Friday, November 11, 2005

Sony Audio CD's Hack Your Computer

I've hesitated to blog about this topic; first, because it's still evolving and, second, because it can get a little technical. But I've decided to boil it down as best I can.

Since at least April, 2004, Sony CD's have had copy-protection software installed on them. The ostensible purpose of this software was to prevent people from making copies of these CD's and uploading them to file sharing programs like Limeshare, Grokster, and others. So far, so good. I don't think anyone is going to argue that Sony doesn't have some vested interested in protecting it's intellectual property. The problem is the way that it's been implemented.

The software that Sony used is from a company called First 4 Internet (I'm not including any links to this company or even Sony; as will become obvious as you read more, both of these companies have engaged in some highly unethical actions - I don't even trust browsing their websites.)

First 4 Internet makes a product called XCP copy protection. This program uses what we in the industry call "rootkits." Rootkit is a generic term for programs most commonly used by hackers to hide the fact that they've broken into your machine.

F4I uses their rootkit to hide the $sys$aries driver that's Sony's CD installs on your computer. This is what controls how many copies you can make of the CD you bought. The reason for hiding the $sys$aries (and related) drivers is to prevent you from uninstalling their software. Ever. So you can look at directories, run REGEDIT, even scan for it with your anti-virus program - it won't be found. It's hidden.

Well, so what? you may ask. The problem with this software is that any low-level hacker anywhere in the world can name their virus $sys$ whatever and it's hidden. It can't be found and, since it can't be found, it can't be removed.

Here in the IT security world, we've been howling about this for a week. Primarily because we view it as unethical, but also because of the inherent security risks associated with this dangerous program. And now virus writers have taken advantage of this software and are releasing viruses that use Sony's root kit to hide from your anti-virus program. Security pros have identified at least three that use this crap to hide from your anti-virus program and if we can see three, then there's at least ten times the number in the wild - we just haven't found them yet.

You can read about them at:

Trojans exploit Sony's copy-protection software

Computer worm exploits software on Sony's CDs

Viruses exploit Sony CD copy-protection scheme

Even when this software is working perfectly normally, it's dangerous. Reasearch has shown that this program tracks what CD's your listening to, what type of operating system you have, what browser your using and other info. This is stealthily reported back to Sony. The software is virtually impossible to uninstall. User's who've attempted to manually remove the software have lost all use of their CD drives - the drives disappear and Windows can't find it. Other users have had their machines crash and found it impossible to boot them back up again.

For more info on this dangerous software, see:

Sony Ships Sneaky DRM Software

Sony CD protection sparks spyware row

Is SonyBMG spreading malware?

Sony CD protection sparks spyware row

If you're a geek and want the ugly, technical details, read:

Sony, Rootkits and Digital Rights Management Gone Too Far

More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sony: You don’t reeeeaaaally want to uninstall, do you?

Sony has argued that by accepting their "EULA" (End User Licence Agreement) you're agreeing to all this intrusive BS. The Electronic Freedom Foundation has analyzed Sony's EULA and you'd be surprised what your agreeing to by installing this Spyware:

  1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
  2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
  3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
  4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
  5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
  6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
  7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
  8. You have no right to transfer the music on your computer. Even if you own the original CD.
  9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.
The bottomline is to avoid this software at all costs. I'm a huge fan of Sony electronics, but I couldn't be more worried about their audio CD's. This stuff is dangerous and, with the hundreds of thousands of these CD's already in circulation, it's going to continue to be dangerous for many years. A search of Amazon's website reveals more than 24,000 CD's identified as being from Sony and having copy protected software loaded on them. For a sample, read the user ratings of Van Zant's "Get Right with the Man." I feel sorry for any artist associated with this mess.

Well, there's more, but that's enough for now. Read the links I've listed above and make up your own minds. Personally, I'm still going to buy Sony's electronic products, which are excellent - but I'm definately going to avoid any Sony audio cd's for a long, long, long, long, time.

No comments: