--- begin forwarded text
Delivered-To: [EMAIL PROTECTED]
Date: Wed, 9 Nov 2005 10:50:05 -0500
To: Philodox Clips List <[EMAIL PROTECTED]>
From: "R. A. Hettinga" <[EMAIL PROTECTED]>
Subject: [Clips] Sony BMG's DRM provider does not rule out future use of stealth
Reply-To: [EMAIL PROTECTED]
Sender: [EMAIL PROTECTED]

<http://www.tgdaily.com/2005/11/04/f4i_says_sony_bmg_xcp_is_not_rootkit/print.html>

Tom's Guide Daily

Sony BMG's DRM provider does not rule out future use of stealth

By Scott M. Fulton, III
Published Friday 4th November 2005 22:27 GMT

Oxfordshire (UK) - The CEO of the company which provides digital rights management tools and software to global music publisher Sony BMG, and which developed the XCP system that was the subject of controversy this week, told TG Daily in an exclusive interview that, despite what some security software engineers, news sources, and bloggers have suggested, XCP is not, and was never designed to be, a rootkit.

"We believe there are some comments that have been misunderstood in the media," said Matthew Gilliat-Smith, chief executive officer of First 4 Internet, the manufacturers of XCP. "Our view is that this is a 'storm in a teacup,' as we say over here in the UK ... I want to confirm that this is not malware. It's not spyware. There's nothing other than pure content protection, which is benign."

As we reported yesterday (http://www.tgdaily.com/2005/11/03/sony_bmg_xcp_is_it_a_rootkit/), security software engineer Mark Russinovich discovered, through the use of a program he wrote called RootkitRevealer, that drivers deposited on his system from a Sony BMG audio CD he purchased were using stealth techniques to hide their appearance not only from the user, but also from portions of the Windows operating system.
These drivers had been installed in such a way that they ran perpetually, loaded automatically - even in safe mode - and were referenced in the Windows System Registry in a manner that could not be undone without extensively reworking the Registry to get the operating system to recognize the CD-ROM drive again. In his investigation, he identified these drivers as part of the XCP copy protection system.

Russinovich's story, posted to his company's Web site (http://www.sysinternals.com/Blog/), was widely read and generated an enormous response from bloggers, some of whom believed either that Russinovich was suggesting, or that his evidence had substantiated, that XCP constituted a rootkit. Under the more technical definition of that term, it would have to open up an unmonitored Internet connection with a remote host, probably with the intention of delivering a malicious payload in a very undetectable manner. Russinovich made no allegation of such behavior, yet the characterization hung in the air.

"There's areas of misinformation which I'd be very happy to set straight," Gilliat-Smith told us. "The first is [the allegation that XCP is some form of] rootkit technology, in the form that would be used to spread malware. What it is, it's using cloaking techniques that are similar to a rootkit, for the purpose of making speed bumps on the content protection, to make it more difficult to circumvent the protection."

Gilliat-Smith said his software does not open up any connection between the stealth driver and its host. "Ours does not do that," he said. "All we're doing is using a hook and a redirect, so when you look for a file, it is hidden. It is very widely used...since way back in 1994, by many shareware companies and anti-virus companies."
A paper describing what appears to be the "hook and redirect" method to which Gilliat-Smith refers, published by the online hacker magazine Phrack.org, defines rootkit as "a program designed to control the behavior of a given machine. This is often used to hide the illegitimate presence of a backdoor and other such tools. It acts by denying the listing of certain elements when requested by the user, affecting thereby the confidence that the machine has not been compromised." By "backdoor," the paper can be presumed to mean a method by which a remote party can take control of the system undetected. Gilliat-Smith denies any such methods are, or have ever been, used by XCP.

Furthermore, Gilliat-Smith stated, the version of XCP which utilized this "hook and redirect" method to hide the presence of the persistent driver is no longer being used in new audio CDs. At the time these concerns arose, he said, "we had already created the new version of the software, which provides a range of additional features for the consumer. We have moved away from the cloaking technology that gives rise to these concerns."

First 4 Internet (F4i) has made available to Sony BMG a removal tool, which users can download from Sony BMG's Web site (http://cp.sonybmg.com/xcp/english/updates.html), that removes the XCP driver from users' systems and cleans up the mess left in the Registry. In addition, F4i's Gilliat-Smith told TG Daily, the company has offered anti-virus companies tools with which they can bypass the "hook and redirect" API method, and scan files in XCP's stealth directory.

One of the anti-virus companies to which F4i has been talking, he said, has been F-Secure, which recently claimed that malicious users could conceivably craft methods that take advantage of XCP having opened up, in effect, a "stealth channel" to the operating system, enabling them to fill in the gaps and make XCP into a true rootkit.
No material evidence of these claims has been presented, though last Tuesday, F-Secure officially listed the XCP DRM software (http://www.f-secure.com/v-descs/xcp_drm.shtml) as a virus. No method of propagation or payload distribution was reported.

