Schneier on Security
A blog covering security and security technology.
« Reminiscences of a 75-Year-Old Jewel Thief |
| Surveillance and Oversight »
November 21, 2005
The Sony Rootkit Saga Continues
I'm just not able to keep up with all the twists and turns in this story. (My previous posts are here, here, here, and here, but a way better summary of the events is on BoingBoing: here, here, and here. Actually, you should just read every post on the topic in Freedom to Tinker. This is also worth reading.)
Many readers pointed out to me that the DMCA is one of the reasons antivirus companies aren't able to disable invasive copy-protection systems like Sony's rootkit: it may very well be illegal for them to do so. (Adam Shostack made this point.)
Here are two posts about the rootkit before Russinovich posted about it.
And it turns out you can easily defeat the rootkit:
With a small bit of tape on the outer edge of the CD, the PC then treats the disc as an ordinary single-session music CD and the commonly used music "rip" programs continue to work as usual.
The fallout from this has been simply amazing. I've heard from many sources that the anti-copy-protection forces in Sony and other companies have newly found power, and that copy-protection has been set back years. Let's hope that the entertainment industry realizes that digital copy protection is a losing game here, and starts trying to make money by embracing the characteristics of digital technology instead of fighting against them. I've written about that here and here (both from 2001).
Even Foxtrot has a cartoon on the topic.
I think I'm done here. Others are covering this much more extensively than I am. Unless there's a new twist that I simply have to comment on....
EDITED TO ADD (11/21): The EFF is suing Sony. (The page is a good summary of the whole saga.)
EDITED TO ADD (11/22): Here's a great idea; Sony can use a feature of the rootkit to inform infected users that they're infected.
As it turns out, there's a clear solution: A self-updating messaging system already built into Sony's XCP player. Every time a user plays a XCP-affected CD, the XCP player checks in with Sony's server. As Russinovich explained, usually Sony's server sends back a null response. But with small adjustments on Sony's end -- just changing the output of a single script on a Sony web server -- the XCP player can automatically inform users of the software improperly installed on their hard drives, and of their resulting rights and choices.
This is so obviously the right thing to do. My guess is that it'll never happen.
Texas is suing Sony. According to the official statement:
The suit is also the first filed under the state’s spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.
And here's something I didn't know: the rootkit consumes 1% - 2% of CPU time, whether or not you're playing a Sony CD. You'd think there would be a "theft of services" lawsuit in there somewhere.
EDITED TO ADD (11/30): Business Week has a good article on the topic.
Posted on November 21, 2005 at 4:34 PM
• 37 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What copy protection? As far as I know none of those so called "copy protections" have done absolutely nothing to actually prevent copying.
"Copy protection" describes the intent of the software, not necessarily the actual effect. Even if these things are ineffectual, if they are intended to prevent copying, then they qualify as copy protection.
"Let's hope that the entertainment industry realizes that digital copy protection is a losing game here"
[RIAA Prez] Cary Sherman: The problem with the SonyBMG situation is that the technology they used contained a security vulnerability of which they were unaware. They have apologized for their mistake, ceased manufacture of CDs with that technology,and pulled CDs with that technology from store shelves. Seems very responsible to me. How many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?
If the DMCA makes antivirus software impotent, do FCC requirements for devices to accept harmful signals make all defensive security software (such as firewalls, antivirii, etc) illicit?
I suppose sony has dealt the ultimate in anti-copying measures. If nobody buys their music, then nobody can copy it. I'm still trying to understand just how this invasive anti copying "rootkit" is supposed to help? This would only stop grandma from trading her copies of Snoop Dogg. The real pirates have absolutely no problems working around such measures.
When there's a security problem with my OS (Ubuntu Linux), I'm happy to simply install the update and continue with my life because the software does something for me. I gain a lot from the ability to run that software on my computers, so I'm willing to forgive an occasional mistake on the programmers' parts.
XCP adds no value for the user; it keeps him or her from doing things they want to do. There are no benefits to the user to offset the problems XCP causes, so users don't have the same patience.
Kudos to the guys doing the disassembly. I hope the EFF defends them if Sony hits them with a DMCA suit.
Maybe Sony should just build death robots that go around killing people likely to listen to their music. That's not much more stupid than what they've done so far, including suing a bunch of kids (aka customers) and now this little fiasco.
