Is Sony Trying to Kill the CD Format for Music?

http://blogs.pcworld.com/staffblog/archives/001051.html

Is Sony Trying to Kill the CD Format for Music?
Posted by Andrew Brandt
Wednesday, November 02, 2005, 10:32 AM (PST)



By now, you've probably heard the news that Sony, the media giant, has been quietly installing hidden software on PCs, when people buy music albums published by Sony BMG Music, and try to play them on their computers. The software, called Extended Copy Protection (or XCP) uses rootkit techniques similar to those used by viruses, Trojan horse programs, and spyware to hide the fact that it is installed from the user.

The discovery, by security expert Mark Russinovich (whose outfit, Sysinternals.com, makes several free Windows utilities I find invaluable in diagnosing spyware infestations), details how Sony uses commercial software that automatically installs itself when you put a music CD in a Windows PC's CD drive.

...

The bigger question people have got to ask is, does Sony not respect the integrity of the computers of its customers? This cavalier act of sneaking software onto PCs not only violates our own Prime Directive -- it's our PC, dammit -- but threatens the entire music industry.

After all, if you suspect that a commercial CD will install software secretly, which you won't be able to remove and which, itself, may increase the already-great security problems of your Windows PC, would you continue to buy CDs?

I'll tell you right now, I won't. I'd much rather buy an unrestricted copy of a song electronically, using iTunes, or Rhapsody, or one of the other music services that offer this feature, than take a chance that some music disc will stick some hidden files in my Windows folder, which I can't see or remove.


More... http://blogs.pcworld.com/staffblog/archives/001051.html

Washington State has some of the strictest anti-virus and anti-malware laws in the US. I wonder if I could sue Sony?

Added: One of my co-workers, who is a music buff, mentioned that a list he subscribes to has been discussing the matter since yesterday. In Washington, it is a felony to install "malicious software" on to a user's computer without the user's consent. The definition of "malicious software" was recently broadened to include any code that disables, hijacks or alters the performance of legitimate software, without full disclosure of the "malicious software's" actions. Investigations in to a class-action lawsuit under Washington law is already underway.

http://reviews.cnet.com/4520-3513_7-6361348.html

Security Watch: Root Kit 101

By Robert Vamosi
Senior editor, CNET Reviews
October 21, 2005



I've written before about the dangers of remote access Trojan horses (RATs). Briefly, these are bits of code that get onto your computer in a variety of ways and open an unused port on your PC so that remote criminal hackers (crackers) can gain access at their leisure. Root kits are a more specialized version of a RAT, in that they are virtually invisible. The good news is that more and more security vendors are recognizing the danger posed by root kits. The bad news is that root kit authors are finding more and better ways of keeping their malicious code hidden.

<snip>

There's quite a bit more here, as well as some additional discussion in the forum associated with the article.

It's not piracy that's killing the music industry, it's the sheer amout of marketed crap,lack of risk-taking, and the ridiculous prices of CDs (which benefits neither the consumer nor the artist) that's doing the job.

I was watching a VH1 documentary about one of my all-time favorite artists (George Michael). When he released his first solo album called Faith in 1987, it yielded SIX #1 songs on the billboard charts.

Those kind of albums nowadays are just completely unheard of.

George Michael albums being "unheard of nowadays", that is.

that you pretty much never see an album that spins out so many #1 songs nowadays. That George Michael album is still great and I continue to listen to it now.

If more "great" albums like Faith were being produced, I'd buy more CD's. I don't like paying ~$15 or whatever for an album that has one or two hit songs, but the rest of the CD is filler crap.

None of this malware will install itself on a Macintosh!

Because the internal mechanisms are so different.

The idea that Macs and Linux boxes are immune to viruses is based completely on the fact that Windows dominates the computing environment, and a lot of people have a fanatical hate for Bill Gates. Linux and Mac viruses are appearing.

But, in this case, it's no more difficult to engineer a viral or Trojan form of "copy protection" than for Windows.

There's another big difference, too, but it doesn't pertain to the OS. That is, it's almost impossible to trace virus makers; but the big entertainment companies are hard to avoid.

--p!

As a device driver writer for Windows, Macs, Linux and BSD, I would happily testify in court that it is MUCH, MUCH easier to write such a thing for Windows.

It might be much easier to write malware for Windows, but the big corporations would have the resources to hire top-flight programmers. It is no big deal to pay a top programming house a couple of million dollars to write a newly-legal parasite intended to protect the sanctity of Profit.

