Sony's DRM Rootkit: The Real Story

This is my sixth column for Wired.com:

It's a David and Goliath story of the tech blogs defeating a mega-corporation.

On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent -- if it's loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn't know it.

The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can't be removed; trying to get rid of it damages Windows.

This story was picked up by other blogs (including mine), followed by the computer press. Finally, the mainstream media took it up.

The outcry was so great that on Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. That still wasn't enough -- on Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free.

But that's not the real story here.

It's a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers' computers. When its actions were first discovered, Sony offered a "fix" that didn't remove the rootkit, just the cloaking.

Sony claimed the rootkit didn't phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG's president of global digital business, demonstrated the company's disdain for its customers when he said, "Most people don't even know what a rootkit is, so why should they care about it?" in an NPR interview. Even Sony's apology only admits that its rootkit "includes a feature that may make a user's computer susceptible to a virus written specifically to target the software."

However, imperious corporate behavior is not the real story either.

This drama is also about incompetence. Sony's latest rootkit-removal tool actually leaves a gaping vulnerability. And Sony's rootkit -- designed to stop copyright infringement -- itself may have infringed on copyright. As amazing as it might seem, the code seems to include an open-source MP3 encoder in violation of that library's license agreement. But even that is not the real story.

It's an epic of class-action lawsuits in California and elsewhere, and the focus of criminal investigations. The rootkit has even been found on computers run by the Department of Defense, to the Department of Homeland Security's displeasure. While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be. And lawsuits are never the whole story.

This saga is full of weird twists. Some pointed out how this sort of software would degrade the reliability of Windows. Someone created malicious code that used the rootkit to hide itself. A hacker used the rootkit to avoid the spyware of a popular game. And there were even calls for a worldwide Sony boycott. After all, if you can't trust Sony not to infect your computer when you buy its music CDs, can you trust it to sell you an uninfected computer in the first place? That's a good question, but -- again -- not the real story.

It's yet another situation where Macintosh users can watch, amused (well, mostly) from the sidelines, wondering why anyone still uses Microsoft Windows. But certainly, even that is not the real story.

The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.

Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software."

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

You might expect Microsoft to be the first company to condemn this rootkit. After all, XCP corrupts Windows' internals in a pretty nasty way. It's the sort of behavior that could easily lead to system crashes -- crashes that customers would blame on Microsoft. But it wasn't until Nov. 13, when public pressure was just too great to ignore, that Microsoft announced it would update its security tools to detect and remove the cloaking portion of the rootkit.

Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. And Sysinternals, of course, which hosts Russinovich's blog and brought this to light.

Bad security happens. It always has and it always will. And companies do stupid things; always have and always will. But the reason we buy security products from Symantec, McAfee and others is to protect us from bad security.

I truly believed that even in the biggest and most-corporate security company there are people with hackerish instincts, people who will do the right thing and blow the whistle. That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.

Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.

What happens when the creators of malware collude with the very companies we hire to protect us from that malware?

We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?

These questions are the real story, and we all deserve answers.

EDITED TO ADD (11/17): Slashdotted.

EDITED TO ADD (11/19): Details of Sony's buyback program. And more GPL code was stolen and used in the rootkit.

Posted on November 17, 2005 at 9:08 AM

Comments

Chase VentersNovember 17, 2005 9:21 AM

I'm personally hoping that all this preverse DRM and malware nonsense over the last several years will simply to a more mainstream adoption of the open source desktop.

After all, given that companies only tend to care about their own interests, and often not that of their consumers at all, who do we have to trust but the programmers writing software for the sake of writing good software?

Pat CahalanNovember 17, 2005 9:38 AM

Bruce -

Thanks for pulling all of the details of this sad and sordid affair together into one place that I can point the less security aware toward to get the whole story.

Feeding one individual column after another just wasn't putting the whole thing in perspective...

NocturnNovember 17, 2005 9:43 AM

You are very right in your assesment, the AV companies and Microsoft sold out their users.

I stated on my site a couple of days ago:

"Most conventional media and even AV/Software companies are carefull in their wording, calling this program rootkit-like or spyware-like. This is very untrue. This program is spyware containing a rootkit. It fits all the requirements to be called that and quite frankly, to the end user, it does not matter if it is intended to prevent copying or to connect to rogue irc channels.

This is a piece of software that damages your system and puts your security at risk without your consent. It is not only immoral, but also illegal in most countries (criminal prosecution is already on it's way in Italy) and for the sake of our future security, I hope that Sony is prosecuted to the fullest extend allowed by the law for doing this."

This is a key point, why should a mega-corporation be allowed to do what is illegal for a criminal organisation or a lone cracker.

David DurantNovember 17, 2005 9:45 AM

It's worth considering that companies like McAfee and Symantec might be very wary of declaring this as "bad" code and removing it lest Sony sue them under the DMCA for tampering with their DRM. I fully expect this will not be the last time this will happen.

Jam OnNovember 17, 2005 10:04 AM

The story Bruce referenced about Sony pulling the XCP disks from store shelves is dated 11/14. As of last night, 11/16, the Target store in Columbia, MD, still had the Van Zant and Neil Diamond disks, all with the XCP label on the back.

More lies from Sony or is Target just out of the loop?

Andre LePlumeNovember 17, 2005 10:05 AM

The other "deafening silence" comes courtesy of certain anti-security research folks. The same people who have argued publicly that identifying vulns should be a crime, and that only vendor employees or contractors should be permitted to do it. The same corporate officials who say that their firms will "of course" look after the customer by fielding only reasonably secure SW, since it would be against their interest not to.

These people just got a nice strong dose of "I told you so", and they now need to admit that the Russinoviches of the world are performing an important service. I won't be holding my breath waiting for this admission. After all, these folks are the same ones who'd have had Russinovich shut up and just report the issue to Sony. That'd be funny, if it weren't so pathetic.

Donkey DerbyNovember 17, 2005 10:08 AM

David Durant stated that thought that first came into my mind when reading of the AV companies failure to act on the Sony DRM. Could they have been sued for libel if they called the DRM a 'rootkit' or 'spyware'?

This won't make any mainstream users jump to Linux. It might shift some to Apple but not many. Some dual booters might ditch the MS partition but they would be likely to anyway.

Jude SuszkoNovember 17, 2005 10:09 AM

Bingo! You hit the nail squarely on the head.

I've always thought that it was only a matter of time before our so-called "security" products would be compromised by parties having more money than the customers. I have never trusted Microsoft's firewall because I am fairly certain that it has deliberately been made pervious to traffic that Microsoft doesn't want me to control. I used to think McAfee and Symantic were OK, but this episode has forced me to reevaluate.

It suspect that all for-profit companies are susceptible to the lure of cash, and most or all of them will turn against their own customers when enough money is at stake.

ACNovember 17, 2005 10:21 AM

Bruce, I think you failed to use proper terminology. That what you call "the cloaking device" is in fact what it make it the rootkit.The name of the whole package can be, for example, the Sony's DRM enforcement software, and not "the rootkit". However the whole "enforcement software" is even without the rootkit feature very mean -- it hooks deep to the system, to the CD-ROM drivers, making potential problems for other uses, it phones home each time you play the protected CD.. The "uninstallation software" was even meaner.

Had all this been done by some person, he'd get a sentece for a very long time in jail. Sony did this and nobody was punished. That's really inexcusable!

MichaelNovember 17, 2005 10:25 AM

"The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us."

Thank you for saying that, Bruce. That was brilliant incisive truth-telling, and it needed to be said. Anyone who buys security software now needs to think very carefully about whom they buy it from.

I generally use OS X, but I was thinking about buying a ThinkPad so that I had Windows XP available to me, too (and Linux if I dual boot). But you know what? It comes with Symantec's Norton antivirus, and I'm *really* not happy about that. First 4 actually claims to have consulted Symantec about the rootkit before they shipped it - and I haven't seen Symantec deny that yet. There's just no way I will have Symantec products on any of my machines now.

Ship it with F-Secure or Kasperksy, Lenovo, and I'll think about it.

I hope a lot of sites link to this piece, because people need to be aware of this.

Doug R.November 17, 2005 10:29 AM

Another aspect for which Sony is not (yet?) being held accountable is their organizational culture. A culture which
seemingly institutionalizes that:

- Play-list payola is not wrong.
- Faking movie reviews is not wrong.

Now we learn that in the Sony culture:

- Rootkit'ing is not wrong.
- Uninstallers that don't uninstall, is not not wrong.
- Infringing on the copyrights of others, is not wrong.

What's next from Sony? Dunno. But I wouldn't be shocked by much of anything at this point.

-doug

Ian WoollardNovember 17, 2005 10:30 AM

"It suspect that all for-profit companies are susceptible to the lure of cash, and most or all of them will turn against their own customers when enough money is at stake."
Ironically, Sony haven't made money from this, they've lost it, together with lots of respect; and it's unlikely that they would ever make money from DRM- DRM is inherently too easy to circumvent. There's always the analogue hole.

RobinNovember 17, 2005 10:32 AM

You've miss the real story of what this is about.

Sony does not like Apple. Sony especially does not like the iTunes store and the iPod, which pretty much wrote paid to the Sony Walkman. Sony cannot compete with iPod, so they introduced this "dirty trick" that supersedes even Watergate.

This DRM makes huge chunks of the available "name" music unplayable in iTunes and unable to be written to the iPod. Thus, iPod users would have to turn to Sony technology as a result.

Always follow the money - and the $$$$ here is Sony's attempt to deal Apple a death blow.

Tom GrantNovember 17, 2005 10:41 AM

"A tale of extreme hubris..."

Well said Bruce.

Security and trust are interwoven. Can we now trust anything from Sony?

I know I won't...but feel free to take your own chances.

Personally, I am outraged by Sony's actions and response.

And they made such quality gear at one time...sigh.

I am now going to re-visit my portfolio to make sure I am not invested in any funds that own Sony shares.

PO'edNovember 17, 2005 10:47 AM

I will never purchase music again from a big-name label, but only directly from the artist.

I will subsidize artists I like who do not make their music available via direct channels by attending their live performances.

Any big-label released music I like, I *will* pirate and I *will* file-share.

Brian ThomasNovember 17, 2005 10:52 AM

I absolutely agree.

Of course, I've always tended to view antivirus firms with a jaundiced eye, as I do any business that profits from others' misfortunes, legitimately or otherwise.

I just can't shake the image of that cartoon of the vulture sitting with his buddy and saying "Patience my a** - I'm going to kill something!"...

jammitNovember 17, 2005 11:04 AM

This sony thing is turning into a geek version of the "Jerry Springer" show. I can understand the hesitation of the anti-virus and anti-spyware vendors. I can even understand Microsoft not jumping on it the minute the sony DRM package was unveiled. They were probably shocked and confused that a big company like sony would do something like this and decided to tread lightly. It's almost like finding bodies in your moms basement. It's always a little harder to see the enemy within. But now the cat is out of the bag and sony (and hopefully others) are now realizing there is a point when their property becomes mine. As I've said before the ph33r over pirating isn't from the P2P end user, but from the first generation pirate. It's just easier to go after the little guy.

David HarmonNovember 17, 2005 11:08 AM

I'm reminded of the old saying, "The Net interprets censorship as damage, and routes around it." In this case, Sony's attempt to "control the situation" ran afoul of the larger system comprising the Internet -- and that larger system reacted almost as an organism, progressively invoking more and more defense strategies in response.

Congratulations, Bruce -- you're part of the Internet's immune system! ;-)

Ed T.November 17, 2005 11:09 AM

@Robin - while you may be right, I think this story is like the proverbial onion -- as you peel away one layer, you find more waiting beneath. There are certainly many facets to the story, and I think Bruce's commentary is a good warning to all of us as to what we can expect if the interests of the media companies (or the telecom companies, or any other monopoly-wannabes) succeed in getting our legislatures to give them all they ask for.

