Spyware On Some Sony CDs


MrsSpringsteen

By Hiawatha Bray, Boston Globe Staff November 8, 2005

Sony is spying on thousands of listeners who buy and play its music CDs on their computers, a leading computer security firm said yesterday.

Computer Associates International Inc. said that new anticopying software Sony is using to discourage pirating of its music also secretly collects information from any computer that plays the discs.

One of the world's largest software and information technology companies, Computer Associates is the latest to wade into the growing controversy over Sony's efforts to curb theft and illegal pirating of its music.

The software works only on computers running Microsoft Corp.'s Windows operating system. It limits listeners' ability to copy the music onto their computers, and locks copied files so they cannot be freely distributed over the Internet.

But Computer Associates said the antipirating software also secretly communicates with Sony over the Internet when listeners play the discs on computers that have an Internet connection. The software uses this connection to transmit the name of the CD being played to an office of Sony's music division in Cary, N.C. The software also transmits the IP address of the listener's computer, Computer Associates said, but not the name of the listener. But Sony can still use the data to create a profile of a listener's music collection, according to Computer Associates.

"This is in effect 'phone home' technology, whether its intent is to capture such data or not," said Sam Curry, vice president of Computer Associates' eTrust Security Management unit.

"If you choose to let people know what you're listening to, that's your business. If they do it without your permission, it's an invasion of privacy."

Sony and the British firm that wrote the antipirating code for the music company flatly denied the software snoops on listeners.

"We don't receive any spyware information, any consumer information," said Mathew Gilliat-Smith, chief executive of First 4 Internet Ltd., which makes the software for Sony BMG Music Entertainment.

So far, Sony BMG has installed the software on about 20 titles in its music catalog, including works by jazzman Dexter Gordon, singer Vivian Green, and the new issue by country rockers Van Zant, "Get Right with the Man."

It was the Van Zant disc that led to the controversy over Sony's new software.

In late October, a well-known Windows computer engineer, Mark Russinovich, stumbled across the Sony software on one of his personal computers while running a security scan. Russinovich had used the computer to play the Van Zant CD, not realizing that it had installed the anticopying program.

When he tried to remove it, Russinovich found that the program lacked the "uninstall" feature found in most Windows software. Indeed, key components of the software hid themselves deep in his computer by applying the same techniques used by data thieves to conceal their activities. Even a skilled user who identifies the correct files can't safely remove them, said Russinovich.

"Most users that stumble across the cloaked files . . . will cripple their computer if they attempt the obvious step of deleting the cloaked files," he wrote on his technology website, SysInternals.

Computer Associates yesterday concurred with Russinovich's assessment. Curry said Sony has made it so difficult for listeners to uninstall its software that some could lose all their data in the process.

"It can damage the operating system and the operating system's integrity, so it can't reboot at all," Curry said. "As an expert in security, I can say this is bad behavior."

Indeed, Computer Associates has added the software to its list of spyware programs that collect personal information from computer users without their permission.

Russinovich also said that a patch Sony and First 4 released Friday to stop the software from hiding inside computers malfunctions and can cause an irreparable loss of computer data.

Gilliat-Smith of First 4 said he knows of no case in which this has happened. Sony offers a website where users can obtain a program that uninstalls its software. He said both efforts should prove that Computer Associates and Russinovich's complaints are unfounded.

"In theory there should be no concern," Gilliat-Smith said.
 
In short: don't buy Sony CDs. Rip them, download them, but don't buy them. :down:

*wants to find out first if the new Born To Run reissue also has this crap before making the exception to the rule*

:angry:
 
From TMT:

Sony Virus Gets All Up in Your Shit

Just so we're clear, a few years ago someone decided it would be a clever idea to put copy-protection technology into CDs, as to prevent them from being pirated. While the idea seemed intelligent from a wallet's point of view, the technology instead prevented the CDs from working in all the existing players bearing the Compact Disc logo. Today you will notice that new discs from a major label will not feature the logo due to legal reasons, mainly because you can't put it on media that doesn't play nice with everyone.

The technology present on these new CDs usually contains some kind of media player that is installed on your system so it can understand the encoded tunes. An incredibly proficient Windows user recently took a closer look at one of these players and noticed some interesting data that is left behind on your system, even after it has been deleted.

