Sony Orders Recall on XCP Protected CDs
November 16, 2005
Thomas Mennecke
If ever there were an exception to the adage "there's no such thing as bad publicity", the Sony-BMG circumstance would be it. All things considered, it's probably been the worst two weeks for any major corporation since the Enron scandal. As most know by now, Sony-BMG was called out for placing a rootkit on customers' machines. The purpose of this rootkit was to hide the existence of the third-party protection scheme known as XCP, or Extended Copy Protection. Today, Sony-BMG announced they have recalled their XCP product. Let’s take a look at events leading up to this.

October 31, 2005 - Mark Russinovich, one of the writers of and considered an expert on the Windows operating system, discovers evidence of a rootkit on his computer. After an extensive investigation, he discovers his Sony-BMG CD by the Van Zant brothers, Get Right with the Man, had installed the suspected rootkit on his machine.

The rootkit cloaks the XCP copy protection scheme created by First4Internet. This discovery causes outrage for several reasons: Sony-BMG did not disclose the existence of the product, the product is clandestine in nature, and attempting to remove the rootkit causes damage. In addition, it was revealed the Sony-BMG media player "phones home" with information. Although the information appears harmless, it is not mentioned in the End User Licensing Agreement.

November 2, 2005 - After harsh criticism, Sony-BMG agrees to offer information on how to remove the rootkit software. Sony-BMG releases the following statement on the issue:

"This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

The above-mentioned technique is provided in two different ways: a web-based patch and a downloadable file. The first, web-based method is buried in the FAQ section of Sony-BMG's website, and requires a dizzying amount of patience. The individual must first find the removal section, fill out a form, receive a confirmation email, fill out another form, and then receive instructions on its removal. Potentially, this could take days.

Another technique is to head over to Sony-BMG's software update section and download a mysterious patch. Yet the patch does not uninstall the DRM software. Rather, it only decloaks and replaces the rootkit DRM with non-rootkit DRM.

Sony-BMG is further criticized for making the removal technique confusing, difficult and near-impossible to obtain. In addition, the patches are criticized for being technologically incompetent.

November 4, 2005 - Computer Associates identifies Sony-BMG's rootkit as spyware and a trojan.

"The following are the Spyware Encyclopedia pages for the pests which relate to Sony BMG's rootkit-based Digital Rights Management software, which is being distributed on audio CDs. These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality. They also launch Music Player, which is a media player that phones home to Sony BMG, sending information which could be used to compile profiles of the CDs played on a given computer."

Computer Associates offers a patch that removes the rootkit DRM trojan.

November 7, 2005 - Despite mounting criticism of Sony-BMG's rootkit DRM, the company continues to defend its position.

Thomas Hesse, president of Sony-BMG's Global Digital Business, tells NPR News that "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

If you thought people were angry at this point, the arrogance displayed by Sony-BMG only adds fuel to the fire.

November 8 & 9, 2005 - Public relations issues turn into possible legal concerns for Sony-BMG. An Italian group called ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) files a complaint with Italy's cyber-crime unit. If the Italian investigation finds that a crime has been committed, criminal charges may be brought against Sony-BMG.

In the United States, a nation-wide class action lawsuit was filed against Sony-BMG. This is in addition to the California-wide class action suit filed on November 1st. Both lawsuits call for Sony-BMG to discontinue their copy protection scheme and compensate affected consumers.

Symantec is more considerate to Sony-BMG than Computer Associates. Although their anti-virus software will identify the rootkit, it will not uninstall it. Rather, it points to the convoluted instructions on Sony-BMG's homepage.

"We're trying to reinforce here that we're not talking about a virus, or malicious code, we're talking about technology that could be misused," Symantec Senior Director Vincent Weafer said to "We're trying to work co-operatively."

November 10, 2005 - Although Sony-BMG and First4Internet both claim there is no security danger with their rootkit DRM, the first viruses that exploit these cloaked files begin to appear.

According to anti-virus firm Sophos, the "Stinx-E" trojan hides itself as \System\$sys$drv.exe. Since Sony-BMG and First4Internet cloaked all files beginning with "$sys$" and the simplistic virus's file name begins with "$sys$", there is no way for any anti-virus or spyware program to locate the intrusion.

November 11, 2005 - Still unapologetic, Sony-BMG announces they will halt production of all CDs that contain XCP technology.

"We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at:"

November 11, 2005 - Criticism continues to mount. This time, it comes from the United States Government. During an event hosted by the US Chamber of Commerce, Stewart Baker, assistant secretary for policy of Homeland Security, landed Sony-BMG a gut shot.

"It's very important to remember that it's your intellectual property- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

November 15, 2005 - A critical flaw is discovered in Sony-BMG/First4Internet's web-based rootkit removal tool. The web-based patch uses an ActiveX control called CodeSupport. The ActiveX control receives commands from the Sony-BMG website to uninstall the rootkit software. That in and of itself is acceptable; however, CodeSupport is poorly written. Once you leave the Sony-BMG website, CodeSupport remains on the infected customer's machine. Compounding the issue is that CodeSupport can receive instructions from any website. When CodeSupport was written, no security measures were put in place to only accept commands from the Sony-BMG website.

This means that any website can be established to give malicious commands to CodeSupport. The malicious website can command CodeSupport to do virtually anything, including the takeover of the customer's computer. This remains an extremely serious security issue whose implications are not yet known. The blog of Princeton University professor Ed Felten and grad student Alex Halderman has detailed information on the safe removal of the rootkit.

It is believed the executable version (aka download version) of the Sony-BMG patch is safe. In response, Sony-BMG discontinues distribution of the web-based patch.
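
The missing check in CodeSupport described above, modelled as an added example (not code from Sony-BMG, First4Internet or the original article): a command dispatcher that never examines the calling page, beside one that requires an exact origin match. The origin `https://updates.vendor.example`, the `uninstall` handler, the sample caller URLs and all function names are assumptions made for illustration.

```javascript
// Added illustration; not Sony-BMG's or First4Internet's code.
// Assumed names: TRUSTED_ORIGINS, isTrustedCaller, dispatch*, vendor.example.
const TRUSTED_ORIGINS = new Set(["https://updates.vendor.example"]);

// Commands the control exposes (constructed; the article names only uninstall).
const HANDLERS = new Map([["uninstall", () => "uninstall-started"]]);

// True only for an exact scheme + host + port match with a trusted origin.
function isTrustedCaller(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false; // unparsable caller URL: refuse
  }
  // url.origin lower-cases the host, drops default ports, userinfo and path,
  // so prefix or userinfo look-alikes of the trusted host never match.
  return TRUSTED_ORIGINS.has(url.origin);
}

// Behaviour the article describes: the calling page is never examined.
function dispatchUnchecked(pageUrl, command) {
  const handler = HANDLERS.get(command);
  return handler ? handler() : "unknown-command";
}

// Hardened: refuse before looking at the command unless the origin matches.
function dispatchChecked(pageUrl, command) {
  if (!isTrustedCaller(pageUrl)) return "refused";
  const handler = HANDLERS.get(command);
  return handler ? handler() : "unknown-command";
}

// Constructed caller URLs, one per case worth checking.
const SAMPLE_CALLERS = [
  "https://updates.vendor.example/removal.html",   // trusted
  "https://UPDATES.vendor.example:443/removal",    // trusted after normalisation
  "http://updates.vendor.example/removal.html",    // wrong scheme
  "https://updates.vendor.example.other.test/",    // trusted name as a prefix
  "https://updates.vendor.example@other.test/",    // trusted name as userinfo
  "not a url",                                     // unparsable
];

function auditSamples() {
  return SAMPLE_CALLERS.map((u) => dispatchChecked(u, "uninstall"));
}

console.log(auditSamples());
```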

November 16, 2005 - After two weeks, the fiasco is finally over. In a press release, Sony-BMG has announced a recall of all XCP CDs, asking stores currently selling the defective merchandise to remove such products from their shelves. In addition, Sony-BMG will exchange any crippled CD with a CD free of copy protection technology at no charge.

Sony-BMG also resolved the issue of obscurity: in large capital letters, “INFORMATION ON XCP COPY PROTECTION” is featured on the bottom of the homepage. The link provides information on the subject and promises to “…shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.”

It took Sony-BMG 16 days after discovery to resolve this situation. In that amount of time, the visibility of copy protection content has been launched into the mainstream. While it’s true that many people were not familiar with rootkits, as Sony-BMG president Thomas Hesse said, just one week later it’s virtually inescapable knowledge.