Under the DMCA it would be illegal to stop these 'copy protection' robots.
The Sony rootkit fiasco also puts a new light on the "remote self-destruct" part of the Blu-ray specs. After all, we see how security savvy Sony is, obviously we'd be stupid to trust them to protect us from crackers using that ability to turn our electronics hardware into junk. Or even Sony doing it themselves, "by mistake".
Someone should start to publicize this before the media momentum of the rootkit dies off. Anyone know some investigative reporters?
Let's hope that Sony gets more than a "hand slap" and future attempts at this type of DRM are stopped in their tracks.
Otherwise, it would seem that all a virus/spyware/trojan writer will need to do is to include some piece of "content" (could be just about anything) along with their virus/spyware/trojan, include some form of "EULA", and call their virus/spyware/trojan software "DRM protection" for whatever "content" might be included. Any attempt to defeat or remove the virus/spyware/trojan "DRM protection" software would then be illegal under DMCA and whatever Sony might get away with.
@Bill McGonigle - "I hope the EFF defends them if Sony hits them with a DMCA suit."
Indeed, but does the DMCA protect people or organisations who distribute rootkits, virii, worms and the like from having their code dissassembled? I'd have thought self protection would be a watertight defense against someone trying to hide their negligent or malicious code behind a DMCA charge?
About the terminology discussion in the first few comments: I prefer the term "copy restriction". That's a much more direct description of what the software is for. "Protection" is misleading because nothing is really being protected.
I don't understand why people are suing sony. This should be treated as a criminal matter in the same way as a virus writer would.
Courtesy of BoingBoing, the link to the offical Texas AG's statement: http://www.oag.state.tx.us/oagNews/release.php?...
"The suit is also the first filed under the state’s spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems."
In the U.S.A., they're alleged to have violated laws both in the Criminal and Civil Federal code, as well as a number of state laws. Criminal laws are enforced by the government bringing a suit; Civil laws are enforced by the wronged party bringing a suit. Sony's going to be facing a lot of lawsuits.
Because (the government of) Texas probably didn't contribute to that code, nor were they assigned the copyrights. Someone who has would need to sue them to enforce the GPL.
"RIAA President says Sony did nothing wrong."
I guess that depends on your definition of "wrong."
after what we've learned, what kind of an incredible rube/chump/sucker would you have to be to buy music cd's from a store instead of just downloading them off the web?
"With a small bit of tape on the outer edge of the CD, the PC then treats the disc as an ordinary single-session music CD and the commonly used music "rip" programs continue to work as usual."
Wow. Someone did a great work in finding a very simple solution.
By the way, weren't there once CDs with copy protection that could be disabled with a line from a felt pen on the inner ring? If I remeber correctly, these were also Sony CDAs
Here is a comment by Kaspersky:
AV companies seem to take the stance that since Sony did not have malicious intent, then XCP is not malware. This is so wrong. For example, there were many viruses without a payload, which were written only to spread.
Were they discovered and cleaned by AV? Yes.
Did they have malicious intent? Not necessarily.
Were they unwanted? Certainly.
Another famous example is the Welchia worm. It was a worm written with good intent – to remove MyDoom. On the other hand, it harmed systems, was removed by AV, and its author went to jail.
The key criterion here is not "malicious" or "not malicious" intent. The keyword here is "wanted" or "unwanted". Welchia was unwanted. Viruses are unwanted. Sony XCP protection is by any means unwanted, and even if we add the "intention" factor in the equation, then Welchia and no-payload viruses had clearly better intentions than the ones Sony had for its users. (And Welchia author did it for free, unlike Sony).
I have to agree fully with Bruce Schneier. Politics play an important part of any business, and especially in information security. In this case, it was clearly more important not "what", but "who" did it. Businesses (with few and notable exceptions) put their monetary interests in front of the line. Big information security companies are certainly businesses. They see danger to their interests by publicly declaring that Sony has done wrong. This basically puts us at the mercy of large corporations, since they can attempt any measures that they deem will gain them profit, and AVs and other security companies will be reluctant to engage in a public combat against them. As long as security companies do not have a firm ground to stand upon in cases such as this one, we can safely say that they protect us from smaller fish, but we are not protected from the big guns.
