Post by va3css on Dec 6, 2005 14:27:52 GMT -5
This may be a long post, but it all needs to be said.
For years we've been hearing about music piracy. People downloading music off the internet without paying for it. Understandably, the record companies want it stopped, and they've been working hard on that.
To that end, they created the Digital Millennium Copyright Act (DMCA). Its intent was to deal with protecting copyrighted material in this new "digital" age with CDs, DVDs, the Internet and other forms of digital media on the horizon. Among other things, it states that it is illegal to create a program that can circumvent copy protection or encryption software on any music or video.
The next step in the evolution of this is for record companies to start including copy protection software on their music CDs.
Sony / BMG is the first such company to do so, only they didn't bother to tell us.
Since March 2005, they've been including their "Media Jam" software on ALL their music CDs. Any CD from any music company under the Sony / BMG Music umbrella had this software on it, clandestinely. Nobody knew about it, except Sony.
The software was created for Sony by a software developer called First4Internet. They used a program that we "techies" refer to as a rootkit. Rootkits are most commonly used to create viruses and spyware.
Yes, you read that correctly.
The Extended Copy Protection (XCP) that this rootkit brings installs secretly. You don't see a "progress bar" on your screen as it copies files. You don't get a prompt asking you where you'd like to install the program. It just goes ahead and does its thing without letting you know about it.
Worse yet, after it's installed, the files it put on are hidden. The folder on your drive that the files are put in is also hidden. The changes it put into your System Registry are also hidden. Even the End-User Licence Agreement (EULA) that comes with the CD mentions NOTHING about this software installing.
The rootkit itself opens security "holes" in your system that help make your PC more vulnerable to viruses and spyware. Many new spyware threats have been coming out that take advantage of this rootkit, and you can bet there are more coming.
The person who first discovered this mess is Mark Russinovich. He makes a program called Sysinternals. It's a program "geeks" like me would use to diagnose problems on computers. He was actually testing a new version of it on his own PC when he "stumbled" upon Sony's rootkit, only he didn't know it was from them at the time.
Using a battery of other high-tech software utils, he traced down the source of the rootkit. That's when he discovered the link to Sony. He had recently purchased a new music CD from a band on a Sony family record label, and played it on his computer.
This was October. His blog has an entry on October 31 telling us all about it. So that means Sony has been printing billions of CDs between March and October with this garbage on them before they were discovered.
Since the program is not listed on his Add/Remove Programs list, he sent an email to Sony asking about an uninstall program for it. They, of course, denied that anything was installed.
After showing them all he found, they sent him a link in an email which they claimed would take him to their uninstall program. He followed the link, and filled in the form on the web site. A few days later, he got another email with another link.
That second email's link took him to yet another page where he had to yet again fill in a form and submit more info. Finally, he was able to download an uninstall program.
In all this time, Sony had still yet to admit to this hidden spyware on their CDs. Their main page never said a word about it.
So he ran their uninstall program. Suddenly, he sees for the first time a program called "Media Jam" on his Add/Remove Programs list. When he tried to uninstall it, it told him it was already uninstalled. In other words, Sony's own uninstall program didn't finish uninstalling properly.
Again, he poked around his system to see if any other remnants of this crap were left. There were. The rootkit was still on the system and active. That meant his system was still vulnerable to attack in the same way it was after Sony's CD first installed their software...
At this point, Sony finally decided to admit there might be a problem with their rootkit, and offered to replace anybody's CD with another that does not have the XCP rootkit on it. They also claimed to offer replacing any retailer's stock of Sony CDs with a new batch free of the XCP rootkit.
But there's still the matter of their own uninstaller not completely removing the garbage. Russinovich even noted that their software actually installed hidden "filter drivers" between your CD or DVD drives and the computer. If you're savvy enough to tinker with a computer at that level, you can manually remove those filter drivers. The problem is, once you do, your CD / DVD drives will cease to work!
Had enough? Read on...
First4Internet used a portion of GNU (i.e., public domain free) code to make their XCP rootkit. That's not illegal; however, anytime you use a GNU program to make a program of your own, you must include the GNU source code that you used. In lieu of payment, GNU developers want a plug. That's the deal.
As it states on TechNewsWorld:
"Open source programs are distributed with license agreements. If you copy and redistribute such a program, you're a copyright infringer, unless you're complying with the terms of the program's license.
"The licenses in question are the Free Software Foundation's GPL for mpg123 and DRMS, and the LGPL for the other programs. The terms of the GPL would require the companies to distribute the source code of XCP, which they're certainly not doing.
"The LGPL requires less, but it still requires the companies to distribute things such as the object code of the relevant module without the LGPL-protected code, which the companies are not doing.
"So if they're shipping code from these libraries, they're infringing copyrights."
Neither First4Internet nor Sony bothered to include the source code. That prompted the developers of that code to target Sony and First4Internet for a lawsuit.
Speaking of lawsuits, many states have passed their own spyware laws, since the federal government has been slow to do so. Since this rootkit is spyware, many states have now begun pursuing legal action against Sony.
It gets worse...
The state of N.Y. sent investigators into many retail outlets to see if indeed the infected titles were pulled from the shelves, as Sony promised. They were not.
New York Attorney General Eliot Spitzer sent undercover agents disguised as customers into record and retail stores throughout New York to see whether Sony had, in fact, removed all of the offending CDs from the market. The investigators found that the CDs in question were still being sold in a number of stores.