-EdT.

Fred PageNovember 17, 2005 11:26 AM

"The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization."

"Multinational corporation" and "criminal organization" are not exclusive sets.

Doug R.November 17, 2005 11:30 AM

I earlier questioned the culture at
Sony that could institutionalize and
reward the choices made by Sony execs ...

Is Sony the rogue in the entertaiment
and gaming industries? Willing to
attempt to gain a competitive advantage
unfairly?

Or; are they simply running-in-place and
trying to keep up with their competitors?
i.e. Unfortunate industry laggards that are
playing the game so poorly that they are
the first to be apprehended.

I have seen a few mentions that EMI and
Warner also license the XCP rootkit, but
they are not of a nature that I consider
fully trustworthy. Anyone have authoritative
data re: other possible XCP licensees?

-doug

PhaedrusNovember 17, 2005 11:31 AM

You ain't seen nothin yet.

TCG/TCPA/Palladium are gonna lock down the PC pretty damn tight.

Your cellular will be no better. Heck, even your disk-on-key will have DRM capabilities (e.g., SanDisk's Gruvi).

All this (and more) made possible because the masses (1) have zero comprehension of the technology and its implications, and (2) are easily cowed by sufficiently grave men saying "national security" in appropriate baritones.

Dark ages, here we come...

DaedalaNovember 17, 2005 11:34 AM

Remember this wonderful C|Net quote: “The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.��? It used to be in this article: http://news.com.com/...

The article now reads, "First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said."

What happened here? I see no notice of the change on the web page. I'm contacting the author of the article to find out.

JMMNovember 17, 2005 11:59 AM

Bruce: This is an exelecent article, giving an overview of the situation, and some editorilizing, rather then just the latest blow and a summary of yesterday's article, like most news orginizations have been doing.

However, I have two questions: You mention that this has been going on since '04. Why did nobody notice before now? I assume you do not put yourself in with those you accuse of bending to corporate, rather then customer, interests. Also, why do you accuse Sony and First4Internet of criminal acts, and then call them "not a criminial orginization"?

Bruce SchneierNovember 17, 2005 12:02 PM

"You mention that this has been going on since '04. Why did nobody notice before now? I assume you do not put yourself in with those you accuse of bending to corporate, rather then customer, interests."

It's a good question. Part of it is the CD transmission vector. Part of it is that the anti-virus companies don't look in those places. But a lot of it is that the anti-virus companies don't consider things that corporations do to be malware.

"Also, why do you accuse Sony and First4Internet of criminal acts, and then call them 'not a criminial orginization'?"

Because a criminal organization is one that is primarily devoted to crime, not an organization that happens to commit crime.

urfiredNovember 17, 2005 12:11 PM

My first experience with Root kits cost me my job. When I saw the $...$ my heart jumped. Short story:

I worked doing tech support for a pc/printer company. Every once in a while we would get a call where the printer would stop talking to the pc and it would generate the same series of error messages. I found myself at a pawn shop several months later (helping a friend find tools stolen out of his garage) and bought a pc that just came in. What do you know....same error messages when I installed the driver! Some friends and I poked around on it for weeks and found a cloaked program hidden deep in the system. It logged several things like keystrokes, modem use, and files accessed on the system. It also tried to call an IP that seemed to exist sometimes and then disappear. Anyhow, we found that the virtual port that the printer driver created would get corrupted and lose connection with printer. We brought this up to some of the staff on campus. At first they were enthusiastic....and then not. I was fired a little over a week later for time clock manipulation. I guess being on time is manipulation. I still don't know what I found. For the last four years the IP still appears and then disappears in the Baltimore and Virginia areas....weird!!!

PhilNovember 17, 2005 12:13 PM

@anonymous: "That's nameservers, not computers."

Since each nameserver filled a request for at least one client machine behind it, that means that the number of nameservers puts a lower bound on the number of affected machines. In some cases, like, say, AOL's nameserver, the one nameserver could easily represent a million client machines.

stvwlfNovember 17, 2005 12:25 PM

You asked the question "What happens when the creators of malware collude with the very companies we hire to protect us from that malware"?

Substitute words like "makers of weapons", "purveyors of oil", etc, in the 1st half of your sentence, and replace "with the very companies we hire to protect us" with something like "with the government that we elect (and the intelligence agencies it has established) to protect us" in the second half of your sentence, and we have a pretty clear picture on what's been going on. Callous disregard for anything except self-interest.

Can't speak out against Sony - they buy 25,000 copies of our software. Plus we don't want anyone pirating our software either - I feel your pain, Sony.

This attitude is poisoning our country, with deep and not very pleasant future ramifications.

GaryNovember 17, 2005 12:27 PM

Excellent commentary, Mr.Schneier.

Well researched and thought out article. Now, we can only hope Symantic,
McAffee, Sony and Microsoft step up to the plate, be good corporate
citizens, and answer the call (HA!)

Pat CahalanNovember 17, 2005 12:37 PM

@ Daedala

> The article now reads, "First 4 Internet, said the cloaking mechanism was not a risk.
> The company's team has worked regularly with big antivirus companies to ensure the safety of its
> software, and to make sure it is not picked up as a virus, he said."

Wow, are you serious? There's a bad "feature" of the Internet... reactive version control. C|Net should take some pretty severe criticism for that one, I wonder how much of their ad revenue comes from Symantec?

MichaelNovember 17, 2005 12:44 PM

@ Daedela: "Remember this wonderful C|Net quote: 'The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.'"

Yes, I do. Wow! Gone just like that ...

I'm reminded of those old Soviet photographs from which various embarrassing figures would be silently airbrushed out.

Just how deep do the ramifications of all this go?

DaedalaNovember 17, 2005 12:47 PM

@Pat

Quite serious. Ask the Google Cache.

http://www.google.com/search?...

The para may have been changed for a legitimate reason, but there's no notice on the page about any corrections.

--
What I say does not represent the views of my employers, my friends, my cats, or myself.

Paul BolleNovember 17, 2005 12:55 PM

"Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions."

According to an entry in their weblog poste on November 2nd, 2005 which was titled "Please stop flaming us" (http://www.f-secure.com/weblog/archives/archive-112005.html#00000694) F-Secure "started working on this case on 30th of September when a user of our F-Secure BlackLight rootkit detector started discovering these files on his system and contacted us". They "were in the middle of discussions with Sony BMG and First 4 Internet when Mark [Russinovich] broke the news on Monday."

It would be rather nice to know the details of those "discussions".

By the way, F-Secure "didn't go public with the info right away as [they] were worried with the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$")." How should we feel about that line of reasoning?

PhilNovember 17, 2005 1:10 PM

The senior editors at cNet can be contacted via these email addresses: jais@cnet.com, sard@cnet.com, Jon.Skillings@cnet.com (pulled from the news.com.com "contact us" page). I advise that people concerned about this sort of editorial revisionism contact them and let them know.

AnonymousNovember 17, 2005 1:25 PM

I highly suggest everyone to go to First 4 Internet web site and read their press releases. Very interesting information.

FalconNovember 17, 2005 1:41 PM

Excellent article! For me, this raises the question: what's the difference today between organized crime and organizations acting criminally? :) As governments become increasingly challenged to enforce controls due to interconnectivity, who will protect the people?

Also anonymousNovember 17, 2005 1:42 PM

re:"It's unlikely that this Sony rootkit is the only example of a media company using this technology."

I bought a Blue Note Jazz (EMI) disk that also had copy protection software. When I inserted the CD on my Windows XP machine, a dialog box opened, explaining that new software had to be installed in order to play the CD. I clicked "no" and the CD (is it really a CD when it does this?) was apparently accessed normally. I later did the simplistic check for the Sony rootkit - ensured that $sys$xxx.txt did not disappear - and it appears I was not infected by Sony's DRM. If EMI is not associated with Sony, then I think they are another example of a media company playing with fire.

LarryNovember 17, 2005 1:50 PM

What doesn't seem to be getting much comment is the relationship between the DMCA and rootkit removal. I see a very interesting legal challenge here, irrespective of any EULA. Thots?

EspenNovember 17, 2005 1:56 PM

Bruce,
the next twist in the saga is even more bizarre: It seems that Sony got some of their code for the rootkit from open source, in particular from Jon Johansen ("DVD-Jon"). (See http://nanocrew.net/2005/11/16/... for some links and background.)

If this holds true, and Sony's use of this is a violation of the open source copyright, then we can have the deeply ironic situation that DVD-Jon can sue a music company for intellectual property violation. Talk about turning the tables...

LarryNovember 17, 2005 1:56 PM

Now enter Blu-ray and it's copy protection scheme. How does it work? ...and how will Sony react?

chuckNovember 17, 2005 2:02 PM

Brilliant! I wonder why there’s no public backlash against companies who actually make this `legalized malware’. I realize that Jim Bell’s ideas (assassination politics) are just that – ideas – but surely someone must hate these guys enough to do something against them in real life!

Pat CahalanNovember 17, 2005 2:19 PM

@ Paul

> By the way, F-Secure "didn't go public with the info right away as [they] were worried with the implications (especially
> with the info on how virus writers can use this to hide files which have names starting with "$sys$")." How should we
> feel about that line of reasoning?

Makes sense, that's reasonable behavior when discovering something fishy that a vendor does... give the vendor a chance to fix it.

Of course, the problem with "full-disclosure, just not right away" policies is that there's no guarantee that the vendor will fix anything without an outcry (Bruce has brought this up before).

The correct thing for F-Secure to do would have been to send an alert to CERT, rather than engage in "discussions" with Sony.

Pat CahalanNovember 17, 2005 2:27 PM

Subject: editorial revisionism

From: Pat Cahalan
Date: Thu, 17 Nov 2005 12:25:16 -0800
To: jais@cnet.com, sard@cnet.com, Jon.Skillings@cnet.com

Gentlemen:

An article posted on your web site (http://news.com.com/Sony+CD+protection+sparks+security+concerns/2100-7355_3-5926657.html?tag=nefd.lede) has been edited without noting a revision since the Sony DRM/Rootkit story broke.

See here for details:

http://www.schneier.com/blog/archives/2005/11/...

Specifically, this line:

“The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.��?

Was changed to this line:

"First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said."

Modifying the posted article, as opposed to posting a revision which explains this change, smacks of irresponsible news reporting, and leads at least one reader to wonder how much of your advertising revenue comes from Symantec, and whether this had an affect in the decision to modify this article.

An explanation to the community of CNET readers would be in order.

William PollockNovember 17, 2005 2:29 PM

Hello Bruce,

Long time reader, first time writer...

Your critique of other security firms begs the question: Did Counterpane detect Sony's software "calling home" from any of its customers' systems?

Pat CahalanNovember 17, 2005 2:40 PM

@ William

I haven't checked on the "calling home" details myself, but the original post on Mark's sysinternals blog said this:

"Btw, I checked with a sniffer. The DRM system connects to connected.sonymusic.com and www.sonymusic.com and tells them an id number, apparently identifying the album. So, sony knows your ip address and what you listen to. "

If it's port 80 traffic, it's unlikely to get noticed, I'd imagine.

Pat CahalanNovember 17, 2005 2:43 PM

edit to the last post:

If it's port 80 traffic to a commercial (ie, supposedly well-known and benign) web site, it's unlikely to get noticed.

I imagine Counterpane's traffic analysis would notice lots of port 80 traffic to, for example, a web server running off of an IP with no reverse lookup or a dhcp assigned address or something of that nature.

But this would look as "normal" as traffic to, say, www.espn.com...

DonNovember 17, 2005 2:46 PM

"That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst."

