Sony-baloney
Scott Granneman, 2005-11-22

The big story the last few weeks has been the Sony BMG rootkit and in fact, it's the kind of story for which columnists drool: a big company does something unbelievably dumb that violates basic security principles. If you don't know what I'm talking about (and if you really don't, I'm amazed - you need to follow the news more!), you can read excellent coverage on SecurityFocus, plus a good write-up on Wired, or catch up with a timeline of events brought to you by Boing Boing (parts one, two and three).

Point-by-Point 2005-11-22
Matthew Murphy
#1-3: Banning CDs will eventually happen -- businesses started to ban floppies in the day of boot sector viruses. If the CD's capacity to introduce malicious code becomes better-known, we may well see an outright ban on CDs.

However, the technically-versed among us will note that the rootkit only installed if the user had autoplay enabled *AND* was logged in interactively as an admin.

#4/5: I would hope not very many. Any corporate/gov network that still runs its everyday users as admins is asking for it. Seriously.

#6: (Hopefully successful) lawsuits. It's probable that the courts will force them to cough up a pretty penny, particularly given the poorly-written EULA.

#7: I'd bet money there would be complaints leveled about such behavior from an adversary, and probably some sort of economic or other action.

#8: The evidence in the news reports seems to suggest that the control was actually authored by First4Internet, the same people who wrote the original DRM software.

#9: No reports as yet, but I'm sure it will be only a matter of time before the buggy uninstaller (or perhaps even vulnerabilities in the rootkit) are exploited.

#10: They appear to have a standalone uninstaller now available that has no "patch" component, and no requirement for a system-specific download link.

#11: It does appear that the new uninstaller is safe from a security point-of-view. Further, the new uninstaller removes the previous buggy ActiveX control.

#12: Only time will tell.

#13: It's obvious that there were missed opportunities somewhere at Sony. One of two things went down: Sony failed to research the specifics of the product it was licensing, or Sony failed to comprehend the ramifications of the software's impact.

I suspect that it was a little bit of both. Sony probably didn't hear about the ridiculous bugginess of the software they were licensing, or that its code could be subverted by viruses. Similarly, Sony probably failed to understand that what the software was doing was invasive.

The lack of attention paid to the rootkit component in the EULA demonstrates a certain degree of ignorance on Sony's part to the potential impact of the code. I suspect Sony heard a story that made this code sound a lot nicer than it was.

It's obvious that neither Sony nor F4I understood how powerful this software was, though there's no telling now who was the first offender or the worst.

#14: As I said before, it appears Sony really didn't get the full story on how invasive this technology really was. This is the danger of outsourcing something as sensitive as copy-protection: sometimes you get a product that is effective, yet dangerous in other areas. In F4I's case, you got the latter, but not the former.

#15: No idea *who* made the decision, but I can tell you what it was motivated by: the breakability of SunnComm's MediaMax. MediaMax could be disabled simply by stopping a service. The irony? XCP could be disabled the exact same way. It offers next-to-zero protection above that offered by MediaMax. And, bottom line: they both offer negligible protection, even when fully deployed.

#16: I suspect that there were a whole group of people involved in the decision to implement XCP. I imagine these are the same people who made the decision to implement MediaMax. Sony would never tell us with lawsuits pending about whether or not these people have faced sanctions, though. So, I suspect we'll never know this until the legal dust has settled on this case.

#17: For love of God I hope someone has! Even if not his own subordinates, I hope someone really let him have it for that. I can't imagine the look on the face of the NPR folk when they heard that gem. It really goes to show the lack of investment Sony had in figuring out what this software did: the ignorant relying on ignorance. Surprise, surprise.

#18: I'm not a fortune teller.

#19: A Google search for legal actions specifically being taken against F4I proves fruitless. It appears that most all of the legal hoopla involves Sony's *distribution* of the malware, rather than F4I's production of it.

#20: None of the XCP developers do. That much is obvious.

#21: Given the repeated mistakes that F4I made (including an insecure uninstaller for an insecure product), I'd venture to say that the decision-makers at F4I don't have either clue or care.

#22: Microsoft and a lot of the other AV vendors. Granted, Microsoft's delay was particularly lengthy. This is accounted for by two facts: Redmond's general lack of speed on security matters, and its huge investment in DRM.

Indeed, the PC-compatible portion of these disks used the Windows Media Audio (WMA) format for audio storage. Microsoft ends up a huge winner if WMA remains the predominant format for DRM'ed music, so they don't want to necessarily rock the boat. That said, their decision to wait until the consequences of not blocking it were staring them in the face was probably a bad one.

#23-26: Microsoft did not appear to be aware of the rootkit. The spin-up of Redmond's bureaucratic wheels is evident from reading the blogs of the MSRC and the Anti-Malware team.

F-Secure seems to be the only AV company that had any kind of a lead on this (because of field reports from users of its BlackLight product), and they published early after Russinovich's disclosure. The loopholes in the rootkit had more than likely not been fully analyzed.

#27: Yes. There is a fantastic amount of evidence indicating that Sony's code violates not only LGPL but GPL as well. As for whether it would hold up in court, no idea.

