Subject: [NYLXS - HANGOUT] More Sony DRM
Sony DRM is worse than you might think
Comment Active exploits and no help from Sony
By Charlie Demerjian: Thursday 03 November 2005, 09:40
SONY SCREWED UP WITH its rights removal to protect its profit margins
philosophy and there is no way the use of rootkits can be justified.
Caught with its pants down, what did it do? Make things right? Heck no,
it blamed the user, and doesn't do anything more than window dressing to
deflect what are valid criticisms.
If you read the Sony PR spin masquerading as a FAQ here, the tepid
responses it gives are laughable. Number one states that the technology
is used to prevent copying, but that is true for only Windows boxes, so
why the discrimination? It only affects legitimate users. If you want to
copy the music, all you need to do is hold down the shift key when
inserting it and you are free to copy. That or have a non-Windows
To make matters worse, a cursory check of the file trading networks
shows that the Van Zant album is available for download on a whim. The
pirates who don't want to pay will have no trouble getting it, but those
who abide by the law will get punished. Also, if you look at FAQ Number
4 under equipment compatibility, it cuts iPod users out of the mix. Hmm,
Sony only sells Windows based computers, and sells a competitor to the
iPod. Sense a conflict of interest there that you are paying for?
So to Number 2. "How do I know if a Sony/BMG disc is" DRM infected? It
says it is clearly marked on the label, and yup, it's right, it is. I
went over to Best Buy tonight and found it on the label plain and clear.
There was also absolutely no listing of rootkits being forcibly
installed on your PC, and not being uninstallable, however.
There was no warning that you had to play it through their player, or
that it would spit out the disc if you had programs open that it did not
like. If you don't like these terms and rights removals, and you try to
return it, those few places that will take back open recordings tend to
charge a restock fee. In the case of Best Buy tonight, it is 15%, I
asked. I don't think Sony will refund you that money.
Number four tells you to consult the EULA when you want to copy the
disc. Which madhouse did we step into that now means a CD needs a EULA?
I stopped buying CDs so I wouldn't have to give money to rapacious
weasels years ago, and none of the CDs I own have a EULA on them. It is
madness. So, at Best Buy tonight, I tried to consult the EULA before I
bought the Van Zant CD.
It wasn't on the CD package, not on the shelves nearby, and the blue
shirted aisle trolls had no idea what I was talking about. No, they
could not provide me with one, I did ask though. So, if you are dumb
enough to buy a Sony CD, and don't want to rootkit your machine, you
can't find out beforehand, have to agree to a one sided contract that
you can't read before you say yes, and can't get your money back.
Wonderful, thank you Sony.
The last part of the FAQ is Number 6, which claims that its CDs are not
spyware/malware infected. The prefix 'mal-' according to Merriam-Webster
means 1) bad 2) abnormal 3) inadequate. -ware is short for software.
This means malware is defined as bad software.
If you look at the Sony rootkit, it does several things. It strips you
of your rights, it potentially causes your computer harm, it breaks your
computer if you remove it, and eats your CPU time. All of these things
are bad, no question there. It also does the end user no good in any
way, shape or form, not even by the most demented stretch of the
imagination. It only hurts those who spent money to buy it.
It does Sony no good either because the files are rippable on a whim by
anything more intelligent than a half-drunk monkey. So, you have
software that does you flat out harm, and no good for the producer. What
isn't malware about this, and how can Sony claim this? This is the
service pack from hell.
If you want to look at this another way, take a different example.
Imagine that you walked up to a person that you know and said: "Hey
friend, check out this new cool CD I made". He drops it in his computer,
and without his permission, it installs a rootkit on his machine. Good
Say you want to remove the Sony stuff. According to no less a source
than The Washington Post, the bare minimum you have to do to remove the
rootkitted DRM infection is give up your privacy. If you go to the Sony
page, here, you have to give Sony your email at the very least, and
according to the WP story, Sony then grills you about your reasons for
not liking being rootkitted.
So, if you want to remove it, go here and click the link. Don't use
Firefox though, it won't work, it's Internet Explorer only. If you are
concerned enough about security, you probably know enough not to use IE.
Once again, brilliant Sony, just brilliant.
The funniest part is that you don't actually remove the software with
this tool, only make it visible, and you are still infected up and down
with DRM. Should you be lucid enough to realise that you don't want this
crap within a few miles of your system, you have to go through the
grilling process above. Want to make it seem even more surreal? If you
remove the malware and DRM infection, you can't play the CD anymore.
Nope, the money you spent on Sony products is gone. Mal-way or the
If you try to remove it yourself, you risk breaking your optical discs,
or it kills them for you. Mark from Sysinternals is more than smart
enough to figure out how to fix this, but are you? Off the top of your
head, how do you do that again, no looking it up? To make matters worse,
it installs itself so it runs in safe mode, and if it conflicts with
something, you are really hosed. Sony's response? "This component is not
malicious and does not compromise security." There are already exploits
out there that take advantage of this.
Sony compromised your system and will not directly allow you to remove
it without compromising your privacy. It also will not replace your
defective CDs with non-infected ones. If you hose your computer or
network with this infection, and want to play your music, do not pass
go, do not collect $200. Really, it won't help customers who simply
don't want this, read #3 in the FAQ.
Sony is generously working with anti-virus companies on this. Now, this
means to deal with the problem, you have to know it's there, and that's
kind of hard because the malware rootkit that Sony infects you with is
designed to prevent this.
Now, let's just pretend we don't realise that the antivirus
companies themselves are not complicit. If you want to mass-rootkit
people, just ask Symantec beforehand. Look at what Cnet had to say about
it. "The creator of the copy-protection software, a British company
called First 4 Internet, said the cloaking mechanism was not a risk, and
that its team worked closely with big antivirus companies such as
Symantec to ensure that was the case." But there are active exploits
already, as we pointed out earlier.
All this makes you wonder a lot about Microsoft's upcoming security
software, doesn't it?
So, rather than come clean, Sony minimises the problem, blames the user,
and refuses to help you out. If you have CDs infected with this rootkit
and DRM, Sony has to replace them. They are, flat out, a danger to
computing. Don't believe me? Look at that Washington Post article again.
The head of F-Secure says that the Sony malware, when running on Windows
Vista "breaks the operating system spectacularly". Nope, that can't be
right, just ask Sony, because it said so in the FAQ. It won't fix the
problem, they won't let you work around it legally and still listen to
the music you paid for, and won't help you.
As of four hours ago, these things were still on the shelf at Best Buy.
To end on an up note, just think about these two things. What you are
seeing is the light and happy side of rights removing DRM infections.
There is a bill going through congress to remove more of your rights.
Yes, they can't control the analogue hole, and can't legally force you
to bow to them, so they are buying government to change the laws and
accomplish both goals. No good will come to the end user because of
this, but it sure will make a lot of people rich.
More happy news? These merchants are designing the next generation
drives called Blu-Ray with much more DRM built into the hardware. It is
bad enough to make me back the views of Bill Gates on the subject with
absolute open arms. These are scary times people, and if we let Sony get
away with this now, it will only get worse and harder to stop later. µ