There are no "unbreakable" systems, though I agree, Windows is a particularly vulnerable OS. What the corporations want, the corporations get -- unless and until we put our collective foot down, or up their collective ass.

If nothing else, their "fool-proof" parasites will be analyzed and destroyed by other hackers. DVD copy prevention encoding was a fairly tricky system, but it was cracked in a short time.

As to general virus issues with Macs and Linux/BSD -- I'd still scan regularly.

--p!

Never found one, though... (Except once, in 1996, a discarded computer I rescued had a copy of the ancient Mac NVIR virus on it, which was inoperative since the system it was on had already been patched to prevent its working.)

(unlike windows which will "auto-run" CDs) I doubt very much that Linux is vulnerable to this kind of attack.

Not that unix-like systems aren't vulnerable to "trojan" attacks - one of the most famous ever was perpetrated on a unix C compiler so that it produced backdoored "login" executables ( http://cm.bell-labs.com/who/ken/trust.html )

to be vulnerable to such an attack, considering that the basic setup doesn't allow for write access to most of the disk. In other words, unless such rootkits exploit login backdoors or kernel exploits, I would say it is much harder to have such things happen. Unless of course, you actually run as default user "root", which is idiotic.

http://www.sysinternals.com/blog/ I see that the CDs in question come with a version of Media Player that you have to install to play the CDs, and installing that is what gives you the rootkit, so my assumption that autorun was involved was wrong.

You can bet that Sony won't be bringing out a Linux version of Windows Media Player any time soon, anyway, so I'm safe for now! ;-)

All they require is that the user install something. That act of installation opens the door.

In the sony case you have to install the media player to play the stupid DRM CD. To do that you have to have admin privilege. Now you are cooked - the install program is running with enough privelege to do any damn thing it wants.

Linux has the same problem as windows with respect to administrative privilege. There is an NSA version of linux (NSA secure linux) that attempts to avoid this issue, and Microsoft is taking a similar approach with Vista, although both run into the problem that usability is in direct conflict with compartmentalized security.

I'll try once more. The lack of mac and linux viruses, malware, etc. is a reflection of the disparity in installed base compared to windows. Like software vendors, virus implementors in general take a look at the installed base, and they will port to mac/linux/whatever when they get around to it but they will implement for windows first.

So far the only virius on my system has been that infamous linux virus that works on the "honor" system, you receive an email from a fellow linux user requesting that you randomly delete a few files and then send a copy of the email to at least two friends. It all works on the "honor" system. At the rate these linux viruses are coming, I stand a good chance of being dead before it becomes a problem. On the other hand Windows had problems back in the dos days, even before they managed to monopolize the desktop..but keep telling yourself it doesn't matter, linux and Mac will have the same problem, some day soon, never - ever consider it a problem associated with Microsoft poducts.

The only reason why the Mac isn't more of a target is that it doesn't have enough market share to bother with. Same with linux. All operating systems are vulnerable to attack.

Come back when you succeed.

I won't hold my breath.

Here ya go- top three mac viruses documented at the symantec site

Symantec Security Response - Mac.Simpsons@mm
Mac.Simpsons@mm is an AppleScript worm that targets the Macintosh platform. It may open Microsoft Outlook Express or Entourage, and send a copy of itself with the ...
http://securityresponse.symantec.com/avcenter/venc/data/ mac.simpsons@mm.html - 25.8KB - United States

Symantec Security Response - MP3Concept
MP3Concept is a proof-of-concept Trojan horse that is targeted at the Mac OS X platform. As this is written, this threat has not been reported in the wild. The ...
http://securityresponse.symantec.com/avcenter/venc/data/ mp3concept.html - 26.0KB - United States

Symantec Security Response - SH.Renepo.B
SH.Renepo.B is a data-collecting script virus that only runs on Mac OS X systems. Note: Virus definitions dated prior to October 26, 2004 may detect this threat as ...
http://securityresponse.symantec.com/avcenter/venc/data/ sh.renepo.b.html - 33.3KB - United States

What? Did you say something?

Virus companies have to justify their existence, so they work HARD to come up with attempts at viruses that never did and never could survive in the wild. None of these is a current threat even without virus guards, and none of them ever caused damage in real systems.

I know the internals of MacOS X really well, and I cannot imagine a successful virus except for those that infest Microsoft applications (like word macro viruses) regardless of what system they run on.

I am certainly not going to write a virus. If you think that OSx is secure enough to preclude all virus attacks, despite the fact that there exist viruses for OsX, there is little I can do to persuade you of the error of your ways as you are acting on faith, not reason.

