This is heavily offtopic on this list but I couldn't stand to let
anyone here get into the pitfall which would be even more serious to
anyone using his/her PC for business.
Sony BMG and their subsidary record labels [1] have released a couple
of music CDs that contain malicious software claiming to simply be a
copy protection system called "XPC".
As long as the issue has been opened on-list I'll cross-post David
Pogue's NY Times e-column on the subject which is just a bit less
flamitory:
Thursday, October 10, 2005
From the Desk of David Pogue
Sony BMG's Copy-Protecting Watchdog
My In box usually bursts to the seams with reader reaction to stuff I've
written. What was unusual this week, though, was the amount of mail that
came in on a topic that I've never even mentioned: the Sony BMG rootkit
tactic.
The story goes like this. Starting in June 2004, Sony BMG records began
copy-protecting its pop-music CD's. Over the months, the company has
used several software schemes for preventing you, the customer, from
making illegal copies of its discs. But 20 albums are protected by a
scheme devised by a company called First 4 Internet-and it's caused an
incredible online furor.
These CD's, all bearing "Content Protected" labels on the packaging
(meaning "copy protected"), do something very sneaky if you try to play
them on a Windows PC: they install a proprietary watchdog program that
prevents you from copying the CD more than twice. (On a Macintosh or
Linux machine, these CD's play just fine, without any copy protection.)
Last week, a programmer and blogger named Mark Russinovich dug a little
deeper, and found out something disturbing: the Sony watchdog program
not only installs itself deep in the core of Windows-it's what's called
a rootkit-but it also makes itself invisible.
The record company doesn't dispute Russinovich's findings. "The cloaking
is an additional level of protection to hide the protection files
themselves," Mathew Gilliat-Smith, CEO of First 4 Internet, told me.
"It's an extra speedbump to make it that much more difficult [for
prospective music pirates] to circumvent the protection." But Sony BMG
didn't seem to be prepared for the outcry from privacy advocates and
ordinary citizens who felt violated.
To them, Sony BMG's tactic was dangerous, sneaky, intrusive and maybe
even illegal. Some of the problems:
* The hidden-rootkit trick has been used by virus writers to conceal
their tracks. It doesn't give you such a rosy feeling to know that Sony
BMG is treating you the same way.
* Once hidden, the copy-protection software is invisible to antivirus
programs, too. So the baddies of the Internet could, in theory, use
Sony's software as a backdoor to infect your machine, and your virus
checker would miss it.
* If you try to remove the software manually, you risk disabling your CD
player completely. (Instead you should use the Uninstall link on Sony
BMG's customer-service Web site, whose link appears on the Help screens
of Windows Media Player. Of course, then you can't play the CD on your
computer.)
* When you insert one of these music discs into your PC, one of those
software license agreements appears. It says explicitly what's about to
occur: "This CD will automatically install a small proprietary software
onto your computer. The software is intended to protect the audio files
on this CD. It will reside on your computer until it is removed or deleted."
But this note does not say that the software hides itself. And, even
more damning, you don't see this note until you've scrolled down to the
third page of legalese in the license agreement. Let's not kid
ourselves: NOBODY ever reads those license agreements. They're too long,
too opaquely written and generally of little use to anyone except the
lawyers.
* Sony's copy-protection software prevents you from playing the music
you've bought on your iPod, which happens to be the world's most popular
music player.
Once the true nature of the Sony BMG software tactic became public, the
company wasted no time in attempting to defuse the issue. Within 48
hours, it released a patch that makes its software visible again; you
can download it from http://cp.sonybmg.com/xcp. (Click the Software
Updates button.) Sony also provided the rootkit-cloaking information to
antivirus-software companies, so that the software will no longer be a
potential virus magnet.
At that same Web site, you'll find, incredibly, a link to a
Sony-sanctioned workaround that lets you copy the protected songs to the
iPod. (Sony says it will send you the workaround by e-mail once you
supply the name of the CD and other information.)
Finally, Sony has abandoned the rootkit protection method. (It says, in
fact, that it had planned to do so even before the trick became public.)
It still intends to install copy-protection software on every audio
CD-but it will use other methods.
For now, then, it seems that the cloaked-rootkit issue is dead. If you
bought one of the 20 affected CD's, you can uncloak the software, and
Sony won't be using this scheme anymore.
My take? Audio CD's that install software onto your PC are just creepy.
I believe that distributing copies of a CD to the Internet at large is
wrong, so I understand the record companies' concern. But installing
secret, self-masking code onto customers' computers seems just as wrong.
It's an "any means necessary" approach to the problem, like dealing
drugs to raise money for charity.
Personally, I can't understand why any music fan would buy one of these
discs. If you really want a song from Sony BMG, why not just buy it from
one of the online music stores and avoid the whole issue? Sony BMG would
soon get the message that customers don't like being treated like criminals.
I was also surprised at how dismissive Sony BMG and First 4 Internet
seem to be. "It's a tempest in a teapot," Mr. Gilliat-Smith says. "It's
benign content protection. It's not malware, it's not spyware-it's innocent.
Consumers, for eight months, have been using these discs with positive
feedback. When the issue arose, we addressed it very quickly."
I wondered if he could even understand why consumers might feel a bit
violated. I pointed out that the usual damage-control plan for
public-relations disasters (see also Tylenol; Perrier; Pentium bug) is
not to haughtily dismiss customer fears, but to apologize profusely.
But the closest thing Mr. Gilliat-Smith would say is, "We understand
what the concern was, but there was no intent. We reacted as quickly as
we could, took responsive issues. And now, hopefully, we move on."
Join a discussion of David Pogue's columns.
This week's Pogue's Posts blog.
Visit David Pogue on the Web at DavidPogue.com.
_______________________________________________
Finale mailing list
Finale@shsu.edu
http://lists.shsu.edu/mailman/listinfo/finale