|
Sony's XCP
Copy Protection Debacle |
In the spring of 2005, Sony BMG released a flawed copy protection scheme that can caus serious computer damage. |
| Return to main article | |
| Read about another copy protection scheme |
Around April of 2005 Sony BMG began releasing CDs that were protected against unlimited copying on Windows computers. Since a CD cannot be written to, that protection had to involve the user's computer to limit the number of copies that could be made.
This DRM scheme, called XCP, installs software on the computer that is then "cloaked" so it cannot not be seen by the Windows operating system. There is no indication that it is installed and there is no means of removing it. The method used to cloak the software is often called a "Rootkit". Rootkits are generally considered to be malicious since they grant undesired "root access" to the computer.
"Root access" means that you have "god rights" to the entire file system on the computer starting with the root path, which is C:\ on a Windows machine. Root access also means you have full permission to do anything you want on the system.
In early November 2005 a security specialist was testing rootkit detection software he had just written. He was shocked to find a rootkit hiding on his own computer. It took a few days to determine what this rootkit did and how it got there. Once he put the pieces together Sony's world was quickly turned upside down. Just what types of problems can Sony's rootkit cause? Try these:
- It modifies the Windows operating system so that its files cannot be seen.
- It cannot be detected on the system and it cannot be removed.
- It sends information to Sony each time the CD is played, identifying the CD and the machine playing it.
- It could identify the owner of the CD but it is not known if that capability is being used at this time.
- If it is removed the computer can "blue screen" (crash) repeatedly and / or the CD drive may cease functioning.
- It can grant outsiders easy access to the computer so they can plant malicious files on the hard drive.
- It generates extra Internet traffic as large numbers of computers communicate with Sony.
Sony has released a patch to remove their rootkit but trying to find it or implement it is another matter. Initially their Website did not mention the patch at all; you had to know to go the "FAQ" section. To obtain the patch you would have to fill out an on-screen form, wait for a reply, and then fill out another form so you can receive a unique code that will allow you to remove the rootkit from the computer from which you sent the request. All of this seems overly complex and problematic:
- It can take many hours for Sony to send the message with the software patch.
- The patch works on only one machine and only within a certain number of days after receipt.
- The patch does not disable DRM, rather, it replaces the flawed DRM scheme with a new one.
- Sony's Terms and Conditions state that your e-mail address may be shared with others for marketing purposes.
So, Sony has caused major problems for many people. They are telling the media, but not visitors to their Website, about the problem and its cure. They put the user through hoops to get the patch, and they maintain the right to use the user's e-mail address for marketing purposes.
If you install the patch, Sony will know your name, your e-mail address, and your computer configuration. Whatever claims they may have made regarding not being able to associate a given CD with the person playing it would seem to be invalid at this point.
Just how problematic is the Sony rootkit? We know of one Government agency that has instructed its user community not to play any Sony CDs. The IT staff (the network people) have removed the DRM software from a number of computers, which now have non-functioning CD drives. They will have to schedule a time to re-install Windows XP in order to get those CD drives working again. This also means assisting the user to back up the data on their hard drive prior to making the repair.
The IT department has already spent quite a bit of time diagnosing the Sony problem and making stopgap repairs. They will soon be spending yet more time correcting these problems properly. Their anti-virus server was inundated with Sony CD activity and had to be upgraded to handle the load.
That is only ONE agency. Try to imagine the effects of Sony's DRM software on hundreds or thousands of large companies and Government agencies worldwide, plus countless numbers of end users who may have to pay to have their computers serviced.
Sony is pulling the CDs from the shelves and offering replacements to affected users but they are not admitting they have done anything wrong, only that their software needs to be updated.
Below is a statement from the Sony BMG Website regarding the XCP copy protection scheme. We have made some notes in the right hand column.