Spitzer was clearly perturbed about this and stated: "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year."
Agents found copies of the CDs on the shelves at Wal-Mart, Virgin Megastore, Best Buy, and other retailers.
Source: New York Attorney General investigates Sony
The same thing was found to be true in the state of Massachusetts:
Massachusetts Attorney General Tom Reilly warns many of the discs are still being sold to unsuspecting consumers in Boston.
---
Meanwhile, Reilly is conducting an investigation of Sony BMG related to the privacy and consumer protection issues raised by the copy protection software that Sony BMG used on the CDs.
Source: Boston Attorney General after Sony
They're both now considering legal action for that as well.
Still not enough? Read on...
One of the first programs to offer a "cleaner" for this spyware is Microsoft's Anti-Spyware (the same one I've been saying is the best one for a while). Well, some tech bloggers are suggesting that Microsoft may be liable for doing so, as per the DMCA.
Section 1201 of the DMCA:
(b) Additional Violations. -
(1) No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that -
(A) is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof;
It's unlikely that Sony would go after M$ for this, since they pulled their rootkit of their own accord. Still, the way the DMCA is written, M$ will remove / circumvent Sony's copy protection measure. They have broken the DMCA, technically.
I don't think any of us mind.
Yep, there is more yet...
The RIAA, the ones who go around suing 12-year-olds for downloading music on behalf of their record company members, had only this to say about the discovery of Sony's rootkit:
“The problem with the SonyBMG situation is that the technology they used contained a security vulnerability of which they were unaware. They have apologized for their mistake, ceased manufacture of CDs with that technology, and pulled CDs with that technology from store shelves. Seems very responsible to me. How many times that software applications created the same problem? Lots. I wonder whether they’ve taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?”
Source: CP NewsLink Transcript: Cary Sherman of the RIAA
"Seems very responsible???" Is this man on drugs???
Let's review:
- Sony begins putting spyware on their audio CDs, disguised as "Content / Copy Protection."
- Upon discovery of this spyware, Sony denies its existence. They even posted this on their website: "This component is not malicious and does not compromise security." That quote is no longer on their website, of course.
- Russinovich, who forced Sony to acknowledge all this, had to jump through hoops to get an uninstaller, which did not work, and did not repair the security hole it created. To this day, we're still waiting for Sony to come out with a suitable uninstaller.
- In a press release from Sony BMG’s Global Digital Business President Thomas Hesse, he says this: "Most people, I think, don’t even know what a rootkit is, so why should they care about it?" Most people don't know what a root canal is, either. But they still don't want one...
Yep, pretty responsible to me... What an IDIOT this Sherman is.
Nope, not done yet.
Artists who have their recordings on one of Sony's labels are beginning to feel the wrath of us buyers who are aware of Sony's rootkit:
When Sony announced the XCP recall, it said it would replace the infected CDs with new, non-protected versions.
In the interim, many of the artists with XCP CDs have seen their sales tumble.
Neil Diamond, whose widely praised 12 Songs opened at No. 4 on Billboard's Top 200 chart just two weeks ago, has fallen to No. 52 in the most recent chart. Bette Midler's Peggy Lee Songbook fell to No. 157 from No. 51, while Chris Botti's To Love Again: The Duets tumbled to No. 172 from No. 74.
Source: USAToday.com
You bet your bottom dollar there's still more...
Anybody here have an iPod or purchase songs from iTunes? Recently iTunes was in a legal wrangle with record companies who felt that their $1/song price was too cheap. It's now been discovered that Sony's rootkit actually hacks into iTunes...
Sony rootkit ripped off anti-DRM code to break into iTunes
Sony's DRM supplier XCP ripped off a free software project so that it could defeat Apple iTunes.
Remember when Sony got nailed for including code an open-source crack for iTunes in its rootkit DRM? Princeton researcher Alex Halderman has been patiently teasing apart the rootkit, looking for an explanation. Why would Sony's arms-merchant rip off an anti-DRM program for its DRM?
Halderman concludes that the XCP -- the Sony rootkit -- was intended to be used to crack open iTunes and insert Sony's music into it, without allowing Sony customers to convert their music into MP3s along the way.
Source: Sony rips off code to hack iTunes
Unbelievable...
The supreme irony in all this is how Sony tried to stop music pirates by attacking those who actually paid for the music. How will this look when you take this CD to work and unknowingly infect the network at work? How will your employer feel about Sony then?
Sony is already laying off 10,000 or more people for reasons totally unrelated to this fiasco. How many more heads will roll as a result?
IMO, the music wing of Sony is going to be forced to restructure big time. It might even be a case where Sony tries to make it appear that they're getting out of the music business by selling their interests to another new company. That new company, we'll find out later, will be owned by Sony anyways...
Some links pertaining to all this:
Mark Russinovich's Sysinternals Blog
Texas Attorney General files suit against Sony
Electronic Frontier Foundation files suit against Sony.
Washington Times reports that a private citizen, acting as a "Private Attorney General" (legal in that state) is also filing suit against Sony.
www.boycottsony.us/ ;D
Whatever you do, DO NOT PLAY ANY SONY / BMG MUSIC CD ON YOUR COMPUTER!
If you have already, and are using Windows 2000 or XP, go to Microsoft.com and download their FREE MS Anti-Spyware to remove it with. You can also see Mark Russinovich's Sysinternals Blog for more utils.
If you're still using Windows 98, then I have pity on you! ;D Time to upgrade.