It is very interesting that Sony, who is not primarily Software Company and doesn't make operating systems, puts this kind of stuff on users' computers. It is amazing that antivirus companies have remained silent on this issue. We can imagine what Microsoft and similar companies’ dos and how it affects our security and privacy in digital world.
I'd like to be happy that Texas and the EFF are suing Sony, and that people are filing class-action lawsuits.
But if the past is any guide:
* the Texas AG will settle with Sony for some token amount.
* the class-action lawsuits will be settled with millions for the lawyers, token payments to a few selected plantiffs, and coupons for discounts on Sony CDs for all the other class members.
* Sony will settle with the EFF under confidential terms.
* And Sony will keep doing whatever they can get away with.
The only way I can see anything changing is if Sony executives wind up in jail. And what are the odds of that?
"and coupons for discounts on Sony CDs for all the other class members"
...with latest version of the rootkit that contain more malicious code ready to go. Hahah, I'm actually laughing. Good one.
Yup, if Dwight's scenario plays out, I can just imagine the Sony execs sitting back, laughing, talking about how well their recent DRM "beta test" came off (and how little it cost them). Now that all the experts worked all the bugs out of their v1.0 DRM for them, they can come back DRM v2.0!
> * Sony will settle with the EFF under confidential terms.
I find this extremely unlikely. Are you even familiar with the EFF's goals and raison d'etre? Have you read the EFF's complaint? One of the things the EFF is asking for is a court order prohibiting Sony from ever again publicly claiming that XCP or MediaMax is not a massive security hole.
Imagine this scenario: Greenpeace files a class-action lawsuit against Exxon with potential punitive damages measured in the billions of dollars. What are the odds, do you think, that Greenpeace would settle under confidential terms?
I don't think things look good for Sony, right now. I think the EFF is looking to make an example out of them in exactly the same way that the RIAA made examples out of 10 year old girls downloading mp3s.
"I find this extremely unlikely. Are you even familiar with the EFF's goals and raison d'etre?"
Sorry. I don't like raisins: regular, golden, or d'etre.
More seriously, yes, I am familiar with the EFF, and have even donated money to them.
Do I think they'd reach a confidential settlement with Sony? I think it depends on the costs and benefits: fighting a lengthly and expensive legal battle, that might set an unfavorable precedent if there's a ruling against them, or an out-of-court settlement under favorable but confidential terms?
I'm not anti-EFF (and I encourage everyone to support EFF), or anti EFF suing Sony: I'm just cynical about the chances of anything good coming out of it. We may have to agree to disagree on this.
I think the odds of the EFF reaching a confidential agreement with Sony are exactly zero.
I can't imagine AV-Software isn't allowed to remove the rootkit.
I don't know the details of the DMCA, but doesn't it depend on the fact, whether the user removes a security technique, to copy music and violate copyright?
And needn't the consumer be informed before installing such a rootkit? He wasn't.
Isn't removing the rootkit a kind of self-defense? Malware, which hides itself with help of the rootkit could violate the users right, by spreading his private data.
And I don't think pure spyware/trojan/virus writes have benefits, if I am wrong, since going to court to fight for their rights, they would have to make theirselfes public.
(Please excuse my bad english.)
>Bruce -- A great piece in Wired on the Sony fiasco. One other very disturbing aspect of the Sony software I haven't seen discussed anywhere has nothing to do with its malware dung. apparently, from reading the SonyBMG FAQs, the CD's require you to use the player that comes on the disc. As I take it, that means if you have an Itunes library, you're just screwed. While this isn't quite as outlandish as exposing your computer to viruses, etc., it is just another thumb in the eye by a company that clearly knows what's best for its customers and their listening habits. The whole episode is an amazingly unique display of corporate arrogance "Sony style." -- David
Rootkits and other forms of malware are totally unnecessary to preserve the rights of copyright owners when digital content is distributed, in the physical or virtual worlds.
We have pioneered a simple to use, consumer-ready solution that encrypts downloaded content files uniquely to each individual, so that only that individual may unlock and access the encrypted media.
We call this patent-pending process "Personal Encryption", and our technology preserves the privacy of each user, secures and ensures the purchased content may only be accessed by the authorized party, and finally, prevents copies of the content from being made and distributed, beyond the "Fair Use" provisions that everyone wants.
