Beware of Sony cd's

[BobK]

Those of you that buy cd's might want to stay away from Sony.

Privacy and security experts charged that the technology built into many of Sony's music CDs since March is unnecessarily invasive and exposes users to threats from hackers and virus writers.

"Here you have one of the biggest name-brand corporations on the planet getting into what many people in other circumstances would consider hacking," said Richard Smith, a security and privacy consultant based in Boston. "That's just not acceptable."

Earlier this week, computer security researcher Mark Russinovich published an analysis showing that some new Sony CDs install software that not only limits the copying of music on the discs, but also employs programming techniques normally associated with computer viruses to hide from users and prevent them from removing the software.

Russinovich's findings -- posted on the Web site (http://www.sysinternals.com/) that he runs with another researcher -- indicated that the CDs in question use software techniques that behave similarly to "rootkits," software tools that hackers can use to maintain control over a computer system once they have broken in.

He found that traditional methods of uninstalling the program would not work, and that attempts at removing it corrupted the files needed to operate his computer's CD player, rendering it useless.

Wahington Post

You may wish to read the article. It seems other hackers can also take advantage of your machine.

 

[zakur]

Is this the same malware that you can prevent from installing by holding down the SHIFT key when loading the CD?

 

[BobK]

Is this the same malware that you can prevent from installing by holding down the SHIFT key when loading the CD?

Not that I'm aware of. I don't do much with cd's except archive data. So I'm not really up on this stuff. Just posted it for those that might be interested.

LOL it seems World of Warcraft hackers have already found a way to use the Sony copy protection to hide game cheats from Warcraft's monitoring system.

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Security focus

 

[cyborg]

Is this the same malware that you can prevent from installing by holding down the SHIFT key when loading the CD?

Or by running any non-Windows system one would assume.

 

[Dogbreath]

This does not apply to Linux or OS X. However it is the same tech used by root kits. It will intercept system level calls. It just needs to be run once and it will infect a Windows system. This has been all over Slashdot and Digg.com, Hard OCP.

 

[alfaniner]

I initially thought this was an urban legend, but have seen it reported on news pages. How does that get into your computer? I can't see it just by playing the CD. Do you have to actually install something from it?

 

[zakur]

As a result of the recent bad publicity, Sony has released a patch to remove the cloaking component of the rootkit:

http://cp.sonybmg.com/xcp/english/updates.html

 

[alfaniner]

If we're not aware it's on our computers, how do we know if we need the patch?

 

[jnelso99]

You can follow the fun at http://www.sysinternals.com/Blog/. I'm not one to take company boycotts seriously, but this is starting to make me rethink any future possible Sony purchases.

 

[richardm]

How does that get into your computer? I can't see it just by playing the CD. Do you have to actually install something from it?

Nope. When you insert the CD Windows has a shufti at it to see what it is - a program, music CD, DVD or whatever. In this case Sony appear to have set things up so that Windows finds this program and installs it, which is a bit naughty. You can bypass this by holding down shift when you insert the CD, or I think there's a setting that you can unset to permanently disable it. But most people like the autoplay feature and will get caught.

 

[jnelso99]

A class-action lawsuit has been filed against Sony in California:

http://blogs.washingtonpost.com/securityfix/2005/11/calif_ny_lawsui.html

I wonder how many new music pirates this whole episode has created...

 

[kevin]

Nope. When you insert the CD Windows has a shufti at it to see what it is - a program, music CD, DVD or whatever. In this case Sony appear to have set things up so that Windows finds this program and installs it, which is a bit naughty. You can bypass this by holding down shift when you insert the CD, or I think there's a setting that you can unset to permanently disable it. But most people like the autoplay feature and will get caught.

This is incorrect. The software is installed when you use the player on cd to play the songs on the cd. The player is REQUIRED to be used to play the songs. If you have autorun turned off the CD won't automatically install the rootkit, but it will as soon as use the player.

From the blog:

The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies.

 

[alfaniner]

I thought it had to be something like that. I did that once with a DVD, installed the InterActual player. It wasn't necessary as I already had a DVD player on my computer, and I usually watched DVD's in my separate, dedicated player anyway. I think at that time I needed InterActual to view some of the content on the DVD, but I will never install from a media disc again.

 

[geni]

But most people like the autoplay feature

Why

 

[kevin]

BTW, Sony may be targeting Mac's too.

http://www.macintouch.com/#tip.2005.11.10.sony

Uses software from a different company. nobody had hunted down exactly what the mac version does yet.

this is why I buy most of my music from emusic.com. Pure MP3's, no DRM!
http://www.emusic.com/

 

[ohms]

A trojan has already appeared to exploit this.

http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/

 

[deanerk]

emusic.com rocks. I have had a little resistance in trying to get people interested in it though, because they sell strictly independent label stuff. You won't find all the rockin' teen hits playing on the radio. Nice clean MP3s. I also love my Archos GMINI400 media player for similar reasons. http://www.archos.com/products/gmini_402/index.html No pesky invasive software to install and I can do whatever I want with the files that I OWN. I only wish Archos had the resources and marketing power of Apple with the iPod.

Who actually buys CDs anymore anyway? Shame on Sony...

 

[jimlintott]

Who actually buys CDs anymore anyway? Shame on Sony...

Well I still by CDs and I buy DVD Audio discs. The basic downloaded MP3s ripped at 128kps sound awful. Sure they sound OK in a car deck, (barely on mine) a portable or computer but put them on a good home system and they suffer greatly. Might be okay for quiet background music but for serious listening they are completely unnacceptable.

I don't know why the music business doesn't counter MP3 downloads with DVD Audio discs. I guess maybe no one cares about real fidelity anymore.

 

[kevin]

Well I still by CDs and I buy DVD Audio discs. The basic downloaded MP3s ripped at 128kps sound awful.

Emusic used to rip at 128 constant bit rate, but they use 192 variable bit rate now. I won't claim CD quality, but much better than they used to be.

I rip my own CD's at 320, 'cause disk space is cheap

I have an ipod (I've had one since the first release), but only a handful of iTunes music store songs (I don't even download their free ones any more, emusic's free download of the day is usually better and you get 7/week).

iPod and iTunes are perfectly willing to work with MP3's and non-DRM AAC files. iTunes can rip to MP3 and non-DRM AAC too. Unlike the windows media player it doesn't default to ripping in DRM enabled mode.

Like the Mac, I've found the iPod interface to be far better than other players I've experimented with.

 

[kevin]

I don't know why the music business doesn't counter MP3 downloads with DVD Audio discs. I guess maybe no one cares about real fidelity anymore.

People care about fidelity, just not as their sole determiner. People moved from vinyl to CD for fidelity, portability, and reduction in physical volume of their collections.

MP3s are the latest format because of portability, shareability, and cost (emusic tracks cost me $.22/track). Those that care about fidelity more than those properties can get that fidelity at a reduction of shareability.

DVD Audio probably won't take off because it doesn't offer the advantages over even regular CD's, except in fidelity -- which isn't enough to get people to switch and buy new players, etc....