However I won't quite give up. Virus-proof operating systems are a subject of RESEARCH not COMMERCIAL IMPLEMENTATION. They require a level of security that, for now, is in direct conflict with usability. Google the NSA secure linux project for some insight into how difficult this is.

For commercial operating systems, 'virus proof' means a system disconnected from any network that is never subject to the installation of any software after its initial installation.

Never had music problems on my G4!

I'd be curious to know...

Blank media should be safe.

OTherwise, it isn't blank; a format must exist for the data to sit on, and once that's done, the disc is closed and cannot be rewritten unless it is a CDRW disc.

Even then, a complete format of the disc would erase anything already sitting on it.

This data identifies the type of media, and whether it is an Audio disk or not. (Audio disks have the built-in royalty payment to RIAA, so, why is making a copy to one illegal???) I am not sure of how large this track can be, or if you could hide malware in it, but I doubt is is a danger.

virus or some other unseen and unwanted program from a music download.

The fact is that our computers are at the mercy of those who manufacture the media that we install and plug into them every day.

We have a right to expect proper disclosure and honesty from software manufacturers. They need to be regulated in a way that protects consumers.

But I know wtf I'm doing. :shrug:

inclination nor time to protect their system from mega-corps that spend millions of $$$'s to develop stealth software.

The only way to protect the public is by legislation. Not that Bush & Co. are going to do it - they are busy protecting the mega-corps.

These stealth copy protection schemes don't solve anything, they just end up screwing over the average consumer. People in the know will always find a way around it. DRM only serves to fuck up people's machines.

I vote with my wallet and only buy directly from the artists. I go to support local bands and people I like...hell I just went to a show this past Sunday and bought a T-shirt and some CDs from a couple of the groups.

Unfortunately the *AAs have Congress in their pocket, I doubt we will ever seen substantial legislation to protect the consumer. :(

People are riled up now about the RIAA and its inane crusade, but haven't boiled over yet. Imagine where all that anger is going to go when these secret "security enhancements" start messing with peoples' computers -- and lives.

RFID technology. Secret computer spyware. Intellectual Property rights extended to absurd lengths at the behest of a couple of companies and a dead musician/comedian/right-winger/Scientologist (that would be Salvatore "Sonny" Bono).

It's not the Mark of the Beast -- it's the Mark of the Vulture.

--p!

and probably not care. They'll know their comp is acting flaky, but they'll never put two and two together.

from CD to Ipod, then they will be pissed.

I think Sony eventually wants to make their artist's discs un-iTunes rippable.

What do they hope to gain?

take over a bit of the OS for various reasons. In this case Sony wanted to be able to hide their DRM copy protection software from people trying to circumvent it. So they stole some OS interfaces to allow them to intercept all attempts to list files in directories, and use these 'hooks' to make their copy protection files 'disappear'.

But I have no idea what that means.

I do know that my PC was made by Sony and that I burn numerous CDs and DVDs on it with no problem. So I don't get what it is alleged that they're trying to prevent...

First, this only applies to music cds sold by sony that are labelled as having Digital Rights Management (DRM) protection. This has nothing to do with PCs manufactured by Sony, or non-DRM cds sold by Sony.

In order to play these CDs on your pc you have to install SOny's media player application. By doing so you also install, without your knowledge, a rather hideous bunch of software (the root kit that this discussion is about) used by Sony to protect their media player from circumvention. This root kit hides a lot of other software (and itself) by stealing a bunch of OS interfaces. In doing so it manages to open up a huge backdoor for more malicious spyware, malware, viruses etc. to get into your system.

It's just another example of an incomprehensible and suicidal business decision.

The format is too compressed, for one. You should be able to download .wav files, but the DRM necessitates some kind of different file format than a pure sound file.

Lame.

The reason they don't offer them for download is a file size issue. Apple has a lossless codec they can use, but it only achieves about a 1:2 compression ratio.

They figure not many would be willing to download that large a file, but it's the only way I would buy music over the Internet - I'm not about to pay money for music in a lossy format. I don't like mp3's at all, that swirling-toilet treble drives me nuts.

Todd in Beerbratistan

MP3's just aren't worth full price, which is what 99 cents a song in AAC format minus packaging comes out to.

if there is not adequate disclosure. Tort lawyers probably looking at this?

Buy CDs from independant artists and labels who don't do that shit...

Start with this one...

http://cdbaby.com/soulamp

hehehe

Major label artists are mostly crap anyway. Dig deeper, find real innovation in your music.

...which is fucking awesome, by the way, is to hold the shift key after inserting the disc. This disables autoplay in Windows, which is how the software starts.