That's a pretty strong statement, Bruce, given that we didn't hear anything out of Counterpane either. While the CD vector creates boundary-passing problems, apparently there was no detection of the phone-home behavior that was happening on their monitored customer's network. Does the failure of your Sentry devices to detect that recurring contact constitute 'incompetence'?

I don't approve of Sony's actions but the reality is that they distributed a piece of software that took advantage of a design decision in Windows, patching the system calls. The various virus detectors didn't notify anyone of this but should they have? To some extent we have to accept that they serve in a reactionary role - there are things that perfectly legitimate software does (send mail, for example) that is unacceptable when something we consider a virus or worm does it. Do they therefor alert the user every time such an event happens?

I suspect the average user wouldn't have the slightest idea of the import of that kind of notice. Personally I used Zone Alarm for all of 1 hour because it alerted me to so many things that were legitimate that its chance of warning me of something important was almost nil. How do the virus scanner companies watch for this kind of thing (before any indication that a malicious piece of software that does it has been identified) and alert the user without being more false-positives than can be tolerated?

Pat CahalanNovember 17, 2005 2:56 PM

@ Don


> How do the virus scanner companies watch for this kind of thing (before any indication that a malicious piece of
> software that does it has been identified) and alert the user without being more false-positives than
> can be tolerated?

Virus scanners used to just run on code fingerprints, but since viruses are getting trickier at embedding themselves (you could write a whole dissertation on virus cloaking methods), most virus scanners have a "suspicious behavior" scanning method as well.

Having processes running that aren't reported to the operating system, regardless of where they come from, seems to be a pretty giant red flag.

Besides, even if you assume that this wasn't a coding problem, there are references here to First4Internet talking to "big anti-virus companies" before the software was deployed, which is *really* the issue -> whether or not A-V companies were technically capable of catching the virus doesn't matter... they already knew about this dicey bit of software and chose to ignore it, to the detriment of their customer base.

See my last post about port 80 traffic to a fairly 'legitimate' web site as to why Counterpane may not have noticed it.

DaveNovember 17, 2005 3:14 PM

I don't really understand the comment about Microsoft having "sold out its users"? Regardless of you politics on the matter, the fact remains that content owners have, under US and International law, the right to control the distribution of intellectual property which they own. You might not like it but that is the way it is. What Sony did was wrong. Way wrong. They secretly compromised user’s computers. Why they did it, however, is another matter.

What is needed is a way for content owners to control how many times their content can be backed up and how they can allow fair use while at the same time disallowing the rampant piracy that happens today. Microsoft’s DRM technology facilitates all of this as does that being touted by its competitors

This is not a sell-out. This technology allows me to purchase music 1 song at a time without paying for the other 14 pieces of crap on a CD, allows artists to be paid, and prevents me from going beyond what is considered fair use.

DRM is not a matter of putting one's own business interests before those of one’s customers, it is a matter of balancing the interests of all parties involved in the creation, production, distribution and consumption of intellectual property.

DonNovember 17, 2005 3:18 PM

I don't fault Counterpane for not finding it, I merely brought it up to indicate that if we're prepared to use a word like 'incompetence' with regard to their not noticing possibly legitimate system changes (vs ethical lapses like not blowing the whistle just because someone is big money) then I think we need to be prepared to apply it to not monitoring port 80 traffic for consistent destinations & strings, at least till they are whitelisted.

After all, for someone to connect to cnn.com and GET / repeatedly is expected. To connect to any host and repeatedly do a GET with the same multiple parameters and a non-standard user-agent is more unlikely.

It's easy to engage in Monday-morning quarterbacking on this and thinking about it perhaps a reasonable security measure for finding this kind of phoning-home would be to monitor the user-agents coming out of any machine and one-time flag when it changes. Yeah, upgrades from Firefox 1.1 to 1.2 would likely give you a burp but you could add a whitelist of -progressions- as they arrived too.

With the advantage of that hindsight, of course.

DonNovember 17, 2005 3:20 PM

Dave says: and prevents me from going beyond what is considered fair use

Here's the problem Dave: Fair Use isn't codified into law. So "what is considered" is REALLLLL different depending on who you ask. Perhaps not surprisingly, Sony consideres it a lot more tightly than I do.

TomBNovember 17, 2005 3:24 PM

Is there a good open-source anti-malware package? If not, maybe there should be. It seems Symantec, etc can not be trusted.

DaveNovember 17, 2005 3:37 PM

Don says: "Fair Use isn't codified into law"

I think that there is a significant amount of legal precedent that does define fair use. We know, for example, that’s its ok to record TV shown on DVRs, we can make backup copies of software, I think (at least in France) its even ok to backup Video DVDs.

If the definitions are not tight enough, they will become so as cases are brought before the courts.

NathanBNovember 17, 2005 3:41 PM

Dave, Microsoft (and other security software vendors) sell out their users when they don't fight malware that comes from a big commercial entity like Sony.

Regarding your other point, piracy is a smokescreen for the real reasons for DRM: killing fair use (time shifting, quoting, etc...), killing the right of re-sale, and vendor lock-in (once you've bought a bunch of DRMed iTunes songs, you're not likely to buy anything else but Apple hardware that uses that DRM.)

It looks like we can't trust commercial security software vendors anymore.

I wonder why Mark Russinovich wasn't prosecuted under the DMCA for the thought crime of talking about how to defeat a DRM technology.

Pat CahalanNovember 17, 2005 3:51 PM

@ Dave

> I don't fault Counterpane for not finding it, I merely brought it up to indicate that if we're
> prepared to use a word like 'incompetence' with regard to their not noticing possibly
> legitimate system changes then I think we need to be prepared to apply it to not monitoring
> port 80 traffic for consistent destinations & strings, at least till they are whitelisted.

Fair enough.

DaveNovember 17, 2005 4:11 PM

NathanB

How does anything you mentioned "kill fair use"?

If you don't like the conditions a vendor puts on the his/her product, nobody is forcing you to buy it. Now if they hide these conditions.... Thats probably an ethical problem.

As for malware: Microsoft does attempt to fight it. Nothing is perfect however and malicious coders will always manage to get 1 leg up on their targets, even if only for a short time. I agree though that MSFTs inability to detect and prevent root kits is a real hole in their security model as the vast majority of users run as Admin on their machines.

BroamNovember 17, 2005 4:20 PM

"Is there a good open-source anti-malware package? If not, maybe there should be. It seems Symantec, etc can not be trusted."

Google ClamAV. :)

yet another BruceNovember 17, 2005 5:38 PM

It's not that the antivirus companies somehow didn't notice because it was delivered on CDs.

According to a news.com story,
"The company's [First 4 Internet] team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said.".

Bruce SchneierNovember 17, 2005 5:40 PM

"Remember this wonderful C|Net quote: 'The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.' It used to be in this article: http://news.com.com/...

"The article now reads, 'First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said.'

"What happened here? I see no notice of the change on the web page. I'm contacting the author of the article to find out."

I think I had a hand in that. I originally that that quote in my Wired piece. My editor at Wired knew the author of that quotes piece, and asked him about it. It's a big deal, after all, as it is evidence of collusion. The author backpedaled about the quote, and I guess he decided to rewrite history and his story.

Bruce SchneierNovember 17, 2005 5:43 PM

"Your critique of other security firms begs the question: Did Counterpane detect Sony's software 'calling home' from any of its customers' systems?"

We did not. We monitor security products, so if the products don't flag something we don't see it.

Bruce SchneierNovember 17, 2005 5:46 PM

"I don't really understand the comment about Microsoft having 'sold out its users'? Regardless of you politics on the matter, the fact remains that content owners have, under US and International law, the right to control the distribution of intellectual property which they own."

Microsoft is not a content owner. I expect my operating system vendor to be looking out for my best interests, and not for the best interests of content owners.

Or do you really not mind if the company who sells you a lock for your home door also gives a copy of the key to media companies, so they can more easily control the distribution of their intellectual property?

DaedalaNovember 17, 2005 5:53 PM

@Bruce

"I think I had a hand in that. I originally that that quote in my Wired piece. My editor at Wired knew the author of that quotes piece, and asked him about it. It's a big deal, after all, as it is evidence of collusion. The author backpedaled about the quote, and I guess he decided to rewrite history and his story."

I had such a nice conspiracy theory going, too. Damn.

That makes sense, though; he may have not been thinking, and meant the "such as Symantec" as an example of a "big antivirus companies" rather than really meaning Symantec, specifically, was involved. I've done similarly sloppy things. Still, the lack of a revision notice is uncool.

How many "big antivirus companies" are there?

Davi OttenheimerNovember 17, 2005 5:55 PM

Ok, just one little question. Et tu Trend Micro?

According to all the case studies and press releases Sony uses Trend Micro internally for anti-malware, so it makes me wonder when/if Trend started flagging the rootkit?

PGPNovember 17, 2005 6:26 PM

I just finished reading your article on Wired (http://www.wired.com/ news/privacy/0,1848,69601,00.html). Of all the egregious behavior by
the many parties you mention, Sony & Microsoft and Security vendors
have a lot of explaining to do.

But in the end, Mac owners like me have less explaining to do (or at
least an easier time explaining) now, about why we own Apple products.

I think it's ironic that Sony will now have to contend with trust
issues, in order to sell music, PCs, and ... the Walkman (any of
which apparently could ship with bootlegged spyware).

Anyway, good stuff ... looking forward to my first issue of Crypto-Gram.

goodnightbertNovember 17, 2005 6:29 PM

This is a wake up call :

Switch to a real operating system like Linux, BSD, etc. or continue to fund the AV/Closed source OS mafias of the world.

DaedalaNovember 17, 2005 6:30 PM

@Davi

There are a lot of anti-malware vendors, but only a few really big players. Symantec, McAfee, Trend, maybe Sophos, maybe MS.... Anyone else?

Trend, BTW, has been resoundingly silent. XCP isn't on their website at all.

--
What I say does not represent the views of my employers, my friends, my cats, or myself.

DaveNovember 17, 2005 6:59 PM

Microsoft is a player platform (Windows) and a distribution mechanism (MSN Music). The platform and distribution mechanisms allow artists, music companies and yes, Microsoft to get a cut of the 99 cents/tune I pay while limiting my ability to drop the songs onto a P2P network (yes, I know that this is easy to circumvent).

Like I said, Microsoft has to balance the interests of all parties involved in digital media distribution and consumption because at the end of the day production and distribution costs money and there should be a way to make a profit on it. As a consumer, nobody is forcing me to buy it. I’ve just discovered pod friendly podcasting so it is unlikely I’ll ever buy music from the likes of Sony again.

As for buying locks, it’s up to me whether I accept what the lock vendor is doing. As long as I understand what’s going on up front, I can make a decision to buy, to buy elsewhere or to punt. If I choose to click through the EULA, who’s at fault?

John BorlandNovember 17, 2005 7:17 PM

Some of you have noted a change in the original Sony rootkit story that I published at Cnet News.com on Nov. 1. The story was initially changed to clarify what I thought was my own poorly worded sentence. After later following up with Symantec, we learned that the company had worked with First 4 Internet on imaging software, but *not* on the rootkit issue. Hence the correction now posted on the story. Thank you for close reading, and for keeping us attuned to the details.

David MohringNovember 17, 2005 7:57 PM

Hey Bruce, why haven't you been as vocal about Intel and the operating system vendors hard-wiring this kind of functionality into their upcoming products?

August 02, 2005:
"Remote Attestation" and content access monopolies
http://itheresies.blogspot.com/...

"Hollywood and the recording industry hold an effective monopoly on a large section of popular content. Both Microsoft and Apple are now offering the ability to content providers to demand that users must use unmodified systems to view said content. It locks you out of parts of your system that will inevitably be abused by third parties wanting to abuse you."

Davi OttenheimerNovember 17, 2005 8:05 PM

@ Daedela

Ok. Define big.

