More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world, including USA Today and the BBC. This is a case of the blogosphere having an impact, at least for the moment. But there’s more to the story, like how Sony’s patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller. At the core of this story, however, is the issue of what disclosure should be required of software End User License Agreements (EULAs) and how the requirements can be made Federal law.
The Uninstaller
Despite a chorus of criticism over Sony not delivering an uninstaller with their DRM software, Sony refuses to admit blame and to make an uninstaller readily available. The uninstall question on Sony’s FAQ page directs you to another page that asks you to fill out a form requesting that uninstall directions be emailed to you:

There’s no way to access the uninstaller without providing this information, and clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address can be added to various Sony marketing lists.
A few minutes after submitting the form I received an email assigning me a case ID and directing me to another page on Sony’s site where I would have to submit an uninstall request a second time:

I’ve filled out the second form and am waiting for the follow-up email.
The Patch
You can get to the patch supplied in the above email from the same Sony support site under Software Updates:

The download text claims that the rootkit does not pose any “potential security vulnerabilities”; however, it’s obvious that any software that cloaks files, directories and Registry keys beginning with a certain string of characters is a clear security risk. An innovative exploit of the rootkit utilizes it to compromise the World of Warcraft anti-cheat system.
The download of what should be a small patch is around 3.5 MB because it includes updated drivers and executables for the DRM software that the patch also installs (again, no mention of this is made in the download description). Interestingly, after installing the patch a new entry showed up in the Windows Add and Remove Programs utility, but it’s only because I checked immediately after I ran the patch that I knew it was related to Sony:

Nowhere up to now have I seen the Sony Player or DRM software referred to as “MediaJam”. I looked in the Program Files directory and the only file in the new MediaJam subdirectory was Unicows.dll, a Microsoft DLL:

Assuming that uninstalling MediaJam would uninstall the DRM software, I attempted to do so but was greeted with this dialog:

It looks like their rush to get the patch out precluded any kind of testing.
The actual decloaking, which is the only value the patch advertises, simply performs the equivalent of the following Windows command:
net stop "network control manager"
“Network Control Manager” is the misleading name the developers assigned to the Aries driver, so the command directs the Windows I/O system to unload the driver from memory. After the patch had completed I dumped the system call table in LiveKd and noted that the redirected entries had returned to their standard values and that the driver had unloaded from memory:

However, Sony’s uncloaking patch puts users’ systems at risk of a blue-screen crash and the associated chance of data loss. The risk is small, but I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running:
“It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described.”
If the developers had heeded this warning, the decloaker would have required the system to reboot so that the Aries driver could remain active through the shutdown, but then not load on the next reboot.
I urge Sony to make a real uninstaller readily available for download and to make both the de-cloaking and uninstaller unload the driver safely. In the meantime users can perform a safe decloaking by opening the Run dialog from the Start menu, entering “sc delete $sys$aries”, and then rebooting. This sequence deletes the driver from the Windows Registry so that even though its image is still present on disk, the I/O system will not load it during subsequent boots.
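The race described above can be stepped through deterministically. The following C model is an added illustration, not code from the original post or from the Aries driver; the table slot, counter and function names are hypothetical, and it covers only the window the post describes (a thread that has read the hooked table entry but has not yet executed the hook's first instruction).

```c
/* Added illustration: a user-mode model of the driver unload race.
 * Nothing here touches a real system call table; all names are hypothetical. */
#include <stdio.h>

enum owner   { KERNEL, DRIVER };   /* who a table entry points into */
enum outcome { OK, BUGCHECK };     /* BUGCHECK = jump into unmapped memory */

struct driver { int mapped; int in_flight; };

static enum owner    slot;         /* one system call table entry */
static struct driver drv;          /* driver image and its thread counter */

static void load_and_hook(void)
{
    drv.mapped = 1;
    drv.in_flight = 0;
    slot = DRIVER;                 /* entry redirected into the driver */
}

/* Live unload (the "net stop" path): restore the entry, then unmap as soon
 * as the driver's own counter reports that no thread is inside its code.
 * Returns 1 if the image was unmapped, 0 if the unload has to wait. */
static int try_unload(void)
{
    slot = KERNEL;
    if (drv.in_flight != 0)
        return 0;
    drv.mapped = 0;
    return 1;
}

/* One thread making the hooked call, split into the steps that matter.
 * unload_at: -1 no unload, 0 before the thread reads the table entry,
 *             1 after the read but before the hook's first instruction,
 *             2 while the thread is inside the hook. */
static enum outcome hooked_call(int unload_at)
{
    enum owner target;
    int pending = 0;

    if (unload_at == 0) try_unload();
    target = slot;                          /* step 1: read the table entry */
    if (unload_at == 1) try_unload();       /* counter is still 0 here */

    if (target == KERNEL) return OK;        /* original routine, always mapped */
    if (!drv.mapped)      return BUGCHECK;  /* stale pointer into freed image */

    drv.in_flight++;                        /* step 2: hook's first instruction */
    if (unload_at == 2) pending = !try_unload();
    drv.in_flight--;                        /* step 3: hook returns */
    if (pending) try_unload();              /* deferred unload completes */
    return OK;
}

enum outcome call_with_unload_at(int unload_at)
{
    load_and_hook();
    return hooked_call(unload_at);
}

/* How many of the three unload positions crash the calling thread. */
int count_unsafe_interleavings(void)
{
    int at, unsafe = 0;
    for (at = 0; at <= 2; at++)
        if (call_with_unload_at(at) == BUGCHECK)
            unsafe++;
    return unsafe;
}

/* Reboot-based removal (the "sc delete" then reboot path): the driver stays
 * mapped until shutdown and is simply not loaded on the next boot. */
enum outcome call_around_delete_and_reboot(void)
{
    enum outcome before, after;

    load_and_hook();
    before = hooked_call(-1);      /* driver still resident, hook is valid */
    slot = KERNEL;                 /* next boot: table never redirected */
    drv.mapped = 0;
    drv.in_flight = 0;
    after = hooked_call(-1);
    return (before == OK && after == OK) ? OK : BUGCHECK;
}

int main(void)
{
    int at;
    for (at = 0; at <= 2; at++)
        printf("live unload at step %d: %s\n", at,
               call_with_unload_at(at) == OK ? "ok" : "BUGCHECK");
    printf("unsafe interleavings: %d of 3\n", count_unsafe_interleavings());
    printf("delete + reboot: %s\n",
           call_around_delete_and_reboot() == OK ? "ok" : "BUGCHECK");
    return 0;
}
```

The counter only protects threads that have already entered the hook, which is why the middle position fails while the other two succeed.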
EULAs and Disclosure: Sony’s Player Phones Home
There’s more to the story than rootkits, however, and that’s where I think Sony is missing the point. As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There's no way to ensure that you have up-to-date security patches for software you don't know you have and there's no way to remove, update or even identify hidden software that's crashing your computer.
The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony’s site and sends the site an ID associated with the CD.
I decided to investigate, so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user’s comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID:

In response the Sony web site reports the last time a particular file was updated:

I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.
The media has done a great job of publicizing this story, which has implications that extend beyond DRM to software EULAs and disclosure, and I hope that the awareness they’re creating will result in Congressional action. Both the software industry and consumers need laws that will clearly draw lines around acceptable behaviors.
The story continues with Sony's Rootkit: First 4 Internet Responds.
Originally by Mark Russinovich on 11/4/2005 12:04:00 PM
Migrated from original Sysinternals.com/Blog
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
"It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code."
Isn't it possible to allocate some non-pageable memory, write a couple of assembly instructions to it that check a state variable and jump to the detour or to the original function?
The service dispatch table would point to this assembly code instead of pointing directly to the detour function. Then the driver could be unloaded without any risk.
11/4/2005 1:19:00 PM by Eternal Idol
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Another excellent and informative article. These latest confirmations on 'phone home' activity and system stability yet again bring criminal liability into play in the UK under the Sale of Goods and Services Act, as yet again, they are clearly misleading the consumer about the product.
Thanks.
11/4/2005 1:58:00 PM by Alexander Hanff
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
@ Mark - you write: "I’ve filled out the second form and am waiting for the follow-up email"
Another place wrote this:
"In a test of the form late Wednesday, an e-mail confirming receipt was quickly returned by Sony BMG customer service, but it included no instructions on how to remove the software. The message promised another reply "shortly."
Link: http://www.foxnews.com/story/0,2933,174452,00.html
I am waiting for ANYONE to get this so-called follow up email from Sony to find out if what they send is successful or not in completely removing this DRM garbage.
PLEASE keep us posted.. and thank you so much for your hard work on all this!
11/4/2005 1:58:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Hi Mark,
As usual, another excellent post.
Nick.
11/4/2005 2:09:00 PM by Nick Whittome
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark,
Thank you very much for finding and publishing this information. I am greatly disturbed by the mindset of people behind this.
If I purposely hid software on another person's PC that reported information back to me (or my company) would I not be subject to Federal laws against hacking?
You say there needs to be stricter laws explaining EULA's, but I think the law is pretty clear on fraud, hacking, and gaining access under a false pretense.
I think the Sony Exec who authorized this should see jail time.
-AG
11/4/2005 3:00:00 PM by Adam Gates
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Did anyone click on the link MARK provided and actually LISTEN to the audio??
In this Audio, you will hear a comment from Thomas Hessa (not sure of spelling), PRESIDENT of Sony BMG's Global Digital Business. In this Audio he says "Most people, I think, do not even know what a Rootkit is, so why should they care about it?"
FREAKING UNBELIEVABLE!
Click on the LISTEN button on this link here to HEAR it yourself!
http://www.npr.org/templates/story/story.php?storyId=4989260
11/4/2005 3:06:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
You go to a website.
You click thru some intro page that solemnly swears you to benevolent visitorness, i.e., you're not going to damage, deface, or illicitly access what you shouldn't oughtta.
Upon connecting, you have just installed - quite without your knowledge or explicit consent, which is what the bogus clickthrough was all about - a rootkit that monitors you for hacking activity, what you DL from the site, what commands you SEND the site, etc. and so on. And while it's there, hey, might as well pack up some marketing info and forward it to the website's databases. And their friends and partners. And parent co.
Am i to understand there's absolutely nothing technical stopping this from occurring right now? If buying a CD wins you this prize...
What SONY and Blizzard and all these other fascist shortsighted narrowminded idiots don't consider, of course, is that THEIR app is not the only one you run! Conflicts and version control on above-board apps is a hard enough task; when a small army of secret, self-interested programs begin to wage war on one another... intentionally or accidentally, makes no difference.
I don't know how to express what i'm seeing, but visualize the above: every app, every website you visit, every time any device you own makes contact with someone else's network, brushes up their 'intellectual property,' it will, in the name of DRM and the DMCA, with the RIAA and MPAA cheering it on, pick up any number of unknown riders, all looking after the interests of its corporate master.
Perfectly benign, of course. Nothing to get all lefty hysterical about, I'm sure. If you aren't a criminal you've nothing to fear, citizen.
'course i'd feel safer about it all if the world didn't keep growing to resemble every outlandish old SciFi short story i ever read.
11/4/2005 3:15:00 PM by spacefiddle
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Never explain by malice what can be explained by incompetence
I don't believe that Sony management has a clue what really went on the CD and what the issue really is. I think this is actually worse than some of the conspiracy theories I've seen on the subject. Some top management guy told a lower echelon drone to "do something about copy protection, I've heard about this DRM thingy". Drone instructs sub-drone, who instructs sub-sub-drone, who ends up asking a number of companies how much it would cost to make this. The sub-sub-drone ends up making a choice by looking at technical capability of companies involved... not. The bid goes to the lowest bidder, whose account manager thought it would look good on his yearly bonus if he bagged Sony as a client. They then pick their first available programmer who starts putting something together. After too much time and money is spent, the software is rushed into production.
In my view this is not so much a DRM conspiracy issue, as much as it is the usual tale of miscommunication and incompetence in large corporations. The difference is that the cock-up is so visible and has such a wide impact.
Instead of passing it off as an easy "executive decision", it might be good if Sony management actually took a serious interest in the complex issues of digital rights. Who knows, we might even get intelligent discussion and decisions on the issue...
11/4/2005 3:55:00 PM by Serge Beaumont
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark,
Is there any way some testing can be done for the following?
1. What happens when you UPDATE this mess, and make it NOT hidden, and you do a "System Restore" when it was hidden, or you restore a backup like Ghost for an example?
2. If you completely remove it and then do a "System Restore" when it was hidden or do restore a backup like Ghost for an example?
In any of these cases, is your system screwed up, and could you end up having a Hidden and Non-Hidden version?
11/4/2005 4:20:00 PM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
It seems that a California based Law firm GREEN WELLING LLP has taken up this issue, good for them.
" We would be interested in speaking to all U.S. residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme. "
Their Website is here http://www.classcounsel.com/
Look under Consumer Protection.
You can contact us at gw@classcounsel.com.
# posted by Green Welling : 3:35 PM, November 04, 2005
11/4/2005 4:26:00 PM by Nathen
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
@ Green .. how cool that California law is interested in this! Thank you for this info. I plan to let my friends know about this that live in Cali.
However, this is something that EVERY USA STATE should be interested in as well (as well as around the WORLD) And Mark, I certainly do hope that a "Congressional action" takes place!
I am glad to see the mainstream media pick up on this (finally).. such as Washington Post, Associated Press, BBC, Foxnews, MSNBC to name a few..
however I am VERY disappointed that CNN reports absolutely nothing on this! I sent a nasty gram regarding that but I doubt they care! It sure makes me wonder who is "partnered" in with Sony!
11/4/2005 5:25:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Didn't CNN (Time Warner) and Sony/BMG (Bertelsmann Media Group) married (or are on the way to do so?) That would explain it.
11/4/2005 6:14:00 PM by Venceremos
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark, thanks for bringing all of this out. Sony says no one reported any problems until your blog came out with it- that's no doubt because the people having computer problems as a result of this had no idea it was due to their legally purchased CD.
I bet many formats have been carried out only to be damaged again with this CD because they had no idea that it could be Sony's disc.
Johnny gets a call from his mother again about BSoDs. It even fails in safemode. He assumes that it's spyware again and formats, reinstalls her PC. Immediately after he leaves- she starts playing her favourite music again...
I think the reg and inq are writing their new articles as we speak.
hmmm- let's see "Sony rootkit/spyware combo phones home"
Sony needs to recall these discs and Amazon needs to take them off their website. Here's a copy of a user review:
Vivian [CONTENT/COPY-PROTECTED CD] [CONTENT/COPY-PROTECTED CD]
~ Vivian Green
NOT GOOD FOR 64bit USERS, October 9, 2005
Reviewer: tvideo (NJ, USA) - See all my reviews
Since, I don't care about stealing any music, the "Copy Protected" warning didn't bother me in the least. I am a Hardcore gamer I have a high end 64bit PC running Windows XP Pro. The CD claims it is compatible with Windows XP, it does NOT specify which versions so I assumed I was OK.
I installed this CD and I was forced to accept some agreement and then it installed some lousy music player. Everything seemed fine until next time I rebooted my PC both my DVD and CD drives had literally disappeared! That's right this so-called copy protection destroyed access to my drives!!! The copy protection REALLY works great they just disable all your CD/DVD drives so you can't use them with ANY discs anymore - UNBELIEVABLE!!!
http://www.amazon.com/gp/product/customer-reviews/B0007Y4TV0/ref=cm_cr_dp_2_1/103-1243566-0680626?%5Fencoding=UTF8&s=music
11/4/2005 6:22:00 PM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
One thing I have not seen mentioned is what happens if a user had a file or directory with the $sys$ prefix -before- the rootkit is first installed.
I suspect that XCP does not scan for that before installing.
From the users view the file would simply disappear, probably would not be noticed for a while.
If that is not trashing someones system I don't know what is.
Unlikely but not impossible since some programs create arbitrary file names at times...
All your files are belong to us.
11/4/2005 6:23:00 PM by moe-dog
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
"however I am VERY disappointed that CNN reports absolutely nothing on this!"
I know it's not this simple but CNN is part of Time-Warner, who HAPPENS to be a RIAA and MPAA member. That's probably why.
11/4/2005 6:27:00 PM by amdrokz
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Another point is how can anyone possibly claim that this garbage that happens to be b0rking Windows boxes across the US protects their music when it can be defeated with the SHIFT key?
Maybe the new DRM compliant keyboards don't have SHIFT keys..
11/4/2005 6:36:00 PM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
In responding to the specific comments in this blog we set out the following comments which I hope clears things up.
1) Blog: "The Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."
Answer: The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.
2) Blog: "The download of what should be a small patch is around 3.5 MB because it includes updated filters for the DRM software that the patch also installs (again, no mention of this is made in the download description)."
Answer: In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.
3) Blog: He states that the patch installs something called MediaJam which he was not expecting and could not uninstall.
Answer: Service Pack 2 does not install the MediaJam player on the user's hard drive. The only MediaJam related file installed on the user's drive is a standard Windows file (unicows.dll) used to support multiple languages. When this standard Windows file is installed by Service Pack 2, it creates a MediaJam group in the Add or Remove Programs list -- even though no MediaJam player is installed. Attempting to 'uninstall' this program results in a dialog box which confirms that this program had never been installed in the first place.
4) Blog: He claims that the patch itself could cause a blue-screen, although he says the risk is small.
Answer: This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.
5) Blog: As part of the uninstall process he notes that "clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address will be added to various Sony marketing lists."
Answer: An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.
11/4/2005 6:39:00 PM by xcp support
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
11/4/2005 6:54:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Hmmm.. Obviously it sounds like SOMEONE at First4Internet got our nasty grams!
11/4/2005 6:58:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
xcp support.
Care to comment on:
What would happen if a system restore was done that had the hidden version after it was removed?
What would happen if a system restore was done that had the hidden version after it was updated to non-hidden?
Was ANY testing done to check?
11/4/2005 7:01:00 PM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
What xcp support said is VERY informative.
To summarize it, customers need to trust them regarding whatever was installed, whatever they provide for uninstall and whatever information's been sending back to their server.
11/4/2005 7:05:00 PM by amdrokz
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
"In responding to the specific comments in this blog we set out the following comments which I hope clears things up.
Answer: The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities."
There is no such thing as one way communication on the internet, all packets sent must receive an acknowledgement, if they don't it is not a communication. The network packet sniffer has determined that an ID is sent to 2 different Sony websites, the logs of these websites will also include the IP of the computer that sent this ID. Why should anyone trust that these logs will not be correlated and used for dubious purposes?
"Answer: In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point."
Due to the subterfuge already shown by your company and also the comment in the press from Sony stating they have now found new ways to hide DRM software, why should anyone believe a single word you say?
"Answer: This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more."
And as he has explained, this can cause a blue screen crash. Microsoft has also been reported as having told consumers with crash issues that your software is responsible. Again, why should we believe a single word you say?
Answer: An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.
No, an email address is not required, you can release the uninstall utility on the Sony or your own website, there is no need for you to collect any more details on these consumers whatsoever.
Now XCP Support, my turn. I spoke to your CEO on the telephone, I gave him 7 very specific questions via an email which he stated on the telephone he would answer in 24 hours. He failed to answer any of the questions.
I have reported you to the law enforcement agencies in the UK including Scotland Yard, Trading Standards and High tech Crime Unit. I believe you are guilty of violating the Sale of Goods and Services Act and the Computer Misuse Act (as do others). You have failed to disclose information about your product, this is a criminal offense in the UK under the Sales of Goods and Services Act (amended), furthermore because you have broken the legislation required to be met for the contract of sale to be legal, the EULA means absolutely nothing, it is void. Thus the result of this is you are also highly likely to be in breach of the Computer Misuse Act.
I also doubt very much that the changes to EULAs and FAQs over the past 3 days will do you any favours in the eyes of a jury.
I asked your CEO what about people without internet access or people who know nothing about the massive security risks your software causes. How do they "upgrade" to SP2? So far you have failed to answer this question at any junction.
Finally, I will say You and Sony are BOTH liars (sue me if you dare). F4I are liars because they have claimed that the original software posed no security threat whatsoever. However, you and everyone else who is aware of this issue, know that by simply prefixing the name of malicious 3rd party software with the $sys$ will cloak it under the same rootkit your software installed. This is a serious issue as regards potential identity theft and internet fraud. By stating that the original software posed no security risk you have once again breached the Sale of Goods and Services Act by misrepresenting your product to your consumers.
Sony is a liar because they have been reported in the press as stating that there are absolutely NO copyprotected CDs in the UK from the Sony/BMG label, it took me less than 30 seconds to find 3 in my own collection of CDs and Sony also stated on their website in the FAQs that ALL music cds provided by Sony contain content/copy protection.
You sir, and your company, will be held accountable in court. Not a civil litigation (although I expect there will be a few of those too) but a criminal prosecution at which point you will be judged by a Jury of your peers and in light of the evidence, I highly doubt you will be found not guilty.
11/4/2005 7:07:00 PM by Alexander Hanff
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Is this a joke?
1) So the communication is only one way? So... when you said there was zero communication you admit that you lied. Now we're supposed to believe you? joke, right?
2) In order to uninstall the DRM you have to upgrade it? You'll have to explain that one in more detail I'm afraid...
3) Did you just say that your uninstall program purposely does not uninstall anything? Did you really just say that?
4) Did you just accuse Dr. Russinovich of pure conjecture? It seems to me that either this procedure is safe or it is not. If you're 'lucky' and it doesn't crash does not mean that it's a safe procedure.
5) It's required to send you the information as you say and now you want us to 'just trust' that you aren't going to do anything? What in the past has shown us that you are worthy of trust? Anything? I just don't see it...
11/4/2005 7:21:00 PM by ThisAJoke
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I am extremely dismayed with the Los Angeles Times, New York Times, and PC Magazine. Each of these magazines avoids any article that exposes unethical business practices such as that done by SONY. Below is the Associated Press article that appeared in the Los Angeles Times. You will be pleased to note how Sony has "offered" to assist its customers.
-----------------------------------
IN BRIEF/MEDIA
Sony Offers Patch for Its Anti-Piracy Software
From Associated Press
After a chorus of criticism, Sony Corp.'s music division said it was distributing a free software patch to reveal hidden files that automatically installed onto hard drives when some of its music CDs were played on personal computers.
The offending technology was designed to thwart music piracy.
Sony BMG Music Entertainment and its partner, Britain-based First 4 Internet, said they decided to offer the patch as a precaution, not because of any security vulnerability, which some critics had alleged
11/4/2005 7:49:00 PM by srynas
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Without doubt, xcp support does not understand race conditions as he answers Item 4 in his response.
See Here:
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html#113115114916278358
When the System Service Table was modified to jump to the address of the "Sony DRM Root Kit" for these systems calls:
NtCreateFile
NtEnumerateKey
NtOpenKey
NtQueryDirectoryFile
NtQuerySystemInformation
As the driver is being stopped, other applications may have the modified addresses and attempt to JUMP to them yet that driver is gone.
So, this is not a joke, and depending on what is going on at the time this driver is stopped it is very possible and NOT conjecture that this can happen.
11/4/2005 8:18:00 PM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
"The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities."
TCP and HTTP traffic, the 'language' used on the web, has a lot of header information. It's like CallerID on steroids. As reported: your ip, time you connected, CD id is sent. Sony can collect this information if they choose. Since it's Sony running these servers not yourself how would you know what they keep?
"When this standard Windows file is installed by Service Pack 2, it creates a MediaJam group in the Add or Remove Programs list"
Why would 'installing' a DLL create a folder and add/remove entry for itself? Wouldn't just copying the file in the correct location (like the program's folder) work fine? I don't have XCP installed on my system so I wasn't able to look at this particular file but the existing unicows.dll I already have has no mention of MediaJam within it (via Strings) so even if I was to register the dll it wouldn't create those items.
--
"F4I is using standard Windows commands (net stop) to stop their driver. Nothing more."
The patch tells windows to tell your driver to unload. Cause and Effect. Yes the patch doesn't directly cause the crash but it indirectly tells your driver to do something possibly risky. And what is "their driver"? It's F4I's driver, not windows or anyone else's.
--
"An email address is required in order to send the consumer the uninstall utility"
Why?
--
----
--
"In order to uninstall the DRM you have to upgrade it?"
I was confused on this for a bit also. They haven't released an uninstaller yet. They just updated the software to not hide. It's easy to miss that.
--
----
--
P.S. Mark: MediaJam instead of 'Media Jump'.
"I looked in the Program Files directory and the only file in the new Media Jump subdirectory was Unicows.dll, a Microsoft DLL:"
11/4/2005 8:22:00 PM by halfdone
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
On an NPR.org news item, Thomas Hesse, president of Sony BMG's Global Digital Business division, stated the following two quotes:
“Most people I think don't even know what a root kit is so why should they care about it” and
“No information ever gets gathered about the user’s behaviour, no information ever gets communicated back to the user. This is purely about restricting the ability to burn MP3 files in an unprotected manner”
11/4/2005 8:58:00 PM by Stephen
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I just checked my XP-Home SP2 machine and there is no MediaJam software in the add/remove programs list. It wasn't installed during M$'s SP2 updates.
11/5/2005 12:29:00 AM by Menehune
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Regarding risk of crash, this is not just theoretical. Imagine two drivers which hook the same service, and then perform: load 1, load 2, unload 1, unload 2. The final step will BSOD the system because "load 2" saves service table entry that points to first driver, while "unload 2" restores it even though driver 1 has been unloaded already. Mark, you can confirm this right? Care to try to hex edit the driver to change the device name and try out what happens with two copies of this beast?
Also, go check Contents\GO.EXE in the cd and search for string "LAME". This is possible LGPL violation, since LAME mp3 library has been statically linked against the executable. You can see that version.c has been compiled in since it generates those version strings, and I found tables.c as well. Didn't locate any code though, apparently removed by optimizing compiler due to being unreferenced, but I couldn't test for all LAME code as I don't have proper tools available (such as sabre-security bindiff)
11/5/2005 12:56:00 AM by Matti Nikki
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
11/5/2005 4:18:00 AM by Matti Nikki
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I have just tested the bluescreening upon unloading, although using a more obvious problem than the race condition. I didn't even have to change the driver as it was a lot simpler than I thought, it doesn't create a device, it just hooks stuff. So, just make a copy of the driver and load it by any means you choose to (such as using w2k_load.exe), after that use the "net stop" command provided in the article above and unload the second driver. This will result in an immediate bluescreen, demonstrating that two copies of this very same, unmodified rootkit indeed can and will crash the system upon unloading. Rootkits are only safe to unload in LIFO order, attempting to do it in FIFO order will cause a crash.
Mark can probably provide better description after he reproduces these results. In summary, two rootkits of this very nature would be too much for a system and that's now been tested.
11/5/2005 4:40:00 AM by Matti Nikki
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
To safely remove the rootkit, you just have to unpatch the SDT without removing the rootkit itself from memory (which you can do later, when enough time has passed so that any thread which might execute it will have finished).
11/5/2005 5:12:00 AM by jj
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
One of the BBC's Tech reporters has posted a damning record of Sony's activities, my personal favorite line is:
"What Sony has done is stupid, but I am willing to accept that they did not really understand what they were getting into."
http://news.bbc.co.uk/1/hi/technology/4406178.stm
11/5/2005 6:34:00 AM by Akyan
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
"I have just tested the bluescreening upon unloading, although using a more obvious problem than the race condition. I didn't even have to change the driver as it was a lot simpler than I thought, it doesn't create a device, it just hooks stuff. So, just make a copy of the driver and load it by any means you choose to (such as using w2k_load.exe), after that use the "net stop" command provided in the article above and unload the second driver. This will result in an immediate bluescreen, demonstrating that two copies of this very same, unmodified rootkit indeed can and will crash the system upon unloading. Rootkits are only safe to unload in LIFO order, attempting to do it in FIFO order will cause a crash."
This is absolutely another risk of the unload, but requires that two system-call hook drivers are loaded and redirecting the same functions.
11/5/2005 8:17:00 AM by Mark Russinovich
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Here's Sony's instruction on how to remove the copy protection provided in the context of how to get this run with an iPod:
If you have a PC place the CD into your computer and allow the Sony BMG audio player on the CD to automatically start. If the player software does not automatically start, open your Windows Explorer. Locate and select the drive letter for your CD drive. On the disc you will find either a file named LaunchCD.exe or Autorun.exe. Double-click this file to manually start the player.
TIP: If your CD does not contain either the LaunchCD.exe or
Autorun.exe files, it may not be compatible with this iPod
solution. Please reply to this letter for more information.
Once the Sony BMG player application has been launched and the End User License Agreement has been accepted, you can click the Copy Songs button on the top menu.
Follow the instructions to copy the secure Windows Media Files (WMA) to your PC. Make a note of where you are copying the songs to, you will need to get to these secure Windows Media Files in the next steps.
Once the WMA files are on your PC you can open and listen to the songs with Windows Media Player 9.0 or higher (or another fully compatible player that can playback secure WMA files, such as MusicMatch, RealPlayer, and Winamp). You can then burn the songs to a standard Audio CD. Please note that in order to burn the files, you will need to upgrade to, or already have, Windows Media Player 9 or 10.
11/5/2005 8:39:00 AM by Boycott Sony
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark, since F4I has proven clueless to do this safely I distrust whatever uninstaller they might produce. In addition to what you noted, the following:
http://66.249.93.104/search?q=cache:hDmbqX5yahgJ:www.osronline.com/showThread.cfm
is further proof of their cluelessness.
Could you provide a safe uninstaller for the good of the community?
11/5/2005 8:56:00 AM by Boycott Sony
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
To avoid the multiple unloading problem the Rootkit should always store the original function, the one that the Windows Kernel sets at start up and not the current function.
11/5/2005 9:23:00 AM by Eternal Idol
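The unload hazards discussed in the comments above (the in-flight call race, the load 1, load 2, unload 1, unload 2 sequence, deferring the free, and always restoring the kernel's original entry) can be traced with a small user-space model. This is an added example, not code from the post, from any commenter, or from the XCP driver; the module ids, the policy names and the assumption that a driver can learn the kernel's original entry are all hypothetical.

```c
#include <stdio.h>

#define KERNEL   0   /* owner id of the original kernel routine */
#define NMODULES 3   /* ids 1 and 2 model two copies of a hooking driver */

/* What a driver writes back into the slot when it unhooks (names are hypothetical). */
typedef enum { RESTORE_SAVED, RESTORE_KERNEL_ORIGINAL } policy_t;

typedef struct {
    int entry;             /* module whose code the service-table slot points at */
    int loaded[NMODULES];  /* 1 while that module's code is still in memory */
    int saved[NMODULES];   /* slot value each driver recorded when it hooked */
} sim_t;

static void sim_init(sim_t *s) {
    int i;
    s->entry = KERNEL;
    for (i = 0; i < NMODULES; i++) { s->loaded[i] = 0; s->saved[i] = KERNEL; }
    s->loaded[KERNEL] = 1;           /* the kernel routine never goes away */
}

/* Hook: remember whatever is in the slot right now, then point it at ourselves. */
static void hook_load(sim_t *s, int id) {
    s->saved[id] = s->entry;
    s->entry = id;
    s->loaded[id] = 1;
}

/* Unhook: rewrite the slot without checking who else has hooked it since. */
static void hook_unpatch(sim_t *s, int id, policy_t p) {
    s->entry = (p == RESTORE_SAVED) ? s->saved[id] : KERNEL;
}

/* The driver image is removed from memory. */
static void hook_free(sim_t *s, int id) { s->loaded[id] = 0; }

/* A slot that points at freed code is the bluescreen condition. */
static int entry_dangles(const sim_t *s) { return !s->loaded[s->entry]; }

/* Load driver 1, then driver 2, then unload them in the given order.
   Returns 1 if the slot ever points at code that is no longer loaded. */
int unload_order_dangles(int first, int second, policy_t p) {
    sim_t s;
    int bad = 0;
    sim_init(&s);
    hook_load(&s, 1);
    hook_load(&s, 2);
    hook_unpatch(&s, first, p);  hook_free(&s, first);   bad |= entry_dangles(&s);
    hook_unpatch(&s, second, p); hook_free(&s, second);  bad |= entry_dangles(&s);
    return bad;
}

/* One driver, one thread that has already read the slot when the unload starts.
   defer_free = 0: unpatch and free at once (the "net stop" case).
   defer_free = 1: unpatch now, keep the code resident until callers drain. */
int inflight_call_dangles(int defer_free) {
    sim_t s;
    int target;
    sim_init(&s);
    hook_load(&s, 1);
    target = s.entry;                    /* thread fetched the hooked address */
    hook_unpatch(&s, 1, RESTORE_SAVED);
    if (!defer_free) hook_free(&s, 1);
    return !s.loaded[target];            /* thread now jumps to that address */
}

int main(void) {
    printf("FIFO unload, restore saved entry:     %d\n", unload_order_dangles(1, 2, RESTORE_SAVED));
    printf("LIFO unload, restore saved entry:     %d\n", unload_order_dangles(2, 1, RESTORE_SAVED));
    printf("FIFO unload, restore kernel original: %d\n", unload_order_dangles(1, 2, RESTORE_KERNEL_ORIGINAL));
    printf("in-flight call, immediate free:       %d\n", inflight_call_dangles(0));
    printf("in-flight call, deferred free:        %d\n", inflight_call_dangles(1));
    return 0;
}
```

In the FIFO case with the saved-entry policy, unloading driver 1 also silently removes driver 2's hook before driver 2's unload writes back the stale pointer; the model reports only the dangling-pointer condition.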
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I personally do not want anything on my computer that I don’t know about. Anything that drops anything on my computer that I don’t know about increases my liability given that the average survival time for a PC on the internet is 20 minutes. If someone successfully breached one of my computers, and used aries.sys to block the calls, I won’t know about it, and it no longer becomes my computer, but I am liable for those things on the computer. That is what worries me, what is now on those computers that has been hidden by the handy little tool provided. Personally I don’t want to burn for Sony’s cloaking mechanism, and what happens when the happy little forensics people come along and take a look at a computer at work and find a root kit. Will they think Sony DRM? No, they will think compromise, they will think evil, and someone goes down the tubes for playing a Sony CD on their work computer. That is the core issue, the cost of liability to other people, companies, and the legal system. That is the concept that I think most people are missing, there is a human cost to all this, the forensics bubba’s won’t know, nor will they care, they will report findings. There is a lot more to this than meets the eye, and it would behoove everyone to have this off their systems.
11/5/2005 9:49:00 AM by JASG
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Thomas Hesse president of Sony BMG's Global Digital Business division:
“Most people I think don't even know what a root kit is so why should they care about it”
So you're saying what people don't know about can't come back to bite you in the arse? Hasn't our good friend Mark taught you otherwise over the past week?
When are you going to revise the labels on your slimy CDs?
---------------------------
WARNING: This software stands a good chance of hosing the following operating systems including but most certainly not limited to:
Windows XP Media Center Edition
Windows XP 64bit edition
Windows Vista beta
Other random BSoDs and sudden unexpected features are also possible with our enhanced CD software. Please look for the latest service pack for our wonderful software. Service Pack 2 is available at the time of this writing but we're currently working on so many more new features!
Please ensure autoplay is enabled and absolutely do not use the SHIFT key or you may be liable for the circumvention of a copyprotection mechanism under the DMCA (We paid a lot of money to license this protection and the SHIFT key is such a cheap shot.)
We like to reward our honest customers. Thank you for choosing Sony and we hope you enjoy your enhanced CD audio experience.
---------------------------
Don't forget to check out Steve Gibson's special Security Now podcast covering this mess- (the "Shields Up guy".)
http://www.grc.com/securitynow.htm
11/5/2005 10:13:00 AM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Sony really just does not have a clue. Rootkit technology actually is not intrusive if you believe them.
From Sony's official FAQ:
6. I have heard that the protection software is really malware/spyware. Could this be true?
Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution.
It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.
http://cp.sonybmg.com/xcp/english/faq.html
11/5/2005 10:21:00 AM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
How much more "intrusive to your computer system" can you get than hacking/hooking into the kernel?
I guess it's not intrusive when you compare it to firmware and BIOS updates to your hardware. Is that what they're working on right now?
11/5/2005 10:34:00 AM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Oh no! Now look what's happened to the innocent that PURCHASED the RETAIL CD's!
http://img45.imageshack.us/img45/8397/evilsesamestreetc2yz.jpg
Good people turned evil..Shame on YOU Sony! LMAO
11/5/2005 11:12:00 AM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
It is another security threat that consumers have to download so called SP2 from "updates.xcp-aurora.com" ,
because they don't know what "xcp-aurora.com" is. How can you trust xcp-aurora.com ?
SP2 download should be placed in sonybmg domain.
Spammers can send you an email with disguised header information, which claims you should download SP2 from some unfamiliar URL. What you can download from the URL might be a malware.
Furthermore, the uninstall request form (from which you have to send email address) is not https-protected.
11/5/2005 12:55:00 PM by Kogawa Masaki
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
11/5/2005 1:25:00 PM by JohnDoeStudent
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Posted by Matti Nikki:
If you want a more concrete proof, try to rename your favourite ripping software as $sys$whatever.exe and then run it again. You'll notice that the DRM system can no longer detect it, and thus you'll get good copy of the track you try to rip instead of one filled with noise.
That's just hilarious. I think everyone should simply not worry about removing the rootkit, as this is too difficult, and then just do as Matti says, and use the rootkit to make your favorite ripping tool immune to the DRM. On second thought, is their software breaking the DMCA? It provides a method to bypass copyright protection that they install? Hmm...
11/5/2005 3:52:00 PM by Brad Green
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I think the fun starts at that point, you insert another copyprotected CD Disk of that kind.
After 3 or 4 such disks you need a bigger CPU because of all the "inactive if not in use" (sure) and a couple of new CD Rom drives....
Tolomir
11/5/2005 4:56:00 PM by Tolomir
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Sony's offer to let you download a patch to their "rootkit" really is totally unacceptable. Those CDs are still out there and still virulent.
Years or decades from now (I've got lots of CDs over 10 years old) your grandchild is going to pop one of these carriers of the "Sony Flu" into their new computer running a still-to-come version of Windows and what do you think is going to happen?
Well, Mikko Hypponen of F-Secure found out when he popped it into a machine running Windows Vista that the Sony CD "breaks the operating system spectacularly." Who's going to know how to fix it in 2020? Already most of the "weblinks" on my so-called "Enhanced CDs" (provided by these same recording studios) get "404 Not Found" errors only a year or two after release.
Keeping these still-infectious CDs around on your shelf is like keeping a live hand-grenade as a WW2 souvenir. Just hope your kids don't play with it.
The only acceptable solution would be for Sony to recall every one of these virulent CDs out there and take them out of circulation.
11/5/2005 5:19:00 PM by Jasper Jones
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
We Need a NEW Law that says:
("Any Software or Hardware, that attempts and/or succeeds to hide itself, its files, or parts thereof, from ANY operating system function, process or program, which would otherwise be capable to find it, shall be deemed malicious, by default").
11/5/2005 5:29:00 PM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
With the AntiVirus vendors soon to decide what definition to call Sony's DRM Rootkit as Spyware or Malware.
Will Sony's own Anti-Virus vendor start sending them security updates to stop their own software from operating???
Will this finally make them admit wrongdoings or will they insist the Anti-Virus & Security vendors have got it wrong?
11/5/2005 6:16:00 PM by Stephen
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
OK quick poll
Q. Do you think that They (1st4Internet & Sony) Know how to remove this crud** the understanding is they can do it on a box in a lab but can't build a generic Un-install utility.
1) yes, Of course they know how
2) No, the idiots blew it big time.
3) I don't care I'm using it to cheat while playing WOW.
11/5/2005 6:18:00 PM by Sharpy
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
How can a company claim they had no idea this would cause problems when they knew it would HIDE anything system wide that started with $sys$?
Why could they not have used a table or list inside or outside their program to ONLY cloak their directories, files and registry keys?
Their GREED to protect their own product became their single goal.
It is impossible for me to believe that before this mess if you interviewed the average programmer("making sure you did not tell them it was an International Company installing this") and asked them what COULD be the ramifications of implementing something that could hide anything system wide that starts with $sys$ on a typical PC owners system and would they consider just the installation of such said software, "malicious", the vast majority would say yes, and that the ramifications would only be limited to OTHERS creativity to use this.
So for someone ("Programmers") who have the smarts to create a Root Kit that can hide things attempting to try to convince others that they do NOT know all the uses of "IF THEN ELSE" to hide only their software components, and somehow were forced ("By Operating System Constraints") to implement their Hiding technique System Wide, well they have at least committed "Programming Malpractice" and maybe even earned the titles of "Malicious Programmers".
I think in court, this is as clear as a Doctor walking out of Open Heart Surgery, when all that's left was to close the persons chest, the Dr. knew that's not RIGHT, and these programmers knew this was not right as well.
If and when I go into SURGERY, I don't care what papers I sign, if I am going in for Heart Surgery, I am NOT giving permission to remove a LIMB!
EULA agreements need to be limited in SCOPE, we should NOT think that with the right wording, you lose all legal rights, and that your computer can go into surgery for an Ear Operation, and come out of surgery with a "NOSE JOB!" and nothing can be done about it.
Actually, if ANY case made it to the Supreme Court on EULA this one is the one that should.
Does ANYONE actually think that these methods of "System Wide" were anything but PLANNED?
It seems to me that there may have been thought of implementing NEW features and this is why system wide use was used.
It would be very very interesting to get hold of internal EMAILS and MEMOS to see if any discussions were made about possible liability and choices in making this cloaking system wide.
A good law firm could just request such information to show intent, claiming that they need this information to proceed with their case.
Here is another question:
What if by reviewing the original version, it can be determined that OTHER software could have been installed, on the fly, with no EULA displayed?
Would that construe "Malicious Intent"?
Should Forensic review on the original version stop?
I mean not really trying to be political but....
The CIA agent has been OUTED....do we want to know for what purpose? or do we assume it was all an ACCIDENT?
11/5/2005 6:26:00 PM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
In cruising the internet a couple of obvious points materialized. One, Pandora's box is open. What happens when other vendors take up the rootkit approach to make their product the one and only product to work on your computer? The operating system will be so highly modified, the system will crash without hope of recovery.
Second, over the years I've noticed that certain periodicals: NYTimes, LATimes, and PCMagazine seldom appear to report on bad business practices by computer/music/media companies. They are "full" of articles on the wrongs of piracy but when a media company is caught in the act(Sony rootkit), there is a deafening silence. Where are the truth seeking investigative reporters? These periodicals are reporting a one sided selfserving point of view from industry press releases, not giving us the truth. Kudos on the Washington Post and PC World for reporting this story.
11/5/2005 7:18:00 PM by srynas
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I'm exceptionally worried about Sony BMG's dangerous tactics - but at the same time I'm exceptionally relieved to know that I have someone as knowledgeable as Mark and the SysInternals team to point out these things! Major kudos for your tireless investigative work, you should get a reward for discovering all of this. :D
No-one is above the law, and it's about time the recording industry realises this and realises that they're also culpable for their actions, be they misinformed or not. I hope they get brought down at least a few notches by the repercussions from this fiasco. It's interesting to read Courtney Love's article on the music industry from almost six years ago - nothing much has changed at all in the music industry's attitudes towards piracy, methods of selling their goods, digital rights... All that's changed is that artists are getting smarter and cutting the labels out.
Time for SonyBMG to wake up from their 1980s-style make-money-at-all-costs attitude, I think.
My thoughts on F4I's XCP_support comments... These comments are coming from the same company whose programmer (a Ceri Coburn) once requested help in modifying a component supplied as part of a software Developer's Kit to make it load new drivers into Windows' CDAudio interface to make this rootkit work as it does.
A programmer who's asking for help on an open source programmers' mailing list to code a VERY tricky piece of low-level system driver (one which has very little margin for error)... And SonyBMG is willing to mass-market this potentially lethal bit of code? We've all seen the damage it can do to some installations of Windows. This isn't protecting digital rights, this is corporate arrogance on the highest level.
I've copied CDs before, but I've always BOUGHT a CD or a DVD if I've felt that the artist deserves recompense (as with many other people, there's music that I'll listen to maybe a couple of times but never have any intent of buying, be there a download available or not) - but these kind of actions have given me the impression that it's nothing less than an all-out war on anyone and everyone. This is beginning to sound to me like one of the American Government's 'pre-emptive strikes' (and look at the damage they've done) - there should be laws against over-reaching EULAs and increased onus on corporate responsibility.
I hope that these events will kickstart these changes, set the ball rolling and give the common consumer the ability to make the US Government and Congress review all the last-minute, subtle changes to laws passed through the years with an aim to curbing the far-extending reach that the RIAA, music industry and certain individuals seem to have over US Law (Orrin Hatch seems to be a name which springs to mind immediately).
This almost makes me want to copy my CDs and share them with friends on a matter of principle, hell, if Sony can do what they like to my PC, I can do what I like to music that I've purchased... But oh no, wait, the music industry managed to get the idea of music as "works-for-rent" codified into the US constitution (and therefore it's now pretty much part of the DMCA, which seems like it can be applied worldwide - how did that happen?), so really, I don't actually own the music at all, I'm just renting it.
Hmm.
On the flipside to all of this, it's both nice to see the little man fight back and get somewhere for a change - and great to see that indie media, bloggers and individuals within a particular sphere of interest can effect massive public media interest (and rightly so) when the time requires it - this has also lent further well-deserved credibility to already-respectable figures, and I again applaud Mark for his efforts. Don't stop now, you caught them with their pants down :D
11/5/2005 10:51:00 PM by Christopher
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
In all the furore over Sony BMG, I think that the First4Internet company should be the one that really takes the heat. They are the company that is purporting to be experts and wrote this dren. When will they be held accountable?
11/6/2005 6:02:00 AM by michael
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I just did a quick lookup on google for F4i, and found another of its customers at Preventon. They state, in part (highlights mine):
"
Preventon’s subscription-based platform enables ISPs to increase revenues, loyalty and market share by delivering a ‘highly-sticky’ security service designed for non-expert mass-market users. It has a low Total Cost of Ownership, requiring minimal capital investment and having negligible ongoing support costs. And as a true DRM subscription-based solution, PSID reduces churn by
raising the barrier to consumers switching ISP accounts. If the subscription is ended, the software simply ceases to work.
PSID can be easily re-branded, making Preventon completely transparent to end-users, allowing ISPs to retain full ownership and control over their subscribers. It can be deployed quickly and easily, allowing revenues to be recognised in weeks.
Preventon’s ISP customers, which include Tier-1 European service providers such as Wanadoo and Planet Internet, have a combined subscriber-base of over 40 million. "
Interesting, indeed.
On the original subject, it appears F4i may be in violation of a number of UK rules, regulations and laws. They sell a rootkit for commercial purposes, use misleading names for the 'services' they install and hide their installation. That may very well fall under the Computer Misuse Act.
Pete
11/6/2005 8:55:00 AM by PeteS
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
11/6/2005 9:17:00 AM by Noah
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
It's an unbelievable story and a big downfall for Sony and its credibility in safety and customer satisfaction. We keep track of your developments on this site in our Dutch Magazine Morpurgo.nl.
11/6/2005 9:21:00 AM by Morpurgo.nl
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
As an IT Manager, I have just set a new policy banning Sony/BMG music CD's from being played on company computers. I see this as a corporate security issue. Here is the content of the email:
I know some of you listen to music CD's on your computer, however, due to Sony/BMG's attempt to protect their copyrights they have instead created a major security risk on your computer. If you install the copyright protection software found on some of the newer copy protected CD's made by Sony/BMG the software is actually a "root kit" which is very much like the technique being used by virus writers to hide and cloak their viruses from the computer system and virus software.
The net result is that Sony has created a pretty major problem and I am sure you will start hearing about it in the news - the class action group should be looking into this. Some news channels are not breaking the news as they have financial ties to Sony/BMG ( ie CNN ). I think over the coming days you will start to hear about it as it seems pretty serious to me. The software has many flaws and in fact from what I have read on the net so far it has been determined that the method it uses to protect the files can in fact be used against itself to allow you to actually copy the music in full 100% digital quality.
Effective immediately - no one is to insert a Sony/BMG branded CD into their computers at work especially if it is known to indicate anywhere on the CD that it has copy protection technology.
I suggest you be careful on any home machines as well until Sony comes up with an uninstall routine ( they have a patch available but apparently it has issues too )
1. If you insert a Sony/BMG recording and it pops up a license agreement - DO NOT ACCEPT the agreement and DO NOT INSTALL the software. Stick to listening to it on your normal CD player and not on your computer.
2. If you recall seeing a license agreement when inserting a music CD on your work computer please contact me. I want to test to see if it is the Sony rootkit. If so there is no way to remove it and your computer will have to be re-installed. ( until someone or Sony comes up with a way to remove it properly )
11/6/2005 9:22:00 AM by Scott
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
This is why I do not ever buy music CDs! At least if I download the MP3s and burn my own CD, I know what's on the CD and don't have to mess with crap like this! Good job Sony:
1.) Load gun
2.) Aim at foot
3.) Pull trigger
4.) Complain about pain and blood loss.
11/6/2005 9:52:00 AM by Geminus
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Sign the petition here.
11/6/2005 10:17:00 AM by Gnomalarta
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
For the casual user who hasn't a clue about how to 'fix' their computer, does anyone know if there is a list of the offending cd's ??
11/6/2005 10:42:00 AM by Mary Lou
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
The computer industry cries about all the costs of malicious code, viruses and spyware, and does very little about all the poorly written, irresponsible software vendors.
This though is indeed criminal, though Sony likely never imagined it as such, if they do not get off their irresponsible duffs NOW AND I MEAN RIGHT NOW, they are criminally responsible for this crap!
And I do mean more than lamo apologies, it is well past time for the man TO STAND UP AND BE A REAL MAN, instead of a stinking lying coward!
11/6/2005 11:29:00 AM by Barry
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mary Lou, Here is a Google Search list for CD's with this software on them:
http://www.google.com/search?q=sony+site:amazon.com+intitle:%22%5BCONTENT/COPY-PROTECTED+CD%5D%22&num=100
11/6/2005 11:30:00 AM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
OOPS! It appears I was wrong about being able to hide the ripping software with $sys$ prefix! However, during my first test it DID work, so something's going on. Looks like I'll have to disassemble the damn thing to be sure.
11/6/2005 11:36:00 AM by Matti Nikki
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Here's a list of Sony BMG record label sites, I don't expect it to be complete :) I'm sorry that it's just a cut and paste job.
From http://www.sonymusic.com/labels/index.html and http://www.sonybmg.com/ :
http://www.arista.com/
http://www.bluebirdjazz.com/index.jsp
http://www.bmgclassics.com/
http://www.bmgheritage.com/
http://www.bnarecords.com/
http://www.columbiarecords.com/
http://www.epicrecords.com/
http://www.j-records.com/
http://www.laface.com/
http://www.legacyrecordings.com/
http://rcarecords.com/
http://www.rcavictor.com/index.jsp
http://www.sonyclassical.com/
http://www.sonynashville.com/
http://www.sonywonder.com/
http://www.soso-def.com/
http://www.verityrecords.com/
http://www.windham.com/index.jsp
11/6/2005 12:00:00 PM by Gnomalarta
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Bravo, Mark, but will you by another audio cd again? Even if it will be not Sony labeled (god knows what the protection could be there)?
11/6/2005 12:04:00 PM by mv011
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
by
*buy of course
11/6/2005 12:05:00 PM by mv011
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
To: Matti Nikki
I hope you're testing in a vm. As Mark said - safe mode will not help you.
---
Can anyone verify that the s/w uses components of LAME?
The open source community might be more than a little upset if it does. LAME is LGPL software.
--
Does anyone know if Service Pack 2 of XCP removes the filter driver?
--
Can anyone take and host a digital pic of aries.sys causing bluescreens?
I wonder what XCP will say in response to an unbootable PC.
--
Yet more PCs have been disabled as a result of malware. I wonder if this was the early work of F4I:
Brown Sugar [Copy Protected CD] [CONTENT/COPY-PROTECTED CD] [CONTENT/COPY-PROTECTED CD]
Various Artists
Copy protection VERY problematic, May 27, 2003
Reviewer: Joanne "Reader" (NY USA) - See all my reviews
I knew I wouldn't be able to copy selected songs to my PDA for my own private use when I purchased this CD so I have no complaints about that aspect of the copy-protection. I didn't expect to have a hard time playing it on a computer, however. The 'player' that's supposed to launch when you insert the CD into your drive is adequate *when* it plays. It took awhile to get the player and CD to do their thing the first time but it did eventually play. I had to restart my computer in order to use my standard player for other CDs and no CD is worth that much trouble. When I tried a second time the CD just plain wasn't recognized so I tried it on another computer and that CD drive completely disappeared from 'My Computer', the CD never loaded and now I'm wondering what kind of re-configuring I have to do there. And, guess what - it also proves occasionally problematic on my new CD player which supports mp3s. I'm not a computer newbie and it's not a matter of my not understanding. This is way beyond a minor inconvenience.
The copy protection has so soured me on this soundtrack I kinda loathe it and shy away from attempting to play it. From what I've heard, it's pretty good, maybe worth a 3.
source url:
http://www.amazon.com/exec/obidos/tg/detail/-/B00006JKCG/qid=1131294192/sr=1-1/ref=sr_1_1/103-1243566-0680626?v=glance&s=music
11/6/2005 12:12:00 PM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
BUYERS BEWARE of ALL Sony CDs from old releases to the recent releases!!
@ Mary Lou & ZOverLord...
Check this out- on this particular CD called "Live In Tokyo" by G3 LABEL: SONY, released Audio CD (October 25, 2005)
The CD information does NOT have the "[CONTENT /COPY-PROTECTED CD]" blip on Amazon's web site!
http://www.amazon.com/exec/obidos/tg/detail/-/B000B5QWM4/ref=pd_rhf_p_1/103-7296677-5315821?v=glance&s=music&no=*
There is even a review there dated as far back as OCT. 27th - long before this all came out with this recent news.
And on Mark's previous blog someone wrote this problem regarding this same CD:
"Has anyone had the problem of this type of CD breaking their iTunes? After I went through the process with the new G3 Live in Tokyo album my iTunes will not acknowledge any new cd that I put in, if i put in a cd i have already ripped it sees it fine and I can play it. I even installed the supposed fix by Sony and it is still having the same problem. Has anyone else experienced this?
posted by Sam R : 10:35 PM, November 03, 2005"
11/6/2005 12:25:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
One item to note, there seem to be two flavors of DRM used by Sony/BMG. I have followed these threads after getting hit by the DRM on David Gray's "Life in Slow Motion". This is a MediaMAX copy protection that did not present a EULA when I first played the CD. In fact, it just played in iTunes right off. It may be that having iTunes running first, playing other discs, and then inserting the offending disc put up a dialog behind the iTunes window and I didn't see it. Next day, however, I inserted the CD prior to opening iTunes and saw a dialog go by "Updating DLLs" with a thermometer bar as it wrote a bunch of files to my HD. Upon playing in iTunes, of course it's now garbled and MediaMAX throws up a dialog stating that the "Digital Rights database failed to initialize. Contact technical support." Of course there is no TS link provided anywhere. Off to search for what is [not] happening and I find this page: http://www.cs.princeton.edu/~jhalderm/cd3/ which references a file: sbcphid.sys in %systemroot%\system32\drivers\
I locate the file and renamed it, rebooted and the CD plays. Then off to learn more and eradicate this junk without falling for the "use our new uninstaller" scam. This comes under the heading: "Fool me once, shame on you. Fool me twice, shame on me."
Part of getting rid of the crap was doing a system restore, as the registry keys were protected. Have not found aries.sys on this system. Only sbcphid.sys and related keys, so I am unsure if it is all REALLY gone but I am continuing to research.
11/6/2005 12:52:00 PM by B.E.Johnson
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
@ Geek27 That "Brown Sugar" CD found on the Amazon link with that review you posted just bugged me as the record LABEL is MCA and this CD was released in Sept. 2002 – the reviewer wrote that in MAY 2003 (link: http://www.amazon.com/exec/obidos/tg/detail/-/B00006JKCG/qid=1131294192/sr=1-1/ref=sr_1_1/103-1243566-0680626?v=glance&s=music )
As I dug a bit deeper, I found this bit: "In 1995, Seagram Company Ltd. acquired 80% of MCA INC. and the following year the new owners dropped the MCA name; the company became Universal Studios, Inc. and its music division, MCA Music Entertainment Group, was renamed Universal Music Group." (link: http://en.wikipedia.org/wiki/MCA_Records )
And in connecting the dots, First4Internet was founded in 1999, and their clients include not only Sony but First4Internet's other clients - include Universal Music Group, Warner Music Group and EMI - using the technology. (link: http://www.whatsthedownload.com/music_news/archive58/index.aspx )
So I guess not only should we be concerned with SONY Labels and all its other record labels as posted by Gnomalarta earlier here, but ANY company and their record labels of various names that has ANY involvement with First4Internet!
11/6/2005 2:51:00 PM by CindyRilla
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I have added some blog entries that may be of interest. First legal issues:
Sony DRM rootkit code (#19) EULA
Sony DRM rootkit code (#11) Letter to CO AG
Sony DRM rootkit code (#6) Trespass to Chattels
Sony DRM rootkit code (#5) Msc Causes of Action
Sony DRM rootkit code (#4)
Sony DRM rootkit code (#3) Cyberia-l suggestions
Sony DRM rootkit code (#2) Class Action
Some more links - though probably nothing that hasn't shown up here:
Sony DRM rootkit code (#18) Hacking
Sony DRM rootkit code (#17) Blacklist
Sony DRM rootkit code (#16) System Call Hooking
Sony DRM rootkit code (#15) Sony FAQ
Sony DRM rootkit code (#14) 64 bit Windows
Sony DRM rootkit code (#13)
Sony DRM rootkit code (#12) more links
Sony DRM rootkit code (#10) Security
Sony DRM rootkit code (#9) System Call Hooking
Sony DRM rootkit code (#7) MSNBC Article
Sony DRM rootkit code (#1) Original Article
11/6/2005 3:25:00 PM by Bruce Hayden
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Another victim of DRM:
http://www.amazon.com/exec/obidos/tg/detail/-/B00006JKCG/qid=1131294192/sr=1-1/ref=sr_1_1/103-1243566-0680626?v=glance&s=music
Brown Sugar [Copy Protected CD] [CONTENT/COPY-PROTECTED CD] [CONTENT/COPY-PROTECTED CD]
The CD broke My Computer!!, October 23, 2002
Reviewer: A music fan
I'm guessing it's the "Copy Protected CD" part but when I put the CD into my computer at work (where is the only place I ever listen to CDs) the CD locked up the computer and I had to take the computer in for repair to fix it. I couldn't even start the computer! But since the so called CD had a warning on it, it was my fault the computer broke :( I will now NEVER buy a CD that is copy protected unless it could guarantee that it will act as a real CD and not break my computer. I hope other people don't make the same mistake as I did...
(that's too bad because from the reviews it sounds like a good cd :(
11/6/2005 4:03:00 PM by geek27
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Anyone tested what happens if a computer infected with Sony's rootkit visits a malicious website and downloads $sys$myvirus.exe or some such...
Will the virus scanners be able to deal with it?
11/6/2005 5:32:00 PM by melgish
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
SONY: THE LARGEST ROOTKIT DISTRIBUTOR
11/6/2005 8:52:00 PM by nmaf
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
First off - I didn't get hit by this, my taste in music is sufficiently outre that none of the main stream labels carry anything I like.
However - Sony and F4I may have done us a huge favour by doing what they did, in the way they did it. Computers and their operating systems are a hobby of mine, and I've been playing with them since I got a Timex Sinclair for Christmas one year. It doesn't seem to matter what system I've had, or what operating system, some idiot always tries something stupid, which can muck up the system, and is dangerous if not fatal to a non-technical user.
Well, Sony and F4I have definitely done something stupid which can be dangerous if not fatal to a non-technical user. And of course they will decline all responsibility for the problems created.
Now what they did MAY have been legal in North America. However it may not be much longer. I can see a smart politician latching onto this issue like an octopus, and pushing through a law making this sort of thing illegal.
Which in my personal opinion it should be. In most cases the EULA is there to protect the vendor against their own culpability, not to protect the customer.
11/6/2005 9:40:00 PM by Urban Terrorist
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Dear master,
my name is Katina.
I have a birthday today.
Here in small Bulgaria it's November 7-th.
I want to say THANK YOU :] You are GREAT
I was reading an article on a local site and it led me to the Sony case.
Your detailed investigation written so reader-friendly, full of information and links appeared to be a wonderful present for my 22-nd birthday. You revealed a whole Universe to me and made me happy to know there are many people like you, though I know not the same as everyone is unique :] I myself am a Linux user but I am sure that case concerns me as many Bulgarians run Windows workstations. Many of them had never heard about ROOTKITS and their misuse.
Thank you once again, master :]
Best regards
K.
11/6/2005 10:51:00 PM by Gatta Negra
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Just Wondered if others thought these same thoughts?
I am sure as some have already stated, that this Sony Mess, is not considered a "Big Deal" but are we forgetting the possible Fallout from this?
It could go 2 ways:
No Legal Action Or Change Of Laws Because Of This:
1. Others can and will use similar techniques and claim they were protecting their software and not just for Media related software, but for everything!
2. Many folks in these forums, who already are kind enough to volunteer their time to help others will be swamped with very complicated removal instructions.
3. When more than one of these type protection mechanisms is installed on a system, it will be a house of cards to determine, which one to un-install first. There will be NO right way, it will be based on the order the malware was installed, as well as how many of these you are infected with.
4. More systems than ever before will become infected with malware because the mechanism used is now provided by companies providing commercial software which have much more access to the general public and in many different forms than the current malware producers, including hackers.
5. Most people might not even be able to pre-scan the software prior to being installed because it may be compressed or encrypted in such a way that you cannot see what it will look like until fully installed. This would mean you would need to take the chance to install it, and check later.
6. Exploits of holes in these protection methods will allow non-seasoned hackers to take advantage of such said holes with no liability as well. Since in some cases what they did might not have been possible without the commercial companies software.
Legal Action Or Change Of Laws Because Of This:
1. Finally, some sanity comes to the rights of ownership of computer systems, and the ability of International Companies to Join the malware industry will be at least hindered, if not stopped.
Very Dangerous Precedent Exists NOW!
It matters very little if this was oversight, malice or accidental.
We are setting a very dangerous precedent for other companies, and/or individuals who create software.
This actually could be the most important precedent set since the personal computer was created if we are going to allow ANY entity to continue to do this in the future.
We will have almost removed the purpose of EULA and in fact created the "Act Of Downloading" ANYTHING removes the liability of the creator(s) of the software downloaded itself.
I hope people don't think I am going over-board here, because I think after all is said and done, there are many companies that are waiting in the wings to see how this is resolved, and that this moment based on how it all goes down, could be the turning-point of what rights the computer owner has, once they have accepted ANY download.
There are many more possible BAD things that could come out of this, I just tried to think of some major ones.
Comments, Please?
11/7/2005 12:07:00 AM by ZOverLord
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
One major fallout I see from this STUPID move by Sony would happen if some court determines that Sony's software is legitimate DRM. Then any company that makes software that fixes the problems caused by this rootkit exploit could be in violation of DRM laws and face serious consequences. For example, Microsoft could not legally create a patch that prevents this type of behavior as a security update.
11/7/2005 2:16:00 AM by Tuckers
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I *never* install any software that comes with *any* CD, DVD, or other media. If it's required to use the product on my PC, I just won't do it. (Not to mention that I refuse to buy DRM-protected music.)
Anyone who does install the supplied software is asking to be messed with, spied upon, and otherwise inconvenienced as the installed software will invariably misbehave. The 'secret' to keeping a Windows system functioning smoothly is to resist installing everything that is thrown at you.
This Sony junk is just the latest skirmish in an ongoing war. Act accordingly.
11/7/2005 2:41:00 AM by Inactivist
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Hi
Why do I never manage to delete the Program Files\xerox\nwwia directory?
Can it be another rootkit?
11/7/2005 4:47:00 AM by obo
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Quick note
Sony has a rather large share in Napster, the online music supplier.
Could a Napster user run Mark's RKR?
11/7/2005 5:00:00 AM by Sharpy
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
So far as I can tell, this falls under the UK "Computer Misuse Act, 1990".
If it does, then as soon as the rootkit is executed on a PC in the UK this would make Sony guilty of a criminal offence.
11/7/2005 5:02:00 AM by bugmenot
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
This kind of shit makes me so angry. I'm no kind of 'computer genius' and I only discovered this today, (ironically through a lyric search from one of my favourite Sony artists!) but this really makes me feel helpless. It was a really big achievement when I fixed iTunes' latest update. How on earth is anyone not computer gifted supposed to fix this??
11/7/2005 5:34:00 AM by Jessica
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Sony is now Criminal
We now have: Hidden software, rootkits and call-home activity, difficult removal, and possible system damage (not to mention security implications). This all comes without proper user notification. Sony is now officially installing Spyware by just about any legal or colloquial definition I can think of.
Class action suit anyone?
Criminal Prosecution?
11/7/2005 5:54:00 AM by Stephdn Samuel
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
This is the security alert I just posted to my Political Party's mailing list. This will catch the attentions of many high profile politicians, technical professionals and consumers.
***************
Those who have read my previous email will know that over the past week it has become known that SonyBMG (the big music record label) has been discovered to have been shipping their new music CDs with embedded software (known as DRM) to prevent the copying of their music. This in itself goes against fair use laws here in the UK, but a matter of much higher importance is the method in which this software was written and installed as well as the huge security implications for computers that have been used to play these CDs.
On October 31st, Mark Russinovich from SysInternals & Winternals (technical websites), reported the issue in his blog on http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
It was discovered that the software installs itself on the user's computer when they first install the player that comes with the CD to prevent unauthorised copying of the music. The problem is, the End User License Agreement (EULA) makes no mention of the nature of this software. It does not inform the consumer that the software will make alterations to Windows at the core level, intercepting internal system calls and rerouting them through its own device driver. Neither does it inform the consumer that this software will be hidden, not just from the consumer but also from the operating system itself. Furthermore, the software was so poorly written that any 3rd party who wants to write a virus, trojan, spyware or malware (all malicious computer programs) would simply need to make the name of their files start with the prefix $sys$ in order to also be hidden on any machine that has the Sony software installed. By doing this, all the malicious software would also be cloaked under the Sony software making antivirus applications unable to find or remove it, hiding it from system administrators and owners of computers and making it impossible to remove requiring the system to be reinstalled.
Again, due to how badly written the Sony DRM software is, it cannot be uninstalled without causing problems that may cause the computer to stop working (requiring a reinstallation of all the software).
Sony and First 4 Internet (the UK company that wrote the software) have released a patch to force the software to show itself (uncloak it) however, this causes further problems that may render your computer useless see the following link:
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
Other problems with the patch are that it is only available online, so people who do not have internet access are still open to security threats from virus infected compact disks or other media. Furthermore, most people who have bought music cds with this software embedded are unlikely to know about the issue as many of them will not be readers of technology articles on the internet, so whereas the patch is available, many systems will remain compromised.
A full recall of all SonyBMG music CDs currently on sale in the UK is required to prevent potentially millions of people being left wide open to attacks of identity theft and internet fraud. As long as SonyBMG cds remain on the shelves, they are posing a high risk.
Both Sony and First 4 Internet have repeatedly changed the End User License Agreement and the Frequently Asked Questions sections of their websites over the past week in order to try and cover themselves. They have also made several public announcements that the software is not a security risk, which is untrue as it can be abused by 3rd party malicious software as outlined above. Both companies are attempting to hide behind a EULA that they know 99% of consumers will just click through without reading, but even so, the EULA makes no mention of this particular software nor its faults. This is a violation of the Sale of Goods and Services Act (amended) by failing to provide the consumer with an accurate representation of the product or any faults with the product, so in essence, due to the fact that the EULA breaks the law, it is in fact Null and Void, leaving the vendors (Sony and First 4 Internet) criminally liable under the Computer Misuse Act.
Furthermore, neither Sony nor First 4 Internet have been able to provide a program to uninstall this software and the patch they do provide simply uncloaks the software and UPDATES the DRM software, this patch can also cause the computer to crash. The software also makes connections to Sony servers in the US and sends information such as the CD that is being played, the Internet Protocol address (the address used to locate someone on the internet) of the consumer, the time the CD was being played, the date, the operating system of the computer and much more. This privacy violation is also not mentioned in the EULA.
My advice to ALL people who are responsible for any computer, would be to check if this "rootkit" is installed on the systems you are responsible for. This can be done by right clicking on your desktop, selecting New from the menu, selecting Folder from the submenu and naming the folder $sys$test
If the folder disappears, your system is compromised with the Sony DRM software and you would be advised to seek the assistance of a professional Microsoft Windows technician. I would NOT advise anyone to install the Patch offered by Sony due to the fact that it could cause your computer to crash.
Furthermore, all system/network administrators responsible for the network inside any organisation should put new policy into play that prevents anyone from listening to music cds on their computer due to the fact that should they have this software embedded it would render the network wide open to malicious security threats and could possibly place the company in violation of the Data Protection Act.
It is everyone's responsibility to inform their friends, families and colleagues about this issue. In an age when computer/internet fraud and identity theft are at a high, everyone needs to know about risks such as this in order to protect themselves and their families from such security issues. However, this goes beyond just personal security, if this software is compromised by 3rd party malicious software on a company network, passwords used for access to company systems and databases could be recorded, leaving your company intellectual property assets and other such data, at risk.
I have worked in IT for 14 years and currently work as a consultant for a very large software developer that specialises in enterprise solutions for some of the biggest companies in the world. I would not report this issue to this audience if I did not think it was a significant threat to society as a whole. This software is reported to be on 20 different titles from Sony amounting to millions of CDs on the shelves. Furthermore, First 4 Internet has publicly boasted that this software has been sold to other recording industry members for use on their CDs, which leaves the potential for 10s of millions of disks on the shelves with this security threat.
It is my belief that in light of the seriousness of this issue, ALL music CDs currently on the shelves of UK retailers which contain DRM software (copy protection software) should be recalled until such time as a full investigation has been carried out of ALL titles to ensure they do not contain software that compromises the security of our population. Once a CD has been shown not to be a risk, it should then be permitted to be sold. Furthermore, all CDs that come with copy protection software embedded in the future should be cleared by security specialists prior to release.
Finally, we need to take a serious look at the use of End License User Agreements as contracts. It is a well known fact that most of these contracts are never read and are agreed to blindly, and whereas I understand that is a problem which needs addressing with the consumers, it should not give the right for corporations to abuse this situation to install software which most users would never agree to if they were aware of the potential effects.
For any more information, please contact me on my private email address.
Alexander Hanff
*************
11/7/2005 6:08:00 AM by Alexander Hanff
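The folder test described in the comment above, written as a script; this is an added example, not part of the original comment or of any Sony or Sysinternals tool. It also creates an ordinary control folder so that a failed or filtered listing is not mistaken for cloaking; the folder names and verdict strings are illustrative assumptions.

```python
import os
import tempfile
import uuid

CLOAK_PREFIX = "$sys$"  # prefix the comment above says gets hidden


def classify(probe_listed, control_listed, probe_reachable):
    """Turn the three observations into a verdict string (names are hypothetical)."""
    if not control_listed:
        # Even an ordinary new folder is missing from the listing, so the
        # listing cannot be used as evidence either way.
        return "inconclusive"
    if probe_listed:
        return "visible"
    # The probe was created and the control shows up, but the probe does not.
    # If it still opens by its full path, something filters the enumeration.
    return "cloaked" if probe_reachable else "removed"


def probe_cloaking(parent=None):
    """Create a $sys$-prefixed folder plus a control folder and compare two
    views of them: directory enumeration versus direct access by path."""
    parent = parent or tempfile.gettempdir()
    tag = uuid.uuid4().hex[:8]           # random suffix avoids name clashes
    probe = CLOAK_PREFIX + "test_" + tag
    control = "ctrl_test_" + tag
    created = []
    try:
        for name in (probe, control):
            os.mkdir(os.path.join(parent, name))
            created.append(name)
        listing = set(os.listdir(parent))
        obs = {
            "probe_listed": probe in listing,
            "control_listed": control in listing,
            "probe_reachable": os.path.isdir(os.path.join(parent, probe)),
        }
    finally:
        # Always clean up both folders, even if the listing step failed.
        for name in created:
            try:
                os.rmdir(os.path.join(parent, name))
            except OSError:
                pass
    obs["verdict"] = classify(**obs)
    return obs


if __name__ == "__main__":
    result = probe_cloaking()
    print(result)
    if result["verdict"] == "cloaked":
        print("A folder starting with", CLOAK_PREFIX, "was hidden from listings.")
```

A "visible" verdict only shows that this prefix is not being filtered in the tested directory at the moment of the check.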
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Ugh.
I'm going to write something up about this, as I know that several staff members at the school that I both go to and work for use their personal laptops for music.
Also, I'm going to write an article for the school paper, which will reach about 100 students, their parents, and the administrators of the school districts that my school services (about 40 districts).
11/7/2005 6:17:00 AM by bhtooefr
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark, I want your babies. Thanks for lookin' out.
11/7/2005 8:20:00 AM by Moof
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
If you have one of these CDs take it back and complain to the shop where you bought it. Kick up a fuss about how it broke your PC, make your complaint loud loud loud and show up the shop at a busy time.
Persuade shops that selling this stuff causes aggro and maybe they will start to refuse to stock DRM infected CDs, point out that these CDs are not proper Audio CDs (as Philips Electronics has said) and claim that they deceived you into buying something that is NOT a "proper" CD by putting it in with normal audio CDs.
For once wal*mart may come in handy, if enough people kick up a stink to wal*mart they might bring their mighty purchasing power and influence to bear on companies like SONY and refuse to stock DRM CDs
I can dream can't I, who knows, it might work.
11/7/2005 9:14:00 AM by fluffytears
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Also...
Take a look at what I did:
Sony is evil!
(Click the "Sony" link to read about it. The "evil" one points to Sony's site.)
11/7/2005 9:51:00 AM by bhtooefr
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark - nice work! If you enjoyed that, how about doing something similar for StarForce? It's a PC copy-protection technology used by UbiSoft and other game producers. Starforce installs itself as a Windows driver and can interfere with normal disc operations. It's not a rootkit, but the intention and the bad side-effects are similar.
11/7/2005 9:53:00 AM by Jeff
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark -
You said "....but is not mentioned in the EULA, is ***refuted*** by Sony, and is not configurable in any way..."
I think you meant it is ***denied*** by Sony.
Cheers
Martin A
11/7/2005 10:27:00 AM by Martin A
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Just mentioning, but the fact that they use $sys$ as a prefix, as opposed to say $sony$ or some other prefix, kinda hints at the 'malicious intent' to me.
I mean, simply put, they're trying to misdirect users about what files on their computer do. Even if a layperson *found* them magically, they'd be likely to assume they belonged. I know I've often had to convince someone that just because WIN, SYS, or something similar was in a filename, it was safe to remove it because the malware author just named it that to scare you.
11/7/2005 10:30:00 AM by Paul_The_Nerd
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Methinks the masses (that's us, folks!) miss the entire point. Sony's DRM is just symptomatic of a shift in business. The shift is driven primarily by the USA, as national policy. Here's what I perceive.
The USA is no longer able to manufacture much of anything at a reasonable cost. Manufacturing labor costs in the USA are just too high, especially when compared to third world countries and even countries that have pulled themselves up from the bottom levels (Mexico comes to mind).
So, where is the revenue for business in the USA gonna come from? Intellectual Property (IP). Just have a look at what's happening in the area of patent and copyright law: Copyrights are now extended effectively to perpetuity; software is not patentable in the USA, along with the concept of "business practices"; the USA is pushing the EC to adopt US style copyright and patent law.
The trend is unmistakeable. The USA is out of the manufacturing business and is now into the IP business. This means that the law of the land will become whatever it has to become to protect the IP of its owners. IP law will exempt any business from civil suit, no matter how much damage it does, if it is acting to protect its IP. So, give up on the idea of getting the law on "your" side. That avenue is already rigged.
What is the solution? I have no idea. It is the wave of the future.
I have never bought a CD or DVD. My music collection was complete with the last vinyl I bought oh so many years ago. Yes, I've ripped it all and listen to it on my computer and my stereo. I do not share music and don't partake of others' shared music.
11/7/2005 11:06:00 AM by Loren Bluebear
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Has anyone that filled out the uninstall request forms heard back from Sony yet? If so, how did they instruct you to uninstall it and is it safe? I'm still waiting for them to get back to me.
11/7/2005 11:07:00 AM by Hendrix95
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Way to go Mark. You've done us all a great service, and there's no way they can argue with any of your technical findings. Hats off to you!
11/7/2005 11:35:00 AM by sahir
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Lest we forget, those in UK tend to have dialup (if they're online at all). So, not only do you have to know to go to a third party website to download something that could crap your machine up even more for you, you also have to pay for an extra 8mins of phone call just to download it.
11/7/2005 1:10:00 PM by Mr Bester
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Thanks for taking the time to share your findings with the rest of the world. I definitely appreciate it!
11/7/2005 2:04:00 PM by calebb
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
F4I wrote a lousy piece of software, and should take the brunt of this.
Sony is just trying to protect its copyrighted works, but should have done its Due Diligence and discovered that they should have used someone else's DRM software. Though, in the US, DRM may be considered illegal by itself, as it restricts Fair Use as allowed under copyright law.
Microsoft should be the biggest target here, though. Why would they still sell an operating system that allows another piece of software to install itself and take over core functions without some kind of warning? Don't get me wrong, I like Windows more than Linux (yes, I've used both) but I don't like that Windows is so vulnerable. At least you can't update a Linux kernel without realizing it. Hmph!
11/7/2005 2:11:00 PM by Blog Reader
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark
First great job. I got here by reading the Inquirer, and I am learning lots, Thanks.
I have a question or task actually.
A friend lent me (I returned the CD already) one of those CDs with protection, "A tribute to Luther Vandross". I noticed right away the legend and logo for copy protected CD.
I tried to play it anyway and "something" got installed. I believe the Windows Media Player got updated, although I am not sure; it could have been installed by the LAN Manager and I did not notice.
I must say I DID NOT accept the EULA, I did not install anything on purpose. I DID NOT click the NOT ACCEPT either because that causes the CD tray to open.
I tried to use some common CD players (i.e. Winamp) and it did not work; the songs were playing in segments, jumping to another song every 60-90 seconds.
Since the CD is actually compatible with Red Book specs (it plays well in the standalone players I have), they are installing something to stop the CD from playing in a computer, regardless of whether the user accepts the EULA or not.
Which is another broken law right there.
Mark: If you have the time, could you tell us what they are installing (before you accept the EULA) and leaving behind in your PC even though you did not accept the EULA?
Thanks
11/7/2005 3:10:00 PM by notavailable
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
When I connect my laptop to the internet through my mobile phone, it costs me about $8 per megabyte. In my view, any app that connects to the internet without my permission is simply stealing from me.
11/7/2005 3:18:00 PM by Confused Vorlon
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
If Sony can do what it wants to my computer, can I do what I want to their computers?
11/7/2005 8:55:00 PM by SonyKiller
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark, Great job! You've done us all a huge favor.
I think what we're all missing here is the Artists side of things. We the fans of music simply want to listen to great music. The Artists simply want to create great music that is listened to and appreciated by their fans. Fans and Artists all want the same thing. We should all be on the same side here.
We're not. Right now, the studios are holding up the musicians as "shields" in this fight. They keep citing the poor starving musicians and how they need to buy shoes for their kids all that kind of shit.
What we fans need to do is totally boycott DRM cds. And then tell the Artists what we have done and why. We need to explain to them that we really want to legally purchase their cd but we can't morally support the DRM issues that the Labels have forced upon us all. We need to explain ourselves to the Artists and ask for their support. We need to assure the Artists that our problem is not with them but with the Labels and DRM foisted upon us.
11/7/2005 9:46:00 PM by twmcneil
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
"Microsoft should be the biggest target here, though. Why would they still sell an operating system that allows another piece of software to install itself and take over core functions without some kind of warning? Don't get me wrong, I like Windows more than Linux (yes, I've used both) but I don't like that Windows is so vulnerable. At least you can't update a Linux kernel without realizing it. Hmph!"
You're wrong here and in fact Linux has had more critical security patches than Windows in the past 18 months; go google it.
The problem isn't necessarily with Windows allowing you to run code on your system that can modify the kernel. The problem is with YOU running as an Admin and getting cheated by a company you thought you could respect. It's the same thing as getting ripped off by your babysitter. There has to be trust somewhere.
If you were really a security conscious person you wouldn't be running as an admin. You should run under a reduced privileged account to play your music. Driver installation fails if you don't have the privileges to install new software under Windows mind you. You just don't use the option.
Instead of blaming MS try learning how to use your computer and learn its features. This whole thing could have been avoided by the security conscious. Maybe people will start configuring their systems better.
11/7/2005 9:50:00 PM by LithVXD
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
11/7/2005 9:52:00 PM by LithVXD
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
TWO CLASS ACTION LAWSUITS HAVE BEEN FILED AGAINST SONY BMG MUSIC ENTERTAINMENT
The first, filed in state court in California, alleges:
1. Violations of the Consumer Legal Remedies Act (Cal Civil Code Section 1750 et seq.);
2. Violations of the Consumer Protection against Computer Spyware Act (Business and Professions Code Section 22947-22947.6); and
3. Violations of the California Unfair Competition law (Business and Professions Code section 17200 et seq.)
The second, filed in the Southern District of New York, alleges:
1. Computer fraud under 18 USC 1030;
2. Deceptive Business Practices under New York Law (Sections 349/350 of the GBL); and
3. Common law fraud.
For information on how to join in these Class Action lawsuits: Consumerlaw1@earthlink.net
11/7/2005 10:34:00 PM by Consumerlaw1
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
LithVXD : "You're wrong here and in fact Linux has had more critical security patches than Windows in the past 18 months; go google it."
Which just shows that the Linux community tries to fix the security flaws, whilst another OS manufacturer ... Agreed, if they tried to fix them, they would solve all unemployment issues worldwide.
You better all switch to Linux, that would keep Sony out of your systems. But I wonder if I would be able to listen to those CDs.
11/8/2005 1:14:00 AM by ghp
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I just found out that Computer Associates (CA) classifies Sony's Rootkit as Spyware:
http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76345
11/8/2005 2:05:00 AM by Feynor
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Reading about the XCP.Sony.Rootkit on the CA site, they state in the "Reasons For Retention" segment:
"Silently modifies other programs' information or website content as displayed."
What is THAT all about?
Is this a new aspect of the rootkit this blog hasn't been told about or figured out yet?
11/8/2005 2:33:00 AM by Feynor
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
I don't buy CDs. When I can order 100 DVDs (4GB) for around £20 but still am expected to pay £5-15 for new albums which only use 650MB CDs I'm not going to make a fool of myself by throwing away money. Notice that price for 100 DVDs also includes distribution. Then there's the fact that Sony doesn't use compression, not even lossless. Isn't it amusing how much of an effort Sony will go to to make sure people can't rip them off, but how reluctant it is to deliver value for money. Secondly, why should we be forced to pay for fancy boxes and inlays. I'd be perfectly happy if they came on the disk (jpg/txt). In fact, I'd be happy if they came with no inlays/extraneous art whatsoever.
Just a quick guide:
Sometimes FAT32 can actually be more secure than NTFS. It has better Linux support for maintenance.
Always disable autorun.
Never install proprietary software when popular alternatives are provided free. Don't install those free popup blockers and browsers from your ISP disk. Mozilla is free and so is MS Internet Explorer provided you have a copy of Windows.
You shouldn't need any additional applications for media disks as players are again freely available. XMMS, Winamp, etc.
If you see a CD that has copy protection, simply don't buy it, download it on emule. That'll really annoy Sony.
11/8/2005 4:57:00 AM by Orakio
# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Well, after reading all this stuff, I am just so glad that I don't use Windows.
I believe in the Four Freedoms; that is the freedom to Enjoy, Study, Share and Improve. I believe I have a right to inspect, and maybe alter, the source code {that is, the human-readable form of a computer programme such as a competent programmer can make use of} of every piece of software that runs on any computer I own, and to help my neighbour {which, if I expect my neighbour to help me, is more of an obligation than a right} by sharing any improvements I make with others. I believe that these freedoms are as fundamental and sacred as any other of my human rights.
That is why I will not use Windows: firstly, it does not come with the source code and secondly, Microsoft would not allow me to share any changes I made with the world at large.
It may come as a surprise to some of you that there is software out there that does allow you to look inside it and that does allow you to share it. And in fact, there is more than enough of it to run a fully-functional computer system. The only awkward bits are where, because of software and hardware manufacturers' attempts at secrecy, sometimes things have to be figured out by experiment. So, oftentimes, brand-new hardware might not have a driver from Day One; but there are many people out there working to get it working!
Open Source is not a new idea: it's actually quite old-fashioned. Back in the days when you had to be an expert to use a computer, everyone helped one another out. And it was normal to supply source code because it had to be altered slightly to work with different makes and models of computer.
Whether you are completely new to GNU/Linux, or you have heard about it but thought it was too complicated, you should