With XCP, It Can Only Get Worse for Sony
Sony has a PR disaster on their hands. After their little XCP rootkitting exploit was discovered by Dr. Mark Russinovich, who incidentally knows a whole lot more about the subject of operating systems than the entire pack of script kiddies Sony apparently hired to protect their copyrighted content, he went public with the news. In what is becoming all too typical when a large corporation tries to cover its exposed rear-end, things only seemed to go from bad to worse for Sony and its DRM (Copyright protection) vendor, First 4 Internet.
Mathew Gilliat-Smith, chief executive of First 4 Internet, who sold the XCP rootkit to Sony, said that Mr. Russinovich had problems removing XCP because he tried to do it manually, which was not a "recommended action". Instead, said Mr. Gilliat-Smith, he should have contacted Sony BMG, which gives consumers advice about how to remove the software.
Well, if Dr. Russinovich had been a mere consumer and had contacted Sony, perhaps they wouldn't look like such fools! Instead, Dr. Russinovich treated the rootkit to an intensive analysis.
As he stated in his blog, "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall." He also pointed out that the EULA (End User License Agreement) for the proprietary CD player that an XCP-protected disc requires a consumer to install makes no mention of either the hidden files or the lack of an uninstall.
Yet it gets worse. Sony is desperately contacting various providers of antivirus software to try to convince them that any identification of XCP by their software should be considered a "false positive", thus allowing their rootkit to remain on consumers' computers.
And worse. Sony's offer of "Consumer Assistance" to remove this little problem will only reveal it, not remove it. Trying to remove it manually, as Mr. Gilliat-Smith stated, is not a "recommended action". Even more than that, the fact is, trying to remove the software renders any other CD player useless.
And worse. The so-called patch provided by Sony and First 4 (called SP2) only serves two purposes: it updates the DRM and installs MediaJam. This creates a folder called MediaJam (which turns out to be empty) and MediaJam cannot be uninstalled. Attempting to do so may cause the computer to crash due to a poorly designed uninstaller.
And worse. Dr. Russinovich says, "The EULA also makes no reference to any "phone home" behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony's site and sends the site an ID associated with the CD. I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player's startup. A quick look through the trace log confirmed the user's comment: the Player does send an ID to a Sony web site. (This screenshot) shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID. In response the Sony web site reports the last time a particular file was updated. I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it's displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."
And worse. Thomas Hesse, president of Sony BMG's Global Digital Business division: "Most people, I think, don't even know what a root kit is, so why should they care about it?"
The rootkit can be used to hide cheats while playing World of Warcraft or any other online game or service that checks the systems of its users. It also allows any file to be hidden on a Windows system as long as the file is prefixed with $sys$. This means that any malicious code an antivirus or malware detector might have caught before is now capable of being hidden.
Both Sony and First 4 Internet have repeatedly changed the EULA and FAQ sections of their respective sites over the past week in order to try and cover themselves. They have also made several public announcements that the software is not a security risk. How can a company claim there's no security risk when they knew it would hide anything system-wide that started with $sys$?
First 4 Internet has also said that they have sold this technology to a number of other music labels, so playing any music CD with copyright protection may be dangerous. Quite a number of Systems Administrators are warning that playing music CDs at work may cause massive system vulnerabilities.
This one's not going away, and the legal ramifications are likely to spur court battles in several countries and deal a serious blow to music sales.
To check if this rootkit is installed on your Windows computer or the systems you are responsible for, right click on your desktop, select "New" from the menu, select "Folder" from the submenu, and name the folder $sys$test. If the folder disappears, your system is compromised.
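The same check as a script, as an added example that is not part of the original article: it creates a $sys$-prefixed folder next to a control folder and compares what a directory listing reports for each. The `lister` parameter and the verdict strings are illustrative names, and the script assumes cloaking shows up as an entry missing from enumeration.

```python
import os
import tempfile
import uuid

CLOAK_PREFIX = "$sys$"  # name prefix the article says XCP hides


def probe_cloaking(parent=None, lister=os.listdir):
    """Create a $sys$-prefixed folder and a control folder in `parent`,
    then check which of them directory enumeration reports.

    `lister` is injectable (hypothetical parameter) so the logic can be
    exercised without an infected machine.
    """
    parent = parent or tempfile.gettempdir()
    tag = uuid.uuid4().hex[:8]
    probe = f"{CLOAK_PREFIX}test-{tag}"
    control = f"ctl-test-{tag}"
    created = []
    try:
        for name in (probe, control):
            os.mkdir(os.path.join(parent, name))
            created.append(name)
        listed = set(lister(parent))
        by_path = os.path.isdir(os.path.join(parent, probe))
    finally:
        for name in created:
            try:
                os.rmdir(os.path.join(parent, name))
            except OSError:
                pass  # cleanup is best-effort
    if control not in listed:
        verdict = "inconclusive"  # enumeration itself is unreliable here
    elif probe not in listed:
        verdict = "cloaked"       # created fine, but hidden from listings
    else:
        verdict = "clean"
    return {"verdict": verdict, "probe_listed": probe in listed,
            "probe_reachable_by_path": by_path}


if __name__ == "__main__":
    print(probe_cloaking(os.path.expanduser("~")))
```

The control folder guards against a false alarm when the listing fails for an unrelated reason, such as a permissions problem in the chosen directory.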
At this point, the average user will have to wait for a solution as the "patch" from Sony may cause your computer to crash.
Now, as if rootkitted music CDs weren't a big enough problem, the First 4 web site provides the following information:
"Sony BMG's copy-protected CDs incorporate First 4 Internet's XCP2 (extended copy protection) technology. The company is the first major label to offer XCP2-protected CDs to consumers, although Sony BMG already ships some CDs using MediaMax copy protection from SunnComm. The new effort uses different technology, but with the same end result for consumers: a limited ability to copy. By the end of this year, Sony BMG says, most of its CDs sold in the United States will incorporate one of these technologies. The company is currently working on versions for DVDs and online music files, Gilliat-Smith says. Sony BMG will ship the DVD technology to U.S. movie studios for use in prerelease copies of movies by late 2005, he hopes, and will introduce a version for commercial DVDs later. He declines to say which movie studios have expressed interest in using the technology."
Sources
Ward, Mark; Sony slated over anti-piracy CD
BBC News, Thursday, November 03, 2005. Accessed Thursday, November 03, 2005.
http://news.bbc.co.uk/2/hi/technology/4400148.stm
Russinovich, Mark; Sony, Rootkits and Digital Rights Management Gone Too Far
Mark's Sysinternals Blog, Monday, October 31, 2005. Accessed Friday, November 04, 2005.
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html#113095730006659439
Russinovich, Mark; More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
Mark's Sysinternals Blog, Friday, November 04, 2005. Accessed Friday, November 04, 2005.
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
F4i XCP Aurora web site; Copyright Crackdown
Source: PCWorld.com, August 01, 2005. Accessed Saturday, November 05, 2005.
http://www.xcp-aurora.com/press_article.aspx?art=aug_05_art2
F4i XCP Aurora web site; First 4 Internet - Independent Record Labels Turn to Content Protection Technology
Source: Business Wire, August 09, 2005. Accessed Saturday, November 05, 2005.
http://www.xcp-aurora.com/press_article.aspx?art=aug_05_art3
This article was imported from zZine. (original author: 1746)