You have to weed through the number licensed agents (revenues), number of installed agents (adoption), number of active agents (live feed/information base), and so on, not to mention the deployment on edge and in-line devices, the number of staff working on code and detection, as well as activity in the malware community and marketing/news.

Take one ISP, for example, who selects vendor X over vendor Y (only two choices provided as OEM), thus providing in-line protection to 3 million users. Does that make vendor X a big player? I can tell you this, they're not on your list.

I am surprised you did not include f-secure, as I find them to be one of the bigger authorities and a useful/timely source on the subject of malware (as I noted in the log on the 4th and 14th):
http://www.schneier.com/blog/archives/2005/11/...
http://www.schneier.com/blog/archives/2005/11/...

I don't know for certain yet, but I suspect Trend hasn't said much, as I pointed out above, because Sony has (had?) a huge contract with them.

If you search for the word "Sony" on the TrendMicro site (http://www.trendmicro.com/search/google/en-us/results.asp?q=sony), this is the top hit:

http://www.trendmicro.com/NR/rdonlyres/...

"SONY UK CHOOSES TREND MICRO TO PROTECT ITS MESSAGING ENVIRONMENT AGAINST COMPUTER VIRUSES"

Here's a related quote from Nov 3rd:

http://www.newsfactor.com/news/...

"While acknowledging the potential risks involved with the Sony rootkit, David Perry, global director of education with Trend Micro Latest News about Trend Micro, said that the practical threat is very small. 'The only time when we see people use these vulnerability is when [the tool] reaches a substantial percentage of the public,' Perry said. 'As of yet this has a very small impact.'"

Hmmm, define small.

Rob DavisNovember 17, 2005 10:29 PM

Thank you for your fantastic submission to Wired News today! We need more coverage for this extremely important issue. (Will Walt Mossberg cover it?)

HonestJoeNovember 17, 2005 10:59 PM

PO'ed wrote: "Any big-label released music I like, I *will* pirate and I *will* file-share."

Unfortunately, this thievery is the reason that Sony produced these malware-infected CD's in the first place.
If people PAID for their music instead of just stealing it, we wouldn't have this problem

EnginerNovember 17, 2005 11:26 PM

Another issue is the gosh-awfull Digital Millennium Copyright Act of 1998. You may recall that it makes it a crime to even try to circumvent copyright protection. That doesn't mean Sony has the right to put malicious (our definition - not theirs (see tort law)) code on our computer, but it MIGHT make it illegal for Symantec to try to intercept it and it is definitely illegal to try to remove it once it's there. The DMCA is a bad dude. Needs reworking, bad.

DamianNovember 18, 2005 3:33 AM

John Borland now says:

"Some of you have noted a change in the original Sony rootkit story that I published at Cnet News.com on Nov. 1. The story was initially changed to clarify what I thought was my own poorly worded sentence. After later following up with Symantec, we learned that the company had worked with First 4 Internet on imaging software, but *not* on the rootkit issue."

Yes, but the fact remains: What did Matthew Gilliat-Smith say? Borland was supposed to be quoting Gilliat-Smith. Did Gilliat-Smith specifically mention Symantec by name? The "answer" from Borland dodges that one.

If Gilliat-Smith did not say that, then why did Borland write it? That would be most extraordinary.

But if that was what was said then it should have stood for the record not been "airbrushed out". Borland could have added an extra sentence to say that he had followed this up with Symantec, and they had denied it - as he has now here (when it's become embarrassing not to). But he didn't. He silently amended it.

I shall read any of his journalism with the deepest suspicion now.

TomCSNovember 18, 2005 6:27 AM

Thans for pulling together the Sony/xcp/Windows saga.

What I want to know now is precisely what the Sony/Sunncomm Mac software is and what it does, and I want any audio disc which asks me to install any such software to give me a clear description of what it is and what it does (eg does it create data files and if so where?), and provide a simple and complete uninstaller. I want to know if it has a "phone home" capacity (in which case it's a spyware), whether it only runs when I insert an audio disc, or whether it's sitting there burning cycles all the time (in which case I want at least to have given explicit agreement). Does it affect all the content on the disc, or only "extra" or "additional" tracks? I want to know explicitly how severely it restricts my copying and media-shifting rights. Is a kernel extension preferable to a rootkit in any significant way?

At the very least there is an honesty in labelling issue here, which may well make the EULA moot: I can only give my consent to what is explained to me.

We are in danger (and I am not a natural conspiracy theorist) of tacitly endorsing the Sunncomm approach as an acceptable form of content control, in the feeding frenzy over the almost unbelievably incompetent xcp version, and the relative smugness of Mac users over their relative immunity. But it's only relative. Is it designed to take the heat, and smuggle through an almost equally objectionable, if technically less crass, variety.

So let's get to the bottom of Sony/Sunncomm/Mac as well, and work out a response that covers what is objectionable there as well.

PO'edNovember 18, 2005 7:24 AM

@HonestJoe
> Unfortunately, this thievery is the reason that Sony produced
> these malware-infected CD's in the first place.
> If people PAID for their music instead of just stealing
> it, we wouldn't have this problem

I think I detailed several ways in which I am more than willing to pay for music. I will buy MP3s directly off artists' web sites. I will attend live concerts, for which I will pay for tickets. What I will NOT do any longer is give money to record labels who add no value, but steal from everyone in sight (artists included). I consider their actions (culminating in this one) to make it "open season" on their sorry asses.

Ross SmithNovember 18, 2005 7:34 AM

TomCS: "I want any audio disc which asks me to install any such software to give me a clear description of what it is and what it does"

Well, there's your fundamental mistake right there. There is no conceivable honest reason why an audio (or video) disc should ask you to install anything at all.

(Or at least anything more specific than "something that can play this fornat". Of course any format that requires a specific application to play it should be considered extremely suspect right from the start.)

TomCSNovember 18, 2005 8:04 AM

Ross Smith

You know that and I know that. But not even all Mac users know that, and I continue to see this as in effect a social engineering virus which is likely to fool a sizeable proportion of those ordinary folk who use Macs more as home entertainment tools than as computers. I want proper labelling, and ideally retailers to have to sell these crippled audio discs in separate racks from compliant CDs.

AqualungNovember 18, 2005 8:52 AM

Question, referring to your criticism of AV companies on their deafening silence and failure to respond suitably to this "infection"; while it's understandable that we'd want AV companies to prevent our computers from being rooted like this by Sony's invasive DRM, wouldn't any company that that actively prevented this rootkit from functioning be liable under the DMCA for interfering or circumventing a copyright protection mechanism, no matter how flawed/broken/evil? Just a thought...

GeoDNovember 18, 2005 9:15 AM

Certainly SONY should be at the forefront for making such a poor choice of a software
vendor to protect their music and I believe they should bear the expense of cleaning up
the mess. What about First4Internet though? They built this package. They sell it for the
express purpose of content protection. SONY was probably not even aware of the underlying
(rootkit like) method employed (not an exuse anyway, they should have been aware).

First4Internet is responsible designing, building and selling a hazardous software product
that has caused and will continue to cause real financial losses for millions of PC users.
They must be held accountable as well.
~GeoD

DaedalaNovember 18, 2005 9:19 AM

@Davi

All I meant by "big" was "size of corporation." I suspect that's what the article meant as well. F-Secure is fantastic, but not terribly big.

Mike TNovember 18, 2005 9:32 AM

Sony will not provide genuine Microsoft Windows CDs with their computers for the purposes of recovery and reinstall.

I smell a really big rodent in the room here.

LyleNovember 18, 2005 10:18 AM

The real purpose of DRM is not to prevent piracy. There is always the analog hole. All it takes is for ONE competent person with good audio equipment to make the conversion and it can spread throughout the world in minutes. It's the spreading that needs to be stopped in order to prevent the piracy. DRM does nothing to stop the spreading.

No. The real purpose of DRM is to circumvent the existing laws which allow personal recordings. To stop you from making a copy of your best friends CD - something that is legal in most countries, I believe. This whole Sony DRM rootkit fiasco was perpetrated in order to steal away your rights. Not to stop piracy.

The US has the DMCA which makes it illegal to circumvent technology. Too bad there isn't a law making it illegal to use technology to circumvent the law.


Moshe YudkowskyNovember 18, 2005 11:39 AM

I speculate that there's more and less that meets the eye. "Any software that implements digital rights management (DRM), no matter how terrible it is, is protected by the Digital Millennium Copyright Act (DMCA). Any attempt to circumvent that software, remove it, or otherwise tamper with the software can result in horrific penalties." Perhaps that's why the companies didn't remove Sony's rootkit. Full text on my blog at http://www.PebbleAndAvalanche.com/weblog.

TomBNovember 18, 2005 2:32 PM

"Any attempt to circumvent that software, remove it, or otherwise tamper with the software can result in horrific penalties"

But Sony would lose any DMCA case because their rootkit could, in principle, compromise copyrighted material on MY PC--that is, someone could crack into my home movies. I think it would be a legal stalemate.

davidNovember 18, 2005 5:10 PM

Thank you for writing this. In a way it's proof that the big companies won't take the world over, whilst ever there are people like you out there.

wwNovember 18, 2005 7:37 PM

Dave, in an 11.17.05 post, said:

>> Regardless of you politics on the matter, the fact remains that content owners have, under US and International law, the right to control the distribution of intellectual property which they own.

This is incorrect as to the history of intellectual property infringement law (including copyright law), at least in the US. We have undergone this cycle of paranoia on the part of large distributors (almost never creators of the content, though; Metallica loudly excepted) for quite a while. Something quite similar happened with piano rolls in the late 19th century. And again with radio beginning in the 20's. Congress finally intervened and provided for an automatic and involuntary license (payment via ASCAP or BMI; there are similar arrangements elsewhere). And again with magnetic audio tape just after WWII, and again with magnetic video tape about 30 years later. In the US, the Supremes settled that in the 'Betamax case'. And is happening again in the last decade or so regarding digital media. Recall that the digital audio tape died stillborn -- in my view from copyright owner opposition, which was strenuous. See Professor Lawrence Lessig's book on copyright history (available on line); the "Conger" was an example of copyright holder overreach in an earlier time.

In fact, all a copyright owner (however that ownership was obtained from the creator) has only the right to license or not license, and sometimes not even that (see Congressionally mandated revisions in such rights as noted above). And the right to appeal to the courts for assistance in the case of copying infringement, just as in any other damages case. Nothing special about copyright holders' recourse to recover or prevent damages. No content producer has the well-established right to interfere with existing rights (eg, fair use or fair dealing, both very well extablished for more than a century both in statue in some places and in precedent in others), or to the use of one's computer for other purposes than music or video or whatever the copryright holder is concerned about. It is recoverable damage to the interests of a computer owner if that computer is so altered in its operation as to make it more vulnerable to some third party in (eg, Bulgaria or the Phillipines or ...). Consider the case of someone snipping the phone line to your private security system, and doing nothing more. Your home is invaded shortly thereafter with no alert phoned to the security company or police or even relative. The snipper has done committed a kind of vandalism more serious, dangerous, than egging a front door. If caught, the snipper could be charged for the snipping and the resultant effects (ie, the home invasion).

That Sony did this secretly is relevant, as nearly as I can tell, only in that it shows evidence of intent to commit something which would not withstand the light of day and which was therefore somewhat carefully concealed. The possibility of a claim of innocent mistake as a defense would seem to have been chucked out the window by that action.

>>What is needed is a way for content owners to control how many times their content can be backed up and how they can allow fair use while at the same time disallowing the rampant piracy that happens today.

