Monday, November 21, 2005

The unmaking of SONY.

Category: [in English] [Geeky & Tools]

"I've been around so long, I knew Doris Day before she was a virgin" goes one of my many favorite quotes of Groucho Marx. Back in the roaring eighties of last century, I found myself actually writing and tweaking operating systems and device drivers for all kinds of exotic processors, including the 8-bit 6502 and the Motorola 68000. Yes, in assembly (machine) language. There was a time I was even quite proficient in DOS internals. On a sidetrack, I remember designing an original copy protection scheme, based on some glitches in DOS, and selling it to Elsevier, making me some badly needed bucks. Windows went over my head, especially the first versions, which were nothing more than a layer over DOS, but could make a programmer's life miserable. After that, I turned to applications, lately just programming in PHP and JavaScript. But old geeks never die and I always kept a vivid interest in geeky issues and operating system internals, as well as an obsessive preference for US-qwerty keyboards. A sizeable intro to explain why this article on Geek News Central caught my attention. Sony is in deep legal and marketing trouble and it deserves it.
What happened?

In their fight against rampant piracy and online sharing of copyrighted music, the music industry has taken some drastic steps in the past. Suing naïve teens who offer music on P2P online networks and injecting Kazaa and other file-sharing networks with bogus music files are among those. But P2P is hard to control, which is why some of the music labels turned to a DRM or digital rights management system, a euphemism for copy protection, also called TPM, technical protection measures. Most of the time it's a way to write CDs in a non-standard fashion, fooling some players. What it does to consumers is make their lives complicated when they want to play a TPM-ed CD in their car or on their PC. The music industry has drawn a lot of criticism for doing so, for instance from consumer organizations.

But Sony took it a bit further. A bit too far, as it has turned out. The ball started rolling when guru Mark Russinovich posted an article on his Sysinternals weblog, titled "Sony, Rootkits and Digital Rights Management Gone Too Far". Mark discovered that when you play a Sony CD on your PC, it installs software to prevent copying of the CD more than 3 times, and it needs a proprietary player. What's worse, it does so by using a poorly written rootkit, a technique often used by the most malicious viruses. Sony CDs install this virus-like software without the user's consent and without his knowledge, and it cannot be uninstalled. A user who tries to remove the hidden files and folders ends up with a system that can't access the CD drive any more.

Sony's malware ("malicious software") replaces original Windows drivers, modifies original Windows API tables, and operates in stealth mode, imposing a large and unnecessary overhead on CPU resources. It even starts up in Windows safe mode, against all conventions that non-essential drivers shouldn't be loaded at that time. Its presence is hidden ("cloaking") from all system repair and maintenance tools, since it fools the Windows APIs used to edit and inspect the registry and the file system: "Rootkits are cloaking technologies that hide files, registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden".

For Geeks with some sense for drama and suspense, Mark's story of how he discovered Sony's virus reads like a great thriller. Highly recommended Geek-food. His story is complete with all the steps (including disassembly of some of Sony's software), screenshots, and some Google research that pointed to First4Internet, the original vendor of the virus-like, badly written TPM. "XPC, the true meaning of audio security" states its website. Yeah right, by installing a malicious virus.

Mark's story quickly hit the blogosphere and tech sites like Slashdot and The Register, raising the whisper into a roaring noise. "My posting Monday on Sony's use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that's reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world". Sony first denied, then confessed, but it was very reluctant to provide de-installation software. Things got worse when it turned out that Sony's poorly written TPM could be a piggyback for other malicious software like trojans. Moreover, it turned out to be a phone-home type of software, informing Sony of CDs played by users, how many times and when, their type of PC, etc. First4Internet denied this furiously, but this feature has been proved right.

For those interested in a good thriller that started as Geek-food but exploded into a wide debate about do's and don'ts by large companies, the unraveling of the story can be read in full on Sysinternals. It wouldn't be America if Sony didn't face a lawsuit soon, and the first one was filed by Himmelfarb (pun intended) in - of course - California. Many suits are to follow. Sony first published a "patch" on its website, which installed in effect a more dangerous version of its criticized TPM, then announced it would stop using the virus-like TPM scheme altogether. It later announced it would recall all CDs carrying it, and Amazon wants to refund Sony CD-buyers too. But the ghost may be well out of the jar as hackers eagerly started to exploit the flaws in Sony's TPM, which is undoubtedly installed on 100,000's of PCs worldwide. The woes for Sony are not over yet.

On BBC News, Internet professor Michael Geist explains why Sony's rootkit problems have significant long-term implications for the industry (read here). There are the short-term woes, which may have a Perrier-effect on the Sony brand name: "the company also recalled millions of CDs, losing tens of millions in revenue and effectively acknowledging that the CD was a hazardous product. The recall was even bigger than anticipated as Sony disclosed that there were at least 52 affected CDs. Moreover, researchers estimated that the damaging program had infected at least 500,000 computers in 165 countries."
But in the long term, Stewart Baker, the US Department of Homeland Security's assistant secretary of policy, admonished the music industry, reminding them that "it's very important to remember that it's your intellectual property - it's not your computer".


Where does it leave us, humble consumers? We have to suffer from, and crank out money for keeping our systems clean from spam, trojans, viruses, trackers, browser hijacks that moronic companies try to dump on our disks all the time. It's difficult and time-consuming for our own PCs as it is. But having been in Asia for a couple of months again, I couldn't find a single Net café where PCs weren't infected with debilitating browser and info "organizers" that kicked me to idiot and loud bad looking porn sites with ugly obese women proudly showing off oversized tits.
For me personally, it is once bitten, twice shy. As a commenter on Mark Russinovich's weblog puts it: "Way to go, Sony. You've really made me want to legitimately purchase music, now that it includes worse viruses than I'll find on Kazaa".

First of all, I won't buy any Sony product again (the Perrier effect) and that includes their digital cameras. A dig cam has to be connected to your PC regularly, and why shouldn't Sony put a neat little virus in its firmware too? Then, I really got nervous about DRM in general. My Windows Media Player has been long gone since I stumbled on that damned acronym, and moreover, I don't like phone-home players like WMP and Realplayer. Anyways. Winamp is just great, it's free, and it's independent.

Of course, buying a CD, any music CD, is out of the question from now on. If Sony did this crap and tried to get away with it, won't every music label do it, and devise even more wicked schemes to hijack our PCs?

This is not a plea for acquiring copyrighted music the illegal way whatsoever. But if I buy music, I want to buy music, not "bundled" software that takes over or controls my system in any way. Lean music without macros, code, controls, management, that is.
Sony did a great marketing job for P2P. To end, paraphrasing another Groucho Marx quote: "I never forget a brand name, but in Sony's case I'll be glad to make an exception."


Anonymous dof said...

"Of course, buying a CD, any music CD, is out of the question from now on. If Sony did this crap and tried to get away with it, won't every music label do it, and devise even more wicked schemes to hijack our PC's?"

IIRC, Philips has in the past defended their "Digital Audio" logo, and forbidden its use for non-compliant CDs. Only buy CDs with the digital audio logo.

5:43 PM  
Anonymous Anonymous said...

There is one trick to see if your system has been compromised by Sony's rootkit.

One property of the rootkit is that it hides all files beginning with $sys$.

So, if you create, for instance, a folder named $sys$test, and it disappears, then you know your system has been compromised.

10:33 AM  
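The canary check described in the comment above, written as a script. This is an added example, not part of the original post or comments; the function names, the control directory and the simulated filter are assumptions introduced here so the logic can be exercised on a clean machine.

```python
import os
import tempfile
import uuid

PREFIX = "$sys$"  # name prefix the comment says the rootkit hides


def canary_is_hidden(parent, list_dir=os.listdir):
    """Create a $sys$-prefixed directory in `parent` and report whether the
    directory listing omits it. `list_dir` is injectable (an assumption of
    this example) so a filtered enumeration can be simulated."""
    canary = PREFIX + "canary_" + uuid.uuid4().hex[:8]
    control = "control_" + uuid.uuid4().hex[:8]
    os.mkdir(os.path.join(parent, canary))
    os.mkdir(os.path.join(parent, control))
    try:
        listing = set(list_dir(parent))
        # The control directory proves the listing itself is trustworthy:
        # if an ordinary name is missing too, the result means nothing.
        if control not in listing:
            raise RuntimeError("control directory not listed; result unreliable")
        return canary not in listing
    finally:
        # Remove both directories by their full path.
        os.rmdir(os.path.join(parent, canary))
        os.rmdir(os.path.join(parent, control))


def simulated_cloak(parent):
    """Constructed stand-in for a tampered enumeration API: drops $sys$ names."""
    return [n for n in os.listdir(parent) if not n.startswith(PREFIX)]


def check(list_dir=os.listdir):
    """Run the canary test in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return canary_is_hidden(tmp, list_dir)


if __name__ == "__main__":
    print("cloaking detected" if check() else "no $sys$ cloaking observed")
```

A negative result only says that this one prefix is not being filtered from directory listings; it does not show that the system is otherwise clean.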