Actually, we are embodying our biometric DRM into two devices: a set-top digital PVR, and a mobile player that docks on the TV host media center.
No malware, no invasion of the customer's PC and network, just two simple to use devices and a P2P network that preserves anonymity for users, and ensures rogue copies of delivered content don't show up on KaZaA.
I realize this comment is a bit late, but I just heard a discussion about this on Marketplace (on my local NPR station) and realized that the rootkit must be installed or enforced as part of the CD's autorun feature.
The band member being interviewed stated that the copy protection could be circumvented by holding down the Shift key when inserting the CD in the PC. Such situations are why I've been a long time advocate of disabling the autoplay feature. I think Microsoft finally set it to false with SP-2.
(originally posted Dec 18th, killed by spam filter?)
There is a lot of blame being tossed at Sony for having XCP on their CDs. You're suggesting blame should also be leveled at the anti-virus/security companies for not alerting consumers. There seems to be one other terribly obvious company that deserves blame for the XCP mess, mainly Microsoft.
In 1995 when Windows 95 came out there was a decent argument for Autorun to exist. Pretty well all CDs were commercially produced and music CDs were generally just that, strictly music CDs. By 2000 though this had changed, CD-recorders might not of been common but, there were plenty of them around. In 2003, when Windows XP was released, everyone had a CD-recorder and DVD-recorders were starting to spread.
In the former case, CDs and therefore Autorun wasn't a major security threat (though occasionally virii did manage to sneak onto commercial CDs). In the latter case though, Autorun becomes a massive security hole. Aside from commercial malware the old threat of traditional virii, this time on CDs instead of floppies, has become huge.
I'm surprised some enterprising hacker out for a reputation hasn't produced such. Imagine the virulance of a virus which uses Autorun as the infection vector. All such a virus then needs to do is attach itself to the Windows CD-burning feature and cause all new CDs to have copies of itself. Heck, while they're at it they could make it bootable via the El Torito and grab the system at boot time as well (just in case Autorun was disabled). Nowadays CDs are the floppy disks of today, they need to be treated as such, not some extra secure medium.
(end part A, continued...)
(continuation from part A, above)
Then there is online piracy. There are numerous unanswered questions about online music trading.
How much is going on? We know how much is being sold through iTunes, but there aren't any reliable numbers for other methods. Almost certainly the music industry is taking the largest numbers they can find and then adding an order of magnitude. There are also numbers from some of the file sharing clients, but are those numbers any less biased? What of other methods that aren't via some easily measureable central system?
How much damage is being done? There is even less information here, in fact absolutely no reputable information. The music industry likely takes their inflated numbers, equates each transfer as the loss of one CD sale and then adds on another order of magnitude for good measure. First starting with an inflated number of trades. Second, CDs hold multiple songs so it takes multiple transfers before you've lost a CD. Third, there are absolutely no numbers for how these relate to sales.
How many of these people would of bought the CD if they didn't download it? (losses) How many people have already bought the CD and are merely saving themselves the trouble of ripping it themself? (no effect on sales) How many people are induced to purchase the CD because they've heard the file and decide it is worth the purchase of a higher-quality audio track? (gains) If the real net is to be quantified, all three questions *must* be answered. We might even find out that trading results in a net gain. I should mention is that this turns the market into a brutal meritocracy. The sales of mediocre songs get crushed, while good songs tend to garner extra sales.
In short, there is not enough information for any sort of conclusions. Finally there are two things to note. It is worth noting prices, $10 is the absolute bottom price for a CD, and tend to have merely one good song, perhaps 5 minutes of good content. By contrast cheap DVDs are sold for $5, for better than 2 hours of audio and visual content. Yet the costs of producing video are an order of magnitude greater! On the basis of entertainment value per dollar basis, there is a massive mismatch here. Does the music industry have any right to be outraged? Those prices are positively _gilded_, and they're surprised people aren't buying? Lastly seems worth pointing to this article:
There it is, a slice of the entertainment industry with rampant piracy, and yet they rarely prosecute and still turn massive profits. Perhaps the music industry needs to rethink how they run their business. Make friends of your customers and make what people want and you will easily liberate their wallets.
(end part B)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.