The economically significant piracy cannot be stopped by any sort of DRM for which there has been any public knowledge. It's done in large modern plants in remote corners of the world which can turn out thousands of copies of optical media an hour. No DRM measure to date has even slowed them down. All known DRM attempts, so far, have been unanimously poorly engineered and incompetent attempts to to do something -- whether you agree with the purpose or not. This has been Bozo quality research and development. The incompetence has been at minimum cryptographic (lawyers and marketing suits seem incapable of any clear crypto thinking), and socially in that these companies and associations have been attacking their customers with a very ham-handed legal strategy. Suing 13-year old kids for hundreds of thousands of dollars is not a way to win friends, retain customer good will, or evade the slashdot class horselaugh. Anyone remember DIVX? It was hald-owned by an LA law firm. They deserved their loss because of their belief in a crock system design, regardless of the hostility to the customer (They're all criminals! We must stop them now!) embedded in the whole thing. Not much improvement aomongst these clueless counselors and suits years down the road.

More legally significant may be that, to the limited extent they work at all (preventing misuse as defined by the suits and attorneys), these DRM measures forcibly interfere, on a programmed and inflexible basis, with existing rights. Fair use allows for personal copies for backup purposes, for transfer to other media of the purchased content (ie, to an 8-track for playback in the car), and so on. No DRM thus far recognizes any of this. Further, even the copyright owners can shoot him/theirself in the foot as long as DRM measures are in use. Thus, I contract with Sony to use their copyrighted content in my laser broadcasts to Jupiter's moons (for the benefit of the folks under the ice on Europa, of course), but the DRM knows nothing about this right to use (for which I've paid and have now discovered, in essence, that I've been cheated by another of Sony's divisions, one with too many suits and lawyers). Lawsuit follows.

>This [technology, ed] is not a sell-out.

Well that depends on whose ox is being gored. Microsoft's Vista is likely to seriously interfere with my use of my computer because of the Palladiumamic surpervision built into its shriveled, if Trusted, heart.

I've been sold out, and I sure as shootin' won't be exposing myself to any further rootkits from Sony. Someone just lost a customer, and I'll be informing all their artists of my decision as well. Microsoft gets license fees for its DRM software from various sources, sells it to me, but because I bouthg only one license and don't have a Redmond resident representative, MS won't listen much to me. Sold out again, because MS is collaborating with Sony (in this example) to limit my right to use the content I've paid for down at the store. I've long ago converted to Linux (SuSE distro) so the crashing shards of Windows are effectively behind me. I do have a machine which has no connection to the Internet for Windows software I have to use.

This is all a mess, most of what's being actively done (publicly, or sneakily. or by buying legislation) is pernicious from any sensible public policy perspective. The extension of US copyright term to protect the Mouse is a particularly gross example of pandering to large industrial interests. Reading Mark Twain on The Gilded Age will seem quite cheekily familiar. And he's funny, though what he was excoriating wasn't then and isn't now.

>>DRM is not a matter of putting one's own business interests before those of one’s customers, it is a matter of balancing the interests of all parties involved in the creation, production, distribution and consumption of intellectual property.

It is exactly that, as DRM as so far implemented in many an (incompetent) instance has shown no recognition of existing purchasers' interests or rights.

The balance is entirely on the side of large copyright owners who see a large business at risk and so are willing to arrange for legislation, invent deranged kinds of DRM, impose them without warning or permission on customer equipment that is used for many other things than music or video playing, most of them far more valuable to their owners than either music or video, all at the behest of marketing suits and legal beagles who simply don't have a clew (imagine Peter Sellers/Clouseau here -- the match in lack of competence is quite extraordinary).

Sorry Dave, you're multi-dimensionally wrong on this.

WW

supercatNovember 18, 2005 8:26 PM

//But Sony would lose any DMCA case because their rootkit could, in principle, compromise copyrighted material on MY PC--that is, someone could crack into my home movies. I think it would be a legal stalemate.//

More significantly, Sony's software directly infringes on some other people's copyrights (the authors of some of the libraries used), therefore copyright law would seem to allow those authors to not only permit, but demand its removal.

Stefan WagnerNovember 18, 2005 10:45 PM

@geoD: "SONY was probably not even aware of the underlying (rootkit like) method employed (...)."

They were probably not aware, and set up servers as connected.sonymusic.com and www.sonymusic.com, listening for incoming messages, by accident?

Hard to believe.

btw.: The second part of the name of the corporation "Sony BMG" means 'Bertelsmann Media Group". The Bertelsmann-Group is a big player in the German newspaper and television-broadcasting market.
I searched their news-site on 'stern', a weekly news-and-stories - magazine for 'Sony', for 'rootkit' and 'sony bmg' without success.
One hit came up for 'xcp', which was linked to 'Financial Times Deutschland', another product of their house.
Other news-sites show much more news to this topic, and make it more easy to find them.

Concentration of big, global companies is another problem we can study on this case.

Would we believe vulnerability-news, published by a competitor?

Steve SummitNovember 19, 2005 12:26 AM

Others have noted this already, but it's worth repeating: one big reason that the security companies
have been so tepid in their response, and that they've tended to limit their attention to the "cloaking"
half of Sony's rootkit, is almost certainly: the DMCA. This affair therefore demonstrates yet another bad
side (yet another unintended consequence) of that misguided piece of legislation.

AnonymousNovember 19, 2005 12:50 AM

Hi Bruce,

If you want evidence of Sony BMG & F4I stealing LAME code, check out this site:
http://hack.fi/~muzzy/sony-drm/
and
http://www.the-interweb.com/serendipity/...

The evidence is indisputable. I reckon if you run some debugger on the process you can step through those code.

Funny to hear some reader advocating DRM as a way to protect IP. The only safe way to protect your IP is not to let it out of your sight or closet.

It is part and parcel of the world. All these so called legislation and digital laws are only placing consumers at a disadvantage and unfair positions. I am so disappointed the so called consumer protection agency are not there to get a fairer and more consumer-friendly EULA. Check out SongBMG to see what I mean.

AnonymousNovember 19, 2005 1:16 AM

Hi Bruce,

Since this is a Blog by a security expert, I would like to bring up a number of security related issues highlighted by this seedy affair by SonyBMG.

1) While Windows 2000+ has a fairly strong security system (I am not saying perfect nor starting a religious war on OS), but so many have chosen to run with the security system turned off using Administrator Account. With this account, programs can write anything or destroying anything, including system stuff.

There are strong evidence presented in www.sysinternals.com/blog that had these users run using the 'Least Privilege' account principle, they would have been alerted and questioned why playing a sound on a CD needing admin rights?

So many of my fellow developers are running with the security off:-(

2) Since they've turned off the security as in 1), they then loaded up their machine with all these tools, anti-virus, anti-hack, etc. to consume valuable CPU and memory resources only to find that they are either in collusion with the attacker or the attack was not spectacular to be labelled as such.

I have encountered virus attacks days before the AV vendors have sent out alerts and updates. But I managed to defeat them. BTW I do not run AV continuously - only on demand.

3) It is really silly on Microsoft's part to support this thing called Autorun. Long ago when the only portable media was floppy disk, the spreading of virus via the floppy disk triggered by booting from it was well known and everyone knew not to leave floppy disk in the drive to boot.

It seems this lesson has been lost in the newer generation.

Had this feature not available, the attacks used by XCP and SonyBMG's other DRM by SunnComm would have no effect and you can simply rip their tracks out with no hindrance. Incidentally, SunnCom's DRM left rubbish around even if you decline to accept the EULA. To me this is a fair game to reverse engine what they gave us free;-)

I have always either hold down the shift key when I pop in the CD/DVD for those machines that are not mine or have all my machines' autorun perminently turned off.

Hopefully after this seedy affair, everyone become smarter, wiser, more security alert, and less trusting of any company, particularly SonyBMG.

In Digital world, trust nobody and treat every installation as hostile act is my motto.

Richard the CurmudgeonNovember 19, 2005 2:20 AM

If you like a good conspiracy theory, consider this: in Australia, the largest media organisations are without exception either partners of, or (in the case of News Corporation) participants in "big content".

And in Austraila, with only two exception (SmartHouse Magazine,
www.smarthouse.com.au; and the national broadcaster, ABC.net.au), the first reaction to the rootkit story was to shut up. In the first five days of the story, it got nothing at all from local writers.

Here are the first stories that weren't syndicated links in Australia:
http://www.smarthouse.com.au/Computing/...
http://www.smartofficenews.com.au/Computing/...

These are dated November 1 and November 2, respectively.

The Australian didn't notice the story until much later: November 8; and even then, its attention to the story was in the form of a Sony PR-driven piece from a newswire.
http://australianit.news.com.au/articles/...

Yet Sony plus copy-protection is a Real Story in Australia: it has been for ages, because Sony ran, and lost, a court case trying to ban modchips in Australia.

I suppose it would be redundant to add that Sony is a major advertiser in the Australian market?

karlNovember 19, 2005 9:05 AM

As a canadian, I am protected against privacy invasions as described in the Personal Information Protection and Electronic Documents Act (PIPEDA)

I have since visited sony.ca and made an official request and made and official request, as I am allowed to do under PIPEDA, for all information sony has collected on me which could identify me (namely during my short visit on their website). This could include my IP address, resources I visited with said IP address and possible other HTTP Headers typically sent with my browser.

I encourage all canadians to do the same thing:
http://www.privcom.gc.ca/information/...

It's possible that if you've used other sony products, such as their online games as well as this rootkit, you could also ask them for information with respect to that.

JoeNovember 19, 2005 9:37 AM

Bruce's comments are an eye-opening commentary on the unthinking abuse of our rights by a large corporation. Im shocked that Sony executives havent been hauled up to Capitol Hill to explain their actions in front of a Senate Investigative Panel. If this code had leaked out of Sony so that the virus writers were ready when it was first released, the effect would have been devastating and no one would have known how they did it. Where's the spooks? We're talking about a potential National Security breach, thousands of goverment computers are "infected" not to mention government employees home computers. The only blessing is that the crackers were seemingly caught napping on this.
We all have Sony to thank for giving virus and malware writers some new tools and ideas to attack us with. It seems to me that this story will get much worse, I believe crackers will "go to school" on this rootkit and it's abilities and begin to produce their own with sweeping enhancements in concealment, communication and non-removability. Piggybacking exploits onto the Sony rootkit is only the start. While rootkits have slowly increased in the wild recently, this new flap should get "rootkits" noticed in a big way. If I were organized crime, I believe I would quietly start slipping this stuff onto black market audio and data cd's etc and start infecting things through multiple sources, not just internet related. I fear Sony, in one fell swoop, has changed the trickle into a river of trouble.

AnonymousNovember 19, 2005 9:46 AM


Good stuff. But I think you missed a reason -- DMCA fear.

Everybody fixing this rootkit is circumventing a TPM (hmmm, even Sony-- as the aren't the right-holder to all works protected by it...). I'm
not clear at all why any of the disclosures w.r.t. the Sony rootkit are even legal given the precedents of Coreley and Sklyarov. The courts have read the DMCA very straightforwardly. If TPM (a) is circumvented
by software or published technique (b), (b) is in violation. Certainly I don't think it's clear at all that McCaffee and Symantec are in the
legal clear w.r.t. adding the rootkit removal. I sure don't read an "oops" clause in the DMCA (where a publisher can "at will" denounce a
TPM). The only exemption mechanism is a periodic (bi-annual) review by the Library of Congress.

Here's another example. I had a discussion with some managers at a certain large software company.

What if your engineers were debugging your CD drivers, and discovers that certain CD's had invalid (table of contents) TOC's. (A known DRM technique)

What happens if (not knowing that invalid TOC's where intended as a TPM) the engineer 'solves' the invalid TOC issue by acting like a CD player instead of a CD-ROM (the known work-around).

What happens when the company ships the product with the "fix" for the invalid TOC's in the next major boxed revision?