The software installs what is called a rootkit, which allows for certain files and processes to be hidden from diagnostic tools, leaving a massive unlocked door for hackers. This sort of cloaking technology is also used by malware developers to hide their tracks on your system and report back to HQ about all the porn you've been surfing. I know this is primarily a music site, so if you're confused by any of my nerd-words, all you need to know is that Sony is essentially installing a virus onto your computer. Using a word like virus may seem a little extreme, but when this brilliant Windows user attempted to remove the rootkit from his system, the CD-Rom drive stopped working. You read that correctly slim, by removing the software that a legally purchased cd installs on your computer, you also disable the ability to play ANY other cd.

Technology community websites such as Slashdot and Digg have been heavily discussing this issue for the past two days, and a few astute members noticed that Sony may even be overstepping their bounds outlined in the End User License Agreement. You know, those blocks of text above the "I understand and accept the above agreement" button when you install software. Most of the other members agree that taking the risk of being sued by the RIAA is less of a hassle than grappling with the crippling technology employed by these new CDs and online music stores. I would be inclined to agree with them, except I run Linux and I live in Canada, which makes me exempt from Windows viruses and the RIAA.

If you've been straddling the fence on whether or not to buy that new Van Zant brothers album, I would leave it on the Best Buy shelf, instead opting to download the content 'illegally' off a torrent site. Seems to me that music pirates are offering a cleaner and more computer friendly product for the user, which begs the question of why we're bothering to put up with the shenanigans of these millionaires anyway.

I should quietly note here at the bottom that yesterday Sony revealed plans for a tool that allows you to remove the hacker-bait from your machine. They haven't issued a report on why the software was included in the first place, but at least you can remove it without even having to know more than where that damn sliding cup-holder is.
 
fuckin DRM systems. the ipod has its very own DRM but doesn't fuck with consumers like that (to my knowledge).

way BAAAAAD PR for Sony. People can sue them for damaging their computer. Don't they have lawyers there?
 
babyman said:
Why the hell do they sell cd burners if it's not allowed to burn cd's?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?!?

They call it "capitalism." I call it something far less attractive, these days.
 
If you shout... said:
From TMT:
...
If you've been straddling the fence on whether or not to buy that new Van Zant brothers album, I would leave it on the Best Buy shelf, instead opting to download the content 'illegally' off a torrent site. Seems to me that music pirates are offering a cleaner and more computer friendly product for the user, which begs the question of why we're bothering to put up with the shenanigans of these millionaires anyway.
:| In other words, we refuse to lay down any of our arms until the powers that be prove that they have laid down all of theirs.

I find the prospect that Sony is engaging in this kind of illicit subterfuge appalling, but this sentiment is just as reprehensible and just as responsible for the climate of mutual distrust underlying all this. Fair trade is not just a right, it is also a responsibility, and it is hypocritical and wrong for any party involved to hold that responsibility hostage to their getting precisely what they want. If consumers refuse to negotiate in good faith, it is most unlikely that producers will do so either.
 
It seems to me that the producer has more responsibility to not invade the privacy of the consumer or add on unknown extras that could be damaging to the purchaser, than the consumer has to purchase the product.

I won't be buying another Sony CD unless I have a damn good reason to from now on. About the only thing that I can think of is a Roger Waters CD that's supposed to come out. But hell, I'll just download it off Puretracks if the software's on it.
 
yolland said:

:| In other words, we refuse to lay down any of our arms until the powers that be prove that they have laid down all of theirs.

I find the prospect that Sony is engaging in this kind of illicit subterfuge appalling, but this sentiment is just as reprehensible and just as responsible for the climate of mutual distrust underlying all this. Fair trade is not just a right, it is also a responsibility, and it is hypocritical and wrong for any party involved to hold that responsibility hostage to their getting precisely what they want. If consumers refuse to negotiate in good faith, it is most unlikely that producers will do so either.

I agree. If I didn't want to buy Sony cds because of this, but wanted a Sony cd because I like a certain band or artist I would send a letter or email to both the band and the label telling them exactly why I am not buying their cd.

But I wouldn't download it from an illegal source, I'd just do without.
 
http://pitchforkmedia.com/news/05-11/11.shtml#sony

Sony Music Sued Over Anti-Piracy Software

Jonah Flicker and Amy Phillips report:
In the slow and perhaps inevitable movement towards microchip implantation of the entire human race, Sony BMG Music just took the lead. According to the Washington Post, a class action lawsuit filed in Los Angeles Superior Court November 1 alleges that the label's anti-piracy software, installed in several recently released CDs, is harmful to computers.

The suit claims that when a copy-protected CD is loaded onto a hard drive, it installs a hidden program known as a "rootkit," which not only keeps track of the computer's activity, but depletes the drive's resources in the process. So Sony is basically eating up your hard drive space while keeping track of all the porn you watch, just because you actually spent money on a My Morning Jacket CD.

