Sony BMG faces digital-rights seige

Ripped over Anti-Rip Rootkit

By SecurityFocus
Published Friday 11th November 2005 11:56 GMT

The criticism of music giant Sony BMG Music Entertainment and its surreptitious copy protection software went up an octave this week as attorneys and law firms readied nearly a half dozen legal complaints against the company on behalf of consumers.

Ten days after two security researchers took Sony BMG to task for its invasive copy protection, labeling the software a "rootkit," a digital-rights organization and four law firms are preparing cases against the music giant. Moreover, the company's assertion that its software did not harm users' security was weakened on Thursday when a Trojan horse attempted to take advantage of the code to hide itself on freshly compromised Windows systems that had Sony BMG's technology installed. The events raise the stakes in the battle between content companies and a variety of consumers - from legal users to casual pirates - over how much leeway media companies should have to protect their copyrights. "The issue that has been lurking for a long time is how invasive can content companies be as to monitoring your computer," said Jason Schultz, a staff attorney for the EFF. "I think that Sony has gone too far here and violated the personal property rights of computer users."

The mounting pressure by consumers, security experts and, now, attorneys comes the week after two teams of researchers independently and separately reported that music giant Sony BMG used software hiding techniques more commonly found in rootkits to prevent removal of the company's copy protection software. A rootkit is software that hides its presence on a computer while controlling critical system functions, and security professionals have lately warned that the addition of the technology to a variety of Internet threats - from bots to spyware - makes the malicious code more difficult to find and remove.

Sony BMG's content protection scheme, developed by U.K.-based firm First 4 Internet for the music giant, has apparently been included with thousands of titles. Using Google, a search of Amazon.com for "CONTENT/COPY-PROTECTED CD"--the site's label for music CDs that include the First 4 Internet or similar protections--turns up 32,800 hits. Because of potential duplicates, the number of hits is likely much higher than the total number of titles. Moreover, other copy protection schemes, such as one from SunnComm International, are likely included in the total as well. The Electronic Frontier Foundation has verified at least 19 CD titles that have the Sony BMG copy protection code.

http://www.theregister.co.uk/2005/11/11/secfocus_sony_analysis/

This also violates the definition of what an audio CD format should be.

I'd like to see Phillips sue for copyright infringement, if that's possible.

I don't know if it is possible, but it would be interesting to see.

These companies are lining themselves up for an all-out war, and I don't think they're going to like where it goes. Lord knows they don't really give two whits for consumers, but they're starting to step on the toes of other corporations and the ability of even unrelated corporations to maintain internal security. That's pissing people off who have power.

:popcorn:

So they don't have beef with Sony about this. It only means that the CD could not be called a CD since it violates their definition and it wasn't called a CD. On a CD you'll find that "Compact Disc" logo and that one is missing from the Copy Protect CDs. The logo means that it will work on any CD player.

And Philips sold their music division (Polydor/Island etc.) to Universal a long time ago, so they are no competitors anymore.

Let's show a picture.

A good CD has this label:


And on a copy protect CD there is a new logo


The logo changed to "HiFi" with two weird icons indicating a stereo and a computer underneath (because in some cases the CD didn't play on car CDs and walkmans ;) )

November 09, 2005
Are You Infected with Sony-BMG's Rootkit?

EFF Confirms Secret Software on 19 CDs

San Francisco - News that some Sony-BMG music CDs install secret rootkit software on their owners' computers has shocked and angered thousands of music fans in recent days. Among the cause for concern is Sony's refusal to publicly list which CDs contain the infectious software and to provide a way for music fans to remove it. Now, the Electronic Frontier Foundation (EFF) has confirmed that the stealth program is deployed on at least 19 CDs in a variety of genres.

The software, created by First 4 Internet and known as XCP2, ostensibly "protects" the music from illegal copying. But in fact, it blocks a number of legal uses--like listening to songs on your iPod. The software also reportedly slows down your computer and makes it more susceptible to crashes and third-party attacks. And since the program is designed to hide itself, users may have trouble diagnosing the problem.

snip/more

http://www.eff.org/news/archives/2005_11.php#004146

For EFF's list of CDs with XCP: http://www.eff.org/deeplinks/archives/004144.php

The "legalese rootkit" - Sony-BMG's EULA: http://www.eff.org/deeplinks/archives/004145.php

Sony-BMG Rootkit: EFF Collecting Stories, Considering Litigation

FF is collecting stories from EFF members and supporters who have purchased Sony-BMG CDs that contained the rootkit copy protection software. We're considering whether the effect on the public, or on EFF members, is sufficiently serious to merit EFF filing a lawsuit.

If you satisfy the following criteria, we would like to hear from you:

1. You have a Windows computer;
2. First 4 Internet's XCP copy protection has been installed on your computer from a Sony CD (for more details, see our blog post referenced above or the SysInternals blog, http://www.sysinternals.com/blog/2005/10/sony-rootkits-and- digital-rights.html);
3. You reside in either California or New York; and
4. You are willing to participate in litigation.