Quite correctly, they all blanched. The costs to recall a major launch, and fines for distributing circumvention tool are quite high. Since the
DMCA makes this (c.f. Sklyarov) a criminal offense the record companies wouldn't even have to go toe-to-toe w/ that certain large company.

I'm quite sure that this large software company ensures that their drivers aren't "too good" in this respect today -- that the "succeeds in
failing" test is part of there validation. (Why else would we still need cdex, hmmm?)

If a company as large as that won't fix CD TOC handling -- why would Symantec and McCaffee want to touch this rootkit with a 10' pole?

AnonymousNovember 19, 2005 9:49 AM

Actually I think Sony's been a bit worse than that. Here's a shortlist for others to build upon:

First they install a rootkit without end-user permission (Tresspass to chattels).

Next it turns out that the rootkit interferes with the "anti-cheating" functionality of "World of Warcraft" -- which is TPM preventing unauthorized derivative (hacked copies WoW) works. (DMCA violation)

The rootkit apparently contains pieces of the LGPL'd "Lame" encoder without meeting the publication requirements (Copyright infringement).

Both the original "rootkit" and one of the rootkit uninstaller versions leave a huge security holes on the end-users computer. (Trespass to Chattels and/or Vandalism ... don't know what
law other than civil suits for neglicence -- the EULA limited the damage to $5, but rootkit existance wasn't disclosed in the original EULA).
(see Freedom to Tinker)

Finally, if you press Sony tech support, they will send you instructions to create and non-TPM'd disc (i.e. a real Red Book CD) from there TPM'd CD. "traffic in a ... technology" (DMCA Violation)

another_bruceNovember 19, 2005 11:04 AM

what can a moderately sophisticated user who is not a professional technologist do? i don't trust big corporations, they write and deploy this code for their benefit, not mine. if i play spy versus spy against microsoft or sony, i'm gonna lose. i wouldn't stand a chance in hell of noticing what mark russinovich noticed. why should i buy a software product i don't fully understand to combat the bad features in another software product i don't fully understand (and which i also bought and paid for!)?
one simple, obvious answer is to move to open source. windows is secret. linux is not. i can pay somebody to look at the linux code and tell me anything i need to know, can't do that with windows. i've noticed lots of funny things about windows, one pet peeve i've never seen commented on is that the disk cleanup accessory sometimes fails to remove 100% of the temporary internet files, and the files left over, the ones i have to go into the individual folders to delete, were put there when i checked my hotmail account, and hotmail is owned by...ahh yesssss!

Roy OwensNovember 19, 2005 12:10 PM

@Enginer [sic]

"You may recall that it [DMCA] makes it a crime to even try to circumvent copyright protection."

Then it's a crime for Sony, Microsoft, and Symantec to try removing the rootkit, or even to expose its cloaking.

Let's prosecute the big boys!

ebcdicNovember 19, 2005 12:52 PM

What I find more intriguing is "is (or was) there a collaberation" between Microsoft and Sony? i.e. Microsofts' EULA says you will not do anything to tamper with "the workings" of its' programs. XCP clearly does that as it works at a very low level.

Now, obviously, while many of us would *love* to see a suit from Microsoft against Sony it is probably likely never to happen, which is why the question *should* be asked, imho.... Not only do we have the AV companies not saying anything about it, and their resultant "removal kits" being tantamount to the same as Sonys', but Microsoft has not stood up and questioned this very bad, ugly piece of software.

If not collaberation, then Microsoft is staying quiet because of the deals it has lined up with Sony for (more) DRM for Media Center & Vista - not to mention the blu-ray saga.

I guess that some of us would like the question to be posed to Microsoft and for someone to respond, otherwise they are guilty by association and equally as liable and culpable.

DamianNovember 19, 2005 3:51 PM

@another_bruce: "I can pay somebody to look at the linux code and tell me anything I need to know."

I can pay someone to read Chinese for me and tell me anything I need to know ... oh, wait a minute, I don't speak Chinese, so how will I know he is telling me "anything I need to know"?

There's nothing wrong with Linux. but that's a laughable argument for it.

Ari HeikkinenNovember 19, 2005 9:42 PM

It's hippocrasy at its best. Some kid doing this would be jailed and fined so bad his life would be ruined, but a big multinational corporation won't even be charged. Well, everyone knows microsoft's a joke, but then there's symantec and mcafee. Their security products are supposed to protect your computer from malware, but being american corporations, it's obviously more important for them to play safe and avoid pissing off another big corporation in fear of lawsuits than to protect their paying customer's computers.

Jeffe'November 19, 2005 10:08 PM

I'm sure I am not the only one to have thought of this, but I was wondering, while reading so many articles about the Sony/BMG XCP "copy protection" why they were focusing their anti-piracy efforts on only these 52 CD's? Browsing the list of infected CD's, none of these seem to be very popular or at least any that the "average pirate" would care to buy, let alone copy multiple times and care to share on P2P networks or the like.

My question is, then, has anyone discussed what, of any, information the XCP program returned to Sony/BMG? It seems to me that this was not so much about Copy Protection, or even a proof of concept for DRM, but more of a direct marketing plot. (no, i dont normally wear a tinfoil hat)

There seem to be more Sony/BMG titles that would be more likely to be pirated than Bette Midler and Louis Armstrong. Why wasnt XCP put on more popular titles like Santana, Britney Spears and R Kelly. (I believe these are all under the Sony/BMG control.) It would be easy to track the effectiveness of the copy protection by monitoring these popular titles and possibly track how effective the CP has been. That actually might make some sense. But by infecting the computers of people who would not even think about sharing these CD's let alone creating a massive copying and distribution scheme that the "real" pirates do, they are basically saying that the average buyer of these lower-tier CD's are criminals and have to be controlled.

I think the real reason, whether or not it was implemented to the extent it could have been was to collect data on users, and their music listening, and possibly even buying habits. It could have gone much further than that, though.

Evan HillasNovember 19, 2005 11:24 PM

Reposted on request from my Wired feedback email:

Speaking of "who are they working for?", I've heard that Windoze based virus protection software in general don't actually protect as such but simply go round cleaning up the mess after the damage is done. I've always been puzzled by this backwards approach. Why doesn't the protection software block the intrusions from doing damage in the first place?

One argument might be the performance impact of inline checking. I have serious doubts on this point as I used to use a 0.5 MIPS system with inline checking performing smoothly. What's more, I don't think one could have a more performance degrading setup than what I've seen "Nortons" do to a Windoze box. Luckily, there is still more than one choice for the moment.


Evan

hendersonNovember 19, 2005 11:48 PM

WW nailed it as far as DRM goes. These knuckleheads need to stop with their DRM crap. Let's make sure that this does not turn in to a XCP bad, all other DRM good/ok type of scenario. DRM is bad, misguided and at times evil.
All of the major labels believe DRM will lock-down "their" content. SonyBMG has taken the first hit from the public, but they were not the first to put XCP on a disc. Promotional copies of certain UMG(Universal, the biggest label group) releases have contained XCP for at least the past year. WMG uses watermark protection. EMD goes the SunnCom route.
SonyBMG uses them all. There are still many commercial discs with copy protection that have not been recalled.
Perhaps we can turn this into an event that makes the public aware of the evils of copy protection of all kinds.
I will buy CDs, but only if they contain the clean high-quality digital copy portability that I have come to expect.

JasonWNovember 20, 2005 1:05 AM

Robin and NathanB mentioned it earlier, but it's worth repeating: the whole rootkit fiasco doesn't even have anything to do with copyright protection; rather, it's about Sony trying to coerce Apple into opening up the iPod. Sony wants Apple to allow downloads from stores other than iTunes.

Read the article here for the full story:
http://p2pnet.net/story/6808

Since the rootkit is designed to facilitate economic gain instead of protecting intellectual property, perhaps there is grounds for the Department of Justice to go after Sony after all? Just a thought.

MichaelNovember 20, 2005 3:06 AM

@Jeffe '... has anyone discussed what, of any, information the XCP program returned to Sony/BMG?"

Yes, Mark Russinovich for one:

"... a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID ..."

http://www.sysinternals.com/blog/2005/11/...

"It seems to me that this was not so much about Copy Protection, or even a proof of concept for DRM, but more of a direct marketing plot. "

I don't think so. It seems Sony first said they weren't collecting information; then, when they were shown to be doing so, perforce had to admit that they were, but claimed that they weren't using it ecept for the purpose of updating album art and lyrics.

Maybe the second claim is to be taken with as large a pinch of salt as the first. But I think the *primary* purpose of the software was to "protect" the music on the CDs.

HerbieNovember 20, 2005 3:45 AM

Does anybody know if Sony licensed the patents one needs to commercially distribute MP3 encoders?

KriganNovember 20, 2005 5:13 AM

Antivirus software don't remove Sony's rootkit because removing it is a violation of DMCA and alike laws in several countries.

This kind of laws are a far nasty thing. At digital age, they mean copyrighters can own and use weapons to defend their rights meanwhile we must stay unarmed to defend ours. They are not balanced laws but far unbalanced ones.

NickNovember 20, 2005 6:09 AM

Sony DRM - Why none of the security companies stepped into the breach.

In short they are scared.

Have a look at this web site ...http://www.eff.org/IP/DMCA/?f=unintended_consequences.html

Alex Halderman also had the dogs set on him for suggesting that users hold down the shift key when inserting a copy protected CD, you'd think grown adults would have better things to do. - and this was SunnComm, one of Sonys copy protection suppliers.

Anyway getting to my point - the DMCA is a blunt and very effective tool, used by some of the most powerful and influential companies in the world to crush anyone in their path. Could you afford to defend yourself against Sonys lawyers? Who in their right mind would distribute software that modifies a DRM scheme in the face of the DMCA? No wonder everyone hung back waiting to see what happened.

Personally I think it was only the comments from Stewart Baker that got Microsoft to move on the issue - after all, they knew about it for months due to the blue screens from aries.sys and simply pointed people at First4Internet and Sony.

Mark Russinovich is a very brave man, fortunately he had a balanced approach and he made an excellent job of documenting his evidence. As a result in cyberspace lots of people heard him scream - I dread to think what might have happened if Sony had got to him first, simultaneously letting their lawyers off the leash and dispatching the spin doctors to deal with the press. F-Secure also deserve praise for acting so quickly.

Please change the focus of your attacks to the DCMA and congress - after all they are the real culprits.

- and by the way, I will never buy another Sony product, neither will my children or my childrens' children - I really am that angry.

Mark LyonNovember 20, 2005 11:27 AM

SonySuit.com is tracking the Sony BMG Music Entertainment /
First 4 Internet CVP Rootkit class actions lawsuits, and offers
information about suing Sony in your local Small Claims Court for
those who don't wish to wait for, or be a part of, the class action
lawsuit.

elegieNovember 20, 2005 2:00 PM

"Who are the security companies really working for?"

With anti-spyware software, there have been cases of spyware/adware being delisted. When this happens, the spyware/adware is not detected by the anti-spyware software. Vendors of spyware/adware have used cease-and-desist letters to try and get their software delisted. See http://www.pcworld.com/news/article/... Even if there is a legitimate reason for delisting something, it is still important for users to receive an understandable explanation. How long can a certain item of spyware persist? How often are viruses and other malware delisted? (Obviously they are not the same as spyware/adware in every single way.) In one case, the anti-spyware package from a certain large company downgraded its treatment of certain targeted software. See http://www.eweek.com/article2/... and http://www.schneier.com/blog/archives/2005/07/... Using multiple spyware packages can be useful.

Dale UnderwoodNovember 20, 2005 5:53 PM

Here is more on Sony and the root kit bungle. It is from Ars Technica

http://arstechnica.com/news.ars/post/...

