[JPL] more on the sony copyright situation

JazzCorner at aol.com JazzCorner at aol.com
Wed Nov 16 04:22:04 EST 2005

Sony's Plan To Fix Infected Copy Protection Only Makes Matters Worse

Sony's suggested method for removing the program actually widens the security
hole the original software created, researchers say.
By Brian Bergstein, The Associated Press 
Nov. 15, 2005 

BOSTON (AP) -- The fallout from a hidden copy-protection program that Sony
BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested
method for removing the program actually widens the security hole the original
software created, researchers say.

Sony apparently has moved to recall the discs in question, but music fans who
have listened to them on their computers or tried to remove the dangerous
software they deposited could still be vulnerable.

"This is a surprisingly bad design from a security standpoint," said Ed
Felten, a Princeton University computer science professor who explored the
removal program with a graduate student, J. Alex Halderman. "It endangers users
in several ways."

The "XCP" copy-protection program was included on at least 20 CDs, including
releases by Van Zant, The Bad Plus, Neil Diamond and Celine

When the discs were put into a PC - a necessary step for transferring music
to iPods and other portable music players - the CD automatically installed a
program that restricted how many times the discs' tracks could be copied, and
made it extremely inconvenient to transfer songs into the format used by iPods.

That antipiracy software - which works only on Windows PCs - came with a
cloaking feature that allowed it to hide files on users' computers. Security
researchers classified the program as "spyware," saying it secretly transmits
details about what music the PC is playing. Manual attempts to remove the
software can disable the PC's CD drive.

The program also gave virus writers an easy tool for hiding their malicious
software. Last week, virus-like "Trojan horse" programs emerged that took
advantage of the cloaking feature to enter computers undetected, antivirus
companies said. Trojans are typically used to steal personal information,
launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the
antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom,
released a program that uninstalls XCP. But the uninstaller has created a new
set of problems.

To get the uninstall program, users have to request it by filling out online
forms. Once submitted, the forms themselves download and install a program
designed to ready the PC for the fix. Essentially, it makes the PC open to
downloading and installing code from the Internet.

According to the Princeton analysis, the program fails to make the computer
confirm that such code should come only from Sony or First 4 Internet.

"The consequences of the flaw are severe," Felten and Halderman wrote in a
blog posting Tuesday. "It allows any Web page you visit to download, install,
and run any code it likes on your computer. Any Web page can seize control of
your computer; then it can do anything it likes. That's about as serious as a
security flaw can get."

Sony BMG spokesman John McKay did not return calls seeking comment. First 4
Internet was not making any comment, according to Lynette Riley, the office
manager who answered the company's phone Tuesday evening in England.

Mark Russinovich, the security researcher who first discovered the hidden Sony
software, is advising users who played one of the CDs on their computer to
wait for the companies to release a stand-alone uninstall program that doesn't
require filling out the online form. "There's absolutely no excuse for Sony not
to make one immediately available," he wrote in an e-mail Tuesday.

Other programs that knock out the original software are also likely to emerge.
Microsoft Corp. says the next version of its tool for removing malicious
software, which is automatically sent to PCs via Windows Update each month,
will yank the cloaking feature in XCP.

Sony BMG said Friday it would halt production of CDs with XCP technology and
pledged to "re-examine all aspects of our content protection initiative." On
Monday night, USA Today's Web site reported that Sony BMG would recall the CDs
in question.

Jazzcorner - home of complete websites for more than 180 artists and 
organizations as well as Speakeasy - the busiest bulletin board on the net for jazz

Jazz Cares -  Musicians helping Musicians
