Sony Orders Recall on XCP Protected CDs

Postby SlyckTom » Wed Nov 16, 2005 2:15 pm

If ever there were an exception to the adage "there's no such thing as bad publicity", the Sony-BMG circumstance would be it. All things considered, it's probably been the worst two weeks for any major corporation since the Enron scandal. As most know by now, Sony-BMG was called out for placing a rootkit on customers' machines. The purpose of this rootkit was to hide the existence of the third party protection scheme known as XCP, or Extended Copy Protection. Today, Sony-BMG announced they have recalled their XCP product. Let’s take a look at events leading up to this.

<b>October 31, 2005</b> - Mark Russinovich, one of the writers of <a href= target=_blank></a> and considered an expert on the Windows operating system, discovers evidence of a rootkit on his computer. After an extensive investigation, he discovers his Sony-BMG CD by the Van Zant brothers, <i>Get Right with the Man</i>, had installed the suspected rootkit on his machine.

The rootkit cloaks the XCP copy protection scheme created by First4Internet. This discovery causes an outrage for several reasons; namely Sony-BMG did not disclose the existence of the product, the clandestine nature of the product, and the damage caused if one attempted to remove the rootkit. In addition, it was revealed the Sony-BMG media player "phones home" with information. Although the information appears harmless, it is not mentioned in the End User Licensing Agreement.

<b>November 2, 2005</b> - After harsh criticism, Sony-BMG agrees to offer information on how to remove the rootkit software. Sony-BMG releases the following statement on the issue:

<i>"This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."</i>

The above-mentioned technique is provided in two different ways - a web based patch and a downloadable file. The first web based method is buried in the FAQ section of Sony-BMG's website, and requires a dizzying amount of patience. The individual must first find the removal section, fill out a form, receive a confirmation email, fill out another form, and then receive instructions on its removal. Potentially, this could take days.

Another technique is to head over to Sony-BMG's software update section and download a mysterious patch. Yet the patch does not uninstall the DRM software. Rather, it only decloaks and replaces the rootkit DRM with non-rootkit DRM.

Sony-BMG is further criticized for making the removal technique confusing, difficult and near-impossible to obtain. In addition, the patches are criticized for being <a href= target=_blank>technologically incompetent</a>.

<b>November 4, 2005</b> - <a href= target=_blank>Computer Associates</a> identifies Sony-BMG's rootkit as spyware and a trojan.

"The following are the Spyware Encyclopedia pages for the pests which relate to Sony BMG's rootkit-based Digital Rights Management software, which is being distributed on audio CDs. These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality. They also launch Music Player, which is a media player that phones home to Sony BMG, sending information which could be used to compile profiles of the CDs played on a given computer."

Computer Associates offers a patch that removes the rootkit DRM trojan.

<b>November 7, 2005</b> - Despite mounting criticism of Sony-BMG's rootkit DRM, the company continues to <a href= target=_blank>defend</a> its position.

Thomas Hesse, president of Sony-BMG's Global Digital Business, tells <a href= target=_blank>NPR News</a> that "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

If you thought people were angry at this point, the arrogance displayed by Sony-BMG only adds fuel to the fire.

<b>November 8 & 9, 2005</b> - Public relations issues turn into possible legal concerns for Sony-BMG. An Italian group called ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) files a <a href= target=_blank>complaint</a> with Italy's cyber-crime unit. If the Italian investigation finds a crime has been committed, criminal charges may be brought against Sony-BMG.

In the United States, a <a href= target=_blank>nation-wide</a> class action lawsuit was filed against Sony-BMG. This is in addition to the California-wide class action suit filed on November 1st. Both lawsuits call for Sony-BMG to discontinue their copy protection scheme and compensate affected consumers.

Symantec is more considerate to Sony-BMG than Computer Associates. Although their anti-virus software will identify the rootkit, it will not uninstall it. Rather, it points to the convoluted instructions on Sony-BMG's homepage.

"We're trying to reinforce here that we're not talking about a virus, or malicious code, we're talking about technology that could be misused," Symantec Senior Director Vincent Weafer said to <a href= target=_blank></a>. "We're trying to work co-operatively."

<b>November 10, 2005</b> - Although Sony-BMG and First4Internet both claim there is no security danger with their rootkit DRM, the <a href= target=_blank>first viruses</a> that exploit these cloaked files begin to appear.

According to anti-virus firm <a href= target=_blank>Sophos</a>, the "Stinx-E" trojan hides itself to \System\$sys$drv.exe. Since Sony-BMG and First4Internet cloaked all files beginning with "$sys$" and the simplistic virus' name begins with "$sys$", there is no way for any anti-virus or spyware program to locate the intrusion.

<b>November 11, 2005</b> - Still unapologetic, Sony-BMG <a href= target=_blank>announces</a> they will halt production of all CDs that contain XCP technology.

"We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at:"

<b>November 11, 2005</b> - Criticism continues to mount. This time, it comes from the <a href= target=_blank>United States Government</a>. During an event hosted by the US Chamber of Commerce, Stewart Baker, assistant secretary for policy of Homeland Security, landed Sony-BMG a gut shot.

"It's very important to remember that it's your intellectual property- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

<b>November 15, 2005</b> - A critical flaw is discovered in Sony-BMG/First4Internet's web based rootkit removal tool. The web based patch uses an Active X control called CodeSupport. The Active X control receives commands from the Sony-BMG website to uninstall the rootkit software. That in and of itself is ok, however CodeSupport is poorly written. Once you leave the Sony-BMG website, CodeSupport remains on the infected customer's machine. Compounding the issue is that CodeSupport can receive instructions from any website. When CodeSupport was written, no security measures were put in place to only accept commands from the Sony-BMG website.

This means that any website can be established to give malicious commands to CodeSupport. The malicious website can command CodeSupport to do virtually anything, including the takeover of the customer's computer. This remains an extreme security issue whose implications are not yet known. Princeton University professor Ed Felten and grad student Alex Halderman's <a href= target=_blank>blog page</a> has detailed information on the safe removal of the rootkit.

It is believed the executable version (aka download version) of the Sony-BMG patch is safe. In response, Sony-BMG discontinues distribution of the web-based patch.

<b>November 16, 2005</b> - After two weeks, the fiasco is finally over. In a <a href= target=_blank>press release</a>, Sony-BMG has announced a recall of all XCP CDs from stores currently selling the defective merchandise and to remove such products from their shelves. In addition, Sony-BMG will exchange any crippled CD with a CD free of copy protection technology at no charge.

Sony-BMG also resolved the issue of obscurity, as in large capital letters; “INFORMATION ON XCP COPY PROTECTION” is featured on the bottom of the homepage. The link provides information on the subject and promises to “…shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.”

It took Sony-BMG 16 days after discovery to resolve this situation. In that amount of time, the visibility of copy protection content has been launched into the mainstream. While it’s true that many people were not familiar with rootkits as Sony-BMG president Thomas Hesse said, just one week later it’s virtually inescapable knowledge.
Posts: 5713
Joined: Fri Jul 26, 2002 7:22 pm
Location: New York City
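
An added example, not part of the original post: the November 10 entry says anything named with the "$sys$" prefix is hidden from tools running on the cloaked system, so a defender has to compare that view with a listing taken outside it (for example from boot media). The listings and all paths except \System\$sys$drv.exe are constructed, the function names are hypothetical, and checking directory names as well as file names is an assumption beyond the article's wording.

```python
from pathlib import PureWindowsPath

CLOAK_PREFIX = "$sys$"  # name prefix the article says XCP hides

# Constructed listing as seen through the running, cloaked OS.
LIVE_VIEW = r"""
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System\readme.txt
C:\Music\track01.mp3
"""

# Constructed listing of the same volume read offline (e.g. from boot media).
OFFLINE_VIEW = r"""
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System\readme.txt
C:\WINDOWS\System\$sys$drv.exe
C:\WINDOWS\$SYS$example\payload.dat
C:\WINDOWS\Temp\other_hidden.bin
c:/music/track01.mp3
"""


def normalize(listing):
    """Lower-case paths and unify separators; Windows names are case-insensitive."""
    return {str(PureWindowsPath(line.strip())).lower()
            for line in listing.splitlines() if line.strip()}


def has_cloak_prefix(path):
    """True if any path component starts with the cloaked prefix."""
    return any(part.startswith(CLOAK_PREFIX)
               for part in PureWindowsPath(path.lower()).parts)


def scan_for_prefix(listing):
    """What a scanner sees if it only searches the listing it is given."""
    return sorted(p for p in normalize(listing) if has_cloak_prefix(p))


def cross_view(live, offline):
    """Report paths present offline but missing from the live view."""
    hidden = normalize(offline) - normalize(live)
    report = {"cloaked_prefix": [], "hidden_other": []}
    for path in sorted(hidden):
        bucket = "cloaked_prefix" if has_cloak_prefix(path) else "hidden_other"
        report[bucket].append(path)
    return report


if __name__ == "__main__":
    print("prefix scan inside cloaked OS:", scan_for_prefix(LIVE_VIEW))
    for bucket, paths in cross_view(LIVE_VIEW, OFFLINE_VIEW).items():
        for path in paths:
            print(bucket, path)
```

The "hidden_other" bucket matters because a file can be missing from the live view for reasons other than this prefix, and those still need review.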

Postby Repzak » Wed Nov 16, 2005 2:37 pm

Great article, and great news!

I wouldn't say knowing about rootkits is inescapable at this point - I'm pretty sure my parents wouldn't have a clue what it is - but it's certainly been brought into the mainstream somewhat.
Posts: 381
Joined: Sat Oct 01, 2005 9:34 am

Postby Doobie » Wed Nov 16, 2005 2:43 pm

Sony's use of a rootkit on your PC is one thing. Sony's Blu-Ray is far more sinister. But, with Blu-Ray, you can't blame Sony because you knew "they" owned it before you "bought" it.
Posts: 417
Joined: Sat Jul 27, 2002 1:55 am

Postby Widdle » Wed Nov 16, 2005 2:49 pm

Blu-Ray and any other standard that Sony champions will not succeed. The simple reason being that they don't understand that in order to get a format going, you cannot hold a strangle-hold on it. They have been screwing this point up for YEARS. They never win, and they never change their strategy. They are idiots. On top of that, they allow their various business units to influence their other units, creating products that don't function as well as other companies' products just because they also happen to own a media company.

They just plain suck at this stuff.
Posts: 523
Joined: Tue May 31, 2005 10:17 am
Location: Sherwood Forest

Broader Impact

Postby scorcher14 » Wed Nov 16, 2005 3:03 pm

Great summary of how Sony got busted. I have to point out that Sony has not only tainted their own reputation (severely I might add -- would you buy a Vaio laptop now considering that something like the rootkit DRM might be pre-installed?) but they have also caused damage to emerging digital distribution networks across the industry. In the mind of the consumer, the idea has been firmly planted that DRM AND COMPUTER VIRUSES ARE THE SAME THING. Any company that launches a product or service that includes any form of rights management will now be suspect as a security risk.
Posts: 1
Joined: Wed Nov 16, 2005 2:55 pm

It even gets better :)

Postby takeda » Wed Nov 16, 2005 3:30 pm

It even gets better: ... rt-II.html

Looks like the code has some LGPL licensed code in it (LAME encoder). That was already proved. The only thing left is to figure out if it breaks the license (LGPL is less restrictive than GPL)
Tired of Internet Explorer? Try Opera
Posts: 134
Joined: Mon Aug 18, 2003 9:56 pm

Postby webe3 » Wed Nov 16, 2005 4:05 pm

This is GOLDEN...

"After two weeks, the fiasco is finally over. In a press release, Sony-BMG has announced a recall of all XCP CDs from stores currently selling the defective merchandise and to remove such products from their shelves. In addition, Sony-BMG will exchange any crippled CD with a CD free of copy protection technology at no charge. "

LOL! They did all of this to provide very STRONG protection for their CDs that they have angered the public....they are eating crow and offering to give out NON-DRM CDs!!! That is just too funny. I guess they really did get hit hard. They deserved it, with the attitude they had toward it.

Maybe NOW is a good time for all the other companies looking to try and pull this stunt to look to Sony and see what happened to THEM. And they are a huge company, if THEY are held accountable, then ANY COMPANY that tries this should be held accountable also. No Exceptions.

Maybe now companies will realize there has been a LINE DRAWN when it comes to malicious DRM.
Posts: 756
Joined: Sat Jul 27, 2002 2:01 pm

Postby OhMyGod » Wed Nov 16, 2005 4:54 pm

The only way to play an XCP DRM Protected Sony BMG music CD on a computer is through Music Player, a media player provided on the CD. Other players will not recognize the CD as an audio CD, and will instead try to open the files on it as a data CD. When launched from the CD, Music Player sends information back to Sony BMG, indicating which album is being played.
from ... =453096364

Who would want to buy a CD that they couldn't play on Windows Media Player, WinAmp, Quicktime, VLC, JetAudio, etc....

I like to choose which media player to play a music file on myself.

Sony's image is completely destroyed by this root-kit, I will never buy another Sony or BMG Music product again!

Even if they don't get in trouble for this root-kit, they have lost a lot of customers. But I hope that they will hang for this and set an example for anyone who wants to add secret root-kit spyware to their products.

Thanks. :D
Posts: 245
Joined: Mon Nov 22, 2004 4:39 pm

What DRM??

Postby falcon788 » Wed Nov 16, 2005 5:05 pm

I had a CD with the Sony protection software on it. It was from a group called Our Lady Peace, and I bought it when it came out Aug 30th. The DRM installed I'm sure, but that was before anyone knew about it. I have since reinstalled Windows for other reasons, but I don't get it. They went through all that trouble to make and release this DRM and I was still able to get protection free mp3s from the CD (although it did take a while longer than it usually does).
Posts: 1
Joined: Wed Nov 16, 2005 5:00 pm

Postby curzlgt » Wed Nov 16, 2005 5:54 pm

Thanks! Great Sum up SlyckTom.

Perhaps this fiasco is not over yet......
“The music business is a cruel and shallow money trench, a long, plastic hallway where thieves and pimps run free, and good men die like dogs. There's also a negative side,” - Hunter S Thompson
Posts: 3923
Joined: Fri Jul 29, 2005 1:17 am
Location: Land of the tall corn

Postby DBG » Wed Nov 16, 2005 6:22 pm

Well as disappointing as this is to see, it's not going to affect me when buying audio CDs or other products from Sony. I never buy copy protected CDs, and will continue to avoid them. I understand how others could be more offended by the actions of Sony, but it just comes off as a bad corporate move to me. They will no less be paying for this for years to come, and I only hope it has gone to alert all media regarding what people will and won't stand for.
Posts: 36
Joined: Fri Feb 11, 2005 10:15 pm


Postby jt3204 » Wed Nov 16, 2005 6:53 pm

I'm glad that this has been found. I didn't want to go out and buy a PS3 next year and Sony having the same kind of thing on it and knowing what games I'm playing after I go online! :wink:
But I don't think they'd try that now.
Posts: 1
Joined: Wed Nov 16, 2005 6:45 pm

Postby zbeast » Wed Nov 16, 2005 7:50 pm

Think about this one.
unlike file trading. the recall of those CD's are going to be real cash losses on Sony's books.
Posts: 6783
Joined: Thu Apr 01, 2004 5:20 pm
Location: Behind that itch. yes, that one right there.

Postby Memnoch » Wed Nov 16, 2005 8:27 pm

Weren't there also problems with the ActiveX thing you had to download?? I remember reading somewhere people being able to force your computer to restart when you simply visit a site and they were working on other exploits...

Posts: 39
Joined: Wed Sep 29, 2004 1:54 pm

Postby takeda » Wed Nov 16, 2005 8:44 pm

Mark Russinovich opened Pandora's Box for Sony, no doubt :)
Tired of Internet Explorer? Try Opera
Posts: 134
Joined: Mon Aug 18, 2003 9:56 pm

Postby Exothermicus » Wed Nov 16, 2005 9:36 pm

Now we need to investigate this PS3 game console patent pertaining to a way to lock games to a specific console to prevent the sale of used games. We need to defend our right to buy and sell used (royalty free) media.

The same goes for PC games that require key association for online game play. There is not a fool proof way to know a player is using pirate media, unless you catch multiple people using the same game / key pair at the same time.

Remember the consumer is always right.

Posts: 587
Joined: Sun Jun 29, 2003 3:04 pm

Postby takeda » Wed Nov 16, 2005 10:02 pm

While I agree that this is bad. I doubt we have any chance with this. I think the only option is to fight by refusing to buy such products. It's their right to put whatever protections they think are necessary in their OWN products.

The difference between what you wrote and that DRM rootkit is that they installed their code on users computers without user knowledge, without any way to remove it. Also it gave them potential to spy on people and know what they're listening currently.

I don't think they (sony) should be treated any differently than people who write viruses or trojans,but of course I doubt anyone from sony will go to jail. This just shows that some are above the law, and that's not right.
Tired of Internet Explorer? Try Opera
Posts: 134
Joined: Mon Aug 18, 2003 9:56 pm

Postby AussieMatt » Wed Nov 16, 2005 11:42 pm

Another Event to add to the Article Tom

The United States Computer Emergency Readiness Team (US-CERT) part of the Department of Homeland Security has issued an Alert about Sony XCP DRM software

First 4 Internet XCP DRM Vulnerabilities
added November 15, 2005 | updated November 16, 2005

US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed by some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique can pose a security threat, as malware can take advantage of the ability to hide files. We are aware of malware that is currently using this technique to hide.

One of the uninstallation options provided by Sony also introduces vulnerabilities to a system. Upon submitting a request to uninstall the DRM software, the user will receive via email a link to a Sony BMG web page. This page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked "Safe for scripting," which means that any web page can utilize the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code.

More information about this vulnerability can be found in the following US-CERT Vulnerability Note:

* VU#312073 - First 4 Internet XCP "Software Updater Control" ActiveX control incorrectly marked "safe for scripting"

US-CERT recommends the following ways to help prevent the installation of this type of rootkit:

* Do not run your system with administrative privileges. Without administrative privileges, the XCP DRM software will not install.
* Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD.
* Read the EULA (End User License Agreement) if you do decide to install software. This document can contain information about what the software may do. ... tml#xcpdrm

Posts: 1044
Joined: Wed Mar 03, 2004 10:03 am
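
An added example, not part of the post above or of the US-CERT alert it quotes: one way to audit a machine for ActiveX controls that are marked "safe for scripting" and have no Internet Explorer kill bit set, working from the text of a registry export so it runs offline. The sample export, its placeholder CLSIDs and the function names are constructed for illustration; the real CLSID of the control is not given on this page, and the kill bit is the general Windows mechanism, not a step the alert prescribes.

```python
import re

# COM category ID that marks a control "safe for scripting" (usable by any page).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4F27}"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops Internet Explorer loading a control
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

GUID = r"\{[0-9A-Fa-f-]{36}\}"
CLSID_RE = re.compile(r"\\CLSID\\(" + GUID + r")(?:\\(.+))?$", re.I)
COMPAT_RE = re.compile(r"\\ActiveX Compatibility\\(" + GUID + r")$", re.I)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample in .reg export format. All CLSIDs are placeholders.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="CodeSupport (placeholder CLSID)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4F27}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Constructed control with kill bit"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c4f27}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Constructed control, not marked safe"
"""


def exposed_controls(reg_text):
    """Return [(clsid, name)] for controls marked safe for scripting with no kill bit."""
    controls = {}

    def entry(clsid):
        return controls.setdefault(
            clsid.upper(), {"name": "", "safe": False, "flags": 0})

    current, section = None, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key, current, section = line[1:-1], None, None
            clsid, compat = CLSID_RE.search(key), COMPAT_RE.search(key)
            if clsid:
                current = entry(clsid.group(1))
                sub = (clsid.group(2) or "").upper()
                section = "clsid" if not sub else None
                if sub == "IMPLEMENTED CATEGORIES\\" + CATID_SAFE_FOR_SCRIPTING:
                    current["safe"] = True
            elif compat:
                current, section = entry(compat.group(1)), "compat"
        elif section == "clsid" and line.startswith('@="'):
            current["name"] = line[3:-1]          # default value = display name
        elif section == "compat" and FLAGS_RE.match(line):
            current["flags"] = int(FLAGS_RE.match(line).group(1), 16)
    return sorted((clsid, info["name"]) for clsid, info in controls.items()
                  if info["safe"] and not info["flags"] & KILL_BIT)


def killbit_reg(clsid):
    """Build the .reg fragment that sets the kill bit for one CLSID."""
    return '[%s\\%s]\n"Compatibility Flags"=dword:%08x\n' % (COMPAT_KEY, clsid, KILL_BIT)


if __name__ == "__main__":
    for clsid, name in exposed_controls(SAMPLE_REG):
        print("scriptable by any page, no kill bit:", clsid, name)
        print(killbit_reg(clsid))
```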

Postby Christopher » Thu Nov 17, 2005 2:13 am

Maybe the government will finally get off their asses and realize that DRM=bad, very, infinitely bad.

DRM like this is not to keep pirates from being able to copy music CD's, it is to lock customers as hostages to Sony and other music manufacturers so that you have to buy and use their software and products or your purchases won't work.
I am just waiting for some kind of DRM that not only tells you that you can't have a DVD or CD Burner in your computer, but also tells you that you CAN have a CD or DVD burner, it just has to be the brand of the person who made the copy protection. :roll: :twisted:

I wouldn't put it past these people, not one bit.
I am not as stupid or naive as people would like to believe I am.
Posts: 829
Joined: Sun Mar 27, 2005 9:43 am

Postby takeda » Thu Nov 17, 2005 2:44 am

I think the biggest problem is when stuff like DRM will be integrated into hardware.

I think best thing is to let other people know about it, I'm sure that only small part of people wouldn't mind this. Companies such as microsoft are lying that it will solve such problems as hacking, viruses, spyware, spam and cure cancer (ok, I made up the last one, but I hope you see my point).

If people will hear that it will solve all their problems (which is not true), they will buy computers with it. The truth about TCPA (I guess they renamed it again) is that will implement something like Sony's DRM, but on hardware level. It will be really hard (perhaps impossible for regular users) to remove it.
Tired of Internet Explorer? Try Opera
Posts: 134
Joined: Mon Aug 18, 2003 9:56 pm


Postby captainrondj » Thu Nov 17, 2005 3:41 am

Great article, Sony finally realizes that the public does have a say. They will not rebound from this very easily as many people I have spoken with who trusted Sony products have decided to go other routes. Me? Heck I don't buy CD's anyway lol :P
"Chaos Inc. Enriching life through madness!!!
Posts: 19
Joined: Sun Nov 06, 2005 10:27 am
Location: Longview,WA

Postby Wolffi » Thu Nov 17, 2005 7:13 am

It would seem the DRM contains some GPL code from the VLC-project, written by none other than Jon Johansen.

The party just keeps on going. In addition to above mentioned LAME code found here, it appears there's GPL code as well. I'm not a lawyer, but this could be a DMCA/EUCD violation too? The code in question is VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM. The control flow is the same, the constants are equal, the two magic arrays are equivalent as well. This includes the p_secret2 string which is rot13'd Apple copyright string.

Jons Blog entry about it.
Posts: 41
Joined: Wed May 04, 2005 1:19 pm

Postby SlyckTom » Thu Nov 17, 2005 9:29 am

Another Event to add to the Article Tom

Definitely! Added November 15 event...
Posts: 5713
Joined: Fri Jul 26, 2002 7:22 pm
Location: New York City

Postby ashton » Thu Nov 17, 2005 9:53 am

Does this include Macs or can you just not play their BS CD's on a Mac? I hate sony products anyway, they need to get out of the computer business and after this perhaps the Music business. Sad.... :evil:
"There is a very thin line between genius and madness"
Posts: 290
Joined: Thu Nov 20, 2003 5:22 pm
Location: New York City

Postby DBG » Fri Nov 18, 2005 10:53 pm

Exothermicus wrote: Now we need to investigate this PS3 game console patent pertaining to a way to lock games to a specific console to prevent the sale of used games. We need to defend our right to buy and sell used (royalty free) media.

The same goes for PC games that require key association for online game play. There is not a fool proof way to know a player is using pirate media, unless you catch multiple people using the same game / key pair at the same time.

Remember the consumer is always right.


Please don't try to make trouble where there isn't any. First off, the patent in question was taken out before the PS2. Sony is a large company that has lots of divisions that would be interested in copy-protection (hopefully some method smarter than their last). Not only that but the PSP could have had all of their games region coded (as their movies), but Sony decided against it. To top all of that off, Sony has already announced publicly that said patent will not be made use of in the PS3. I'm sorry if this post seems aggressive, but there is already enough bad stuff happening that is confirmed to be real, there is no need to pick up on rumours and run with them. I am not going to get into the other crazy things you said. Companies have the right to protect their product, and online key checking is a great way to do that. I am all for protection, as long as it doesn't cause problems for legit users (which is why Sony's last effort was a flop; you cannot unleash something that is harmful to everyone, just to protect your investment).
Posts: 36
Joined: Fri Feb 11, 2005 10:15 pm