Open source code found in Sony's CD rootkit

11/18/2005 2:44:01 PM, by Jeremy Reimer

The copy protection program XCP, which shipped on 49 music CD titles from Sony BMG, and which was found to install a rootkit that opened user's computers to viruses and game hacking tools, has now been found to contain open-source software that was apparently used without permission.

The software, developed by British software firm First4Internet, was found to contain source code from the open-source project LAME, an MP3 encoder and player. "Multiple software components on the CD have references to the LAME open source MP3 code," wrote Finnish software developer Matti Nikki. Others, such as the security software firm Saber Security in Bochum, Germany, have confirmed that the program contains LAME code.

LAME is licensed under the Lesser GNU Public License (LGPL) which requires that any program that tightly integrates its code into its executable must acknowledge this use and release the full source code to their program. If the code was simply used as a linked library, the LGPL would have allowed closed source software to use it, but apparently the code usage was much more deep and thus violated the LGPL rules, which are less restrictive than the general GPL.

That's the flipside of open source: If you don't respect the open source rules, the old regime of copy protection comes back in full force," said attorney and Internet specialist Christiaan Alberdingk Thijm at law firm SOLV in the Netherlands.

Sony BMG, which first denied there was even a problem with the rootkit, then relented under public pressure and agreed to stop using the program and then recalled all the CDs that contained it, has not commented on this new issue. Perhaps the irony of such a staunch defender of copyright and intellectual property violating someone else's copyright was too much for them?

VikingNovember 21, 2005 8:25 AM

Ref. the comment on lack of detection by antivirus programs: A Norwegian antivirus company (Norman) claims that their "sandbox" tool caught the rootkit even before a specific signature was released. http://www.norman.com/News/Press_releases/25791/...

This is of course marketing speak from them, but in general I'm very pleased with Norman's tools. It takes less system resources than any other AV tool I've tried.

MichaelNovember 21, 2005 9:08 AM

Someone in the comments over at the Sysinternals blog says that Sony Vaio laptops come with spyware pre-installed. He say the program is TGCMD.EXE and references a site called Win Patrol that I've never heard of.

I had a quick look in Google and it looks as if NAV has been finding it heuristically on the basis of its suspicious behavior. Does anyone know if this is true, or if it's a false alarm?

Either way, I must say I think after this incident I don't think I'd buy *any* PC from any OEM that did not come with genuine a Windows CD from Microsoft itself. I want to know that I have a clean OS that comes "as intended" from Apple, or Microsoft, or a Linux vendor without anyone else's "helpful" additions.

Steve SummitNovember 21, 2005 10:13 AM

Up above, an anonymous reader commented on the perils of of a too-robust disk driver's "fixing" a "broken" audio CD TOC. But where does that sort of paranoia end? Will Microsoft have to disable the use of the Shift key to disable CD autorun? (HHOS, I guess -- reader "Nick" later mentioned that "Alex Halderman had the dogs set on him for suggesting that users hold down the shift key".)

I'm a very, very big fan of Jon Postel's maxim of being liberal in what a piece of software accepts. I could very easily have been the hypothetical engineer who "`solved' the invalid TOC". I'd hate for Postel's robustness principle to be yet another piece of collateral damage to the DMCA.

Could allowing the playing of a disk with a deliberately broken TOC really be argued, in a court of law, to be "breaking a copy-protection device"? I'm dreadfully naive, I know, but it really seems to me that in that situation you're at most guilty of breaking a *play*-protection device, or of ignoring a be-incompatible-with-the-Red-Book device.

I also wonder: the flip side of a computer manufacturer accidentally fixing their computer's CD-reading capabilities to be able to read one of these deliberately-broken disks is the case where an audio CD player manufacturer accidentally fails to implement one of the inconsequential alleged differences between audio and computer CD players, resulting in an audio CD player that can't play a whatever-protected CD, either. Is it similarly wrong for that manufacturer to correct their mistake? (And if not, why exactly not?)

Steve SummitNovember 21, 2005 11:11 AM

Here's another thing that I'm not the first to have noticed but that needs to be said again (and again). This incident absolutely demonstrates that big, "responsible" corporations can flagrantly abuse trust, and therefore that any code-validation scheme that's predicated on a external trust model is not nearly as secure as its proponents would claim.

To elaborate: if I want to keep my computer secure, one of the obvious things I have to do is control what code runs on it. There are two very different approaches to this. (1) The only code that runs is code that I explicitly invoke, and that I had previously, explicitly installed. (2) Code can automatically and implicitly run under various "convenient" circumstances, and this code will be fetched from external sources and automatically installed if necessary, but there are mechanisms in place to ensure that only "trusted" code is so installed and run.

Needless to say, approach (1) is the one favored by anyone who really takes security seriously. But the consumer computer industry, led primarily by Microsoft, went down road #2 a long time ago, and there's probably no turning back.

Now, lest I be seen as excoriating approach (2) too unilaterally, let me add that I do understand that virtually no security system can ever be 100.000% effective. But my point is this: proponents of approach (2) always make it sound like there's a pretty clear distinction between sources you can trust and those you can't. Even if they admit that there might be some gradiation, they would all tend to assert (or they would have asserted until now) that even if there are gray areas when it comes to unknown, questionably-trusted sources, you can *always* *totally* trust stuff that comes from big, responsible, Fortune-500, multinational corporations. It wouldn't surprise me one tiny bit if, say, some hypothetical future version of Microsoft Windows containing a completely-worked-out trust model were to come preconfigured with certain sources already authorized, such that those sources would therefore not require any further user intervention to confirm. Those sources, of course, would be ones which Microsoft had inked various deals with, and we would have been surprised if a company such as Sony were *not* on the list.

But now, any time someone says they are 100% positive that their brand-new trusted computing platform is 100% perfect, or that its top-tier, 100% trustworthy partnered sources can 100% positively always be trusted, we have but to mention the Sony/BMG fiasco of November 2005. There aren't too many absolute proofs in science, but a single counterexample can absolutely disprove an absolute claim.

Bob DobolinaNovember 21, 2005 12:32 PM

You are all up in the night. The RIAA thinks Sony was right and acted responsibly...

“They have apologized for their mistake, ceased manufacture of CDs with that technology,and pulled CDs with that technology from store shelves. Seems very responsible to me. How many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?��? - Cary Sherman (RIAA President)

http://www.malbela.com/blog/archives/000375.html

You don't believe them? ;)

JustinNovember 22, 2005 1:47 AM

Nice article, well researched with all the links.. it's been a nice ride watching this whole thing evolve. I've done tech support for some time and have seen more and more applications getting ignored by AV/spyware scanners under the guise of 'commercial software'.
Even keyloggers, remote monitoring..etc.

fritzNovember 25, 2005 9:00 PM

I do not mind paying for music I like. However I do not like software that breaks what I do have and have allready paid for. I was going to buy a sony dvd writer. I just ordered a hp. They may have the same problem, but I also ordered zonealarm to stop any phone home stuff, or at least let me know it.

WSMNovember 26, 2005 4:26 PM

If this post over at eWeek is true, maybe your central contention is in doubt -- the corporate edition of Symantec Antivirus could detect the rootkit and it tried to remove it..http://blog.ziffdavis.com/seltzer/archive/2005/11/22/39053.aspx#FeedBack

Bruce SchneierNovember 26, 2005 5:07 PM

"If this post over at eWeek is true, maybe your central contention is in doubt -- the corporate edition of Symantec Antivirus could detect the rootkit and it tried to remove it."

Fascinating. I agree with Larry Seltzer (the author of the essay); Symantec should make a big deal about this if it's true.

SDNovember 29, 2005 12:42 AM

Well, this is not related to any of the latest fray over the Sony rootkit but it is in a small way connected. I have been pondering the next step we may see virus writers take in a attempt to distribute their nasties. Windows XP SP2 shipping with the firewall turned on by default has made networked distribution more difficult and AV vendors helped close the floppy disk boot sector threat years ago (nowadays laptops are even shipping minus floppy drives). I think that the next major virus will probably spread through several venues but I believe that the proliferation of USB memory stick type devices and the ability of the autorun nature of those things would make for a very nasty opportunity. Imagine, the virus/worm infects a windows machine, install a custom password/banking info stealing trojan and then waits for any 'removeable media devices' aka digital camers, mp3 players, cell phones, thumbdrives, jumpdrives, etc. to be connected and then places an autorun file on the device that will automatically launch the infection program on every computer that device is subsequently plugged into. Another good reason for people to disable that extremely annoying 'feature' of windows. And a hint for Idiot$oft, in SP3 for WinXP, why not set autorun for ALL drives to OFF by default? That would be one more small step in your 'trustworthy' computing farce that might actually count for something!

CyentNovember 29, 2005 3:21 PM

I would love to see a blog entry from you on the subject of Disclosure vs
http://www.businessweek.com/technology/content/...

Personally I feel F-Secure failed it's paying customers hugely.

The only reason why they reacted so quickly (as you mention here) is they were actually sitting on the info protecting Sony's butt at the expense of their paying customers.

Nolan LeveNovember 30, 2005 7:43 AM

As we can see,Sony is a stupid company.Remenber the Betamax? And the DAT format? And now,the end of Minidisc? Well,as a consumer,I believe that I have the right to make a copy of any media for private use,I do that since 1965,beguining with my old reel recorders(Geloso) ,continuing with my VHS machines and now,conecting a CD player to my audio board via analog conection and make superb copies in CD for my private use with absolutely no risc like this shit stuff created by Sony.So I´m a lucky guy...:-)) Here in Brazil,honest people like me believes that piracy is outlaw because pirates made copies to sell,that is (never was) my intention..And my way to copy CDs takes more time,uh,but is realy safe,he,he

Nolan LeveNovember 30, 2005 7:51 AM

This is to correct my last post...In the last words,I want to change the sentence to:
Here in Brazil,honest people like me believes that piracy is outlaw because pirates made copies to sell,that is NOT (never was) my intention.

In fact,computers have a CD driver to hear music and to COPY too,for private use only.And it is not a prrivate company like Sony that has the right to modify our freedom condition and/or to impose sanctions to us that,after all,are their clients and consumers.I believe that a boicot to Sony midia and,why not to Sony products (that are not so good after all) may be useful...

compuvegDecember 1, 2005 2:17 PM

I want to file a class action lawsuit against the world over this one. There's not a single entity without blame.

Sony is at fault because they are big enough to have had an internal team (or independent third party) audit the actions of the copy protection scheme which they purchased. Not to mention the fact that the copy protection doesn't even stop the people who are into piracy for profit, because those guys have their auto-run turned off anyway.

Legistlators worldwide are to blame because they should have had laws in place against a number of functions of this copy protection scheme. They also should not have laws on the books (DCMA) prohibiting people from reverse engineering technology they have purchased. The exact opposite should be true, the DCMA should ensure that source code for all software be available to entities who want to verify the software functions as described, without any backdoors.

These same legislators should have already taken action against Sony. Local authorities should have already pulled the software/content off the shelves. If it was an album (dating myself) that had artwork considered to be pornography in it, without the appropriate labelling, local authorities could pull those from the shelves, what's the difference?

Microsoft is to blame because they should concentrate more on fixing the products they've already sold rather than focus on moving the world to whatever new technology they've cooked up. Not to mention that having auto-run enabled for anything is JUST STUPID.

The AV companies are to blame because they are letting folks like Sony, the RIAA, MPA, Microsoft, and Apple push them into ignoring things which they are supposed to protect us against.

While I'm railing against the AV companies and Microsoft, I wanna know WHY WHEN I LOGIN TO MY COMPUTER DOES MY AV TELL ME IT IS DISABLED?!?! FOR CRYING OUT LOUD SHOULDN'T SOME AV ROOTKIT BE LIKE THE FIRST THING LOADED WHEN THE OS WILL ALLOW IT?!?!