Thanks, guys. This is even better than getting the RIAA to sue us.

The rootkit also makes the computer more susceptible to viruses. Sony falsely states that its copy-protection software can be easily removed, when in reality, getting rid of a rootkit can be damaging.

Here's the crux of the suit, straight from the legal papers: "As a result of Sony's failure to disclose the true nature of the digital rights management ('DRM') system it uses on its CDs, thousands of computer users have unknowingly infected their computers, and the computers of others, with this surreptitious rootkit. This rootkit has been responsible for conflicts within computer systems, crashes of systems, and other damage."

The suit, which accuses Sony of "fraud, false advertising, trespass, and violation of state and federal statutes prohibiting malware, and unauthorized computer tampering," claims that the suspect software has been included on certain Sony BMG Music CDs since this spring. Albums to watch out for include Amerie's Touch, My Morning Jacket's Z, Kasabian's Kasabian, Neil Diamond's 12 Songs, Cassidy's I'm a Hustla, Kings of Leon's Aha Shake Heartbreak, and, appropriately, the Bad Plus' Suspicious Activity and the Coral's Invisible Invasion, among others.

In short: if you're about to load that new My Morning Jacket disc onto your hard drive, STOP. Sell the album back to the record store and buy something on Dischord.

* Learn about rootkits: www.rootkit.com
* Sony Music: www.sonymusic.com
 
an update to the story. :)


Sony to Suspend Making Antipiracy CDs

By TED BRIDIS (Associated Press Writer)
From Associated Press
November 11, 2005 7:46 PM EST

WASHINGTON - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the "XCP" technology as a precautionary measure. "We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.

The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the CD and prevents them from loading the CD's songs onto Apple Computer's popular iPod portable music players. Some other music players, which recognize Microsoft's proprietary music format, would work.

Sony's announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology's ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.

A senior Homeland Security official cautioned entertainment companies against discouraging piracy in ways that also make computers vulnerable. Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by name in his remarks Thursday but described industry efforts to install hidden files on consumers' computers.

"It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Sony's program is included on about 20 popular music titles, including releases by Van Zant and The Bad Plus.

"This is a step they should have taken immediately," said Mark Russinovich, chief software architect at Winternals Software who discovered the hidden copy-protection technology Oct. 31 and posted his findings on his Web log. He said Sony did not admit any wrongdoing, nor did it promise not to use similar techniques in the future.

Security researchers have described Sony's technology as "spyware," saying it is difficult to remove, transmits without warning details about what music is playing, and that Sony's notice to consumers about the technology was inadequate. Sony executives have rejected the description of their technology as spyware.

Some leading antivirus companies updated their protective software this week to detect Sony's antipiracy program, disable it and prevent it from reinstalling.

After Russinovich criticized Sony, it made available a software patch that removed the technology's ability to avoid detection. It also made more broadly available its instructions on how to remove the software permanently. Customers who remove the software are unable to listen to the music CD on their computer.

 
i'm glad this has a happy ending, but i wonder what would've happened if people hadn't made mention of this and how many more titles would've been released with this crap on it.
 
Just to reiterate, the files you buy from the iTunes Music Store do have DRM in them. That is, you can't take a file you downloaded from that store and share it with all of your friends. But the success of this format, I believe, is because it is a very loose DRM that does not cripple most users at all. And, of course, no viruses or rootkits.

Melon
 
does anyone know how to get that off my computer...i heard sony's uninstaller causes more problems???
 
If you still want to buy music by sony artists but don't want to get that crap on your computer, there are ways to deal with it...

First, you can prevent your CD from auto-playing when you stick it in your cd drive, either by going to my computer, right clicking your cd/dvd drive, clicking the autoplay tab, and changing the settings to 'take no action' for every option, or 'prompt me'.

You can also prevent autorun manually on a use-by-use basis, if you'd rather not mess about with settings, by holding down the shift key until your cd/dvd drive stops trying to read the cd.

In either case, once it's stopped, you're free to rip the tracks to MP3 and put the cd in your cd rack to collect dust, because there's no point in switching your cds in and out of your computer all the time when digital format is available.


Additionally, since prevention is the best solution to these sorts of things, if your cd does auto-run the program that installs it... don't worry. If you decline to agree to their licensing agreement, there will be no permanent changes made to your computer, and a reboot will remove the software.

If you click 'yes' however, and install it... you're basically screwed, because it's the devil to try and get that crap out of your registry... and if you're not handy with computers, screwing about with your registry is a no-no.
 