa.eu.int/comm/competition/index_en.html

This is the guy tasked with ensuring Microsoft complies with EU requirements:

http://bcswiki.walmsleys.com/NeilBarrett

11/9/2005 4:42:00 PM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Cor-pirations at their finest!!!

11/9/2005 4:42:00 PM by wawadave
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

http://www.eff.org/deeplinks/

Review of Sony-BMG's EULA. Electronic Frontier Foundation.

11/9/2005 4:46:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Oops, too much cheap wine. I stand corrected.

It's Sans media player not IE.

Bugger.

Also how can Un-installing this be Against ANY-Law? FORMAT C: would be classed as a Felony.

11/9/2005 4:58:00 PM by Sharpy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

People seem to be focussing on *uninstalling* the rootkit; I think we're jumping ahead of ourselves here. You're not going to uninstall it if you're not aware that you're infected.

Someone ought to write a script that *detects* the rootkit - this would especially be advantageous to home users and people not aware if they've purchased a Sony CD. [Do you recall the labels of the last 5 CDs that you've purchased? I sure don't. And what if friends/family/co-workers have put CDs into your computer?]

This would make non-technically oriented people aware that they have a problem and would be a great way to publicize the crap we're being asked to put up with. The detection program could then refer the infected user directly to the link where he/she can request the uninstall from Sony [if indeed this is worthwhile to do] or could refer the user to a website for further information and perhaps, eventually, a better uninstall script.

The best features of this plan are that it doesn't put anyone in legal jeopardy, but it does make it easy for individuals to be certain they are infected - and it immediately directs infected individuals to sources of aid. It can also encourage non-technically oriented individuals to jump through all the necessary hoops to uninstall by making them aware of how big a security risk this rootkit poses.

11/9/2005 5:17:00 PM by icarus
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The EFF says that the Sony EULA for the rootkitted DRM software effectively says:

* If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

* You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

* If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

* You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

* Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

* The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

* If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

* You have no right to transfer the music on your computer, even along with the original CD.

* Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

http://www.eff.org/deeplinks/archives/004145.php

This is so unacceptable I can hardly believe it. Who do these people think they are? It is time to really slap them down.

11/9/2005 5:21:00 PM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I ran into this issue yesterday when I purchased the new Neil Diamond (a first for me) disc. I couldn't bring it into ITUNES or more specifically the Windows Media player. So I returned it. I tried the email route and that didn't work. I called Columbia Records in NY (a long distance call) and was pointed to the wrong website. This email dialogue then ensued. (read from the bottom up)

Your ticket 0NNNNN has been Answered

That is correct - they are in error. We are not affiliated with any release by Neil Diamond. Furthermore, to set your mind at ease involving the albums we are affiliated with, we do not employ the use of root kits in our protection package. The recent news and controversy is pertaining to an alternate software vendor used by Sony. We do hope you have luck in getting this removed, and we are sorry we could not be of more assistance.
CLIENT: mexxx@xxx.com
Sony BMG directed me to this site - were they in error?

-----Original Message-----
From: techsupport@sunncomm.com
Sent: Tuesday, November 08, 2005 3:18 PM
To: ME
Subject: Ticket Answered: : My Morning Jacket-it Still Moves [029675]

Your ticket 0NNNNN has been Answered

Thank you for contacting us. We appreciate your purchase of this
copyright protected CD and apologize for any inconvenience.

Please note that while this CD may contain copyright protection, it does
not contain our copyright protection.

Thank you.

SunnComm Tech Support Staff

CLIENT: mexxx@xxx.com
I returned the Neil Diamond CD "12 Songs" I purchased after I learned I
could not rip it to ITUNES (or Media Player) and after the rootkit was
installed.

Since I do not own the CD, I would like the software removed. Please let me know how I may do this. Thank you.



--------------------------------
I needed to call twice more to Columbia - but eventually got someone in their IT group who pointed me to the Aurora site. In my case, I didn't need to verify anything (for some reason). I did state I didn't own the CD and wanted the rootkit removed. I ran a rootkit finding utility afterwards and I believe everything has been deleted.

Thanks again for the posts. It really is amazing that Windows users only are paying to have malware installed on their systems by purchasing these CDs. You would think the retailers would be applying pressure to Sony as well. Apparently they don't care either.

11/9/2005 6:19:00 PM by Ziggy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

What are the artists saying about this?
Did that Van Zant band make any comment yet? Are they suing Sony for "hacking" into their fan's computer? Will they make their music available for free over the Internet?

11/9/2005 6:47:00 PM by Laurent
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I love you, man. Keep up the good work.

11/9/2005 7:14:00 PM by Jason
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Why are Sony doing this? Here is a theory I've been working on: They have no morals?

11/9/2005 8:04:00 PM by Per
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Here's something interesting:

When you visit that bad URL it forwards you to copycontrolhelp.com.

At that URL:

http://copycontrolhelp.com/english/updates.html


There are no updates!

11/9/2005 8:57:00 PM by anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Furthermore:

http://copycontrolhelp.com/english/faq.html

It doesn't tell you how to uninstall it, if that's even possible!

11/9/2005 8:59:00 PM by anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Others have said it, but this is another argument for getting your music as mp3s from pirate sites - there is less danger doing this than using the latest CDs from the major labels.

So help spread the word: mp3s are less risky than all the spyware/virus/rootkits soon to be available from buying CDs!

11/9/2005 9:26:00 PM by MonkeyMan
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

> # posted by Wayne_Fielder : 2:20 PM, November 09, 2005
>> I'm wondering how Firefox users are impacted by this if at all. Since the rootkit requires ActiveX I'm wondering if it would be functional if someone had made Firefox their default browser.

The rootkit does not require ActiveX to run - it requires ActiveX to be removed. So you can't remove it without using Internet Explorer.

11/9/2005 10:05:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I wonder if software like this http://www.sandboxie.com/ (freeware) would prevent this problem from the get-go? Maybe you could copy the music so you don't need their player also.

11/9/2005 10:13:00 PM by Jojo
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This is the real terrorism facing our collective societies today; that of uncaring, profit-driven corporations against all people, regardless of colour, religion, gender, age or geography.

Thanks Mark, for your good work.

The onus is now on the rest of us to contribute by making sure the corporate PR machines are unable to silence our dissent.

11/9/2005 11:28:00 PM by dismissive
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The solution should be obvious. Do not put one of these "CDs" into a computer running Windows!

The popular GNU/Linux operating system is immune to the rootkit, which takes advantage of the way Windows works. It's a reasonable certainty that somebody you know is already using Linux and your best bet is to ask them. But this is my attempt at a quick guide as to how to do it yourself. Because it's a quick guide, I'm going to concentrate on how to do it through the command line; Linux does have a graphical user interface but it's strictly optional, and power-users prefer typing in commands. It's quicker and it makes us feel like we're bonding with the computer :) Command lines have an undeserved reputation for being complicated, but I'm sure you will agree, this whole procedure is quite straightforward compared to removing Sony's rootkit :)

Go to http://slax.linux-live.org/ and download the latest Slax ISO image {it's less than 190MB and will fit onto an 8cm. CD-R!}. Burn the ISO image to a CD-R with your favourite burning software {I don't know Windows but it must have a way to do this, look for something like "burn ISO image" in the menus} and then switch off your PC while the recently-burned disc is still in the drive. Switch back on, and let it boot from the CD {you may need to mess with your BIOS options to do this}.

At the boot: prompt which will appear if the Slax CD is being read right, type
slax copy2ram
{note! you do not have long to do this, but hitting any key will cancel the timeout} and wait for the login: prompt {which means everything is ready and Linux is up and running}. The login and password are rather helpfully displayed on-screen; enter them and you will get the # prompt {standard Unix/Linux superuser prompt}. By this stage you can swap the cd for the music CD you are interested in.
Now type
# cd /mnt
# ls
{the # is meant to be the prompt, so don't actually type it}
/mnt is the directory where -- if you are lucky! -- your hard drive partitions were mounted. The cd command selects a directory, use "cd .." to go back to the next level up. Cursor up and down scroll through previously-typed commands and the TAB key tries to finish off a name if you typed just the first few letters. Note that capital and small letters are treated differently and that spaces and punctuation marks will need a \ in front of them -- and if you are in the UK, the \ will actually be on the # key. Find a sensible directory to save your music files in, or create one with the mkdir command. Then just type
# cdparanoia -B
This will begin extracting the music tracks off the CD as a bunch of .wav files. If you want to convert them to MP3s then enter the following command {all on one line}:
# for i in *wav; do lame -h "$i"; done
If you want to delete the .wav files immediately after conversion, then use this command instead:
# for i in *wav; do lame -h "$i" && rm "$i"; done
You can change to a new directory and extract another CD ..... in fact you can do as many CDs' worth of audio as you can fit on your hard disk.

Other commands you might find useful:

# ls
..... lists filenames in the current directory
# mv filename new_filename
..... changes the name of a file
# rm filename
..... deletes a filename
# cd dirname
..... changes directory
# cd ..
..... changes to previous directory
# cp filename new_filename
..... copies a file
# less filename
..... displays a text file screen-by-screen

When you are done, remove the music CD. Press ctrl+alt+del, reboot Windows, and then do whatever you want with the .wav and maybe .mp3 files you just created. You probably will want to rename them or something.

I'm even going to have a go at making my own Linux-CD which will simply prompt you for the various steps involved.

11/10/2005 4:37:00 AM by ajs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Simple one, but of most concern to me is this:

Isn't it illegal under British Law (Computer Misuse Act) to amend the operating system of any computer without authority?

If this is the case, and I believe it is, then Sony are not just guilty of computer abuse, but they are guilty of the criminal charge of computer misuse and the Police are duty bound to investigate.

In fact it is possible that all senior executives would need to be rounded up and taken to the local nick for 72 hours to be checked out.

In all seriousness, if Sony have let this one out into the wild then they are guilty of a criminal act and the company that made the rootkit are guilty of conspiracy to cause computer misuse and are also liable for criminal prosecution.

Just a thought...

11/10/2005 5:41:00 AM by Robert
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ajs said...
" The solution should be obvious. Do not put one of these "CDs" into a computer running Windows!

"I'm going to concentrate on how to do it through the command line; Linux does have a graphical user interface but it's strictly optional, and power-users prefer typing in commands. It's quicker"

Why not boot "toram" DamnSmallLinux or
PuppyLinux into Graphical User Interface?
CLI is pretty good for some task but not to any and all tasks...

11/10/2005 5:41:00 AM by zeh_
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Another thought is this...

If Microsoft are so protective of their software, why are they allowing a large corporation like Sony to launch a rootkit utility like this that can damage a normally working copy of Windows?

Also, seeing as MS are so keen to show how secure Windows is, how can they justify not putting a security update out that kills and removes this piece of crap software?

11/10/2005 5:48:00 AM by Robert
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Great work Mark. Stick it to them.
Just one thing: "A network trace of the ActiveX control’s communication with the Sony site using Ethereal reveals that the control sends Sony an encrypted block of data"
That encoded text is a postback as used in .NET .aspx web pages. It's used to maintain state when submitting information back to the webserver. It enables the client to tell the server what is in the web form, and when the page is given back to the browser (as often happens when one is browsing) then no information is lost.

11/10/2005 6:10:00 AM by Bazza
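
The comment above distinguishes an ASP.NET postback (ViewState) field from encrypted data. As an added example, not part of the original thread, this Python check takes a form POST body as seen in a packet capture and reports whether its `__VIEWSTATE` field is merely base64-encoded state or an opaque blob; the sample bodies, the field contents and the function names are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Leading bytes that identify an unencrypted ViewState once base64-decoded.
# ASP.NET 2.0 and later (ObjectStateFormatter) starts with FF 01; ASP.NET 1.x
# (LosFormatter) is text that typically starts with a "t<" or "p<" token.
MARKERS = {
    b"\xff\x01": "aspnet-2.x-viewstate",
    b"t<": "aspnet-1.x-viewstate",
    b"p<": "aspnet-1.x-viewstate",
}


def make_body(state_bytes):
    """Build a constructed form POST body carrying state_bytes as __VIEWSTATE."""
    return urlencode({
        "__VIEWSTATE": base64.b64encode(state_bytes).decode("ascii"),
        "email": "user@example.com",
    })


# Constructed samples, not taken from any real capture.
ENCODED_BODY = make_body(b"\xff\x01\x0f\x05\x11Order form step 2")
OPAQUE_BODY = make_body(bytes(range(0x80, 0xC0)))  # no marker, no readable text


def inspect_post_body(body):
    """Classify the __VIEWSTATE field of a URL-encoded POST body.

    Returns the detected kind plus any printable ASCII runs of four or more
    characters. Encoded state usually leaks readable strings; encrypted data
    has no marker and no such runs.
    """
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("__VIEWSTATE")
    if not values:
        return {"kind": "no-viewstate", "strings": []}
    try:
        data = base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64", "strings": []}
    kind = MARKERS.get(data[:2], "unrecognised")
    strings = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", data)]
    return {"kind": kind, "strings": strings}


if __name__ == "__main__":
    for name, body in (("encoded", ENCODED_BODY), ("opaque", OPAQUE_BODY)):
        print(name, inspect_post_body(body))
```

An "unrecognised" result with no readable strings does not prove encryption on its own; it only shows the field is not plain ViewState and needs a closer look.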
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Excellent sleuthing Mr. Russinovich. I've been following this story for a while, and I am glad I can help spread the word of these criminal business practices to everyone I know. I've been boycotting Sony for some time now, thanks to their first bungle with malfunctioning DVD-ROM drives in the Playstation 2.

Now we have real evidence to their intentions of extorting consumers with cheap and now, invasive products.

Let's hope people really wake up though.

11/10/2005 6:10:00 AM by Obsydian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Dear Senator,

I’m writing you to express my concerns about the recent revelation regarding ‘root kit’ software that is being secretly installed on users’ computers when they agree to a misleading End User License Agreement from Sony / BMG.

According to recent research, said software uses the same techniques used by hackers to camouflage viruses, and other forms of mal-ware. Not only that, this software is so poorly written as to open the host system up to other, potentially more damaging attacks.

I work as both a software developer and network administrator for a Central Florida based company which creates applications used by the banking industry. Network security, and software security are an important part of my day to day thinking.

I want you to understand that the security vulnerabilities that Sony / BMG have inadvertently created are the kind that any competent hacker can fly a virtual 747 into.

I hope that you will urge the senate to look into this matter, but more importantly I hope that you will see the need for stronger and clearer legislation to protect users from companies that would use such underhanded techniques.

I urge you to read Mark Russinovich’s web log entries regarding this software, and take heed of his expert opinion on this matter.

Here are links to the relevant entries.

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html


I thank you very much for your time and cooperation.

Sincerely,

11/10/2005 6:22:00 AM by melgish
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Backdoor.Win32.Breplibot.b

"We've been analysing the backdoor program which uses the Sony rootkit technology. ... When launching, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. Using this name makes it possible for the rootkit technology used by Sony to hide the activity of the malicious program."

http://www.viruslist.com/en/weblog

11/10/2005 6:28:00 AM by Damian
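
The comment above notes that a file named $SYS$DRV.EXE is hidden by the Sony cloak. As an added example, not part of the original thread, this Python cross-view check compares a file listing taken from the running Windows system with one taken from the same volume booted offline (for instance from a Linux live CD) and reports entries that exist on disk but are invisible live. The listings, paths other than $SYS$DRV.EXE, and function names are constructed; matching the `$sys$` prefix case-insensitively is an assumption.

```python
CLOAK_PREFIX = "$sys$"  # assumption: prefix is matched case-insensitively

# Constructed listings. LIVE is what the running, possibly cloaked Windows
# reports (for example from `dir /s /b /a`); OFFLINE is the same volume
# listed from a live CD (for example `find /mnt/hda1 -type f`).
LIVE_LISTING = r"""
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\drivers\cdrom.sys
C:\WINDOWS\Temp\setup.log
"""

OFFLINE_LISTING = """
/mnt/hda1/WINDOWS/system32/notepad.exe
/mnt/hda1/WINDOWS/system32/drivers/cdrom.sys
/mnt/hda1/WINDOWS/system32/$SYS$DRV.EXE
/mnt/hda1/WINDOWS/system32/$sys$example/driver.sys
/mnt/hda1/WINDOWS/system32/config/newfile.tmp
"""


def relative_paths(listing, root):
    """Return the set of lower-cased, '/'-separated paths below root."""
    root = root.replace("\\", "/").rstrip("/").lower()
    found = set()
    for line in listing.splitlines():
        path = line.strip().replace("\\", "/")
        if path.lower().startswith(root + "/"):
            found.add(path[len(root) + 1:].lower())
    return found


def is_cloak_name(rel_path):
    """True if any path component (file or directory) starts with the prefix."""
    return any(part.startswith(CLOAK_PREFIX) for part in rel_path.split("/"))


def cross_view(live, live_root, offline, offline_root):
    """Compare the two views of one volume.

    cloaked          - on disk, missing live, name matches the cloak prefix
    hidden_other     - on disk, missing live, no prefix (may be benign churn
                       between the two listings; review by hand)
    visible_prefixed - prefixed names that ARE visible live, e.g. after the
                       cloak has been disabled; still worth identifying
    """
    live_set = relative_paths(live, live_root)
    offline_set = relative_paths(offline, offline_root)
    hidden = offline_set - live_set
    return {
        "cloaked": sorted(p for p in hidden if is_cloak_name(p)),
        "hidden_other": sorted(p for p in hidden if not is_cloak_name(p)),
        "visible_prefixed": sorted(p for p in live_set if is_cloak_name(p)),
    }


if __name__ == "__main__":
    report = cross_view(LIVE_LISTING, "C:\\", OFFLINE_LISTING, "/mnt/hda1")
    for category, paths in report.items():
        print(category)
        for p in paths:
            print("   ", p)
```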
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The artists should consider suing Sony to get out of their contracts with them on the grounds that Sony is attacking their fans.

Surely one of the bands is going to comment on this fiasco sooner or later.

11/10/2005 6:28:00 AM by geek27
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"That encoded text is a postback as used in .NET .aspx web pages. It's used to maintain state when submitting information back to the webserver. It enables the client to tell the server what is in the web form, and when the page is given back to the browser (as often happens when one is browsing) then no information is lost."

I posted the wrong screenshot. I've uploaded the correct one showing the encrypted packet.

11/10/2005 6:31:00 AM by Mark Russinovich
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

@Damian - Great link. Sony will have to react to this and I hope Microsoft steps in to protect its customers.


Another extract from Damian's above link:

Sony rootkit backdoor program

Yury November 10, 2005 | 14:28 MSK

comment
The first backdoor which utilizes the 'Sony rootkit' was detected today. We've classified this malicious program as Backdoor.Win32.Breplibot.b.

We're analyzing the program at the moment and will have more information soon. Watch this space.

11/10/2005 6:34:00 AM by geek27
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

*waves to Mark*

You're up early. Thanks again for your hard work and expertise.

11/10/2005 6:35:00 AM by geek27
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The coverage of this story on the BBC has been consistently excellent. Today's instalment is "Sony sued over copy-protected CDs": http://news.bbc.co.uk/1/hi/technology/4424254.stm

I guess it helps that the BBC is independent of all the major media conglomerates and RIAA members...

11/10/2005 7:13:00 AM by ThePHB
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Editor of Dutch webzine WebWereld, Brenno de Winter, has taken some time to take a closer look into Sony's 'Rootkit'. He states: "The spyware that sony installs on the computers of musicfans doesn't seem to comply with copyrights." As it seems, certain pieces of code are identical to LAME, an open source mp3-encoder. An anonymous expert figured out the CD 'Get Right' by 'Van Zant' contains strings from the library version.c from Lame. He stumbled upon: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ". This discovery could imply major consequences for Sony.

11/10/2005 7:24:00 AM by IvoG
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Looks like legislation is being considered against Sony. EXCELLENT WORK MARK!!! (bows to hero).

http://www.computerworld.com/securitytopics/security/story/0,10801,106064,00.html?source=x10

11/10/2005 7:29:00 AM by JohnA
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

So what if the computer doesn't have an internet connection?

11/10/2005 7:43:00 AM by PhilHibbs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Been following this issue and haven't seen anyone address this question yet:
How would someone without an internet connection (perhaps they use public library computers for email and surfing) uninstall this? Does the installer or CD cover mention anywhere that an internet connection is required to use the disc in a PC? If not, how can SonyBMG require one to remove their software? I'd like to see how they respond to a user in this situation.

11/10/2005 8:00:00 AM by Greg S.
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I have a friend of mine that has a Sony laptop. He told me that the latest update that he received from Sony caused his CD-Rom to disappear. He said that he spent long hours with Tech support trying to fix the problem, but they couldn't help. Ultimately, a friend of his helped him out.

Do you think this is a result of Sony putting this Rootkit on all "their" computers via updates?

11/10/2005 8:25:00 AM by David K Dudley
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Whose intellectual property is potentially hurt more by your uninstaller?

The don't call it an uninstaller.

11/10/2005 8:31:00 AM by flaurijssens
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The rootkit apparently kills Vista Beta1 completely. There are hundreds of thousands of these dangerous discs already in circulation, and they will remain in peoples collections for decades to come. Microsoft will have to break compatibility or specifically blacklist this driver and prevent its installation, or thousands of people are going to find their machines mysteriously made unbootable for years to come.

11/10/2005 8:47:00 AM by Edward
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Symantec also declares this "rootkit" as "SecurityRisk". And Sony still claims this piece of shit to be safe and sound, it does not even compromise systems.

11/10/2005 8:47:00 AM by Knutern
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

@zeh_: Yes you could start a GUI, but why would you want to? You know exactly what you want to do -- navigate to a directory, extract the audio from a CD and maybe MP3-ify it. I personally find it's a lot less fart-arsing about just to do all this the easy way. Anyway, you're not telling me that there's a quicker way to do the equivalent of
for i in *wav; do lame -h "$i" && rm "$i"; done
in any GUI. Unless you include the time taken to learn the art of one-line shell scripts, but I just gave you the script; and if you follow the instructions precisely, it will work. And it would have taken longer to explain how to do it in a GUI.

11/10/2005 8:49:00 AM by ajs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Then don't call it an uninstaller.

That was a bit quick...

What if the uninstaller was called a tool to back up and restore your OS's hooks 'n' filters? Not specifically aimed at XCP, but a nice and handy tool for all Windows owners that, by mysterious coincidence, happens to safely remove XCP as well.

11/10/2005 9:10:00 AM by flaurijssens
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

McAfee should now be able to remove the rootkit feature in Sony's DRM.

See: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136855

"With the latest DATs, McAfee detects, removes, and prevents reinstallation of XCP. Please note that removal will not impair the copyright protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP (http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html ). System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself."

This will probably mean that the DRM will still use too much CPU-power, and phone back to Sony?

11/10/2005 9:18:00 AM by Fuzhi
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark,

you might want to publish these lists of CDs containing the rootkit:

http://www.eff.org/deeplinks/archives/004144.php
http://slashdot.org/~xtracto/journal/121088

Note that these are not just obscure b-grade music groups. Among them are:

Amerie
Natasha Bedingfield
Ricky Martin
Celine Dion
Neil Diamond

i.e. Top 10 performers with 6-digit record sale numbers.

11/10/2005 9:31:00 AM by nickpicker
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Can someone confirm that the rootkit software is NOT installed if you decline to accept the EULA?

Given the underhand nature of the software, and the fact that its sole purpose is to prevent you using your existing media players to play the CD, I'd be quite surprised if they didn't install the DRM software anyway, whether you decline the EULA or not - after all the software has to run to even present the EULA in the first place.

(I have a machine that I've recently replaced, that I could test this on, but I don't have any of the infected CDs in my collection, and I'm not going to buy one!)

11/10/2005 9:56:00 AM by ripwave
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

First backdoor exploiting the Sony rootkit out in the wild:

http://www.bitdefender.com/VIRUS-1000058-en--Backdoor.IRC.Snyd.A.html

11/10/2005 9:59:00 AM by nickpicker
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Fuzhi wrote:

"This will probably mean that the DRM will still use too much CPU-power, and phone back to Sony?"

It's a decloaker that doesn't address the DRM.

11/10/2005 10:01:00 AM by zapkitty
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"Can someone confirm that the rootkit software is NOT installed if you decline to accept the EULA?"

The software does not install if you reject the EULA and the CD ejects. The CD is not visible to Windows Media Player or ITunes.

11/10/2005 10:03:00 AM by Mark Russinovich
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

If McAfee are leaving the DRM software in place, then they are NOT uninstalling XCP - they are only uncloaking it! The DRM software is still redirecting system calls to the CD drive, and is still using deliberately misleading process names.

You'll still be "rooted" even if XCP is uncloaked.

11/10/2005 10:06:00 AM by ripwave
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark, I have two questions if you have time....

#1. Does Sony's new service pack (Service Pack 2a) perform a "safe" decloak of the rootkit?

#2. Does Sony's uninstaller completely remove the copy protection software from your computer?

I'm just curious because I know that I will run into an "infected" computer eventually.

11/10/2005 10:11:00 AM by Aaron
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark said: "The software does not install if you reject the EULA and the CD ejects. The CD is not visible to Windows Media Player or ITunes."

??? I'm confused. A number of people have claimed that disabling autorun will prevent the "infection" from occurring. Others have claimed that the CD works fine in Linux and on Macs, which suggests that it's a standard Red Book CD. If there is no software installed, how can WMP or iTunes be prevented from seeing the disc?

Is it simply that the EULA stub keeps running, and blocks access until you reboot the machine?

11/10/2005 10:12:00 AM by ripwave
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

>#1. Does Sony's new service pack
>Service Pack 2a) perform
>a "safe" decloak of the rootkit?

No.

>#2. Does Sony's uninstaller
>completely remove the copy
>protection software from your
>computer?

It appears to, yes.

11/10/2005 10:12:00 AM by Mark Russinovich
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

" If there is no software installed, how can WMP or iTunes be prevented from seeing the disc?"

It's not clear why the audio portion of the CD is not visible from within Windows. It appears to be a Windows driver incompatibility with the CD.

11/10/2005 10:14:00 AM by Mark Russinovich
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

QUESTION: Does anyone have a link to all artists on the Sony/BMG label?

I refuse to buy (or even listen to) music created by artists represented by Sony/BMG moving forward.

Life's too short (and good music too plentiful) to support a company that acts this disrespectfully.

11/10/2005 10:20:00 AM by Blacklist
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark said: "It's not clear why the audio portion of the CD is not visible from within Windows. It appears to be a Windows driver incompatibility with the CD."

Ah. I was under the impression that disabling AutoRun was all that was required to stop XCP from preventing Windows users using this CD as they do most other CDs.

I was under the impression that the anti-copy methods used in other techniques that involve the deliberate introduction of errors, so that a "CD" no longer conforms to Red Book standards was "OS Neutral", targeting the drive hardware. I'm surprised that it's possible to make a CD that Windows can't read that other OSs can, without modifying Windows.

More to the point, if they can do that, why do they need to install OS hooks at all? After all, requiring you to use their Media Player wasn't a problem for you.

That makes any possible claim that the installation of a Rootkit is required for DRM purposes even more obviously bogus.

11/10/2005 10:29:00 AM by ripwave
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"It appears to be a Windows driver incompatibility with the CD."

They boasted that XCP "wrapped around the audio transparently to standalone players" for whatever that's worth... so apparently they are gaming the Windows drivers.

Wouldn't that break with Longhorn?

Thus this emphasis on keeping their hooks in the users system?

11/10/2005 10:58:00 AM by zapkitty
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark, thanks for revealing this intrusion.
I have a question: Roxio is able to copy the CD. Does this mean that the rootkit has been installed even though the CD has not been played with the included player software?

11/10/2005 10:59:00 AM by gaa
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Why don't you just cut off the "homephone" crap by using a personal firewall and NOT granting internet access to the f..ing SONY music player process....?

11/10/2005 11:05:00 AM by ITManager
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

>QUESTION: Does anyone have a link
>to all artists on the Sony/BMG
>label?

BBC NEWS have a news report on the Class Action Lawsuit; it has a list of affected CDs halfway down the page:

http://news.bbc.co.uk/1/hi/technology/4424254.stm

For the lazy, here is that list:

XCP PROTECTED CDS
Trey Anastasio - Shine
Celine Dion - On ne Change Pas
Neil Diamond - 12 Songs
Our Lady Peace - Healthy in Paranoid Times
Chris Botti - To Love Again
Van Zant - Get Right with the Man
Switchfoot - Nothing is Sound
The Coral - The Invisible Invasion
Acceptance - Phantoms
Susie Suh - Susie Suh
Amerie - Touch
Life of Agony - Broken Valley
Horace Silver Quintet - Silver's Blue
Gerry Mulligan - Jeru
Dexter Gordon - Manhattan Symphonie
The Bad Plus - Suspicious Activity
The Dead 60s - The Dead 60s
Dion - The Essential Dion
Natasha Bedingfield - Unwritten
Ricky Martin - Life

11/10/2005 11:19:00 AM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

It's all about copy protection! Sony makes you bend over backwards to uninstall their DRM software to prevent people from uninstalling/reinstalling the software to allow another 3 copies of the CD to be made.

11/10/2005 11:27:00 AM by Todd Lindberg
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Just looking over my last comment, anyone else find some of the names somewhat ironic:

Celine Dion - ***On ne Change Pas***

Our Lady Peace - ***Healthy in Paranoid Times***

Van Zant - ***Get Right with the Man***

Switchfoot - ***Nothing is Sound***

The Coral - ***The Invisible Invasion***!

***Life of Agony*** - Broken Valley

***The Bad Plus*** - ***Suspicious Activity***!

Natasha Bedingfield - ***Unwritten***

11/10/2005 11:31:00 AM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sophos also identifies the new trojan exploit. I love their name for it Troj/Stinx-e
http://www.sophos.com/virusinfo/analyses/trojstinxe.html

11/10/2005 11:52:00 AM by Mattandi
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

# posted by ajs : 8:49 AM, November 10, 2005
"@zeh_: Yes you could start a GUI, but why would you want to?"

If one is a windows user, perhaps clicking
on an icon or a menu is what is expected.
Reading The Fine Manual of a cryptic
command line isn't the "windows way".

11/10/2005 11:55:00 AM by zeh_
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

“It’s a tempest in a teapot,”

“It’s benign content protection. It’s not malware, it’s not spyware—it’s innocent.

“We understand what the concern was, but there was no intent. We reacted as quickly as we could, took responsive issues. And now, hopefully, we move on.”

Mathew Gilliat-Smith, CEO of First 4 Internet

11/10/2005 12:09:00 PM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

have you seen the NYT article on this?
http://www.nytimes.com/2005/11/09/technology/circuits/09POGUE-EMAIL.html

11/10/2005 12:17:00 PM by Johnny
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Finally, the New York Times has recognized this story as newsworthy. See the link below. I have long complained that the NY Times, LA Times, and PCMagazine appear to refuse to cover DRM issues from the consumer's viewpoint.

http://www.nytimes.com/2005/11/09/technology/circuits/09POGUE-EMAIL.html

11/10/2005 12:30:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Looks like Johnny and I were looking at that article at the same time. But he got his in first. Good job.

11/10/2005 12:35:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

this is a pretty big movement. i think highly of sony electronics but i really do hate their business practices. why do they have to make everything proprietary? well anyway i hope this gets a lot more press because unless it hits them where it hurts (their wallets) nothing is going to get done.

11/10/2005 1:33:00 PM by jaewon223
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

by the way really job well done on uncovering this fiasco. top effort

11/10/2005 1:34:00 PM by jaewon223
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark, like a lot of other people I've been following this story from your initial post, and I want to tell you thanks for exposing these fraudulent activities by Sony, and for fighting The Good Fight in general.

11/10/2005 1:35:00 PM by Ferrous Porkus
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ditto

We all appreciate the heads-up on this one 'Dr Russinovich.'

(couldn't resist that one, not after seeing it on BBC) ;)

11/10/2005 1:40:00 PM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Just thinking...

The IA community has been preaching for years now about appropriate disclosure of vulnerabilities. I would state that this disclosure is definitely inappropriate... but then again, that 30/60/90 day window after contacting the vendor is to allow them time to fix the problem. Since Sony is denying there's a problem, something tells me that while this may seem inappropriate, that it's called for. This whole story looks like it could stand as a good dissertation for the PhD candidate out there on the topic of ethics ;)

Good read! (and I'm not buying the CD's)

11/10/2005 1:40:00 PM by Ian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

http://www.sophos.com/support/disinfection/rkprf.html

Sophos releases a removal tool for both trojans (One of which they are calling Sony's).

11/10/2005 2:31:00 PM by h0bbit
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I just read all the articles... good job, and I for one will not be buying those CD's either. Sports radio suits me just fine on my drive home from work!

11/10/2005 2:47:00 PM by Thrymm
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I do not know why they keep saying it is only 20 cd's.

20 is the list of the ones they have found so far.

As far as I know sony has not made public a list of the cd that contain their "virus", so append to that list "A Tribute to Luther Vandross" from a "small" recording co. "J Records" owned by Sony.
(as i mentioned in a previous comment)

Glad to see some lawsuits going on.

I wonder what purpose does it serve to annoy your own customers, with a copy protection mechanism that works only in windows machines?, that won't stop the real pirates, the ones that make a lot of money selling copies of any CD.

it is just plain stupid

but what can we expect from a company that does not think in what the people want.
their list of failures just keep getting bigger and bigger: betamax, minidisc, attra files, memory stick, SACD, rootkits, etc, etc.

Thanks to Mark

11/10/2005 3:34:00 PM by notavailable
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Depending on how many clients Moe, Larry and Curly have ("First4Internet")

They and any of their clients who use these methodologies had better Speak Now, or Forever Open Their Wallet because now that they know the exposure of this, including many trojan exploits now, to not inform THEIR customer base, well......

11/10/2005 3:43:00 PM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

According to the XCP-Aurora web site press releases:

From the http://www.xcp-aurora.com/press_article.aspx?art=aug_05_art3 press releases:

HOUSTON--(BUSINESS WIRE)--Aug. 9, 2005--Sterile burning content protection technology pioneered by First 4 Internet (F4i) has been utilised by Texas based Upstairs Records on its latest album by Lil Rob, "Twelve Eighteen".

Fontana Distribution, part of Universal Music Group and distributors for Upstairs Records Inc., are encouraging the independent records labels they distribute to use content protection on their CDs. "Twelve Eighteen", featuring the hit song "Summer Nights", carries the same content protection currently being used by Sony BMG.

First 4 Internet's XCP2 sterile burning technology has been used on over 30 new album releases since February 2005.

11/10/2005 3:48:00 PM by Scott
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

As I stated in an earlier thread, this copy protection scheme is not limited to Sony. Sony has many subsidiaries that are using the scheme as well. BMG, RCA, Arista, Epic, EMI to name a few. I'm sure there are more.

If you quit buying any music that is on a Sony owned label, you may find yourself listening to a lot more indie (independent label) music, which in itself is not a bad thing...

11/10/2005 4:16:00 PM by Skoegahom
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I read somewhere that EMI does not have the same one as Sony it is different . How different I do not know.

what I wanted to say is that you can Add, Santana's newest cd -just released- to the list of protected cd's.

Here is Sony new slogan

Santana great music in his newest CD.

too bad It's a Sony

11/10/2005 4:36:00 PM by notavailable
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

First4Internet SELLS the technology for this, they made this Root-Kit, there are many more customers who use this besides Sony Companies, who are they, and what products is this embedded in they sell?

11/10/2005 4:37:00 PM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark,

Thanks for exposing this, just thinking of how many other "big" companies might be using similar products is kind of chilling...

I recently rented a movie (Are we there yet) and noticed it was from Sony Pictures Home Entertainment. So, I checked to see what's on this DVD and it ends up there's 3 executables on the DVD and one of them has had its name changed from the original "player.exe".

Is this thing also "infected"? WOW!

11/10/2005 4:38:00 PM by NicoG
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Raise awareness at your workplace!

Here's a good template to send to your company's IS department (I did):


The IS Department may want to inform the company's users of spyware installed by copy-protected Sony music CDs, which also is a conduit for viruses:

http://www.usatoday.com/money/industries/technology/2005-11-10-sony-hackers_x.htm?POE=NEWISVA

Does our company have any policy against Sony music CDs now that they distribute spyware? Also, apparently spyware/anti-virus software has difficulty detecting the Sony malware and the viruses that it can hide. Do we know if our spyware/antivirus software detects and/or cleans up this problem yet?

It would be helpful if the IS Department could send out a bulletin on this situation to our company's users, since the infection vector (commercially-purchased music CDs) is a new one that most users would never suspect.

11/10/2005 5:35:00 PM by dustbinge
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

According to the Sony EULA for these CD's you're NOT allowed to use them in the workplace, go figure, maybe because they knew you could INFECT your company computers already, read the EULA, no kidding.

11/10/2005 5:53:00 PM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Apple Macintosh users be warned. I've been seeing some rumours that these rootkit CDs also include some software that installs on Macs. This would make Sony the proud publisher of the first spyware to appear on Mac in over 10 years.

A quote from BoingBoing: "Digging into the "enhanced" content on the disk, he found a Start.app that, when run, shows a license agreement, then asks you for an admin password. On entering this, it installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext."

11/10/2005 5:53:00 PM by reactor13
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Somebody BUZZ me when the first release of the Key-Logger DVDs from First4Internet is released, Will Ya?

All I want for Christmas......
Is my FRICKEN Computer back!

11/10/2005 6:21:00 PM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Forgive me if someone else has already said this, but if you finally get the DRM uninstalled, if you EVER put that CD in your computer again it'll uninstall itself. And with the 10 day expiration of the uninstaller you'd have to go through the whole process again!

11/10/2005 6:34:00 PM by Brad
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark was interviewed on CBC Radio 1 this evening on As It Happens (the link is to tonight's show, the interview is at "...Part 2..." between times 07:45 and 14:15). Lead interviewer Mary Lou Finlay sounded a bit bemused.

This show is a big deal. It has a large listenership across Canada, on NPR in the US, and world-wide on short wave. The show is a Canadian institution, founded by Barbara Frum, mother of the Bush speechwriter who invented the "Axis of Evil".

11/10/2005 6:53:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Oops, trying again on that As It Happens link at http://www.cbc.ca/insite/AS_IT_HAPPENS_TORONTO/2005/11/10.html

11/10/2005 6:58:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

In "Sony aims at pirates - and hits users", By Matt Bradley in the 10Nov05 edition of the Christian Science Monitor we have the following: "According to First 4 Internet CEO Matthew Gilliat-Smith, the rootkit application could create a secret backdoor for hackers." Could be a misquote, but it's still on their site after 24 hours.

An interesting backgrounder is "We will block Napster at source – Sony exec", by Tony Smith on The Register, all the way back on 23Aug00. A Sony VP is quoted as saying: "We will firewall Napster at source - we will block it at your cable company, we will block it at your phone company, we will block it at your [ISP]. We will firewall it at your PC."

11/10/2005 7:35:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony comments on napster are real cute.

If you look deep enough. Who now owns about 25% of Napster. Yep you've guessed it SONY.

11/10/2005 8:42:00 PM by Sharpy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

First off, I'm very impressed with all this work Mark, the press, and many others have done to bring out this story.

Another story I'd like to get the goods on is Sony-BMG's other little anti-piracy sideproject: corrupting files on P2P networks. They employ a company called Media Defender, whose website has gotten more and more sparse in the last 6-8 months. It used to have some quotes here and there about protecting kids from harmful files and yadda yadda, but never actually stated what they do, or had more than just that one page.

I work in the music biz. I wouldn't know this if people hadn't told me. They were apparently very successful in corrupting 60-70% of the files they were gunning for on most of the usual P2P haunts; limewire, slsk, and all those random ones popular in colleges now. They also claimed to have success in corrupting torrents.

As I understand it, their basic plan of attack is what I understand to be a "SYN-flood" on any user they identify as trying to download one of the files they're protecting. They establish as many connections as possible, which are either sending a corrupt file or just transferring very slowly, to tap out the number of connections on the client's home machine.

Is that really legal?

11/10/2005 10:11:00 PM by wixard
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

That SYN Flood technique is used by some company to try to corrupt torrents of HBO content.

I guess they figure DOS attacks on people who are breaking copyright laws are justified... or at least they figure they're safe from litigation.

11/10/2005 11:25:00 PM by frantik
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Is there any chance that Spybot will include protection/uninstall feature against this rootkit? After all, it's its job.
Did Spybot's author contact you, or did you contact them?

11/11/2005 4:53:00 AM by Fabien
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony 'Sorry' Well sort of ...er almost..well maybe not .

http://news.bbc.co.uk/2/hi/technology/4427606.stm

First Virus was Faulty, but you'll be glad to know that issue's been fixed now. Works like a charm

/Sarcasm mode

11/11/2005 5:56:00 AM by Sharpy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Search term "Sony Virus" at Trend Micro returns a strange result:
Item 2 - SONY UK CHOOSES TREND MICRO TO PROTECT ITS MESSAGING ENVIRONMENT
Item 8 - BKDR_BREPLIBOT.C - Description and solution

Also in Australian Press by Razor here

11/11/2005 5:59:00 AM by Stephen
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"Sony BMG faces digital-rights seige
Robert Lemos, SecurityFocus 2005-11-10

The criticism of music giant Sony BMG Music Entertainment and its surreptitious copy protection software went up an octave this week as attorneys and law firms readied nearly a half dozen legal complaints against the company on behalf of consumers. "

http://www.securityfocus.com/news/11356

---

The latest Steve Gibson podcast is covering Sony's rootkit DRM again:

"Leo and I follow-up on last week's discussion of the Sony Rootkit debacle with the distressing news of "phoning home" (spyware) behavior from the Sony DRM software, and the rootkit's exploitation by a new malicious backdoor Trojan."



http://www.grc.com/securitynow.htm

11/11/2005 6:32:00 AM by geek27
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The story has finally been picked up by CNN:

http://www.cnn.com/2005/TECH/internet/11/10/sony.hack.reut/index.html

11/11/2005 7:20:00 AM by Elwood Herring
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

There is a good side to all this Sony DRM snarl-up though.

I'm learning great new things which is always useful :-)

Thanks Mark - very well written articles, gave me the incentive to start reading your Windows Internals book (which is fascinating) and I've started reading more on the technology behind Windows rootkits.

I always work on the theory I won't talk about something until I can begin to understand it :-)

Thanks again!

11/11/2005 7:53:00 AM by Tantalus
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Funny that the CNN story starts with the setup that there are "bastard virus writers" piggybacking on Sony's evil plot. Better late and better twisting the story? not for me, I quit using CNN as my news source long long time ago ...

11/11/2005 8:09:00 AM by Enough
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This is all really depressing but on a lighter note.. Every time I read an article or any reference to Mark as "Dr Russinovich"...
This silly song comes to mind (my tweaked version to Palmer's song)! LOL

"Doctor, doctor give me the news!
I've got a bad case of SONY BLUES!
No fix is gonna cure my bitch!
I've got a bad case of SONY BLUES!"


11/11/2005 9:19:00 AM by CindyRilla
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Just going to "http://www.xcp-aurora.com/support/sonybmg/process.aspx" wants to install the ActiveX rubbish from First4Internet!

11/11/2005 9:20:00 AM by ColdFusion1
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

An interesting snippet I'd like to point out from the Computer Associates article.

These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality.

Thank you Computer Associates for labeling this software for what it really is. Hopefully other companies will come to this realization as well and anti virus programs will be upgraded with the capability to remove this malicious code from our computers.

11/11/2005 9:59:00 AM by Ryan
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I would suggest that ALL people in the US who read this, take the opportunity to visit:

http://www.ala.org/al_onlineTemplate.cfm?Section=alonline&template=/ContentManagement/ContentDisplay.cfm&ContentID=108214

This month, the public are able to post comments which will be considered in the review of DMCA next month. Everyone should take the opportunity to post protest about DRM techniques being used. Judging by the amount of noise this Sony rootkit issue has raised, I expect if enough people post to the comments section below:

http://www.copyright.gov/1201/comment_forms/index.html

They will be forced to listen and act on consumer concerns.

11/11/2005 10:11:00 AM by Alexander Hanff
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sophos has posted a cleanup tool at http://www.sophos.com/support/disinfection/rkprf.html .

I don't have a known infected machine to test yet as I don't buy a whole lot of CDs.

11/11/2005 10:39:00 AM by Michael Johnson
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

So, I jumped through all the hoops, and the multiple emails, and I finally downloaded and ran the uninstaller yesterday afternoon. This morning, I notice that Media Jam still shows up on my machine. When I attempt to remove it, I get the "it's already been uninstalled error" message. Anyone else notice this? And now, has it really been uninstalled, or is this more shoddy coding?

11/11/2005 12:18:00 PM by msmail
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

To summarize information from several posts above, there seems to be quite a difference between Computer Associates' XCP.Sony.Rootkit response and McAfee's XCP.

11/11/2005 12:46:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

John M wrote:

"...there seems to be quite a difference between Computer Associate's XCP.Sony.Rootkit response and McAfee's XCP."

And so far all fixes are just decloaking, which is quite understandable given the DMCA.

It seems that it will require a legal finding against Sony before that next step can be taken, at least in the US.

11/11/2005 1:00:00 PM by zapkitty
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Security Fix - Brian Krebs on Computer Security at the Washington Post just posted about the Department of Homeland Security becoming concerned about this. See DHS Official Weighs In on Sony.

11/11/2005 1:02:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Check out this Reuters article:

"Sony BMG pulls CD software"
Fri Nov 11, 2005
http://go.reuters.com/newsArticle.jhtml;jsessionid=GM1U2EYWJ4PYACRBAEOCFFA?type=technologyNews&storyID=10253253

Congratulations Mark! Your efforts really are making a difference.

11/11/2005 1:36:00 PM by itchscratch
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Here's a better link to the Reuters story:

http://today.reuters.com/news/newsArticle.aspx?type=musicNews&storyID=2005-11-11T192333Z_01_MOL166114_RTRIDST_0_MUSIC-SONY-COPYPROTECTION-DC.XML

11/11/2005 1:47:00 PM by itchscratch
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This is yet another reason I don't buy music anymore.

11/11/2005 1:56:00 PM by WaifLover
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony to Stop Controversial CD Software
Washington Post Article (Partial)

By Ted Bridis
The Associated Press
Friday, November 11, 2005; 2:02 PM

Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/11/AR2005111100632.html

11/11/2005 3:12:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Washington Post Article (Partial)

European Group Battles Copy-Protected CDs

By HELENA SPONGENBERG
The Associated Press
Thursday, November 10, 2005; 8:49 PM

BRUSSELS, Belgium -- The music industry should stop criminalizing customers and limiting their freedom in the battle against piracy, a European consumers' group said Thursday.

http://www.washingtonpost.com/wp-dyn/content/article/2005/11/10/AR2005111001018.html

11/11/2005 3:22:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

H'mmmm. It just occurred to me. Sony is discontinuing, at least temporarily, this technology. However, there is no mention in the news release of recalling these CDs and providing customers with new CDs. Until these CDs are vaporized, they are a threat.

11/11/2005 3:38:00 PM by srynas
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I've been following this story, but haven't actively examined what occurs when running the uninstaller/ActiveX control. That being said, the __VIEWSTATE field in the postback may just simply contain the control values to be decrypted by ASP.NET on their server. I believe there are some ViewState utilities out there that can help you view the contents to see if Sony is passing back anything underhanded. I'm all for bringing them down, but in this case the encrypted postback contents may simply be part of the ASP.NET architecture.

Either way, I hope this inflicts serious financial damage on them. Enough is enough.

11/11/2005 3:40:00 PM by D.J. Stachniak
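
Added example, not part of the comment above and not code from Sony, First4Internet or Microsoft: one way to look inside a page's `__VIEWSTATE` hidden field, as the comment suggests. ASP.NET Base64-encodes the field; whether the bytes underneath are readable depends on how the site is configured. The two sample pages, their field contents, the search terms and the 0.85 printable-byte threshold are all constructed assumptions.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
READABLE_THRESHOLD = 0.85  # assumed cut-off: share of printable ASCII bytes


class _HiddenInputs(HTMLParser):
    """Collects name -> value for every <input type="hidden"> in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "hidden":
            if attr.get("name"):
                self.fields[attr["name"]] = attr.get("value") or ""


def hidden_fields(html):
    parser = _HiddenInputs()
    parser.feed(html)
    parser.close()
    return parser.fields


def decode_viewstate(value):
    """Base64-decode a __VIEWSTATE value; raises ValueError if it is not Base64."""
    compact = "".join(value.split())
    compact += "=" * (-len(compact) % 4)  # restore padding lost in copy/paste
    return base64.b64decode(compact, validate=True)


def inspect_viewstate(html, needles=()):
    """Report what the page's __VIEWSTATE field carries.

    needles: strings you typed into the form (e-mail, name, ...) that you
    want to look for inside the decoded state.
    """
    fields = hidden_fields(html)
    if "__VIEWSTATE" not in fields:
        return {"present": False}
    raw = decode_viewstate(fields["__VIEWSTATE"])
    printable = sum(0x20 <= b <= 0x7E for b in raw)
    ratio = printable / len(raw) if raw else 0.0
    lowered = raw.lower()
    return {
        "present": True,
        "size": len(raw),
        "printable_ratio": round(ratio, 2),
        # Mostly printable bytes: the state can be read as it is.
        # Mostly non-printable: binary or encrypted, not inspectable this way.
        "readable": ratio >= READABLE_THRESHOLD,
        "strings": [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(raw)],
        "echoed": [n for n in needles if n.lower().encode() in lowered],
    }


def build_page(state_bytes):
    """Wrap constructed state bytes in a minimal form, for the samples below."""
    value = base64.b64encode(state_bytes).decode("ascii")
    return (
        '<form method="post" action="example.aspx">'
        f'<input type="hidden" name="__VIEWSTATE" value="{value}" />'
        '<input type="text" name="email" /></form>'
    )


# Constructed sample 1: readable state that echoes a value typed into the form.
READABLE_STATE = b"t<1234;l<Status;>;l<Request logged for user@example.com;>>"
READABLE_PAGE = build_page(READABLE_STATE)

# Constructed sample 2: 128 deterministic pseudo-random bytes standing in for
# a state blob that is encrypted or otherwise opaque.
OPAQUE_STATE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(4))
OPAQUE_PAGE = build_page(OPAQUE_STATE)

if __name__ == "__main__":
    terms = ["user@example.com", "serial"]
    for label, page in (("readable", READABLE_PAGE), ("opaque", OPAQUE_PAGE)):
        report = inspect_viewstate(page, terms)
        print(label, report["size"], report["printable_ratio"],
              report["readable"], report["echoed"])
```

A readable result can be searched for the values entered into the form; an opaque one only shows that the contents cannot be checked from the client side.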
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This is now the top story on MSNBC.com!

http://www.msnbc.com

11/11/2005 4:07:00 PM by ThisAJoke
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark,
Great analysis as always.
Not only have you dissected the problem and your solution so well you probably have also saved yourself a ton of money that you would have to otherwise give your lawyers to help you in a deposition. :)

11/11/2005 4:40:00 PM by Abhay Kulkarni
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

To those having trouble playing their XCP protected discs in Windows after bypassing the autorun/player:

I don't have a copy of one of these discs for testing but I understand that they are multisession.

I would expect Windows to default to the data session - session 1.

Try right-clicking on the CDROM drive and selecting the CD Audio session. Then just fire up your favourite player...

Please post a confirmation in consideration of others if this works. Thanks


---


Sony / F4I still have not responded to claims that XCP contains LAME LGPL code.

If bad publicity keeps up, they will have to recall these discs. I'm surprised that they haven't fired F4I already and attempted to transfer all of the blame to them.

11/11/2005 4:45:00 PM by geek27
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Brian Krebs at the Washington Post already has another blog article Sony Suspends Use of Anti-Piracy Software. Also, Sony DRM has been at the top of Google News Sci/Tech (but invisible in Business and Entertainment) all day.

11/11/2005 4:48:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony should not only be forced to recall all the dodgy CDs, but make an uninstall CD available for free to anyone who requests it, worldwide.

Not every PC with a CD ROM is connected to the internet, and their dubious uninstall procedures are a real pain anyway.

Another thought: do you think the pirated versions of the CD have the rootkit software removed?

In the meantime I hope all the AntiVirus companies make sure their AV software is able to detect these Sony CDs when they are inserted into the user's PC, whether the software is already installed or not.

11/11/2005 4:48:00 PM by Donn Edwards
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Looks like CNN is FINALLY reporting the same AP article here:
http://www.cnn.com/TECH/

Link to full article found here:
http://www.cnn.com/2005/SHOWBIZ/Music/11/11/sony.copyprotection.ap/index.html

11/11/2005 4:53:00 PM by CindyRilla
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

>Another thought: do you think the >pirated versions of the CD have the >rootkit software removed?

It all depends whether the pirate version was ripped using an entire disk image, or merely copied the individual tracks (say on a mac or linux machine).

If the hypothetical disk was copied 'at-once' using an image then, yes, the copy protection rootkit will also be duplicated.

If the tracks were merely ripped and compiled in a burner (like iTunes) then, no, the copy protection would probably not survive the process.

Theoretically, at least, that should be the way it works.

11/11/2005 4:57:00 PM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The webcast video was not available earlier but it's online now:

http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html


You'd better be listening, Sony!
"It's not your computer"

11/11/2005 5:03:00 PM by geek27
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Update on the Apple Mac DRM measures
http://www.theregister.co.uk/2005/11/11/sony_bmg_mac_drm/

11/11/2005 5:04:00 PM by murray
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Does First4Internet get to continue to market their "Commercial Root-Kit" to other companies? What other companies have purchased it from them?

Do you care? Do You Want to KNOW?

11/11/2005 5:18:00 PM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

http://www.cnn.com/TECH/

This little blog's on the front page of CNN right now. The Internet has done great things!

11/11/2005 5:20:00 PM by anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ANYONE WANT TO EMAIL MR. ANDREW LACK CEO OF SONY BMG? HERE IS THE EMAIL ADDRESS THAT I CAME ACROSS.

11/11/2005 5:24:00 PM by RolandSmoke
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

OOPS FORGOT THE ADDRESS.

HERE IT IS

andrew_lack@sonymusic.com

11/11/2005 5:24:00 PM by RolandSmoke
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The piracy issue is an important colophon to this debate:

Sony's DRM rootkit is designed to impede "casual piracy" (FT.com) and, therefore, will do absolutely nothing to hinder the organised mass-copying that career criminals use.

Professional pirates use pro-audio copying devices that don't recognise any of the SCMS protection algorithms that are encoded in digital media to prevent consumers using the digital outputs on commercial DVD players etc.

So, once again, the DRM *kit targets the 'little guy' and leaves the criminal gangs free to do what they want.

11/11/2005 5:30:00 PM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

It seems to me that Sony has defined a process to download the uninstaller that could be used as legal identification.

Since this would in essence target everyone who knew about the rootkit via the various blogs, you might consider this a counter legal move to be used in the future. Everyone in the class action must identify their computer. Is this enough to bump you from the class?

In Mark's first article he mentioned that Win 64 was immune to rootkits. Just completed moving my primary work to a Win 64 machine.

Mark, thank you for your diligence.

11/11/2005 5:37:00 PM by qsbrett
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

And what might be the outcome of the lawsuits?
If (and I hope not) the courts find in favour of SonyBMG, then they will have found a new, legal way of spreading spyware, backdoors, trojans, etc, and the distribution medium won't be the internet, it will be the good old-fashioned "floppynet". People, carrying the files on disk, from one computer to the next. What's worse, the consumer will BUY the software!
I pray for the future that this is not the outcome.

11/11/2005 5:45:00 PM by mur
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I wrote my local high tech newspaper and my Senator and Congressperson and as a resident of "Silicon Valley" I was expecting total outrage from all. Man what a letdown, they only seemed to copycast other sources. Keep blogging on this or it may be swept under the rug.

Thanks Dr. Mark.............

11/11/2005 5:58:00 PM by JimOrs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

http://news.ninemsn.com.au/article.aspx?id=71751

READ THIS!

Sony ceasing production of copy protected cds!

11/11/2005 6:32:00 PM by Jessica
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I bought Botti's "To Love Again" CD. About 1/2 way home from BB I decided to try it in the car CD player...ERROR. When I got home I tried it in my system ....ERROR. Then I made the mistake of trying it in one of my backup computer systems (thank God my main computer was being used by the wife at that moment). This machine has been in the family for 5 years, stable as hell, and as reliable as any Win98SE machine can be. Within seconds of the CD tray closing and the CD spinning up I saw that something was installed and the ASPI layer was updated... all happened too fast for me to react. In less than 30 sec of that CD hitting the OS I got the BSOD. Hours of trying to revive the "old friend" failed. I tried everything with no luck. Was I pissed. You bet. Did I lose some things that I would still like to have... yes. Will I ever purchase a SONY CD again ... F' NO. I can't believe that they do this crap to people who purchase the music when there are guys standing on the street in every major city in the US (forget China) and sell copies for 2$. I hope that SONY is made a real example of in the music industry... they almost single handedly destroyed it.

11/11/2005 6:52:00 PM by Laxnut
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Why don't we just create an uninstaller that safely removes their rootkit?

Beyond the potential DMCA backlash such a tool may generate, what other obstacles lie in our way?

I see it is stated that the Aries.sys device driver hooks the system calls so it can hide files and registry keys beginning with $sys$, but does it also protect those registry keys? If I understood the description of the cloak, it still allows access to the keys if you know of them, but only blocks them from being enumerated making them invisible. If this is the case, would it be possible to safely remove the Aries.sys cloak driver by first setting the Start key to disabled (4), reboot, and then proceed to removing the remaining traces?

Exo

11/11/2005 8:24:00 PM by Exothermic Reaction
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark, and others,

I'm trying to find out more about the DRM CDs that Sony didn't stop shipping today--the CDs using SunnComm's Media Max technology.

Sony has at least one other copy-protection system in place, on a different set of CDs. That second system is called Media Max, and is made by a company called SunnComm (www.sunncomm.com).

I spoke with SunnComm earlier today; they assured me that Sony is not abandoning SunnComm's DRM technology. Sony's press release today specifically mentions the XCP DRM technology, not the Media Max technology.

It remains to be seen whether SunnComm's DRM technology will prove to be as dangerous as the XCP technology Sony has been employing.

This second set of DRM technology, available on Imogen Heap's "Speak for Yourself" and Foo Fighters' "In Your Honor," actually installs "kernel extensions" onto Macintosh Computers. Luckily, the current version of Media Max is incompatible with Mac OS 10.4 (it only affects 10.3.9 and previous versions), but a kernel extension is the Mac equivalent of a rootkit. Is that correct?

I don't know how SunnComm's DRM technology affects Windows machines; it may be less egregious than the Mac version. Either way, Sony is not changing course or even changing tactics regarding DRM--they just dropped a particular version of the technology.

As long as Sony continues to ship CDs using SunnComm's DRM technology, they will remain vulnerable to public outrage and lawsuits. Meanwhile, they may just make possible the first Mac virus.

Does anyone have more information on SunnComm's DRM software? Is anyone like Mark (or Mark himself) examining what SunnComm's software does, and how it compares to First 4 Internet's DRM technology?

11/11/2005 9:53:00 PM by Robert Cantoni
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Here's what I emailed Andy Lack today:

Dear Mr. Lack,

I am sure you are receiving plenty of email right about now, so I'll keep this terse. Your company's decision to ignore the personal property and privacy rights of your customers is abhorrent. I understand the need to protect your IP rights, but the approach approved by one of your overzealous subordinates is clearly misguided. You are clearly alienating your customer base, which may be the worst thing you could possibly do. In addition, with the public outrage, I would imagine you are also curtailing Congress' interest in passing new legislation to further your cause.

I, for one, am not going to be purchasing any copy protected music from your company; and I will be sharing that fact with the artists who partner with you.

Have a nice day,

Chuck Williams

11/11/2005 10:43:00 PM by Chuckster
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Tonight, McAfee antispyware detected XCP on my computer. This was expected as I already knew that I had infected my computer with either the Black Rebel Motorcycle Club's CD Howl or KT Tunstall's CD Eye to the Telescope. Both have a logo in the gutter of the CD case with either "Content Protected" or "Copy Controlled." I purchased and played these CDs on my computer before I read Mark's blog.

When I expanded the flagged XCP program, it lists C:\WINDOWS\system32\services.exe. When I click on the "Tell me more" button, McAfee opens this URL: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136855

After reading this description, I am still unclear if I should "remove" or "trust" this flagged XCP program until an approved removal tool is tested and suggested as the right course of action by this blog. I just don't trust F4I or Sony anymore...

Anyway, when I right click on services.exe, this is what I see:

File version: 5.1.2600.2180
Description: Services and Controller app
Copyright: Microsoft Corporation. All Rights reserved.

This doesn't appear to be a file I want to remove.

Please help a semi-Windows challenged dude to make the correct choice...

BTW, for anyone interested, you can become a plaintiff in litigation against Sony.

Milberg Weiss Bershad & Schulman LLP
One Pennsylvania Plaza
New York, New York 10119
phone: (212) 946-9408
www.milbergweiss.com

You can join in by filling out this form:

http://www.milbergweiss.com/contact/reportafraud.aspx

Finally, just a note, I really like the music on both CDs and I’m really bummed that Sony screwed us over…

11/12/2005 2:19:00 AM by Skoegahom
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"Sony Customer Survival Kit" from Ed Felten, Professor of Computer Science and Public Affairs at Princeton University:

http://www.freedom-to-tinker.com/?p=924#comments

11/12/2005 2:43:00 AM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Well, me thinks it's finally gonna hit home for good ole Sony. This link will take you to an article where the Office of Homeland Security tells Sony "it's your intellectual property but it's not your computer"

http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html

Score one for the good guys!!!!!!!!!!!!

11/12/2005 2:54:00 AM by JimOrs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Afraid I'm a little less sanguine about Sony's decision to "temporarily suspend" production of DRM protected CDs.

For one, they haven't come clean and said that in future their copy protection mechanisms will leave the systems of end-users intact.

Don't get me wrong. It's been fun watching Sony squirm as this story has snowballed.

The trouble is, I don't think this is over by any stretch of the imagination.

However, before we steel ourselves for the upcoming challenges, it's important to frame the issues.

Companies have a right to use technology to protect their Intellectual Property, no one should argue with that.

But the protection technologies should be limited to the media that contains the copyright material. It should not interfere, intercept, or, in any way, change or alter, the computers and hardware that are used to listen to the material.

If anything that is what we've been fighting about. A line has been drawn. It's up to us to keep our eyes on that line, in future, to make sure it's not overstepped.

11/12/2005 5:44:00 AM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Does this have any effect on Macintoshes, or is there a version of this infection for the Mac and OS X?

Is this another reason to buy a Mac?

The new Dave Matthews CD, ironically titled 'Stand Up' has Sunncomm software that it installs. I remember not being able to get it into itunes on the PC, but got it into iTunes on the Mac...

What are the ramifications of the sunncomm software?

I don't mean to start/restart a jihad over the religious significance of the windows/mac choice, it's just great that reduced market share seems to have its advantages...

11/12/2005 8:44:00 AM by RW
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Thank you Mark. You are the best.

11/12/2005 9:18:00 AM by aao
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Something that had to be said. I for myself have a dozen Sony/BMG CDs bought so I supported Sony quite a long time during my life. But if this continues I am going to never ever buy any Sony/BMG CD again. It gives me a headache: The people that suffer from stuff like that are the CUSTOMERS, not the illegal-download-community. I believe that they will always find a way.

11/12/2005 9:30:00 AM by MortenMacFly
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I didn't find a post here yet of Symantec's First4 Removal Tool posted on Symantec's site 11/11/05. I'm thinking this may be the clean way to rid your system of this Trojan Horse rather than playing games with Sony's uninstall sequence...

http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html

11/12/2005 10:05:00 AM by OneEyedGeek
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

OneEyedGeek wrote:

"I didn't find a post here yet of Symantec's First4 Removal Tool posted on Symantec's site 11/11/05. I'm thinking this maybe the clean way to rid your system of this Trojan Horse..."

Except that it's not a removal tool.

Like all other options so far, it's a decloaker. The system remains rooted, with the kernel of the OS rewritten to suit Sony... and nobody else.

Now, decloaking is good, and is definitely needed, but the core problem remains: Sony owns your computer.

And short of risking the CD drive disappearing, or jumping through internet hoops at Sony's beck and call, there is nothing the average user can do about it.

11/12/2005 10:58:00 AM by zapkitty
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Well, I will not buy anything with the stamp Sony on it for a very very long time (if ever again). And I don't mean only CDs. It is a bit sad considering I have been pleased with their other products for some years now. But this just tipped me over. I think Sony should wake up soon, this will affect more than only their music profits.

11/12/2005 11:12:00 AM by silence_blogger
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Regarding the Macintosh question ...

From what I've read about the Mac Kernel Rootkit, it asks you to enter your Administrative Password. This is not surprising since admin passwords are default on Macs.

If you have a Mac and you insert one of these CDs and get a prompt for your admin password, just click cancel. You won't be able to listen to the CD, but neither will your kernel be patched.

So far the details about the Mac issue are sketchy.

Also I'm not sure "market share" has anything to do with Windows receptivity to spyware/malware.

Linux and Unix have a greater market share when it comes to internet infrastructure (something you'd imagine malware would covet) and neither of these platforms has the same bother with Viruses.

My theory regarding the Windows fixation by malware/spyware writers is to do with the nature of the OS, and the NATURE of the windows user-base.

If you own a Linux server or a networked Unix machine you are likely to be versed in the techniques virus/malware use (opening attachments, suspicious downloads etc). You need to be!

On the other hand Windows, having the lion's share of the Desktop market, and being an OS that prides itself on being user-friendly, does not require the majority of its users to know anything more beyond pointing and clicking (or "pointing and grunting").

The user friendly environment protects users from knowing anything about the underlying architecture, and therefore blinds the "common user" to the possibilities that miscreants use to infect their machines.

Malware attacks the lowest common denominator, preys on the weak. A properly patched Windows box in the hands of a user who has taken the time to understand the possible weak points (all OSes have them) is as secure as the next machine.

Sadly mass marketing, and user friendliness do not encourage users to go beyond the pretty pictures.

I use Macs, Windows and Linux. I used to be derisive of Windows. While there is still much to dislike, from a granularity point of view, I no longer reckon that there is anything fundamentally weak about its security: the weakness is in its user-base (this blog excepted, of course).

11/12/2005 11:47:00 AM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"What are the ramifications of the sunncomm software?"

Apparently, it installs two kernel extensions on Mac OS X. I'm not aware of the full significance of that, but it's a totally unnecessary thing to do and not likely to do anything for the stability of the machine. It needs looking into further and should, in any case, be stopped, as a valid Philips Red Book CD will play in the software that ships with the machine without no stinkin' kernel extension.

"I don't mean to start/restart a jihad over the religious significance of the windows/mac choice"

Of course, such a discussion has no religious significance, because it is about technology not religion. Nevertheless, I submit it's heartening to see that people are not too intimidated by political correctness to use the word "jihad" in a negative context. ;-)

Frankly, users of Windows, OS X, Linux (or any other OS) need to know about software that might impact on their machine's security, privacy, or stability. Consequently, I hope the possible threat to Mac users here, even though there are fewer of them, gets more attention in the media than it has so far.

11/12/2005 11:51:00 AM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

OK, so XCP2 is dead except for the million or so unrecalled pseudo-CDs bought or in the pipeline. But free-market unregulated DRM and the DMCA are alive and well. So a year from now I buy an Algerian CD with selected readings from Sayyid Qutb's Fi zilal al-Qur'an, and when it is loaded into my PC it installs a next-generation DRM shim requiring administrator access. Then nobody, not me nor Mark, can inspect it to confirm it hasn't just subscribed me to SETI@Home without my permission. Let's hope somebody out there is going to inspect and certify these things.

11/12/2005 12:09:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

2 things:

- Has anyone tried recovering from a backup created while the computer was under the influence of XCP/F4I/Whatever? Will the Backup Utility actually back up these hidden files and device drivers and restore them? Or will restoring from these backup images with an ASR disk render the CDROM drives broken?

- Did everyone who installed this software player have driver signing turned off? Or did you have to acknowledge that you were installing unsigned drivers?

If not then there are two possible issues.

1) Drivers can be installed/overridden/bypassed in such a way as to bypass the driver signing check. Would this not indicate that driver signing is essentially useless?

2) Whoever signed these drivers felt that they were WHQL quality. What value does WHQL signing have if this kind of driver gets certified? Who signed this driver, and what kind of certification testing did it pass when it breaks in so many ways?

11/12/2005 12:16:00 PM by BuckarooBanzai
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Thanks to Mark for his invaluable work. It is pleasant to see someone always understanding hardware registers and IRQ serving routines.

Now, one word on CERI COBURN who seems to be the bad soul behind this poorly designed software.

After reviewing some of its posts on many forums, I may state that it is a SHAME that such a JUNIOR PROGRAMMER should be allowed to design a sensitive piece of software directly injected in the OS kernel. As the CEO of a software firm acting in real-time field I would not allow such a sub-average programmer to work on system services.

I also think that consumers just need to stop buying DRM protected disks.

11/12/2005 12:47:00 PM by Ebrelion
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

As Robert mentioned above, I was subject to a failed attempt to install SunnComm Media Max DRM by playing a recently purchased new CD by Santana - "All That I Am". I run Server 2003 at home and assume this DRM software is not compatible. When I played the CD, I received an error that Media Max failed to install. I hope this turns out to be another kick in the butt for Sony!

11/12/2005 12:49:00 PM by goober
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I've read with interest everything this blog and its commenters have had to say about SONY, as well as many of the links they have helpfully provided. I wonder at these things. Don't we ever learn from our mistakes? This has all been done before...

I cut my teeth on Altairs and Wangs, but really learned micro-computing from an original Apple II. It was a hacker / hobbyists dream come true.

Even in those simpler days, copy protection was an issue. All the games had it. It slowed us down a little, but never stopped us for long. Every time they'd come up with a new way to _stop_ us, we'd find a new way to make our copies anyway. It sometimes felt like we were on a merry-go-round. Who was following who?

Then came the CP/M machines, whose crowning glory was the new IBM PC with its CP/M compatible DOS, and a new kind of user came on the scene - business people with only one interest in their computers: Getting work done. Getting work done without hassles, without complications and as easily and efficiently as possible. Copy protection didn't help do that. Programs like Lotus 123 that used it, started encountering customer resistance. The protection didn't stop hackers from making as many copies as they wanted, it just punished honest folks trying to earn a living. It didn't stand. The message seemed to be heard loud and clear that using copy protection cost the software makers more business and money than it protected. We thought that lesson was learned forever. I guess not.

Back in June or July, I checked out some music from the library to listen to on my computer while I was working. It's a great way to sample artists I'm not familiar with, a kind of try before I buy approach. I can remember being surprised when one of the CDs asked my approval on a EULA. I read it over. Didn't sound too bad, although I wasn't crazy about the notice that a small program would remain behind, and I did debate if my home office machine counted as a "business" machine, but it was from a reputable company (SONY) and if it gave me any trouble, I'm not afraid to purge it from my registry....

I don't know if my regular listenware could see it, or if I could have copied it - I didn't try either, but playback with its built-in player seemed fine.

Two weeks later, my power supply blew, and took my motherboard with it. By now, I had returned the bad seed-dee to the library, along with the rest of them. The motherboard was under warranty, so it took a couple of weeks to put everything back together again. I added a new hard drive and cd-rom drive (a SONY!) at the same time, and made the new drive my boot drive. After installing WinXP Home on it, I hooked both it and my old drive up together on a friend's machine and, copied EVERYTHING over. My friend also made a ghost of the original.

What I got for my trouble was a very unstable system that locked up continually, especially if I was using listening software that could also rip. It was getting to be a real pain-in-the-arse, to the point that I finally decided to rebuild my Windows setup from scratch. I had already overwritten my original drive's contents, so I backed up my full C: drive into a folder on the old drive, but I did this from within the tainted environment. I have checked - none of the $SYS$ files were copied over. It took me just over a week to get everything running again smoothly. One week after that, Mark showed me just how fat and happy and lazy I have gotten in my old age. I didn't used to EVER have Autorun turned on!

So, here's my dilemma: I have never bought one of these monstrosities, but have nonetheless lost a week or two's wages to it! Do I qualify for inclusion in the lawsuit? (And should I have possibly been burdened for life from a junkware/malware program that came with a LIBRARY item?) I'm hoping my friend still has the ghost image he made, but he is out of town, and I haven't been able to check.

SONY, are you listening? I will not only refuse to buy any of your music products any more, I won't even check them out at the library again. (That way I won't know what I'm missing to miss it.) I'm also removing this otherwise fine cd rom drive that I find hard to be quite as proud of these days, and sending it to the shooting range. Shame I won't be there to see the results!

Your honest customers are your gold mine. When you cause a cave-in, where will you make your money? The only people you have hurt with this are people who will now no longer support you financially. The so called "casual" copiers you are trying to stop tend to be kids without sufficient funds to buy much - so you really aren't losing much there - and hackers who love the challenges you give them, and laugh at you openly as they work their way around your poorly planned defenses. They will ALWAYS solve the puzzle, and as long as you maintain ANY resemblance to red book audio, there will always be a way to rip your seedy music. The only people you hurt with this are the people who will now hurt you back by staying away in droves.

I hope the other publishing houses learn from the past. Just because they can do DRM, doesn't mean it's good business to do DRM. As long as people can buy the two or three tracks from a CD that they really want for a dollar a pop on line, and not have to pony up $15 for the full package, you will be seeing fewer sales of cd's. It isn't because there are more dishonest people, it's because they don't have to buy the whole farm to get the milk and eggs they want. Lower the cost on your CD's, and improve the quality of the content, and people WILL buy them in enough quantity to put you back in the market standing you hope for. Insist on twenty year old pricing and marginal quality, or even great content with shoddy DRM schemes, and we'll be telling our kids about great companies we once knew that they've never heard of.

"Choose your fate...."

Mark - fabulous site! I look forward to reading it all, and am very impressed with the tools I have already tried. Even though this wasn't at all what I was googling for when I found you, I am glad I looked!

11/12/2005 2:10:00 PM by Donosaur
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"1) Drivers can be installed/overridden/bypassed in such a way as to bypass the driver signing check. Would this not indicate that driver signing is essentially useless?"

Yes, the drivers are unsigned and installed in such a way that Windows never checks for a signature. Note that my ctrl2cap keyboard filter driver also gets installed without a signing check because of the same loophole. Vista will close the hole.

11/12/2005 4:13:00 PM by Mark Russinovich
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ATTN: Mark

The other Sony DRM is also spyware, apparently. If you agree with this guy's findings you should make note of it in your blog (even though it's not your regular style), just to get him some publicity.

http://www.freedom-to-tinker.com/?p=925

11/12/2005 7:25:00 PM by anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Hi Anonymous, that link would be to "Sony Shipping Spyware from SunnComm, Too", Saturday November 12, 2005, by J. Alex Halderman at site Freedom to Tinker. Halderman says "... MediaMax doesn’t resort to concealing itself with a rootkit ..." so his concern seems to be different from the main issue here (spyware having been something of a sideshow).

11/12/2005 8:15:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark seems to have won another fan. Microsoft Zapping Sony DRM 'Rootkit', By Ryan Naraine, eWeek.com, November 12, 2005.

"The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology."

11/12/2005 8:42:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The uninstaller is practically a backdoor and I have a proof!

It exposes lots of interesting methods, scriptable by anyone, to the user. Check out my proof-of-concept reboot link from my research page:
http://hack.fi/~muzzy/sony-drm/

11/12/2005 9:27:00 PM by Matti Nikki
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Finally! Microsoft's Malicious Software Removal Tool will deal with this:

http://news.com.com/2100-1002_3-5949041.html

11/13/2005 3:35:00 AM by Damian
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Why is it that Nobody seems to want to deal with the NON Root-Kit aspect of this First4Internet code?

No Government Agency, that I am aware of would be allowed to insert a filter, that would INTERCEPT any/all communications from/to your PC to CD Drive without a WARRANT!

This would include the FBI as well as Homeland Security.

So, Cloaked, un-cloaked, your system was re-configured and without your permission an ILLEGAL "Wire-Tap" was installed on your computer, and without your permission.

What if someone changed a HOST file so that when this called "HOME" it called them? What if they could respond as if they were Sony?

Does this thing call HOME for ANY CD inserted?

Backup CD's, Sensitive Data.

There are TWO parts to this software:

ONE is an ILLEGAL "Wire-Tap" installed between your computer and your CD Drive, what are its capabilities, what commands can it receive, what can it send HOME?

We need to RIP apart this software to show the public just what it can/could do!

Let's Talk about BOTH Portions, the Root-Kit, and the Filter, that even after this is un-cloaked remains on your system, intercepting EVERY byte of data from/to your CD drive from/to your computer.

11/13/2005 3:36:00 AM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sorry for the Typos, in the above post, should preview first.

Damian, if you read in more detail, Microsoft states they will only remove the "Root-Kit" portion of this.

Which means the "Wire-Tap" filter between your CD drive and the PC still remains, as is.

11/13/2005 3:43:00 AM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Hello Mark
One can mess around with the software, but the kernel is sacrosanct!
I'm sure there is a huge law-suit between Microsoft and Sony brewing up here....
Thanks for the stellar work, keep it up!

Suneel
India

11/13/2005 9:52:00 AM by suneels
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Pirated versions of the song containing virus will be circulating from computer to computer forever damaging computers of those who chose to illegally download music. This should be very good for Sony's business

11/13/2005 10:20:00 AM by John Stall
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Mark, thanks for the work.

We can all help to force a recall of these CD's by filing complaints with the FTC. This should be treated no different than a defective product or drug and the government should force a recall of this potentially damaging product.

11/13/2005 10:47:00 AM by w3w0
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"Pirated versions of the song containing virus will be circulating from computer to computer forever damaging computers of those who chose to illegally download music. This should be very good for Sony's business"

The trojan/rootkit is actually on the discs produced by Sony, and isn't in the songs themselves. Anyone with sufficient computer skills can bypass the rootkit-DRM installation and rip the songs cleanly.

Ironically, by doing what they have done, Sony has now made it much safer for people to download Sony/BMG music online, than to buy it from a store.

I don't see any plausible scenario in which this incident will be good for Sony's business.

11/13/2005 10:58:00 AM by Seraphiel
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The New York Times posted a very careful article on its IHT website earlier today: "Sony BMG learns hard lesson in war against 'casual piracy' of CDs", By Tom Zeller Jr. The New York Times, SUNDAY, NOVEMBER 13, 2005. Thus the early definitive story in the "Newspaper of Record". Interestingly, a featured quote is given to Professor Felten of the Freedom to Tinker site.

11/13/2005 11:11:00 AM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

If you want your infected system brought back to the way it was before you played the Sony disk, it can be done with a couple of lines of DOS code... but only if you have made copies of two folders, the "windows" and the "documents and settings" folders, before the Sony disk was installed. E.g. at the DOS prompt:

md c:\win

then

xcopy c:\windows c:\win /e/c/q/h/k

then

md c:\docs

and save the documents and settings folder to it.

Then when you want your system fixed/restored or whatever, you boot to the DOS prompt and rename the windows folder wintrash:

ren c:\windows wintrash

then do the same for the documents and settings folder:

ren c:\docum~1 doctrash

Now you rename the win folder windows and rename the doc folder documents and settings. Then finish up by making new copies of both the windows folder and the documents and settings folders for future restores, then boot up to Windows and delete the wintrash and doctrash folders. Done.

This fix works on WinXP ("it will even unwind back the 30 days to activation clock"). If you have Win98 then it's even easier: do as above but with only 1 folder, "windows".

11/13/2005 12:11:00 PM by charliefromwashington
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

One of the funniest and potentially most damaging things that could arise from this issue, is the LAME copyright infringement issue.

Sony are part of MPAA and RIAA, both groups lobbied congress to pass laws that would set a maximum penalty of 150 000 USD -PER INFRINGEMENT- for vicarious copyright infringement.

Since Sony have published that they have shipped 4.3 million CDs with this copy protection on (which is believed to infringe on the copyright for LAME mp3 encoder) this could cost them a further:

$645 000 000 000.00 USD in maximum damages for vicarious infringement.

So the law they lobbied to get put in place, could now come back and destroy them as a company whilst pumping over 600 billion USD into the open source community. Imagine how much development that could fund?

11/13/2005 1:13:00 PM by Alexander Hanff
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Ok, now that you've gone to Sony's website and used the F4I update to expose the DRM, and supposedly uninstall Sony's rootkit, are you any safer?

Initial reports seem to indicate that the uninstaller ActiveX control is scriptable and leaves a lot of scriptable functions floating around that could be exploited by rather rude people. In Sony's perfect world, we're too dumb and happy to care whether this is possible.

For more info...

http://hack.fi/~muzzy/sony-drm/

11/13/2005 1:42:00 PM by partenavia
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Slightly OT :
I wonder if some other Sony eccentricities are related to other kinds of "copy protection" malware (yes, it's a malware).
I'm an unhappy owner of Sony Network Walkman NW-E99, a digital Player which can only play Sony's ATRAC format or MP3s converted by a special slow and inefficient program called MP3FileManager.
On the CD there are drivers to install and a software called Sonicstage which rips the CDs in ATRAC format...... Isn't it possible that there are other rootkits around ?

Stefano

11/13/2005 2:20:00 PM by Steve
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

We are issuing an alert to the real estate industry (1.2 million members in USA) globally through their associations. The NAR members purchase a lot of CDs and commonly can be found playing them through a CD drive and are thus likely a target demographic.

First 4 Internet has been advised of this intent via an e-mail letter and a fax transmission.

We are working on creating an open-source tool to remove this malware.

11/13/2005 3:19:00 PM by Leonid S. Knyshov - Crashproof Solutions, LLC
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Suggestion: Attack Sony at the state level through the consumer affairs or attorneys general offices.

Here in WA, we have a consumer protection division of the AG's office.

What we need is a comprehensive, well structured, complaint to file. Mark, your posts on this subject form the basis for a complaint from a technical perspective, but we need also to know exactly what laws are violated.

If Sony is now licensing instead of selling its music product, there may not be a basis for complaint, except through the fact that Sony is making this change in a way that's invisible to the consumer.

As far as installing malware, I'm not sure what laws are violated there either, unless it's not addressed in the EULA.

I'm not a lawyer, but I'm willing to file a complaint in WA if I can get help structuring one properly.

Any thoughts?

RC

11/13/2005 3:27:00 PM by Roland
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

The first known hint of the Sony rootkit seems to have been a thread started 12Aug05 at CastleCops titled "Hidden files and directories - DRM or trojan?". Full marks to "jgk4cfc" for perhaps the first sighting! Anyone know an earlier? Arthur Nonamiss had this link in a comment on 01Nov05.

11/13/2005 3:53:00 PM by John M
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ZTree Anticloaking Software

I believe that ZTree, the fantastic file management software available at http://www.ztree.com, should be able to see through the cloaking.

Underneath

C:\Documents and Settings\UserID\Local Settings\Temporary Internet Files

there are a series of directories

|-Content.IE5
| |-C1EF8LIZ
| |-C5WHMRUZ
| |-ESDFN2L7
| |-ETP27MD4
| |-GL2N8D2B
| |-GLG5YVWX
| |-KTUVKXYR
| |-KVP3YMFP
| |-LB7VT1CE
| |-MRK5CT69
| |-NBHRNDWW
| |-OPIJ89MN
| |-PIYSG7IB
| |-QJGTMTCP
| |-QJY7AHM3
| \-SRBVM4X5
|-Content.MSO
|-OLK3C
\-P6L5VIZ2

that Windows Explorer can't see but which ZTree can. You can change to these directories via Explorer if you enter the full path in the Address field in the same way as discussed in the SysInternal blog for the Sony DRM directories.

This leads me to believe that ZTree should be able to see the directories created by the Sony DRM software.

If this is so, ZTree could be used to hunt for and deal with such threats.

More information about ZTree is available at the ZTree Unofficial Home Page at http://www.ztw3.com and more particularly on the ZTree Forum at http://www.ztw3.com/forum/forum.cgi

As an aside, in case you don't know, when you open an attachment in Outlook it is extracted to the OLKnn directory. If the user changes the attachment and then saves it but then doesn't save the change to the email you may be able to recover the document from the OLKnn directory.

Andrew Watson

11/13/2005 4:14:00 PM by Andrew Watson
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

"Microsoft Corp. will start deleting the rootkit component of the controversial DRM scheme used by Sony BMG Music Entertainment.

The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology."

source eweek

11/13/2005 7:41:00 PM by Yakumo
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Yakumo,

It is very important to NOTE that this will only remove the "Root-Kit" component of this software.

There is also a Filter which now sits between your CD Drive and your PC which INTERCEPTS ALL traffic from/to your PC from/to your CD Drive, for ALL CD's.

It is also known that this component can "CALL HOME" however all of its capabilities are currently NOT known.

I refer to this as the "Wire-Tap" which seems to NOT have received as much attention as the "Root-Kit" portion of this and we should all be aware of this.

11/13/2005 8:37:00 PM by ZOverLord
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

@ Andrew Watson:

I have a 15 year old DOS program called LIST.COM created by Vernon D. Buerg, this program can list the IE temporary directories and others, albeit names are compressed to 8.3 style. If I recall old DOS Norton Commander did basically the same. There are other programs, for DOS and Windows.

This is one of the ways rootkits are found: list all files using very low level instructions and compare if high level Windows API is blind to some files and directories.

But why not use tools that are specifically anti-rootkit, like Mark's RKR, or F-Secure's Blacklite (at least while it is free), or IceSword (for advanced users only)?

If you use a program to list files and directories, then you must know what files/directories to look for; today we are looking for $sys$, but tomorrow there will be another name, and later another name, etc.

11/13/2005 10:45:00 PM by Enough
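An added illustration of the cross-view comparison described in the comment above (not code from the thread or from any of the tools it names): it diffs a low-level listing against an API listing and infers the cloaking prefix instead of assuming one. Both listings and every file name in them are constructed sample data, and how each listing is collected is outside the example.

```python
"""Cross-view diff: report what a low-level scan sees that the API listing omits."""
import ntpath
import os.path
from collections import defaultdict

# Constructed sample data. RAW_VIEW stands for names recovered by a low-level
# scan of the volume, API_VIEW for names returned by the normal Windows
# directory API on the same machine. None of these paths come from a real system.
RAW_VIEW = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\drivers\cdrom.sys",
    r"C:\WINDOWS\system32\drivers\$sys$example.sys",
    r"C:\WINDOWS\system32\$sys$folder",
    r"C:\WINDOWS\system32\$sys$folder\player.dll",
    r"C:\Music\$SYS$rip.mp3",
]
API_VIEW = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"c:\windows\SYSTEM32\drivers\cdrom.sys",   # same file, different case
    r"C:\WINDOWS\Temp\scan.log",                # created between the two scans
]


def norm(path):
    """Windows file names compare case-insensitively, so fold case and separators."""
    return ntpath.normcase(ntpath.normpath(path))


def cross_view_diff(api_view, raw_view):
    """Group entries that only the low-level view contains.

    Returns {topmost hidden path: [hidden paths at or below it]}. Entries that
    only the API view contains are ignored: they are usually files created
    between the two scans, not evidence of cloaking.
    """
    visible = {norm(p) for p in api_view}
    hidden = {}
    for path in raw_view:
        key = norm(path)
        if key not in visible:
            hidden.setdefault(key, path)      # keep the original spelling

    groups = defaultdict(list)
    for key in sorted(hidden):
        # Climb while the parent is hidden too, so a cloaked directory and its
        # contents are reported as one finding.
        root, parent = key, ntpath.dirname(key)
        while parent in hidden and parent != root:
            root, parent = parent, ntpath.dirname(parent)
        groups[hidden[root]].append(hidden[key])
    return dict(groups)


def infer_cloak_prefix(groups):
    """Longest prefix shared by the names of all topmost hidden entries.

    A non-empty result suggests name-based cloaking and tells the analyst what
    the prefix is, without having known it in advance.
    """
    names = [ntpath.basename(norm(root)) for root in groups]
    if len(names) < 2:
        return ""
    return os.path.commonprefix(names)


if __name__ == "__main__":
    found = cross_view_diff(API_VIEW, RAW_VIEW)
    for root, members in found.items():
        print(f"hidden from API: {root} ({len(members)} entries)")
    print("shared name prefix:", repr(infer_cloak_prefix(found)))
```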
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I believe what Andrew came upon is Windows' built-in file/folder hiding. I don't believe it should ever be on, so to turn it off:

In Explorer go to the Tools menu
Folder Options
click the View tab
click "Show hidden files and folders"
uncheck "Hide extensions for known file types"
and uncheck "Hide protected operating system files" (click YES)
click Apply

After this, you can see the folders/directories in Explorer.

Btw, this has nothing to do with Sony's, or any other, DRM.

11/13/2005 11:03:00 PM by cracky
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Zoverlord said:

"It is also known that this component can "CALL HOME" however all of its capabilities are currently NOT known."

Mark's Blog Friday November 04 2005:

"This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID[.]"

"I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."

Surely this has legal privacy issues (unless the EULA exempts Sony) as understood in California v Greenwood (1987):

"Whether something is constitutionally protected as "private" (in cyberspace as well as the physical world) is therefore determined by a two-prong test. Did the individual do something to demonstrate that he or she personally had an expectation of privacy (subjective prong), and is that person's expectation of privacy one that society believes is reasonable (the objective prong)."

Quoted from, Digital Evidence and Computer Crime, Eoghan Casey (2004) Elsevier Academic Press.

Like I say I haven't read the EULA to see if there is anything that undercuts this, but I'd say that listening to music in your own home demonstrates an expectation of privacy, and not an unreasonable expectation at that.

11/14/2005 12:00:00 AM by ruy_lopez
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ZOverLord

I don't think that it's being missed even though it has received less of our attention. IMHO it's the law-breaking of messing up a computer and rendering it useless that got the attention it rightfully deserves and I hope this is kept up until all of the cards have been played.

The fact that it is intercepting data is nothing unusual. Anyone with a virus scanner active / firewall active etc. is suffering the same fate too. G/mail scans through all of your emails etc.. What makes these companies any more or less 'trustworthy' than Sony? All say that they do not collect information but how can we really know?

The fact that the hidden files have been revealed in theory fixes the "hidden" virus threat. Although you can still catch any virus, it cannot now remain hidden behind the Sony veil.

The fact that the CD drive has now been limited by the Sony driver and attempts to remove the driver will cause a loss of the drive altogether, supposedly requiring technical support.. well that's the next problem we need to work on... IMHO.

11/14/2005 12:01:00 AM by Bushranger
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This whole mess educated me a lot very fast.

Now I have found that consumers are fighting back in general against RIAA produced or distributed products.

RIAA RADAR lets you search every album you are thinking of purchasing and if it is clean, spend your money and support the artist. If the album does not pass then boycott that CD release and cause the RIAA members and the RIAA itself financial hardship.

We may have no guns, but we have something more powerful! We have our money we can take away from the companies that continue to view the consumer as a criminal and think they can dictate what we can and cannot do with the music we purchase.

http://www.magnetbox.com/riaa/

11/14/2005 1:19:00 AM by Indiana Blogger
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Zeh_,

I'm not asking you to read the manual. I'm asking you to type something in verbatim at a prompt.

Surely you aren't afraid of a keyboard? I mean, I know I don't know much about Windows, preferring real computers to toy ones as I do, but I thought you still had to type things occasionally.

Or is having your computer hijacked a price worth paying for not having to interact with it the traditional way?

11/14/2005 3:20:00 AM by ajs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

cracky,

"I believe what Andrew came upon is Windows' built-in file/folder hiding. I don't believe it should ever be on, so to turn it off"
"uncheck "Hide extensions for known file types""

Good points, but I'd just like to extend this awareness a little.
For the REALLY paranoid, this still doesn't show you all extensions. If the registry key contains the value "NeverShowExt" for an extension, it still won't be listed, even with the above "Hide" tick-box unchecked.
There are plenty of pages on this, just google for "NeverShowExt". This is a long-time tactic of Viruses to hide their true nature (e.g. the "SHS" file type, see McAfee on http://vil.nai.com/vil/content/print98668.htm).

11/14/2005 5:37:00 AM by mur
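
A way to audit what mur describes, as an added example that is not part of the original comment thread: this Python code parses a `reg export HKCR` style dump and lists the extensions whose file class carries a `NeverShowExt` value. The sample export is constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the text format of `reg export HKCR classes.reg` (real exports are UTF-16).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''

ROOT = "HKEY_CLASSES_ROOT\\"
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}; '' names the default value."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
        elif current is not None and (val := VALUE_RE.match(line)):
            current[val.group(1) or ""] = val.group(2)
    return keys

def hidden_extensions(text):
    """Map each extension Explorer will never show to the class that hides it."""
    classes = {path[len(ROOT):].lower(): values
               for path, values in parse_reg(text).items()
               if path.upper().startswith(ROOT) and "\\" not in path[len(ROOT):]}
    def never_show(values):
        return any(name.lower() == "nevershowext" for name in values)
    hidden = {}
    for name, values in classes.items():
        if name.startswith("."):
            progid = values.get("", "").strip('"')
            if never_show(values) or never_show(classes.get(progid.lower(), {})):
                hidden[name] = progid
    return hidden
```

Any extension in the result stays hidden in Explorer even with "Hide extensions for known file types" unchecked, so an unexpected entry is worth a closer look.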
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I've seen on other forums mention that the rootkit part of this software bundle INSTALLS itself BEFORE you ACCEPT the EULA.

Can anyone confirm this?

11/14/2005 7:55:00 AM by Sharpy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sharpy wrote:

"I've seen on other forums mention that the rootkit part of this software bundle INSTALLS itself BEFORE you ACCEPT the EULA. Can anyone confirm this"

That's not this Sony-sponsored malware, that's the other Sony-sponsored malware ;)

The cloaking rootkit Prof. Russelljohnsonovich stumbled across is F4I's XCP DRM package that Sony put on *some* of its CDs.

What you are speaking of is Sunncomm's Mediamax, a different DRM that Sony uses on *other* of its CDs.

And yes... reports from http://www.freedom-to-tinker.com/?p=925 indicate that Sunncomm's Mediamax does indeed install its malware before it even offers an EULA... and leaves the malware installed and running even if the user declines the EULA.

And Sunncomm's Mediamax is the DRM that will also try to rewrite a Mac's kernel extensions if given a chance.

Try to use Sunncomm's name a lot when discussing their malware... it drives their shills nutso in their painfully obvious attempts at damage control regarding blog articles and reader comments here and elsewhere ;)

11/14/2005 12:39:00 PM by zapkitty
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sunncomm... Is this the same Sunncomm that somewhere on its (that's Sunncomm) website, tells you the best way of removing its (Sunncomm again) DRM is to write to APPLE and ask them to open ITUNEs up to Sony (Sony BTW use Sunncomm's DRM on some of their Audio Disks)? Because Sony got beat out again.

No I'll not list Sony's failures.. Betam... Whoa almost slipped up there.

Anyway back to Sunncomm. Waiting for your response Sunncomm.

11/14/2005 1:01:00 PM by Sharpy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Yes--the Federal lawsuit has been filed!!!

http://blogs.washingtonpost.com/securityfix/

Here's the filing:

http://www.washingtonpost.com/wp-srv/technology/daily/graphics/complaint_111405.pdf

11/14/2005 6:02:00 PM by BUL
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

This is the new Sophos detection and disabling tool for the Sony-BMG XCP software:

http://tracker.zaerc.com/torrents-details.php?id=4106&hit=1

(it disables part of it at least, anyway -- and without adding more sh!t unlike the '''disabler''' from $ony-BM)

11/14/2005 6:56:00 PM by tnuocca342
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

As a part of that Federal class action lawsuit filing, it mentions that they don't know the true size (or members) of the class. However, that should be easy to find - just subpoena the log records from Sony's server that has the IP address from all discs that have "phoned home". In addition, it should force Sony to release a full list of all discs that have this DRM on them.

11/15/2005 8:10:00 AM by Dana Cline
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

OK: maybe a lawyer should backstop me on this, so please correct me if I'm wrong....BUT.

If we accept that Sony and F4I and Sunncomm are all committing marginal acts by these rootkit and undesired software offerings is one thing. If I'm not mistaken....If you use the disk, there is some kind of implied consent...BUT if you return the disk and receive a refund, you give up the right to any use of ANY installed software from that disk on your computer.

Their software is left on your computer after you return the disk. And further, without considerable special knowledge or a reformat, it will stay there.

Given that the RIAA, Sony, Sunncomm and F4I, and anyone of good conscience would surely be aware, by NOT removing this software, that immediately makes the end-user a criminal, without participation. BUT WAIT...it gets better. By not supplying an intelligent and complete uninstaller, that makes the various corporations guilty of at least aiding and abetting software piracy of their own software. Further, because the scope of the individual's culpability is within the range of reasonable abuse, no court will waste its time on such a matter in the case of an individual.
BUT what I believe is that in fact, due to this abandoned software, wanted or not....and due to the THOUSANDS of cases involved, I believe we may find that Sony et al. are some of the worst software pirates in the world today, as anyone who returns their Copy Protected /DRM yada disk and receives a refund is no longer a legal user/owner of that software, and in failing to provide a remover, Sony has either participated or abetted this act.
With a little legal stretching, Sony et al. may well have to participate as witnesses against themselves in a class action/mass prosecution software piracy case under many different countries' digital rights/copyright protection laws.

What I'm most worried about is that reading all these posts has got me worried I might start understanding Sony's press gobbledygook soon. Sigh.

peace. If we can make this stick...now that will be interesting...and fun.

11/15/2005 11:51:00 PM by Ggagg
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

ok guys it is really easy to copy sony's music to an mp3 ..... use their own program to rip them and there is nothing they can do to stop it...... yes it is true ... most of you probably don't know but sony owns the right to a program called sound forge all you need to do is place one of those pesky copyrighted disks in to a cd player and go get a cable from radio shack and hook it up between the phone out on the cd player and the line in on your computer use sony's own program to defeat their own copyright software that they probably spent a nice bit of chump change on. voila no more copyright from sony.

i am sorry but sometimes when you try to get too technical simplicity rulz.


ohh and by the way you can download sound forge from sony and then find a crack so you don't have to pay the $70 bucks that they want to charge for it


rock on and enjoy this new info

11/16/2005 1:40:00 AM by crzyjoker13
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

As a sysadmin, has anyone seen a good scanner that I could run on all 600 workstations at my location?

Thanks,
Dan

11/16/2005 3:30:00 PM by Dan
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

If you have AnyDVD installed on your system, all this invasive and idiotic DRM crap is disabled BEFORE it gets a chance to infest your baby. That alone is worth the nominal price of a ticket on the AnyDVD express.

On another note, I've never been a big fan of Sony, having worked with them many years in the electronics and computer businesses I've managed or owned. This is just icing on the cake. The demons will be having snow ball fights before another cent of my money goes into a Sony product.

11/17/2005 11:49:00 PM by sherwoodcs
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Well... to answer questions about installing a kext (kernel extension) in Mac OS X, it is pretty much the equivalent of a Windows rootkit. A kernel extension is a way of dynamically loading something into the OS X kernel, which is the very core of the OS. If you threw the kernel off badly, Mac OS X would probably lock up and crash, depending on the situation. In the worst cases, think of this analogy: you're removing the foundation from under a house.

11/19/2005 12:41:00 PM by dapanther
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony should be sued until it ceases to exist. Secret installation of rootkits or rootkit components is unacceptable in any application at any time. This is simply an outrage. Spyware-scumware now sonyware.

11/24/2005 9:12:00 AM by Tectonic69
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Okay I'm gonna let my total ignorance free my thought process (lovely rationalization for being superstitious isn't it?). My guess is that Sony is actually COLLECTING information via the "uninstall" process. The "double gateway" will later be used to serve as proof of consumer CONSENT (when taken in tandem with the EULA that's recently been dissected in various forums). I.E. we gave him two chances to decline and he still gave us the evidence....

My guess: THEY'VE ALREADY SPIED ON YOU and the uninstall process is your chance to hand over the evidence on a silver platter with your John Hancock attached to free them up legally.

How does one get rid of this thing without Sony's help?

11/24/2005 10:28:00 PM by tednor
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

RIAA...Making P2P a viable solution for your music needs for over 10 years.

12/30/2005 5:06:00 PM by Anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

No great surprise, all this. Sony used to call themselves 'those nice Sony people' in their TV ads from Trinitron days. They made good gear, then, professional and domestic. Some kind of rot took hold around 1990, and their home stuff went very low-end. I bought a £120 audio recorder which had serious design deficiencies, and when I wrote to them their UK agents were rude and aggressive even by Brit standards. Howard, Devon UK.

1/1/2006 10:20:00 AM by Howard
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Hi, Mark: Only a comment from the Pirate Point Of View: "If it can bleed, it can be killed"... (No, that one is from Schwarzenegger on "Predator"...). If a CD can be played, the music can be copied... so I don't know why they have pushed the technology so far, that can be broken by a $6.00 6-feet 1/8" Stereo cable... And Sony pays top-salaries to do stupid things... (BTW: I am cancelling my membership from the BMG music club, even when the root-kit thing hasn't hit me). Music downloads have proven a best way for me... I can get around the UNWANTED TRACKS!!!

1/3/2006 12:37:00 AM by Anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Nice Work Mark. All of this just leaves me to wonder if there is any DRM crap on any of Sony's DVD's / Home PC's / Or if there will be any to do with the PSP or The Playstation 3.

By The Way, I had a Sony CD that was apparently copy protected (This was early 2005 I think), and wanted me to install the media player. (Different install now so can't check.) FreeRip (www.mgshareware.com) ripped this no problem. It was Ultravox's Greatest Hits.

And as I don't have any Sony DRM Discs (I stopped buying most Sony products for other reasons early this year), I think using ISObuster would work, as it can detect different tracks on a disc, and can copy raw data and extract wave data from CDs.

-Darrel.

1/4/2006 3:04:00 PM by Darrel
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

hey mark. first of all, thanks for all the info on this. i have a question though. I downloaded and ran the patch after following a link that was in an email from amazon.com (where i bought the cd [Wakefield - Which Side Are You On?]). Does that patch get rid of all the problems because i think it was the cd that made my drives act real funny. Also, i have the tracks ripped onto my computer. Would i need to completely delete those too or anything like that? Please email me back with any info you have. thanks a lot

1/7/2006 3:21:00 PM by champy
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony not only doesn't care about their customers, but actually goes out of their way to be malicious to their customers. Ask anyone who's ever played one of their games, such as Everquest (particularly bad history with that one). I know I'll never buy any product Sony has had anything to do with ever again.

7/5/2006 12:25:00 AM by Anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

I figured that they invaded my privacy and my Home thru my computer and with the facts presented here and the Ethereal that I have run myself, I just decided to contact my Lawyer and he said we have Great Grounds for a class action Lawsuit that would make SONY stand on their ear. All I can say is the only real way that I was able to repair my system was to use my backup from the time I installed the CD and reformatted and reinstalled the OS and then restore my System from Backup. Everything is all gone. Unfortunately, my wife just took the CD yesterday and installed it to listen to VAN ZANT and here we go again! The Law should be simple, You know freedom of choice! Oh I forgot, under the Bush United States of Security act: Alias the "Patriot Act" any big Government or business can do whatever they want to us and we have no say! But the real Law should be, "Any Program that installs on to your computer needs your approval and you Must be provided with an Uninstall feature that removes all said program changes and restores the system back to the original system prior to the Installation of said program".

7/24/2006 10:20:00 PM by Anonymous
# re: Sony: You don’t reeeeaaaally want to uninstall, do you?

Funny how Sony does all this stuff just because you put a CD in your drive. The obvious solution to this seems, to me, to be downloading all your songs, using a (gasp) illegal peer-to-peer software. So basically Sony is trying to convince the informed people to not buy their CD's, and pirate them instead? Interesting...

9/15/2006 4:45:00 PM by Briack
  • Following the link to F-Secure, I found out that two "Trojans," or xcp.sony.rootkit (crap) were actually installed from two of my CDs. Look at the top CD on the F-Secure site; currently, this artist's newest CD (3rd installation) does not support this software.

    Bellsouth internet security defines this as a trojan horse/spyware/and a rootkit.  This is troubling.  I'm straight up tired of seeing it in my list of "problems"

    Does the EULA agreement even say, "Hey buddy, listen, we are installing secret software."?  I hate having stuff I don't know about, and seeing it defined as a Trojan Horse sickens me.

    Technically, it shouldn't pose a problem.  But a very useful link on the problem can be found at:

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362

    Pest... Ha...  It really is a pest.

    IF a hacker wanted to, they suggest that this software could be used to support their little intrusion.  Once again: Troubling.

    Oh well...  Just another one of a million programs installed on our accounts that we don't know about...

    Sony, as a company, needs to create "legal" uninstall software.  Manually deleting this program can render some of your devices useless and leaves you open to even more attacks.

    For those that read this comment, please visit the above link to find out more about this subject.  If you're not already alarmed, this will open your eyes even more.

  • Would you knowingly install a Trojan?