Gilliat-Smith cited F-Secure's development of a rootkit removal tool, called Blacklight, "so it seems that they have a vested interest in the subject," he said. F-Secure officials have informed XCP of its opinions and stand on F4i's software, he added. But the potential for leveraging XCP as the backdoor for a real rootkit, as well as any vulnerabilities alleged by Russinovich, he said, should all be treated as theoretical, adding, "Vulnerabilities can occur in any software application that a user puts on his computer."

The balancing act: Protection vs. fair use

"Independent consumer surveys [about] the CDs that have been released have shown very positive consumer reactions to the way the CDs work in their computer, and the ability to make backup copies," stated First 4 Internet's Gilliat-Smith. "So we're always reviewing the ways forward...and we will recommend and suggest different ways of putting in these speed bumps, but we will not be using the same methodologies that have been written about in [Russinovich's] article."

Ross Rubin, director of industry analysis for NPD Techworld, has been following the XCP DRM story with us. "It's a difficult challenge to balance the convenience of listening to music with the desire to protect intellectual property," he told TG Daily. "I think, at this point, it's very difficult to try to go back in time and turn CDs into a secure mechanism, because there's just such a tremendous installed base of compatible products, and consumers are used to listening to CDs on their computers and ripping them."
The ultimate solution, Rubin believes, is to focus on preventing the undesired behavior, rather than preventing a large class of behaviors, most of which are not necessarily illegal or even unethical.

But what's a company like F4i to do? If it uses completely benign copy protection methods, even novice users can easily smooth out its "speed bumps"; if it uses stealth in any form (especially now), it opens itself up to ridicule.

"It's kind of a no-win situation," responded Rubin. "It's very hard to find the medium that's not going to punish the legitimate users of your product, but which is going to discourage those who would abuse fair usage privileges. I think up until now, most of the criticism has been around the protection schemes being too easy to circumvent. Now, perhaps, the pendulum has swung the other way."

Responses we received to yesterday's article about the Russinovich story included a comment that XCP may be undesirable from a consumer's perspective not because it's malware, but because it wastes processor time and because it monitors customers' CD-ROM listening habits. Gilliat-Smith denied both claims: "I sense what's happening is, people are making assumptions without having run the discs themselves. There is no suggestion that there is any monitoring of what's going on at all...It has not been reported to me that excessive CPU usage is being made here. There is the cloaking technology that had been used up until now, to 'hook and redirect' to disguise the files; [that] might be using minimal CPU usage, but there's certainly no [indication] that it's been making an onerous usage of it."

In an update to his original article (http://www.sysinternals.com/Blog/) posted today, Sysinternals' Mark Russinovich elevated his language.
Not only does he now refer to XCP directly as a rootkit, he adds that since XCP's built-in media player software (with which limited backup copies can be produced) does establish a connection with a remote server, the DRM software as a whole truly does "phone home," in essence fulfilling the extra requirement necessary to qualify for the hackers' definition of a rootkit. Further, he cites the fact that the end-user license agreement (EULA) shipped with the Sony BMG audio CD does not make mention of this capability.

For proof, Russinovich reproduces the entire language of the EULA on a Web page unto itself, highlighting the portion which references the XCP software package directly. In very rudimentary boilerplate language, it states, "The SOFTWARE is intended to protect the audio files embodied on the CD," and will reside on the user's system until removed or deleted. However, it states, the software will not collect personal information of any form.

In his update, Russinovich characterized Sony BMG's EULA with these words: "An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications."

The EULA, states F4i's Gilliat-Smith, is a matter for Sony BMG to determine for its customers. However, based on his understanding of it, "The EULA is very clear, and it's a very straightforward process. It clearly states that content protection technologies can be loaded. If the user doesn't agree to accept, then the CD does not load, and the program does not load.

"This is not malware, not spyware," Gilliat-Smith reiterated. "No one has suggested that it is. What they're saying is that rootkit technology - which this is not, in its entirety - is something that potentially could be used to masquerade behind, and I confirmed that the XCP technology no longer uses the cloaking technologies that this article suggested could potentially pose a threat."
But Gilliat-Smith would not go so far as to say current or future versions of XCP would refrain from using stealth techniques going forward - just the "hook and redirect" method discovered by Russinovich. "Going forward in the future, we will obviously take forward any concerns, and we will make sure that the consumer is foremost in our minds in terms of how we do it," he told us. "Because it's a balance between protection and keeping the consumer foremost in our minds...We very quickly alleviated anybody's concerns, and are moving forward, and continuing to perform the task that badly needs to be done."

NPD's Ross Rubin sees the same balancing act, but perceives a different solution: "It comes down to the balance argument: Do you really need to be operating that far down in the OS to discourage casual piracy? I don't think you do. The users who are determined to crack the codes are really going to focus time and energy on those kinds of efforts anyway. I wouldn't agree that it's necessary to dig that deep."

--
-----------------
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

_______________________________________________
Clips mailing list
[EMAIL PROTECTED]
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]