Sony BMG's copy-protection problems grow Robert Lemos, SecurityFocus 2005-11-16 http://www.securityfocus.com/print/news/11357
Sony BMG Music Entertainment announced plans on Wednesday to pull from store shelves nearly 2.6 million CDs that include a controversial copy-protection program, offer consumers an opportunity to return the discs, and create a more secure program to help remove the software from people's computers.

The announcement preceded a congressional hearing held that day at which Republicans and Democrats alike criticized the overly broad digital protections used by some media companies to guard their content. Underscoring the impact such protections can have on consumers, a Princeton University professor asserted on Tuesday that the software utility created by the media giant to remove its copy-protection program from consumers' computers actually opens up the systems to attack.

The revelations had Sony BMG reversing course on its copy-protected CDs. The company had already ceased to manufacture the CDs that included the troublesome technology, known as Extended Copy Protection (XCP) software, created by U.K.-based First 4 Internet.

"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets," Sony BMG said in a statement sent to the media on Tuesday and posted on its Web site on Wednesday. "We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer."

The announcements further highlight the security problems created by the copy protection used by Sony BMG to guard its music CDs. Two weeks ago, two security groups--SysInternals.com and antivirus firm F-Secure--revealed that the XCP software installs itself on PCs and conceals its presence in the same way a rootkit does. Since the publication of their findings, consumer and security complaints against the content company have gained legal backing, with at least five cases filed or ready to be filed against the music giant.
Earlier this week, the digital-rights advocacy group Electronic Frontier Foundation published a list of steps that its staff believed Sony BMG should take to repair the situation. The open letter to Sony BMG called for many steps that the media giant has now taken, such as recalling the CDs and offering to exchange the discs. However, the letter also requested that Sony BMG reimburse consumers for any damage to their PCs, a step that has not yet been taken by the media giant. Sony BMG did not respond to a request for comment on the EFF letter.

Further spotlighting Sony BMG's response to recent events, a congressional subcommittee held hearings on Wednesday regarding fair use and copyright protections. In statements, the Republicans who head both the Committee on Energy and Commerce and its Subcommittee on Commerce, Trade and Consumer Protection voiced support for fair use and stated that current copyright legislation, especially the Digital Millennium Copyright Act (DMCA), has gone too far in limiting consumer use of media.

"I am concerned that some attempts to protect content may overstep reasonable boundaries and limit consumers' legal options, particularly in the light of the emerging technologies that we are beginning to see in the marketplace," Republican Rep. Joe Barton of Texas, chairman of the House Committee on Energy and Commerce, said in a published opening statement.

"It boils down to this: I believe that when I buy a music album or movie, it should be mine once I leave the store," Barton said. "Who doesn't believe that? Does it mean I have unlimited rights? Of course not. But the law should not restrict my fair-use right to use my own property."

Yet the response to Sony BMG's copy protections is less about the system being too restrictive and more about the technology's effect on consumers' systems.
Many security experts--including antivirus firms F-Secure and Symantec (the parent company of SecurityFocus) and software giant Microsoft--have labeled at least a portion of the XCP software as malicious code. Antivirus firms now detect the presence of the software, and a few offer tools that can remove some or all of the system's functionality.

The reaction by the security community shows that media companies cannot assume they have the right to install whatever software they wish on a consumer's computer, said Ari Schwartz, associate director for the Center for Democracy and Technology, a Washington, D.C.-based technology-policy think tank.

"This incident does show companies that they can't just ignore consumer expectations and do what they want to do, no matter how justifiable it might be under the law," Schwartz said.

The impact of the Sony BMG software on corporate networks may be severe, if recent data gathered by security researcher Dan Kaminsky holds up. Kaminsky worked from a list of 9 million domain-name servers, about 3 million of which are reachable by computers outside their networks. The security researcher sent DNS requests to the 3 million systems, asking each to look up whether certain addresses used by the XCP software were in the systems' caches. He found that 568,000 DNS servers had previously been asked to look up the same domains as those used by the XCP software. Another 350,000 servers had to be thrown out of the data set because they did not obey instructions to look only in their cache, and instead asked other servers on the Internet for the information.

While other factors may increase or decrease the number, Kaminsky stressed that the experiment was about finding out the magnitude of the impact of Sony BMG's software.

"My goal is not to get absolute accuracy, but to get orders of magnitude," Kaminsky said. "As security professionals, we have different levels of response for hundreds of hosts versus hundreds of thousands of hosts.
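The technique Kaminsky describes is DNS cache snooping: send a resolver a query with the recursion-desired (RD) bit cleared, so a compliant server answers only from what it already has cached. A resolver that returns an answer anyway has recursed despite RD=0 and must be discarded, which is what the 350,000 excluded servers correspond to. The block below is an added example, not Kaminsky's tool or anything from the article: it builds raw RD=0 queries, parses the replies, and classifies a resolver from two probes. It assumes a control name that no client would ever have asked for (a random-looking label), so that any answer for it proves the server recursed; the XCP domain names themselves are not given in the article, so `TARGET_NAME` is a placeholder, and the replies are constructed in-process rather than fetched from the network.

```python
import struct

# Placeholder names (assumed, not from the article). The control name exists only to
# catch resolvers that recurse despite RD=0: nobody would have cached it legitimately.
TARGET_NAME = "example-xcp-host.invalid"
CONTROL_NAME = "k7q2z9-never-queried-probe.invalid"

def encode_name(name):
    """Wire-format a DNS name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, recursion_desired=False):
    """Build a one-question A/IN query. RD cleared means 'answer from cache only'."""
    flags = 0x0100 if recursion_desired else 0x0000      # RD is bit 8 of the flags word
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after the name field)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                          # compression pointer
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)

def parse_response(data):
    """Return header flags and the answer section as (name, type, ttl, rdata) tuples."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                    # skip the echoed question(s)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((name, rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"id": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "answers": answers}

def classify(control_reply, target_reply):
    """Classify a resolver from its replies to two RD=0 probes (control first)."""
    if parse_response(control_reply)["answers"]:
        return "discard: recursed despite RD=0"            # not answering from cache only
    if parse_response(target_reply)["answers"]:
        return "cached: target name was looked up before"  # a client behind it resolved the name
    return "not cached"

def build_reply(query, answer_ip=None, ttl=0):
    """Constructed reply for the demo: QR set, RD copied, RA set, optional single A record."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100) | 0x0080
    if answer_ip is None:
        return struct.pack(">HHHHHH", txid, rflags, qd, 0, 0, 0) + query[12:]
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in answer_ip.split("."))
    return struct.pack(">HHHHHH", txid, rflags, qd, 1, 0, 0) + query[12:] + rr

def run_demo():
    """Three simulated resolvers: compliant with the name cached, compliant without, and non-compliant."""
    q_ctl = build_query(CONTROL_NAME, 0x1001)
    q_tgt = build_query(TARGET_NAME, 0x1002)
    return {
        "compliant_cached": classify(build_reply(q_ctl), build_reply(q_tgt, "192.0.2.10", 1800)),
        "compliant_empty": classify(build_reply(q_ctl), build_reply(q_tgt)),
        "recurses_anyway": classify(build_reply(q_ctl, "192.0.2.20", 3600), build_reply(q_tgt, "192.0.2.10", 3600)),
    }

if __name__ == "__main__":
    for resolver, verdict in run_demo().items():
        print(f"{resolver}: {verdict}")
```

Against a live resolver the same bytes would be sent over UDP port 53 and the reply handed to `parse_response`; a cached record's TTL will also be counting down from the zone's original value, which is a second check a practitioner can use to confirm the answer really came from cache. Sending such probes only to resolvers you are authorized to test is the obvious caveat.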
Without a shadow of a doubt, this is a world-class pandemic."

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.