November 18, 2005 SONY BMG COMMENCES COMPACT DISC EXCHANGE PROGRAM FOR XCP CONTENT PROTECTED CDS -- Provides Overview of Actions to Date on XCP Software -- |
Our comments are below in green. |
New York, NY - November 18, 2005 - SONY BMG Music Entertainment today announced the commencement of a mail-in program through which consumers can exchange compact discs (CDs) containing XCP content protection software for a replacement version of the same CD without the XCP software, in addition to receiving MP3 files of that CD. |
The new CD does not contain XCP content protection. Does it contain another kind of copy protection? |
| XCP content protection software is included on 52 SONY BMG titles. Further information about the exchange program, including an FAQ for consumers about XCP technology and a list of titles may be found at the website dedicated to providing consumers with information on this subject, http://cp.sonybmg.com/xcp. | |
| Consumers can also download a software update from SONY BMG's website at http://cp.sonybmg.com/xcp. This update addresses the security vulnerabilities associated with XCP software. | This update may introduce problems worse than the original ones. |
| In addition to consulting the list of titles at the website, consumers can identify titles with XCP content protection by checking the back of the CD packaging. If there is a black and white table with the words "Compatible With", and if the URL in that table ends with the letters "XCP" (http://cp.sonybmg.com/xcp), that indicates the disc contains the XCP software. | Now, how would anyone know that when they bought the CD? |
Information on the CD Exchange Program Consumers who wish to exchange their XCP content protected CDs or also receive MP3 files of the titles in addition to their replacement CDs should visit http://cp.sonybmg.com/xcp for a list of titles and versions, specific instructions and shipping information. There will be no charge to consumers for shipping in either direction. |
It takes only a few minutes to "rip" a CD to MP3 files. Why would Sony set up a server farm and an e-mail system to give away MP3s to people who own the CD? |
| In addition to providing replacement CDs by mail, SONY BMG is making available MP3 files to consumers who are exchanging their XCP content protected CDs. Consumers who choose to receive MP3 files will receive an e-mail with a link to the MP3 downloads upon SONY BMG's receipt and verification of their XCP CDs. | Could those MP3 files be customized so they can be traced to you? If they turn up on the Internet, what might happen? |
SONY BMG's Actions to Date Regarding XCP Software SONY BMG has taken the following actions with respect to XCP software: 1. SONY BMG has ceased manufacturing compact discs with XCP software. |
|
| 2. SONY BMG is working with its retail partners to withdraw compact discs with XCP software from distribution and retail chains. It has asked retailers to cease sale of those discs and to return them to SONY BMG. This withdrawal program has been and is being widely communicated. | This is a very good thing! |
| 3. SONY BMG is moving as quickly as the manufacturing process will allow to replace all compact discs with XCP that are present in the chain of distribution with non-copy protected discs. | So, the new discs are not copy protected. The text above did not mention that. |
| 4. As announced today, SONY BMG has commenced an exchange program whereby any consumer who has purchased an XCP-protected compact disc will be able to receive a replacement, non-copy protected disc and MP3 files of the titles. | Sony is going to give you more than you paid for: A CD and MP3 files. |
| 5. Consumers can download a software update from the SONY BMG's website at http://cp.sonybmg.com/xcp/english/updates.html. The effect of this update is to "uncloak" the XCP components on the user's hard drive, thereby allowing anti-virus software to detect it and block any viruses from exploiting it. | Some authorities suggest that the patch that "uncloaks" XCP introduces problems of its own and endangers the computer. |
| 6. SONY BMG is will soon make available a revised and secure procedure for consumers to uninstall the XCP software from their computers. The removal of XCP (and the downloading of the software update) does not affect the consumer's ability to play and use any music from an XCP-protected compact disc already transferred from the disc to the computer. | Probably better to wait for the new un-installer, and wait until after the experts have given it their blessing. |
| 7. In addition, Microsoft and the major anti-virus companies have been made aware of the security issues that have been raised. The anti-virus companies have issued updates to their customers to address potential vulnerabilities arising from the installation of XCP software. | The malware industry is now jumping through hoops since Sony has polluted the waters of the Internet. |
| SONY BMG's Commitment to User Privacy and Software Security SONY BMG is committed to testing, verifying and disclosing to consumers, its use of any copy protection technology. |
So, the copy protection will likely remain in one form or another, but Sony will now tell us about it. |
SONY BMG is reviewing all aspects of its content protection initiatives to be sure that they are secure and user-friendly for consumers. As the company develops new initiatives, it will continue to seek new ways to meet consumers' demands for flexibility in how they listen to music, while protecting intellectual property rights. |
Since you can't modify a stamped CD the only way feasible would be to use the computer hard drive or a remote server to authorize copying, as was done with XCP. |
Background Regarding XCP Software Security concerns have been raised regarding the use of CDs containing XCP software in computers. These issues have no effect on the use of these discs in conventional, non-computer-based CD and/or DVD players. This content protection technology was provided by a third-party vendor, First4Internet, and was designed to prevent unlimited copying and unauthorized redistribution of the music on the disc. |
Yes, but if you some day insert the CD into a computer then there will be problems, especially if you do not exchange yours for one without XCP. Sony licensed XCP from another vendor but they are still responsible for testing what they distribute. |
SONY BMG MUSIC ENTERTAINMENT is a global recorded music joint venture with a roster of current artists that includes a broad array of both local artists and international superstars, as well as a vast catalog that comprises some of the most important recordings in history. SONY BMG is 50% owned by Bertelsmann A.G. and 50% owned by SONY Corporation of America. # # # |
| Return to article 11/24/05 |