http://www.pollstar.com/news/viewnews.pl?NewsID=6465
Gigs & Bytes: The Rootkit Of All Evil?
Anon
Updated 23:56 PST Thu, Nov 17 2005
A major label's latest
attempt to protect its music from pirates has become a major problem for
Sony BMG Music
Entertainment – a problem that has sparked at least two class
action suits, forced the label to recall CDs by as many as 50 artists,
and may result in states bringing charges against the record label.
Sony's
problems started October 31st when computer security researcher Mark
Russinovich posted an item on his
blog
detailing how he had discovered a "rootkit" on his computer.
Rootkits are
generally employed to hide files and programs, and are usually used in
tandem with Internet worms and other nasty computer viruses.
Furthermore, rootkits can enable someone to take control of a machine
without the owner's permission. In short, a rootkit is malware.
And what's
Sony BMG's connection to the rootkit Russinovich found on his computer?
As Russinovich detailed on his blog, it turns out that the rootkit in
question came from copy protection technology called XCP, which was
created by United Kingdom company
Van Zant's
Get Right With The Man.
But XCP does
more than prevent unauthorized copying. It also deposits hidden files on
computers running Microsoft's Windows operating systems. The files are
extremely difficult to find and even more difficult to remove, as
Russinovich found out when he tried to manually remove them, only to
discover his actions disabled his CD drive.
What's more,
the XCP copy protection program does this covertly.
There's a
word for programs placed on a computer without the owner's permission,
programs that function in a way unbeknownst to the user: spyware.
Furthermore, some states, such as
California,
have laws prohibiting spyware. It's conceivable that Sony could find
itself in the legal cross-hairs of more than one state's attorney
general.
But Sony's
use of technology that placed rootkits on computers was only part of the
problem. Rootkits are generally used to hide files that allow a third
party to gain control of the machine. And, as news of Sony's blunder
grew, so did the number of viruses suddenly appearing on the Net that
took advantage of the XCP rootkit.
When news
first surfaced, Sony BMG tried to minimize the damage by having its
president of global digital business talk to the press. However, Thomas
Hesse didn't inspire too much consumer confidence when he appeared on
National Public Radio's
"Morning Edition"
and said, "Most people don't even know what a rootkit is, so why should
they care about it?"
That was
November 4th. Now it appears just about everyone who buys CDs cares
about it, and Sony is just now discovering music consumers aren't all
that crazy about virtually unremovable files on their computers.
As news of
the rootkit spread, Sony issued a patch for removing the rootkit, but
not the actual files placed on consumers' computers. However, some
security experts are saying the patch only worsened the problem.
"This is a
surprisingly bad design from a security standpoint," said
Princeton University
computer science professor Ed Felten, who, along with grad student J.
Alex Halderman, explored the removal program issued by Sony. "It
endangers users in several ways."
According to
Felten, the program enabling the download does not confirm that the
uninstall program comes from either Sony or First 4 Internet,
thereby making the computer vulnerable to virus attacks.
"The
consequences of the flaw are severe," Felten and Halderman posted on a
blog on
November 15th. "It allows any Web page you visit to download, install,
and run any code it likes on your computer. Any Web page can seize
control of your computer; then it can do anything it likes. That's about
as serious as a security flaw can get."
Sony has
recalled the CDs embedded with the XCP antipiracy technology, and has
released a
list
identifying which discs are affected. Included on that list are CDs by
Neil Diamond, Our Lady Peace, Celine Dion and, of course, Van Zant.
It should be
noted that not all copy-protected CDs use First 4 Internet's technology,
and consumers should not confuse First 4 Internet's XCP copy protection
methods with those employed by other antipiracy companies such as
digital rights management company SunnComm. In other words, read the
label before you buy.
Sony BMG
really dug itself a deep one this time, and it may be months before the
label can crawl out of the mess caused by First 4 Internet's XCP copy
protection. Not only have two class action suits been filed, but there
have been calls for a Sony boycott. Consumer trust in Sony has been
almost completely eradicated and there are now reports that some
companies are considering prohibiting their employees from playing CDs
in the workplace.
Plus, when
you consider that government employees, including members of the
military, might play CDs on their computers, Sony's rootkit debacle is
probably going to get a lot worse before it gets better. That is, if it
gets better.
While not
referring to Sony by name, Homeland Security assistant secretary for
policy Stewart Baker did have some harsh words for labels that protect
their music by installing hidden files on computers.
"It's very
important to remember that it's your intellectual property, it's not
your computer," Baker said during a conference on, ironically,
intellectual property piracy. "And in the pursuit of protection of
intellectual property, it's important not to defeat or undermine the
security measures that people need to adopt in these days."
When you
consider all the implications – making computers vulnerable to virus
attacks, placing hidden files on consumers' machines and generating more
bad press in two weeks than most companies accrue in a lifetime – what
were the execs at Sony thinking when they greenlighted First 4
Internet's XCP copy protection technology?
That is, if
they were thinking at all.