We have not made a final decision about filing any legal action, but we would like to hear from music fans who have been harmed by the Sony-BMG rootkit copy protection technology. Please contact allison eff.org for more information.


Passing the Buck: or, the Printer as a Fine French Wine

Xerox responded to our research on how printers made by Xerox and other companies track the origin of documents you print. Its new "Xerox Statement on Counterfeit Detection" contains some bizarre suggestions. The most prominent of these is that Xerox's invasions of privacy are OK because other privacy invasions are worse.

"Unlike much of the computer spy-ware prevalent on the internet today, the yellow dots do not 'contact' Xerox or the government and send user content or location," the statement reads. "In a world where your cell phone gives your location, all your phone calls are logged and available on the net, your credit card transactions compiled and your network browsing stored, the 'yellow dots' are innocuous and they give considerable protection against specific criminal behavior, such as counterfeiting."

That's right: Xerox defends its decision because it's not as big an intrusion as spyware, wiretapping, or spying on you through your cell phone. It's the everybody-else-is-doing-it excuse. The company seems to be channelling Sun CEO Scott McNealy, who told a group of journalists in 1999 that "ou have zero privacy anyway. Get over it."

EFF and other privacy advocates have been fighting for years to reverse the trends Xerox mentions, or to enhance the tools available to the public for defending themselves. This month, we won major victories as courts, agreeing with our legal arguments, restricted the government's ability to use cell phones to track individuals' movements. We also fought for the public's right to use encryption to send private e-mail and make private telephone calls, and we supported the development of Tor to help users browse the Internet without identifying themselves. We argued for computer users' rights to remove spyware from their own computers and to teach others how to do so. EFF fought and won court cases protecting the anonymity of on-line critics. Through these cases, we helped extend the U.S. tradition of legal protection for anonymous pamphleteers firmly into the on-line world.

Xerox goes on to say that we should actually be reassured by the tracking, since it's for our own protection. "Many products--cars, food, medicines, computers, toys and many more, have such features for the protection of customers. French wines put this proudly on their label."

While it's comforting to know that our office equipment has something in common with a fine wine, our privacy is threatened in a particular way by tracking systems embedded in our communication technologies, in a way that it is typically not threatened by toys or beverages.

For the full Xerox statement:http://www.eff.org/Privacy/printers/?f=xerox-statement.html
For more analysis:http://www.eff.org/deeplinks/archives/004151.php

We've recently learned that the fed will no longer be issuing detailed disclosures regarding the money supply. Laws are being put in place with the stated intention of tracking counterfeit currency, and -- this being the kicker for me -- I was recently required to attend a lecture by a SS agent on counterfeit money. When I asked whether the company itself organized the lecture or whether it was asked to do so, I got one of those non-response responses that made me realize I wasn't supposed to ask the question in the first place.

No conclusions here, just suspicions.

music and film corporations are not persons and, despite the false doctrine of corporate personhood, thusly do not deserve copyright- period.

They are not persons. They do not deserve to hold or enforce copyrights.

I only wish I could convince the rest of the world of this, including some people here.

If very many people read this thread, expect intense disagreement.

http://www.eff.org/deeplinks/archives/004144.php

As we've mentioned before, Sony-BMG has been using copy-protection technology called XCP in its recent CDs. You insert your CD into your Windows PC, click "agree" in the pop up window, and the CD automatically installs software that uses rootkit techniques to cloak itself from you. Sony-BMG has released a "patch" that supposedly "uncloaks" the XCP software, but it creates new problems.

But how do you know whether you've been infected? It turns out Sony-BMG has deployed XCP on a number of titles, in variety of musical genres, on several of its wholly-owned labels.

EFF has confirmed the presence of XCP on the following titles (each has a data session, easily read on a Macintosh, that includes a file called "VERSION.DAT" that announces what version of XCP it is using). If you have one of these CDs, and you have a Windows PC (Macs are totally immune, as usual), you may have caught the XCP bug.

Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

Several other Sony-BMG CDs are protected with a different copy-protection technology, sourced from SunnComm, including:

My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album

- more . . .

http://www.eff.org/deeplinks/archives/004144.php

too bad . . . I was kinda interested in that new Neil Diamond CD that Rick Rubin produced . . . getting great reviews everywhere . . .

http://www.boycottsony.us/

and a petition, for those so inclined . . .

http://www.petitiononline.com/bcsony/petition.html

To: Sony
I hereby announce that I will not purchase any Sony products from this point until the company ends it's new "copy protected CD" policy that prevents me from playing my legally purchased CD's on legally purchased equipment. This includes all media, or hardware made by Sony.

Sincerely,

The Undersigned

http://www.petitiononline.com/bcsony/petition.html

pay actual money for is over 10 years old. And I was sitting here lamenting my graying hair and complete lack of hip.

Most of my collection is vinyl.