Educational CyberPlayGround ®

LEARN ABOUT DIGITAL RIGHTS MANAGEMENT, Palladium and Trusted Computing
DRM Embedded in New Intel Macs

INFORMATION ON DIGITAL RIGHTS MANAGEMENT

Music: Free Music Book

 

The Real Purpose of DRM by Ian Hickson
https://plus.google.com/107429617152575897589/posts/iPmatxBYuj2
Discussions about DRM often land on the fundamental problem with DRM: that it doesn't work, or worse, that it is in fact mathematically impossible to make it work. The argument goes as follows:

  1. FALSE The purpose of DRM is to prevent people from copying content while allowing people to view that content
  2. TRUE You can't hide something from someone while showing it to them
  3. TRUE And in any case widespread copyright violations (e.g. movies on file sharing sites) often come from sources that aren't encrypted in the first place, e.g. leaks from studios.

It turns out that this argument is fundamentally flawed. Usually the arguments from pro-DRM people are that #2 and #3 are false. But no, those are true. The problem is #1 is false.

The purpose of DRM is not to prevent copyright violations. The purpose of DRM is to give content providers leverage against creators of playback devices.

Content providers have leverage against content distributors, because distributors can't legally distribute copyrighted content without the permission of the content's creators. But if that was the only leverage content producers had, what would happen is that users would obtain their content from those content distributors, and then use third-party content playback systems to read it, letting them do so in whatever manner they wanted.
Here are some examples:

A. Paramount make a movie. A DVD store buys the rights to distribute this movie from Paramount, and sells DVDs. You buy the DVD, and want to play it. Paramount want you to sit through some ads, so they tell the DVD store to put some ads on the DVD labeled as "unskippable". Without DRM, you take the DVD and stick it into a DVD player that ignores "unskippable" labels, and jump straight to the movie. With DRM, there is no licensed player that can do this, because to create the player you need to get permission from Paramount -- or rather, a licensing agent created and supported by content companies, DVD-CCA -- otherwise, you are violating some set of patents, anti-circumvention laws, or both.

B. Columbia make a movie. Netflix buys the rights to distribute this movie from Columbia, and sells access to the bits of the movie to users online. You get a Netflix subscription. Columbia want you to pay more if you want to watch it simultaneously on your TV and your phone, so they require that Netflix prevent you from doing this.
Now. You are watching the movie upstairs with your family, and you hear your cat meowing at the door downstairs.
Without DRM, you don't have to use Netflix's software, so maybe just pass the feed to some multiplexing software, which means that you can just pick up your phone, tell it to stream the same movie, continue watching it while you walk downstairs to open the door for the cat, come back upstairs, and turn your phone off, and nobody else has been inconvenienced and you haven't missed anything.
With DRM, you have to use Netflix's software, so you have to play by their rules. There is no licensed software that will let you multiplex the stream. You could watch it on your phone, but then your family misses out. They could keep watching, but then you miss out. Nobody is allowed to write software that does anything Columbia don't want you to do. Columbia want the option to charge you more when you go to let your cat in, even if they don't actually make it possible yet.
C. Fox make a movie. Apple buys the rights to sell it on iTunes. You buy it from iTunes. You want to watch it on your phone. Fox want you to buy the movie again if you use anything not made by Apple.
Without DRM, you just transfer it to your phone and watch it, since the player on any phone, whether made by Apple or anyone else, can read the video file.
With DRM, only Apple can provide a licensed player for the file. If you're using any phone other than an iPhone, you cannot watch it, because nobody else has been allowed to write software that decrypts the media files sold by Apple.

In all three cases, nobody has been stopped from violating a copyright. All three movies are probably available on file sharing sites. The only people who are stopped from doing anything are the player providers -- they are forced to provide a user experience that, rather than being optimised for the users, puts potential future revenues first (forcing people to play ads, keeping the door open to charging more for more features later, building artificial obsolescence into content so that if you change ecosystem, you have to purchase the content again).
Arguing that DRM doesn't work is, it turns out, missing the point.
DRM is working really well in the video and book space. Sure, the DRM systems have all been broken, but that doesn't matter to the DRM proponents. Licensed DVD players still enforce the restrictions. Mass market providers can't create unlicensed DVD players, so they remain a black or gray market curiosity. DRM failed in the music space not because DRM is doomed, but because the content providers sold their digital content without DRM, and thus enabled all kinds of players they didn't expect (such as "MP3" players). Had CDs been encrypted, iPods would not have been able to read their content, because the content providers would have been able to use their DRM contracts as leverage to prevent it.
DRM's purpose is to give content providers control over software and hardware providers, and it is satisfying that purpose well.
As a corollary to this, look at the companies who are pushing for DRM. Of the ones who would have to implement the DRM, they are all companies over which the content providers already, without DRM, have leverage: the companies that both license content from the content providers and create software or hardware players. Because they license content, the content providers already have leverage against them: they can essentially require them to be pro-DRM if they want the content.

--> The people against DRM are the users, and the player creators who don't license content. In other words, the people over whom the content producers have no leverage. <--

2013 Six Strikes U.S. Copyright Surveillance RIAA Transparency Already Broken
The Center for Copyright Information revealed that its "independent" reviewer was Stroz Friedberg, a lobbying firm that represented the Recording Industry Association of America in the halls of Congress from 2004 to 2009. Needless to say, RIAA's former lobbying firm is hardly an "independent" reviewer. And CCI could have discovered the relationship between Stroz and the RIAA; it's on the public record, in reports that lobbyists must file with Congress every year.
Nearly every significant detail of how the massive P2P monitoring scheme will work is redacted out of the public version. What remains is this: CCI hired a company called MarkMonitor, which will join BitTorrent networks and collect the Internet Protocol addresses of computers that are sharing certain movies and songs (MPAA and RIAA members supply the lists). Their software, described only as "collection mechanisms" and "scanning systems" in the public version, compares the beginning, end, and some of the middle of the file against a reference version, and, if they match, emails the ISP with the IP address of the accused file-sharer. The ISP then sends an escalating series of warnings and punishments to the subscriber, including mandatory "copyright education" and potential bandwidth throttling or blocking of popular websites.
There's a lot we simply can't tell from this heavily redacted report. Most importantly, we have no way of knowing if legal, non-infringing uses of copyrighted movies and music will be flagged as infringing, leading to escalating "mitigation measures" for law-abiding Internet subscribers. We don't know what, if any, protocols other than BitTorrent the system will be snooping on. And we don't know how, or how accurately, the ISPs match IP addresses to the names of actual human beings. That process, says CCI, was described in another Stroz Friedberg report that hasn't been released.

 

Piracy and Music files:
The term is being misused. A reasonable definition of piracy from Wikipedia: Piracy is an act of robbery or criminal violence at sea. The term can include acts committed on land, in the air, or in other major bodies of water or on a shore. It does not normally include crimes committed against persons traveling on the same vessel as the perpetrator (e.g. one passenger stealing from others on the same vessel). The term has been used to refer to raids across land borders by non-state agents.

Register Of Copyright Suggests That Personal Downloading Should Not Be Seen As 'Piracy' 2013
We've been discussing Maria Pallante's plans for copyright reform, which include a whole bunch of ideas -- some good, some bad and many as yet undetermined. In hearings today before the House Judiciary Committee, Pallante discussed a lot of this, but one surprising point that she had not clearly stated before is that "piracy should not be about the teenager downloading music at home." Instead, she talked about focusing on "the big pirates" who were doing it as a business. This is a fascinating statement as it may be the first time I've heard the Copyright Office suggest that personal use maybe shouldn't be considered infringement. I'm sure we'll have more on the (still ongoing) hearing later, but for now, this admission was a bit of a surprise worth noting. techdirt

Self Publish 2013
Indie Booksellers Sue Amazon, Big Six over E-book DRM
The bookstores are asking the court to issue an injunction prohibiting the publishers and Amazon from “selling e-books with device and app specific DRMs,” while also requiring the big six publishers to allow independent bookstores to directly sell open-source DRM e-books, though it's not clear what the complaint means by open-source DRM. The suit also seeks an injunction preventing Amazon from selling DRM specific, or non-open-source, dedicated e-readers, alternative e-reader devices, and apps. Among the issues the suit, filed by Creizman PLLC of New York and Blecher & Collins of Los Angeles, asks the court to examine are whether the publishers and Amazon entered into a series of contracts which "unreasonably retain trade and commerce" in the e-book market, and whether Amazon has unlawfully monopolized or attempted to monopolize the e-book market.

 

Piracy and Publishers Two Parts of a Single Problem
Harvard Business Review Press Goes DRM-Free And Platform Independent By Tim Cushing Sept 14, 2012
from the DRM:-keeping-pirates-in-business-since-1995 dept
http://www.techdirt.com/articles/20120903/17193420258/harvard-business-review-press-goes-drm-free-platform-independent.shtml
Despite the growing evidence that consumers absolutely hate DRM, many publishers still harbor fantasies that locking down digital goods prevents unauthorized copies from spreading across the internet. Most DRM ends up serving one purpose: to make authorized copies less functional than unauthorized versions.
This practice is particularly prevalent in the book publishing industry. With rare exceptions, most major publishers still keep their products under digital lock and key. There are a few exceptions. Baen was one of the first publishers to go DRM-free, recognizing the limitations far outweighed the benefits to it or its authors. O'Reilly Media has also shunned DRM for the same reasons, noting that unauthorized sharing leads to more readers without an appreciable drop in sales. TOR has attempted to do away with most of its DRM, although it has been hampered by publishers insisting the DRM remain in place. Perhaps noting, as Cory Doctorow pointed out, that "no one's ever bought a book because it has DRM," another publisher, Harvard Business Review Press has opted to go DRM-free.
[H]BR have adopted the “buy once, read anywhere model” and that anywhere includes a Kindle. This means their consumers aren't locked into a device or format. And it means that their purchases are 'future proof' to a good degree. It also means that if they want to share a book, there are no 'technical' things stopping that. To be sure, selling an HBR eBook is illegal but this mode is more tolerant of sharing. Here's HBR's official statement, one that treats its customers with respect.
We make our ebooks available to you DRM-free so you can read them on the device of your choice. We trust that our customers will abide by copyright law and refrain from distributing ebook files illegally. Please note that in the case that you download a PDF, it will be personalized with your email address.
This small statement asking readers to respect its copyright is preferable to installing DRM and treating every paying customer like a thief. Additionally, HBR is offering multiple formats which gives readers more options and keeps them from being locked into any particular device. Joshua Gans points out that offering this freedom to its customers should pay off for HBR, whose target audience is a bit different than most publishers. [snip]

Defeat DRM -- Defeat Apple DRM -- Defeat DVD DRM

Removal of Restrictions Can Decrease Music Piracy
ScienceDaily (Oct. 7, 2011) The research was funded by Rice and Duke universities.
Contrary to the traditional views of the music industry, removal of digital rights management (DRM) restrictions can actually decrease piracy, according to new research from Rice University and Duke University. Marketing professors Dinah Vernik of Rice and Devavrat Purohit and Preyas Desai of Duke used analytical modeling to examine how piracy is influenced by the presence or absence of DRM restrictions. They found that while these restrictions make piracy more costly and difficult, the restrictions also have a negative impact on legal users who have no intention of doing anything illegal.
Because a DRM-restricted product will only be purchased by a legal user, …"only the legal users pay the price and suffer from the restrictions," the study said. "Illegal users are not affected because the pirated product does not have DRM restrictions." "In many cases, DRM restrictions prevent legal users from doing something as normal as making backup copies of their music," Vernik said. "Because of these inconveniences, some consumers choose to pirate." The research challenges conventional wisdom that removal of DRM restrictions increases piracy levels; the study shows that piracy can actually decrease when a company allows restriction-free downloads. "Removal of these restrictions makes the product more convenient to use and intensifies competition with the traditional format (CDs), which has no DRM restrictions," Vernik said. "This increased competition results in decreased prices for both downloadable and CD music and makes it more likely that consumers will move from stealing music to buying legal downloads."
"Unlike in earlier literature, we examine consumers' choices among all the major sources of music," Desai said. "By analyzing the competition among the traditional retailer, the digital retailer and pirated music, we get a better understanding of the competitive forces in the market." The research also revealed that copyright owners don't necessarily benefit from a lower amount of piracy. "Decreased piracy doesn't guarantee increased profits," Purohit said. "In fact, our analysis demonstrates that under some conditions, one can observe lower levels of piracy and lower profits." Vernik, Desai and Purohit hope that their research paper, "Music Downloads and the Flip Side of Digital Rights Management Protection," will provide important insights into the role of DRM.

"[The late] Steve Jobs said it best: 'Why would the big four music companies agree to let Apple and others distribute their music without using DRM systems to protect it? The simplest answer is because DRMs haven't worked, and may never work, to halt music piracy.'" Vernik said. "And our research presented a counterintuitive conclusion that in fact, removing the DRM can be more effective in decreasing music piracy than making the DRM more stringent."

K 12 Public Education Hacker Ethics
See Technology Ethics Defined

Terminology: The first thing you need to know is there are words that are constantly misunderstood and incorrectly used by the media.

  • A security cracker is a person who breaks computer security systems for questionable reasons.
  • A software cracker is one who circumvents software copy protection schemes for questionable reasons.
  • A software hacker is one who investigates how the software works as part of their education.
  • A software Hactivist is one who discovers and reports on defective or crippled software for the sake of protecting the public's right to know and defend themselves against the problems.
  • Black Hat Hacking is the act of compromising the security of a system without permission from an authorized party, with the intent of accessing computers connected to the network for the sake of knowledge and protecting the public from abuse.

Report Sony Cracking to: The U.S. Department of Justice
10th & Constitution Ave., NW
Criminal Division,
(Computer Crime & Intellectual Property Section)
John C. Keeney Building, Suite 600
Washington, DC 20530
Main (202) 514-1026 * Fax (202) 514-6113
Media Inquiries: Office of Public Affairs * (202) 514-2007

2011-05-06 Sony failed to use firewalls to protect its networks and was using obsolete Web applications, which made the company's sites inviting targets for hackers, a Purdue University professor testified May 4 to a Congressional committee investigating the massive data breach of the Sony game and entertainment networks. Sony disclosed on April 26 that thieves had stolen account information of up to 77 million users on the PlayStation Network and Qriocity. A week later, the company admitted on May 2 that the Sony Online Entertainment gaming service had also been breached, affecting an additional 24.6 million users. About 101 million user accounts have been compromised to date. The stolen data included names, addresses, email addresses and dates of birth. Some credit card information may have been stolen, but Sony claimed the numbers were securely saved as a cryptographic hash.

Macs (iMac, Mac Mini, MacBook Pro) are designed by Apple, not Intel. It's Apple's responsibility to tell their customers what is inside their machines, not Intel's. Apparently Apple is trying to use the TPM to lock OS X to Apple hardware, but it doesn't work and can't work. Mac users can now run Windows XP or OS X and switch between them with the newly released Boot Camp.
Apple has installed the DRM protection in its Infineon TPM chip. Infineon is a chip manufacturer; an Infineon TPM has nothing to do with Intel. The basic idea of Trusted Computing is that security on a computer is obtained via hardware, through a specific chip dedicated exclusively to this task, called the Trusted Platform Module (TPM). Originally sold as a beneficial security system for users (which is partially true), Trusted Computing and Palladium risk opening the door to inviolable copy-protection systems and to censorship and surveillance on an unprecedented level.
The Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium, is a software architecture designed by Microsoft which is expected to implement controversial parts of their Trustworthy Computing concept on future versions of the Microsoft Windows operating system. Microsoft's stated aim for NGSCB is to increase the security and privacy of computer users, but critics assert that the technology will not only fail to solve the majority of contemporary IT security problems, but also result in an increase in vendor lock-in and a resulting reduction in competition in the IT marketplace.

"Palladium/Trusted Computing DRM": These are three different things.
Palladium is a Windows-specific technology that is not shipping and will not be shipped any time soon (if ever). Macs don't contain Palladium. The TPM is indeed part of trusted computing, but actually using a TPM to implement strong DRM is very difficult - it requires the OS to be redesigned to provide mandatory security.


Palladium

As Seth Schoen of the EFF paraphrases Microsoft, "So the protection of privacy was the same technical problem as the protection of copyright, because in each case bits owned by one party were being entrusted to another party and there was an attempt to enforce a policy."

11 July 2002. See Microsoft's second digital rights management patent issued a week before this one, invented by the same three persons

10/8/10 BitDefender released a free removal tool targeting all known variants of the Stuxnet worm, as well as the rootkit drivers that are used to conceal critical components of the worm.

DEFINITION OF ROOTKIT

New Word: Rootkit - Rootkit.com's 41,533 members post rootkit source code anonymously, then discuss and share the open source code. Buy and install F-Secure to protect your machine against any rootkit. The trend is toward embedding stealth technologies in varying forms of spyware and malware, such as Backdoor-CEB, AdClicker-BA, W32/Feebs, Backdoor-CTV, Qoolaid, PWS-LDPinch, Opanki.worm, and W32/Sdbot.worm.

Sony is a Cracker - Boycott SONY

Andy Lack of Sony BMG Music Entertainment Division was responsible for the rootkit cracker software fiasco and as of 4/4/06 resigned from Sony.

12/2006 Sony BMG, jointly operated by Sony and Bertelsmann Music Group settles rootkit case. Under the agreement, Sony BMG is prohibited from using similar DRM software in the future.

Record label to pay $4.25 million to a consortium of 39 states, a year after acknowledging that it secretly loaded antipiracy software on music CDs without notifying buyers. Sony BMG will also pay up to $175 apiece to consumers whose computers were damaged by the software. The music label announced similar deals with Texas and California, which each receive $750,000. The 13 states that started the settlement process with Sony BMG, including New York, Florida, Oregon and Pennsylvania, will each receive $316,538, while the rest will get $5,000. Sony must still contend with an investigation into the matter by the Federal Trade Commission.

Learn how to uninstall the Sony Root Kit.

The rootkit problem was first found by a Finnish researcher named Muzzy, but on Oct. 31, Windows expert Mark Russinovich revealed in his blog that Sony installed a rootkit to hide its "XCP" DRM software on users' PCs: Sony BMG Music Entertainment distributed a DRM copy-protection scheme on 52 music CDs that secretly installed a rootkit on computers. This software tool runs without your knowledge or consent -- if it's loaded on your computer from a CD, a hacker can gain and maintain access to your system and you wouldn't know it. Sony also ships a separate system from SunnComm on 27 other CDs (all shipped in the US), which is also spyware. Sony didn't disclose its practices in its installer or even in its license agreement. Sony initially provided no uninstaller for the rootkit, and when Sony added an uninstaller, the process was needlessly complicated, prone to crashing, and a security risk.
Problem: the web-based uninstaller that SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony's other DRM, XCP. It is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the SunnComm problem is easier to exploit than the XCP uninstaller flaw.


SunnComm threatened J. Alex Halderman with charges of violating the DMCA's anti-circumvention provisions a few years ago when he revealed how their technology could be thwarted by holding down the shift key.
Princeton University computer scientist J. Alex Halderman compared the two DRM approaches Sony used on music CDs: First4Internet's XCP DRM, which Sony said was intended only to protect its CDs from music pirates, and the MediaMax DRM rootkit from SunnComm, Inc.
Their product activation and other forms of copy protection aren't really about stopping piracy -- they admit their DRM won't stop the software counterfeiters.
Halderman's findings revealed the spyware attributes of the Sony CDs equipped with MediaMax, which "phones home" every time you play a protected CD with a code identifying what music you're listening to. In the SunnComm server's response to these transmissions, Halderman also uncovered a very important clue to what Sony is really up to: a URL including the term "perfectplacement," an e-commerce revenue-generation "feature of dynamic on-line and off-line banner ads. Generate revenue or added value through the placement of 3rd party dynamic, interactive ads that can be changed at any time by the content owner."
By the time you see Sony's EULA, MediaMax has already installed a dozen files on your hard drive and started running the copy protection code. Even if you say NO to the EULA, the files remain, and Sony CDs provide no option for uninstalling the files at a later date.

Major labels will become licensing houses.
http://techcrunch.com/2009/03/08/big-music-will-surrender-but-not-until-at-least-2011/

"You want to save the music?
Make stuff people want to own for decades. And sell it to them in a way they want to listen to it. The whole MUSIC business has been irreparably harmed. By the inane actions of ignorant people under the moniker of saving the music. Elected officials walk away from crises. They only want to be involved if they can grandstand to great effect. Defending the labels is not going to benefit them with the public. The CD recall is going to cost Sony BMG tens of millions of dollars! And, they get more money from Microsoft and the Silicon Valley players than they do from these old wave mafia-type operators in the music industry". ~ Bob Lefsetz

CD DRM: Threat Models and Business Models. The record label's goals include monetizing the platform, even beyond its effect on controlling copying and use of content. The DRM vendor's primary goal, obviously, is to provide value to the record label, in order to maximize the price that the vendor can charge the label for using the DRM technology. In the case of CD DRM, the system's goals are purely economic, and the technical goals of the system exist only to protect or enable the business models of the record label and the DRM vendor.

Sony Numbers Add Up to Trouble By Quinn Norton
11/ 15/05

More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday. Sony BMG has been on the run for almost two weeks with the public relations debacle of its XCP copy-restriction software, which has installed an exploit-vulnerable rootkit with at least 20 popular music titles on PCs all over the world. The damage spans 165 countries, with the top five countries being Spain, the Netherlands, Great Britain, the United States and Japan. <snip> Sony's suggested method for removing the program actually widens the security hole the original software created, researchers say.

New rules: don't buy a Sony

January 21, 2006 MP3 comes down with a crash
Software glitch has left users unable to transfer tunes to new player. SONY is advising consumers not to use software supplied with its new range of digital music players after hundreds of users complained that it caused their computers to crash. The new Sony MP3 Walkman was billed as the company's long-awaited answer to the iPod and became one of the biggest-selling electrical items for Christmas. But Sony admitted that the software sold with the player has “major problems”, which has left many owners unable to use the players. The Connect Player programme is designed to transfer music from the user's computer to the player and to connect them to Sony's music sales website. But distraught buyers have been posting messages on websites cursing Sony. Others have returned their £199 players for a refund.

Sony has used a CD with skanky code (installing a rootkit) onto your machine which executes flawed code can now be used by hackers to molest your machine too AND you can't get their crap off your machine, so you're totally screwed. [aka RIAA's "Benjamin" virus ]

I know you don't understand.
Rule: just don't buy a sony cd and put it into your machine and you won't have a problem.

Sony BMG, which had embedded aggressive copy-protection software on the Van Zant CD, suspended the use of that software after security companies classified it as malicious. At least two Internet-borne worms were discovered attempting to take advantage of the program, which the CDs transferred to computers that played them. And the company was facing lawsuits accusing it of fraud and computer tampering in its efforts at digital rights management, or D.R.M. The removal tool that First4Internet supplies is an ActiveX control marked "safe for scripting". That means it can be invoked by any web page -- and it can be used to install new software on your machine.... The problem was first found by a Finnish researcher named Muzzy; see http://hack.fi/~muzzy/sony-drm/ for details.

What is the difference between a Massachusetts 17-year-old who pleaded guilty to cracking after exposing the personal records of 300,000 consumers, and Sony breaking the security of hundreds of thousands of innocent computer users?

BACKDOORS

 

CPU BACKDOORS

It's generally accepted that any piece of software could be compromised with a backdoor. Prominent examples include the Sony/BMG installer, which had a backdoor built in to allow Sony to keep users from copying the CD, which also allowed malicious third parties to take over any machine with the software installed; the Samsung Galaxy, which has a backdoor that allowed the modem to access the device's filesystem, which also allows anyone running a fake base station to access files on the device; and Lotus Notes, which had a backdoor which allowed encrypted files to be decrypted.

Sony BMG copy protection rootkit scandal

 

Deceptive, illegal, and potentially harmful copy protection measures implemented by Sony BMG on about 22 million CDs.

Sony CDs are shipped with XCP copy protection technology. Apparently this commercial product contains GPL DRM-circumvention code. Sony CDs protected with their technology automatically install several megabytes of files without any meaningful notice or consent, silently phone home every time you play a protected album, and fail to include any uninstall option. The scope of the misstep has left the realm of public relations and entered that of the criminal. Sony has recalled affected CDs and announced an exchange program to swap customers' affected CDs for XCP-free replacements.

DRM on a Sony CD installed a rootkit on a customer's PC
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. See Rootkit Resources

Sony, Rootkits and Digital Rights Management Gone Too Far
Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software. The Sony CD DRM software deposits a hidden directory, several hidden device drivers, and a hidden application in your OS.

World of Warcraft hackers using Sony BMG rootkit
Sony offers a patch, but researchers say it is extremely complicated to use and will leave your OS damaged.

Sony non apology apology - Sorry seems to be the hardest word . . .

Welcome To Planet Sony

The latest copy-protected CDs from Sony DADC
- Key2audio, Sony DADC - Campaign for Digital Rights

Oh Yeah, and by the way . . .
Where was your security company? Why didn't they protect YOU and report the Sony malicious code instead of keeping quiet?

Why did Microsoft provide the functionality that allows a hidden program on an audio CD to automatically install software on the PC that is invisible to the user? Why didn't its protection software detect and stop it?

Who are the security companies really working for? Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time. What happens when the creators of malware collude with the very companies we hire to protect us from that malware? We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.

F-Secure Chief Research Officer Mikko Hypponen helped to get info about Sony out there when no one was listening. I bought and recommend you buy F-secure for your computer ~ KE
According to F-Secure, a Finnish antivirus vendor, the German DVD release of "Mr. & Mrs. Smith" contains a digital rights management protection tool that uses rootkit-like cloaking technology. The movie is distributed by 20th Century Fox. Archives

Symantec bites the hand that feeds... 12/6/05
Just over ten years ago (95-09-15) *Hobbit* wrote a little tool called netcat (aka nc), swiftly dubbed the "TCP/IP Swiss Army knife". *Hobbit* was affiliated with the l0pht, which was later purchased by @stake, which was later purchased by Symantec. At some point (circa 1998), Weld Pond ported the netcat utility to Windows. Weld was an original member of the l0pht and later the Director of Research and Development with @stake. Weld's version was distributed at @stake for some time. Suffice it to say, the l0pht, @stake and its members/employees supported netcat's use and distribution.
Jump forward to today, and Symantec now classifies netcat on a system as a High Risk Impact. As aj reznor asked, "is that to say that SYM bought a company known then for offering naughty things?" Let us also remember that Symantec owns SecurityFocus which conveniently offers the tool in their tool repository.<snip>


BAD PRESS - POLICE INVESTIGATION - SCANDAL IN PROGRESS

Sony faces police investigation into DRM code 44/8/05
ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) has filed a complaint with Colonel Umberto Rapetto of the Guardia di Finanza, head of Italy's cybercrime investigations unit, requesting a criminal investigation of Sony BMG for its use of copy-protection software that acts as a rootkit. ALCEI-EFI alleges that the software damages computers and contains malicious features forbidden under Italian law. First 4 Internet, developer of the Sony software, says use of rootkit features was necessary to prevent users from working around the copy-protection. Computer Associates has classified the Sony copy-protection as a form of spyware.

CLASS ACTION SUIT BEGINS

Isn't it interesting that all the negative publicity has been directed at SONY, not BMG?
BMG doesn't have a famous brand name in the U.S. Bertelsmann is a faceless corporation. The average person is unaware that the German company owns Sony Music. Andy Lack is the head of Sony Music.
The law firms of Green Welling, LLP, and Lerach, Coughlin, Stoia, Geller, Rudman and Robbins, LLP, and the EFF are suing Sony BMG which is also facing at least six other class action lawsuits nationwide and an action by the Texas Attorney General.

Spitzer Gets on Sony BMG's Case
New York's Attorney General has turned his attention to Sony BMG's copyright-protection fiasco. Sony BMG Music Entertainment is getting a lot of unwanted attention for its use of copyright-protection software that left CD users open to computer viruses. They have also admitted to Plugola & Payola activity costing them $10 million.

Proposed Settlement 12/30/05 Sony reaches provisional settlement in rootkit fiasco PDF
It may provide the starting point for a future statute that protects against the misuse of digital rights management technologies.

Don't Mess with Texas <:-)

Sony is being sued by the state of Texas, which contends that the electronics giant violated the state's new spyware law.
"Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," said Greg Abbott, the Texas attorney general.

United States Computer Emergency Readiness Team
Vulnerability Note VU#312073

A vulnerability has been reported in First4Internet XCP's uninstallation ActiveX control, which can potentially be exploited by malicious people to compromise a user's system. The vulnerability is caused by the "CodeSupport.ocx" ActiveX control, which is installed via Internet Explorer when the user uninstalls the XCP DRM software by visiting the vendor's website.
The ActiveX control is marked safe-for-scripting and supports several potentially dangerous methods like "RebootMachine", "InstallUpdate", and "IsAdministrator". This may be exploited to install arbitrary code on the user's system.
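The risk in both the Muzzy paragraph above and VU#312073 is the same: a control registered in the "safe for scripting" category can be instantiated and driven by any web page, so a method such as "InstallUpdate" is reachable by whoever can get the user to load a page. The standard fleet-side mitigation is the Internet Explorer "kill bit". The audit script below is an added example, not code from this page, from First4Internet or from US-CERT. It lists every registered control that carries the safe-for-scripting category, reports whether its kill bit is set, and flags any such control that is backed by CodeSupport.ocx. The category GUID and the 0x400 flag are the documented Windows values; the CLSIDs and file paths in the embedded sample snapshot are constructed placeholders (this page does not give the real CLSID of the XCP control), and `collect_from_registry` only works on Windows, so on other systems the script runs against that sample.

```python
"""Audit ActiveX controls marked "safe for scripting" and report whether the
Internet Explorer kill bit is set for each.  Added example; registry layout is
the documented one, sample CLSIDs/paths below are constructed placeholders."""
import sys

# Component category GUID that marks a control as safe to call from script
# (CATID_SafeForScripting, registered under HKCR\CLSID\{clsid}\Implemented Categories).
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
# Flag in the per-CLSID "Compatibility Flags" DWORD that stops IE loading a control.
KILL_BIT = 0x400


def audit(controls, compat_flags):
    """Return one finding per control that a web page is allowed to script.

    controls:     {clsid: {"server": inproc_server_path, "categories": [catid, ...]}}
    compat_flags: {clsid: int}  value of "Compatibility Flags" under
                  HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{clsid}
    """
    findings = []
    for clsid, info in controls.items():
        categories = {c.upper() for c in info.get("categories", [])}
        if CATID_SAFE_FOR_SCRIPTING not in categories:
            continue  # IE refuses to script controls outside this category
        killed = bool(compat_flags.get(clsid.upper(), 0) & KILL_BIT)
        findings.append({"clsid": clsid.upper(),
                         "server": info.get("server", ""),
                         "kill_bit": killed})
    return findings


def unkilled_by_server(findings, filename):
    """Scriptable controls implemented by the named OCX/DLL that have no kill bit."""
    name = filename.lower()
    return [f for f in findings
            if f["server"].lower().endswith(name) and not f["kill_bit"]]


def _subkeys(key):
    """Yield the subkey names of an open winreg key (Windows only)."""
    import winreg
    index = 0
    while True:
        try:
            yield winreg.EnumKey(key, index)
        except OSError:
            return
        index += 1


def collect_from_registry():
    """Windows only: build the two dicts audit() expects from the live registry."""
    import winreg
    controls, flags = {}, {}
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as root:
        for clsid in _subkeys(root):
            entry = {"server": "", "categories": []}
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as k:
                    entry["server"] = winreg.QueryValue(k, None) or ""  # default value
            except OSError:
                pass
            try:
                with winreg.OpenKey(root, clsid + r"\Implemented Categories") as k:
                    entry["categories"] = list(_subkeys(k))
            except OSError:
                pass
            controls[clsid.upper()] = entry
    compat = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, compat) as root:
        for clsid in _subkeys(root):
            try:
                with winreg.OpenKey(root, clsid) as k:
                    flags[clsid.upper()] = int(winreg.QueryValueEx(k, "Compatibility Flags")[0])
            except OSError:
                pass
    return controls, flags


# Constructed sample snapshot: CLSIDs and paths are placeholders, not real values.
SAMPLE_CONTROLS = {
    "{11111111-0000-0000-0000-000000000001}": {          # scriptable, no kill bit
        "server": r"C:\WINDOWS\Downloaded Program Files\CodeSupport.ocx",
        "categories": [CATID_SAFE_FOR_SCRIPTING],
    },
    "{22222222-0000-0000-0000-000000000002}": {          # scriptable but killed
        "server": r"C:\WINDOWS\system32\example-killed.dll",
        "categories": [CATID_SAFE_FOR_SCRIPTING.lower()],
    },
    "{33333333-0000-0000-0000-000000000003}": {          # not in the category at all
        "server": r"C:\WINDOWS\system32\not-scriptable.dll",
        "categories": [],
    },
}
SAMPLE_FLAGS = {"{22222222-0000-0000-0000-000000000002}": KILL_BIT}

if __name__ == "__main__":
    if sys.platform == "win32":
        controls, flags = collect_from_registry()
    else:
        controls, flags = SAMPLE_CONTROLS, SAMPLE_FLAGS
    findings = audit(controls, flags)
    for f in findings:
        print(("KILLED     " if f["kill_bit"] else "SCRIPTABLE ") + f["clsid"] + " -> " + f["server"])
    print("unmitigated CodeSupport.ocx controls:", unkilled_by_server(findings, "CodeSupport.ocx"))
```

The script only reports; setting the kill bit for a flagged CLSID means creating the "Compatibility Flags" DWORD with the 0x400 bit under that CLSID's ActiveX Compatibility key, which is a change-controlled step rather than something an audit tool should do silently. Reading HKCR does not need administrator rights, so the collector can run under a normal user account.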

Military assessing possible threat posed by Sony security software
By Charlie Coon Stars and Stripes Mideast edition November 23, 2005
It seems innocent enough. A Sony BMG music CD bought at a Power Zone, when inserted into a computer, requires the Sony player be downloaded in order to play the music.
But the software also includes anti-piracy software and a "root kit" that secretly enables Sony to track usage and alter the computer's operating system.
This surreptitious software allows hackers to access data stored on the computer and introduce viruses.
Military network analysts are assessing a possible security threat that could result if the software is installed on government computers, according to Tom Ryan, an information assurance manager with the 5th Signal Command based in Mannheim, Germany.
"It's not so much [a threat] on the classified network because everything on it is already encrypted," Ryan said. "But as far as [operational security], on the unclassified side it's possible for somebody to pull down enough information to put together some really sensitive stuff."
Ryan said that the command is about to install a security patch developed by Defense Information Systems Agency.
"You have a certain amount of time to comply with installing those security patches," Ryan said, adding that the current patch needs to be installed by Dec. 14.
About 2 million Sony BMG music CDs have been sold with the anti-piracy software embedded on the discs, which makes computers running Windows products more vulnerable to hackers.
The CDs, released under 52 different titles, install a program on Windows-based computers that limits the number of copies that can be made, such as is done with MP3 files.
Tim Madden, a spokesman for Joint Task Force Global Network Operations, a component of U.S. Strategic Command that oversees the operation and protection of military networks, downplayed the risk to Department of Defense computer security.
"It doesn't pose any threat," Madden said. "You can't install [the software] because of security configurations on DOD computers.
"If somebody were to get [an affected CD] and put it on a government computer, it asks them to install [the software], but they can't because they don't have the permissions."
When asked if someone could bring an infected computer from home and hook it up to a military network, Madden said, "there are a lot of 'what ifs.'"
"This has not been an issue for DOD computers because of the blocks that have been put in place," Madden said. "Whatever processes and procedures we may do to manage that is something we're not going to talk about publicly."
The Army and Air Force Exchange Service, which operates Power Zones and other stores that sell CDs, is offering customers a full refund for opened or unopened packages.
Army Lt. Col. Dave Accetta, a spokesman for AAFES Europe, said stores are complying with the Sony recall and pulling the affected CDs from their shelves.
"It is a voluntary recall, but we want to make sure customers are aware and are not placing computer systems at risk," he said.
The software does not affect stereo equipment, just computers, according to Sony and AAFES.

COPYFIGHT

Out of tune Los Angeles Times EDITORIAL 12/28/05
SONY BMG, THE WORLD'S second-largest record company, shot itself in the foot so badly this month that it may have wounded the entire music industry. Its disastrous dalliance with invasive anti-piracy technology gives music fans yet another reason to view the major record labels as victimizers, not victims.

The court didn't rule P2P networks illegal. The Internet itself is a peer-to-peer network.

sneakernet: /snee´ker·net/, n. Term used (generally with ironic intent) for transfer of electronic information by physically carrying tape, disks, or some other media from one machine to another. “Never underestimate the bandwidth of a station wagon filled with magtape, or a 747 filled with CD-ROMs.” Also called 'Tennis-Net', 'Armpit-Net', 'Floppy-Net' or 'Shoenet'; in the 1990s, 'Nike network' after a well-known sneaker brand.

Copyfight
By JASON L. RILEY 12/26/05; Page A10 WALL STREET JOURNAL EDITORIAL BOARD
It's been six years since the entertainment industry loosed its lawyers on the makers of Internet file-sharing software, and two years since the industry began suing the people who use it. By and large, it's winning these legal battles -- including a court-ordered shutdown of Napster in 2001 and a 9-0 Supreme Court ruling against Grokster in June. But that doesn't mean it's winning the war.
In fact, Americans continue to download music and movies using these so-called "peer-to-peer," or P2P, networks in record numbers. Through its trade association, the Recording Industry Association of America (RIAA), the music industry has sued more than 15,000 people in the past two years alone. Yet over that same period, traffic on file-sharing networks doubled, according to Big Champagne, a media company that measures P2P activity. Halfway through this year, volume had climbed to nearly nine million downloads, a new high and a 20% increase over last year. SNIP
Songwriters tried to sue the player piano out of existence a century ago. Vaudeville performers sued Guglielmo Marconi for inventing the radio. Disney and Universal sued Sony for making the Betamax VCR. And cable entrepreneurs over the years have been dragged into court by everyone from television broadcasters to the Motion Picture Association of America. If music and movie moguls had their druthers, they would have monopoly control over any device or platform capable of reproducing sound or pictures.
Oh yes, one last thing - RIAA threatens anyone who sells their mp3 player WITH the songs still on it with a lawsuit. What a crock. These people are not living in the real world. They are trying to control the secondary market.

World War II code breakers could identify individual German Enigma operators by their style of typing code or Fist. SRI International has found the same approach can identify modern-day typists. BioPassword, a US company, is trying to build a commercial system to identify individuals based on how they type an eight to 16-keystroke password nine times. An online digital media distribution company already uses the technology in its Digital Media Distribution System, which is used to distribute about half of all new music releases to Canadian radio stations.
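The "fist" idea in the paragraph above is keystroke dynamics: the rhythm with which a person types a fixed string is measured at enrollment and later typings are compared against it. The block below is an added example, not code from this page, from SRI or from BioPassword, showing the simplest version of that scheme: each enrollment typing of an eight-character password is reduced to its seven inter-key latencies, the per-position mean and spread form a template, and a new typing is accepted when most of its latencies fall inside the learned band. The timings are constructed sample data; four enrollment typings are used here rather than the nine the article mentions, and the tolerance, spread floor and acceptance threshold are assumed values a deployment would tune against its own false-accept and false-reject rates.

```python
"""Keystroke-rhythm ("fist") verification on a fixed password.

Added example with constructed timing data: a template of per-interval
timing mean and spread is learned from several enrollment typings, and a
later typing is accepted when enough of its intervals match that rhythm."""
from statistics import mean, pstdev

PASSWORD_LEN = 8       # eight keystrokes -> seven inter-key intervals
MIN_SPREAD_MS = 10.0   # floor on learned spread so a very consistent enrollment is not brittle


def intervals(timestamps_ms):
    """Inter-key latencies (ms) from the absolute key-down times of one typing."""
    if len(timestamps_ms) != PASSWORD_LEN:
        raise ValueError("expected one timestamp per password character")
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def build_template(enrollment_typings):
    """Per-interval (mean, spread) learned from several typings of the password."""
    rows = [intervals(t) for t in enrollment_typings]
    columns = zip(*rows)                         # one column per interval position
    return [(mean(col), max(pstdev(col), MIN_SPREAD_MS)) for col in columns]


def score(template, timestamps_ms, tolerance=2.0):
    """Fraction of intervals lying within tolerance*spread of the template mean."""
    observed = intervals(timestamps_ms)
    hits = sum(1 for (m, s), x in zip(template, observed) if abs(x - m) <= tolerance * s)
    return hits / len(observed)


def verify(template, timestamps_ms, threshold=0.8):
    """Accept the typing if at least `threshold` of its intervals match the rhythm."""
    return score(template, timestamps_ms) >= threshold


def timestamps_from(latencies_ms, start_ms=0):
    """Constructed-data helper: absolute key-down times from a list of latencies."""
    times = [start_ms]
    for delta in latencies_ms:
        times.append(times[-1] + delta)
    return times


# Constructed enrollment data: four typings of an 8-character password by the
# legitimate user, expressed as inter-key latencies in milliseconds.
ENROLLMENT = [timestamps_from(lat) for lat in [
    [120, 90, 200, 80, 150, 110, 95],
    [130, 95, 210, 85, 140, 115, 100],
    [115, 85, 195, 90, 160, 105, 90],
    [125, 100, 205, 75, 145, 120, 105],
]]
GENUINE = timestamps_from([118, 94, 198, 84, 152, 108, 98])    # same user, same rhythm
HESITANT = timestamps_from([122, 93, 230, 83, 149, 113, 97])   # same user, one slow interval
IMPOSTOR = timestamps_from([70, 60, 120, 140, 90, 200, 60])    # knows the password, not the rhythm

TEMPLATE = build_template(ENROLLMENT)

if __name__ == "__main__":
    for label, typing in [("genuine", GENUINE), ("hesitant", HESITANT), ("impostor", IMPOSTOR)]:
        print(f"{label:9s} score={score(TEMPLATE, typing):.2f} accept={verify(TEMPLATE, typing)}")
```

Because the check is a second factor layered on a password the impostor already knows, the useful failure mode to look at is the "hesitant" case: one slow interval still passes, which is the tolerance a real user needs, while a typing with a wholly different rhythm is rejected outright. Dwell time (key-down to key-up per key) is the other common feature and would be added as further template columns in the same way.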