If you don't do this, you are prompted to agree to terms of use and then software that will ruin your rip to mp3 will install itself to your machine, which is difficult to remove and does not add itself to the "add/remove programs" list in Control Panel.

After the CD ROM drive finishes initializing (sometimes you will see an hourglass briefly when this happens), you should be able to drag and drop to your ITunes library.

It should be noted that the software enables a DRM-protected Windows Media Audio (WMA) rip, but this is useless to anyone with an IPod.

From my attempt...

No buyers though.

:-(

Actually just get a crappy PC and let it disinigrate into popup land.

Too bad for artists that signed up with them. :nopity:

Notice how it's only on Windows PCs? You wont get that crap installed on your Mac if you have one.

You name it - the introduction of the CD, the mini-disc, copy protection - its all a scam to get people paying over and over gain for the same back catalogue. They are one of the main reasons why I stopped regularly buying records decades ago.

...or run Linux on your Wintel box.

Here's one account:

Celine Dion Killed My iMac!
http://www.macopinion.com/columns/curmudgeon/

I wonder if this technique keeps it from installing the software:
CD Crack: Magic Marker Indeed
http://www.wired.com/news/technology/0,1282,52665,00.html

stop and disable the 'shell hardware detection' service is one way

but you buy a sony DRM CD and in order to play it you need to install the Sony media player and then you are cooked. Autoplay not required, and it is very difficult for any OS to prevent mal/crapware from being installed when the user says 'install this'. As long as the user has administrative privileges, user directed installations are a huge problem.

I bet I could play it without installing their crap. Look for a program called Exact Audio Copy, it's a great ripper.

at http://cp.sonybmg.com/xcp/english/updates.html




as seen on slashdot at: http://slashdot.org/article.pl?sid=05/11/02/2147258&tid=167&tid=188&tid=185&tid=98

and who will trust them to install this? :rofl:

All this program does is make the files in question, of the rootkit, visible to the Windows API, ANY ATTEMPT AT THEN MANUALLY REMOVING THE OFFENDING FILES WILL RESULT IN POSSIBLY LOSING ACCESS TO YOUR CD-ROM DRIVE.

I think consumers are going to start thinking twice about purchasing products by Sony. They might lose money from it...

(I hope.)

An interesting side discussion happened around Mr. Russinovich's blog note on his experience with the Sony crapware. As the crapware in question was DRM crapware it actually is protected by the noxious Digital Millenia Protection Act. This crapware-legislation makes it illegal to tamper with DRM software, including REMOVING IT FROM YOUR SYSTEM. So Russinovich, off checking his system for rootkits, finds one, removes it, and in doing so potentially opens himself up for either civil (EULA license with Sony crapware prohibits tampering) or criminal (DMPA thinks its a crime to undo what some DRM software has done to YOUR system.) Neat huh? Run a virus checker, go to jail.

Of course this is a bit of hyperbole, undoubtedly nobody is going to go after someone for removing a rootkit from their system, once they understand what a rootkit is.

Interesting side note on just how STUPID the sony crapware is: it hides all files with a certain unusual naming pattern ($sys$ or something like it in the name). So guess what can piggyback right on top of the Sony crapware? Real malware/spyware/virii that are using the nicely hidden name scheme from their unwitting friend Sony.

The lawsuits should all be going in Sony's direction, and it should cost them quite a bit.

Circumventing these schemes is also, technically, illegal, so basically, if you have a Non-Windows OS or disable auto play(shift key or permanent), then theoretically Sony could sue you for circumventing their DRM.

is that the software installed is itself in violation of various laws at the very least on the state level in several states. Illegal software cannot be protected by another law. Sony has committed a crime by sneaking a rootkit onto PC's, an action for which there is NO excuse whatsoever for anyone. That's called destruction of property.

Sony has flushed an awful lot of good will down the commode, and stand to lose far, far more than they would have lost from music piracy. Typical behavior of myopic corporate suits...no perspective at all. Why does it always seem like unregulated capitalism ends up eating itself...

Todd in Beerbratistan :beer:

I heard something about it a while ago, that Phillips (who afaik invented the CD format in the beginning) has said, that music CD's with various formats of Copy Protection on it, can't be called a CD?

A lot of people returned their CD's saying that this was really a data disk and there was no warning on the label.

I play all commercially made cds on my stereo, never on my pc. I've long suspected that spyware and more installs itself in the computer when these thigs play--not to mention that certain media players transmit electronically to the manufacturer information including the title of the cd that you're playing.