The public is to blame for sitting back and watching everything unfold and not lifting a finger to stop any of it. Oh, the EFF will take care of it for us!

I'm to blame for writing this comment no one will ever read... instead of writing a sentor, congressman, governor, president, or any of the other elected officials who are allegedly there to protect the public.

Ok, I'm not to blame for that because I probably will copy this out of my posting and include it in a letter I'll write, eventually. Doesn't matter anyhow, the government is OWNED by corporate interests and have NO interest in how the public is impacted. I don't care if we're talking about the US or some other country, CAREER POLITICIANS ARE IN IT FOR THE MONEY.

doktorthomasDecember 5, 2005 5:00 PM

I dumped MacAfee in the last millenium; Norton in 2003. They could not cut it then and apparently offer little more now. BTW, I am writing on a Sony PC; wonder who I am calling at the moment . . . Japan, NJ or CA? No more Sony music products for this lad. (Should I mention their payola crimes??) My last dig: I never met a Microsoft product I liked. And I as I read elsewhere, "if Bill was building cars instead of software, he'd be in prison. . . ."

Lampie the clownDecember 10, 2005 9:17 AM

I think your praise of F-Secure is a bit misguided. They held onto the information for almost a month, until it was reported by Mr. Russinovich. They reported it to Sony, and they discussed it with First4internet, but they didn't tell us.

Same as the others.

Lampie

newbie that knows about computersDecember 13, 2005 2:25 AM

i think that this is an great example where corporate greed is larger than the customer's safety. i think that this scenario can and will happen again in the future as long as corporations stand.

David B.December 17, 2005 10:42 PM

While I agree completely with you that the big story about the Sony rootkit, regarding your following quote:

---
Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. And Sysinternals, of course, which hosts Russinovich's blog and brought this to light.
---

If you read Slashdot you would have found out that F-Secure KNEW ABOUT THE ROOTKIT A MONTH BEFORE THE NEWS GOT OUT TO THE REST OF US! Rather than respond immediately to protect our computers, they were in talks with Sony over the details of an NDA so that they could work out how to let their AV product play nice with the DRM software They're as much scum as the rest of the AV companies!

The best quote I've heard about DRM so far is that it is exactly like spyware because:

1: They need to trick you into installing something you wouldn't install normally.
2: They need to make it virtually impossible to uninstall something you would otherwise remove immediately.

concernedDecember 27, 2005 2:22 PM

it may sound like conspiracy theory but-
with such goings on between sony and some av companies,perhaps it might be wise to question where some of these viruses we are being subject to are originating ,remembering that the antivirus industry is worth very substantial money.
If they are willing to overlook such actions by big business,then they may have no qualms about deceiving interent users!

BixbyJanuary 12, 2006 3:16 AM

I'm wondering about the rootkit removal issue. As only a security amature (and the fact that noone else has mentioned it) I could be completely wrong, but as I understand it, rootkits cannot be removed without wiping the harddrive. Perhaps this is why only the "cloaking" is removed, and why the AV companies aren't working harder to completely remove it?

memyself&iApril 6, 2006 3:47 PM

It surprises me that there were so few responses to one reader's comments about MS's collaboration with Pentium to produce computers with DRM built into them.

The implications go far beyond Sony's rootkit. Rootkits, spyware, and other such headaches are software, and in one way, or another, can be dealt with, as such. However, if Pentium builds DRM into their processors, or their chip sets, it will be virtually impossible to remove. I fully expect that computer/motherboard/chip manufacturers will jump on the bandwagon. The trends are there. When you purchase a new computer, much of Vista will be embedded on a chip. You will not be able to run anything on that computer except that copy of Vista. Your computer will phone home the instant you boot it up. And it will be very difficault to prevent that from happening. As it sits, XP phones home when it is first loaded onto a system. It actually makes an internet connection, before a TCP/IP network is installed (assuming a high-speed connection). I haven't been able to track the destination of the data, because it occurs during the installation, and it may be completely harmless, but I know too much about MS to be trusting. If I need to re-install XP for any reason, I unplug my DSL modem, before the install. Nor do I use XP on the net. I shut down the networks, and un-install all of the internet related Windows apps that can. (however, it will not allow un-installation of TCP/IP!) Xp is a slow and cumbersome OS, and I only use it to run programs that I can't run on any other OS. If Vista is installed on the motherboard, I'd bet a month's pay that I wouldn't be able to do any of the above (except un-plug it).

Think about! A computer that phones home, everytime it is booted. A computer that phones home every time a new program is loaded into it. A computer that phones home when music, or movies are played on it. A computer that may even report to the government where you happen to be surfing, and sends copies of your emails them. A computer that you have very little control over. Yes, there will be ways to defeat the system, but that will become more and more difficult, over time.

And they will sell! The latest and greatest crowd will buy them up like hot-cakes. The average "consumer" will buy them up because the systems will be "safe". They won't have to concern them-selves with such incomprehensible nuisances such as security and privacy.

I've quit buying Pentium ever since they produced the processor with the globally unique ID built into it. I'll be watching AMD very closely for hints that they may be, or will be, doing the same thing.

Can't happen? Government intervention? Take the time to read the Homeland Security Act, and the Patriot Acts, I & II. How about the lack of a meaningful response from the government to the Sony rootkit mess, and that, in spite of the fact that many of their own systems have been compromised with it.

Paranoid? You bet! Scared? You bet!

I love my old 300 Mhz AMD clunker. It's too bad, that one day, it will not be useable on the net.

Victim-For-Years!July 7, 2006 1:17 AM

I am in absolute, horrid, shock! I've followed the Sony debacle for a while, and refused to buy Sony CDs the last year or so (before the rootkit was exposed) just on principle and because I don't trust them. I never thought I'd been infected with a rootkit because I haven't popped a music CD in THIS computer (except REALLY old ones) for a long time.

I haven't thought too much about my usage past the last year or so, because I only today became aware this stuff's been shipping since 2004 from Sony (and for how long from other companies is unknown).

How absolutely, horrificly ready to EXPLODE I am to find out, after spending hundreds of dollars on printers, and EVEN MORE ON A NEW COMPUTER 3 year ago to last month, that 1 other person in the world had ridiculous problems like mine, and the cause is a DAMN ROOTKIT!!!!!!!

Please excuse my swearing in a public forum (if you must, edit that), but I am so livid at this moment I'm lucky I can see straight to type this. I had a part-time business and an expensive-to-produce (hobby) event for which I had to pay a photocopy place (collectively over 2 years) at least a couple thousand dollars to create flyers I intended to do ON MY OWN DAMN COMPUTER FOR LESS MONEY. The first year wasn't a big deal because copies were still cheap, the 2nd year they were a 50 cents to 1 dollar a page (everywhere), and no ink cartridge costs can come close to that!

I have gone through 3 printers, 2 computers, 2 versions of Windows (before getting hooked on the Linux thing, unfortunately it's not possible for me to get completely *off Win-Doze* yet B/C I need to use it for my Bachelors-Master's Degree + Certifications)...not just 2 versions of Windows but 3 OSs if you count the OS that came on the 2nd computer, 1 paid version of Linux (Xandros is NOT what it was cracked up to be, at least not when I had it, and too sick to call support for innummerable months 'till support options had passed), hundreds of hours (low estimate) of lost time and frustration, useless phone calls to both Microsoft and HP so-called *support* (with both computers)...and that's just off the top of my head.

I wondered how any company could not correct its flawed drivers (or OS) and why other people didn't seem to have the problem, and figured the OS and Computer vendors were too lazy (and money-minded) to really investigate to find out whose crappy code and/or hardware was at fault...now I know, NEITHER!

I laughed at the stupid settlement wherein Sony only has to refund people $7.50 per CD and (on some) offerer 1-3 free downloads. Does this preclude any particular individual for placing their own lawsuit? How would I go about pursuing this?

I don't want $7.50, and I *DAMN SURE* don't want any Sony music! I want my thousands of dollars!!! How can I take action that won't cost me more money? Is there anyone who takes on stuff like this pro-bono? Are there any class-action lawsuits going besides the NY, TX and CA ones here in the U.S.?

Would an individual be able to recoup actual losses through class-action, or am I right in thinking I could not do that through class-action?

Are there any class-action suits in the works to recoup any *REASONABLE* damage amounts, in the hundreds or thousand or more per individual?

Please, anyone who has any information who can help me, I have no money whatsoever to pursue hiring a lawyer, all my money right now goes to bills and school (what little I make while I'm in school), I can't even fix the brakes on my car.

I will keep a watch on this. Any guidance is appreciated.

>>> "Every once in a while we would get a call where the printer would stop talking to the pc and it would generate the same series of error messages...at a pawn shop...bought a pc that just came in.....same error messages when I installed the driver! Some friends and I poked around on it for weeks and found a cloaked program hidden deep in the system. It logged several things like keystrokes, modem use, and files accessed on the system. It also tried to call an IP that seemed to exist sometimes and then disappear. Anyhow, we found that the virtual port that the printer driver created would get corrupted and lose connection with printer...I still don't know what I found. For the last four years the IP still appears and then disappears in the Baltimore and Virginia areas."

DanDecember 20, 2006 11:26 AM

I think this type of thing always comes down to national politics. If a large company supports some political candidate they figure that candidate will help them get out of anything. So they're confident enough to try something like this without serious legal remifications. And if they can keep their actions very low profile and out of public view, they will not even face a back lash from them.

tx891January 5, 2007 5:57 PM

does this have anything to do with the recent acquisition of sysinternals by microsoft?

Kim MJanuary 30, 2007 8:14 PM

This whole fiasco to me seems to be just one example of a further trend. That trend is the one in which media companies dump a well defined, working standard (i.e. redbook), and instead use hacked proprietary standards (CDs with incorrect TOCs, & other dirty tricks), which pose as the defined standard to customers.

The problem with this is that there is no guarantee that the discs in question will work on current/future CD players, or that they will be as robust as actual (redbook) CDs.

I feel that this practice is highly deceptive. Philips is right in refusing to let them use the Compact Disc logo.

Another nasty trend is the practice of producing media (whether it be discs, or data files) that contain unnecessary executable code. I do accept that some media contains executable scripts that are designed to run in a sandbox (e.g. Java on BluRay), but such scripts are a well-defined part of the standard, and necessary for the functionality that the standard defines. Aside from standard-defined scripts, media shouldn't contain executable code - it's a huge security hole.

It's a difficult hole to plug for existing formats. An approach for new formats could be for them to define that they are a 'media' format, and for the device/OS to mark everything loaded from them as non-executable. Of course, this will never happen, as media companies want this hole left open so that they can piggy-back future 'functionality' on existing formats.

Jesus|FreakDecember 10, 2007 9:30 PM

I use Linux now. Vista lasted about 15 minutes on my laptop and I installed Ubuntu over my XP installation and installed Ubuntu 64 bit over the Vista installation on my laptop. It is sad that the hardware manufacturers favor Micro$haft over Linux, but I chose my laptop hardware to be as Linux friendly as possible. My install of ubuntu runs perfectly on my laptop. (The laptop is a Gateway with Intel graphic hardware.) I also run Compiz-Fusion on the laptop. Compiz fusion is a 3d desktop manager for Linux. It is much better than Vista's Aero, with fewer bugs. Ubuntu does'nt "Phone home" like Sony's rootkit and Vista does. Vista encourages DRM, and I will go as far to boycott Blu ray and HD DVD, though my laptop has a HD DVD drive in it, I would just use it for data storage. I will not buy a blu ray drive or a stand-alone blu ray or HD DVD. These all have DRM in it. I also boycott iTunes and Napster, as well as Realmedia and Raphsody. Walmart is known to have DRM too. DRM is simply defective by design and I will boycott any CD label that puts DRM on thier CD's.

Comments on this entry have been closed.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..