Thursday, November 03, 2005

sony DRM installs malware

security guru mark russinovich discovered something funky on his computer. it appeared to be a kind of trojan horse known as a "rootkit". this didn't make much sense, since russinovich works for sysinternals and is generally too smart (and too careful) to get hit with malware. so using the tools of his trade, he investigated the problem... and tracked it a copy-protected "music" cd from sony.

meanwhile, another internet security firm, f-secure, led their own investigation and came to the same conclusion: sony's digital rights management software was behaving a lot like malware, in such a way that would be easy for hackers to exploit and damned difficult for normal users to uninstall.

wired explains, in language a bit less techy than the security firms use:

A rootkit is a particularly insidious type of Trojan horse that hides its existence from users and programs by tampering with the operating system on the most fundamental level. Where normal malicious code might be content to choose a deceptive file name, a rootkit "hooks" operating system calls that might reveal its presence, and essentially reprograms them to lie -- like bribing the coroner to conceal a murder.

And the lie the First 4 Internet code tells is a whopper. Under the program's influence, Windows will deny the existence of any file, directory, process or registry key whose name begins with "$sys$." Russinovich verified this by making a copy of Notepad named "$sys$notepad.exe," which promptly vanished from view.

That means that any hacker who can gain even rudimentary access to a Windows machine infected with the program now has the power to hide anything he wants under the "$sys$" cloak of invisibility. Criticism of Sony has largely focused on this theoretical possibility -- that black hats might piggyback on the First 4 Internet software for their own ends.

DRM is generally a pretty stupid idea (and this was poorly coded, to boot): it prevents legitimate owners from using their legally-owned content in legitimate ways, but hackers who are determined to make copies always find a way to do so, quickly and easily. but now sony (and first4internet, the company that provides the software, called XCP2) had stepped over a major ethical line. it was distributing and installing software that behaves like a virus without a payload. the software was doing nefarious things to users' computers, none of which was mentioned in the license agreement, and if a typical user somehow discovered the software and tried to uninstall it, they would be likely to completely disable their cd drive.

once caught, tried to claim that it had done nothing wrong. but still sony offered a patch—though the patch only reveals the hidden files; it doesn't uninstall the software. if you are infected with xcp2 and want to uninstall it, you're in for some trouble. either you can do it the super-techie way that russinovich did, or you can do it the way sony wants you to. brian krebs from the wapo explains:

Mikko Hypponen, F-Secure's director of antivirus research, said hackers could easily take advantage of Sony's software to hide their own files, even from antivirus software. An attacker would only have to make sure that their file starts with "$sys$", the convention the antipiracy program uses to hide its own files.

"As long as the attacker's file begins with that prefix, it will go undetected by most antivirus programs out there," Hypponen said. He added that installing the Sony program on a machine running Windows Vista -- the beta version of Windows' next iteration -- "breaks the operating system spectacularly."

Hypponen said the only way to uninstall the program in the conventional sense (without running the risk of hosing your system or CD-ROM drive) is to contact Sony BMG directly via a Web form and request removal.

At that point, a real, live person will call you back and ask for all kinds of information about your system, and your reason for wanting to remove the software. You're then directed to a Web page that downloads an ActiveX program (yes, you must be using Microsoft's Internet Explorer to do this), which determines what version is installed and reports that back to First4Internet. Then you get an e-mail containing a link to another site that downloads something that finally uninstalls the Sony program.

all that, and yet the software isn't even very effective at preventing people from making "illegal" copies. f-secure's hypponen was able to rip the files with ease. mac users reportedly have no trouble making copies easier. weirder still, if you contact sony to complain that you can't rip the music to your ipod, sony will actually give you instructions on how to circumvent the DRM!

there wouldn't seem to be any point to including DRM on the cds if sony is just going to tell you how to get around it anyway. but according to engadget, the point isn't to prevent piracy.

According to Variety, the new copy protection scheme — which makes it difficult to rip CDs and listen to them with an iPod — is designed to put pressure on Apple to open the iPod to other music services, rather than making it dependent on the iTunes Music Store for downloads.

ipod and itunes use a DRM system called fairplay. the labels want apple to open up fairplay so that ipods will work with digital content that is purchased from other sites. apple has long been the king of closed, proprietary systems (the macintosh would probably be the dominant computing system today if apple had embraced open systems 25 years ago, in the way that ibm and pc manufacturers did), and has no intention of opening up its cash-cow ipod to competition.

sony apparently thought that using xcp2 on its cds would prompt thousands of disgruntled users to beg apple to open up fairplay. and those users are disgruntled all right, but they're pissed at sony, not at apple. the bands are pissed, too, as they are often not told that their releases will be crippled, and only find out once the fans start complaining.

i've never purchased a DRM-crippled cd and i never will if i can help it. i can't even remember the last time sony put out a cd i even wanted. the last sony release i remember buying is kool keith's black elvis: lost in space, which came out years ago (and which i bought on vinyl anyway). but i listen to weird music anyway.


syntax said...

i've only purchased a very small handful of cds in recent years; some of them have been major label releases (i think the last two were the most recent sonic youth album and green day's american idiot [brilliant album, imho, but i widely digress]), but none of them have been sony/bmg releases. i do have a couple of sony md recorders, but one of them is a piece of shit net-md thing that has the most ridiculous drm scheme i've ever seen. (installing that "sony sonicstage" software was probably the most idiotic thing i've ever done to or on a computer - i had to reload windows xp eventually because of it.)

i got to thinking about disc two of john oswald's plunderphonics box, which (iirc) was uncopyable because of a strange quirk in the red book standard. something like that could be used instead of sneaking malware onto the computers of their customers! that's what pisses me off the most about this, the little regard that sony/bmg has for its customers. they'll eat anything the media conglomerates put in front of them, and they know it.

and that's why i started a netlabel.

stAllio! said...

i thought the problem with disc 2 of 69 plunderphonics 96 was that it actually broke the red book standard... namely, they tried to be cute by having the disc start at track 27, and the result was that the disc was unreadable in many players (and most computers).

i can't find an actual copy of the standard online, but i do know that it requires that all tracks be a minimum of 4 seconds long, so i can certainly see how that disc would have broken the standard.

other than silly arty reasons, i can't really see why someone would want to start anywhere other than track 1 anyway, and i've never heard of anyone else trying that. so i do think that seeland was just trying to be arty and didn't understand the consequences of that choice. kind of ironic that now the majors are intentionally breaking the standard, for drastically different reasons.