Symbols, procedure components, and other pieces of what are believed to be LGPL/GPL code are CLEARLY visible in the media player that Sony ships with its crap. I'd therefore set the odds at about 10000 to 1 that Sony is in violation of one or both licenses.

#28: XCP-infected CDs have been recalled by Sony, though you'll never hear them say "recall". As a result, the only party guilty of an *ONGOING* GPL violation would be F4I. I've heard no comment from F4I "addressing" this license violation in any form. They seem to be playing dumb and pretending it doesn't exist.

#29: Sony BMG is supposedly starting a program to notify customers who registered their purchases online. That would only permit them an exchange, not a refund, to my knowledge. I haven't heard of any other retailers offering programs equivalent to Amazon's. For a place that gets knocked routinely for its service, Amazon did a good job on this one.

#30: I believe that this debacle will send a really strong signal to other labels (i.e., EMI) that use aggressive copy-protection to be more careful and more obvious about their software's actions. If nothing else, the Sony BMG case should establish (and hopefully codify) the precedent that the user's computer is not a playground for your software, no matter what its "purpose" is.

#31/32: Congress is at least generally aware of the issues in DRM'ed media. HR 1201 (the "Digital Media Consumer Rights Act") proposed in March attempts to rectify some of them. In particular, DMCRA would remove limits from Title XVII, Section 1201 (the anti-circumvention clause of DMCA) as well as requiring labels on copy-protected discs. I personally will be supporting both components of the bill. There is also evidence from recent congressional hearings that members of Congress believe current copy-protection to violate fair use. One can assume that the Sony rootkit could only serve as an impetus for consumer-rights efforts already underway.

#33: Pretty sad, but definitely very strange. The funnier thing was that early copy-protected Sony titles wouldn't play on Sony's *OWN* media players -- only those of competitors -- because the protected audio wasn't in Sony's ATRAC format.

#34: Couldn't tell you. I'm not sure they even understand the ramifications their choices have had as yet.

#35: I won't. That said, there are plenty of enraged customers who feel no obligation to respect the property rights of a label that screws up their property (their computers). Ultimately, the number of file sharers created by this will depend on how many people value helping artists over spiteful behavior toward the labels marketing them.

#36: It certainly offers those who do use file sharing a justification. When they can't use the music they buy, what reason do they have to buy it?

#37: Apparently not, because they continue marketing CDs with SunnComm's protection on them, in spite of the fact that they are also a subject of the EFF lawsuit.

#38: MP3s cannot be copy-protected and still be legal MP3. As for the quality, Sony advertises them as "equivalent" to CDs, meaning that they will probably be at 128kbps.

#39: Quite a few. EFF has sued Sony over SunnComm's jokeware as well as XCP, claiming that both are deceptive, invasive and risk damaging user PCs.

#40: With XCP being out of circulation, Sony should really concentrate on the problems with its MediaMax EULA (raised by EFF). I'd imagine that this EULA has a "right to alter" clause that would permit Sony to further inform users about the functionality of its CDs without invalidating previous EULAs or opening themselves up to additional legal problems WRT MediaMax.

#41/42: That's difficult to get a picture of, because CD sales are already dropping. Some consumers won't buy a "protected" CD, while others will simply associate Sony's name with this incident. Particularly if the lawsuits against Sony are decided in favor of the complainants, Sony will have a widespread reputation as an arrogant corporation without regard for consumer rights. That will *REALLY* hurt sales.

#43: More than likely. Sony's decision *NOT* to withdraw MediaMax in spite of claiming to be "re-evaluating its strategy" shows that it will most likely continue to use some form of DRM/copy protection. Even when Sony suspended sales of the XCP'ed CDs, they stood by their "right" to "protect" the music. They aren't going to change this, in all likelihood, as a result of the XCP mess.

#44: A good portion of it, it already has.

a) Recall (Already taking place)

b) Remove Statement Calling XCP "Non-Malicious" (Done)

c) "Widely publicize" risks (Done for XCP, highly unlikely for MediaMax)

d)

1) Waive DMCA rights to MediaMax/XCP (done, in response to EFF request)

2) Offer anti-virus companies tools to remove them (done for XCP, again unlikely for MediaMax)

e) Refund/Replace "Protected" CDs (Sony allows replacement, even for MediaMax, but not refund, to my knowledge -- HR 1201 would require that)

f) Compensate damaged customers (horribly unlikely, without a legal ruling against it)

g) Thoroughly test future DRM (surely they will after this -- though their *UNDERSTANDING* of the functionality and its impacts is what's important)

h) Letter certifying lack of cloaking software (unlikely to formally happen, though future Sony CDs may well include a statement about the XCP mess).

#45: I am leaning toward the latter. Sony's refusal to abandon the horribly flawed DRM on the basis that offers no real protection is not encouraging. It is more likely that Sony will simply try to make future copy-protection more targeted.

#46: The big one here is EMI. If they are smart, they will at least learn from it that the insertion of your CD is not a license to springboard your software into the user's system and permanently bury it there.

#47: I think the people who would switch OSes over this are the types that generally can't stand Microsoft's DRM, and as a result, aren't using Windows as is. Most Windows users recognize the way to avoid this scumware: run as a non-admin or disable autoplay.

#48: Unfortunately, Microsoft's market monopoly means most of us will just take it on the chin. One of the flaws with a market that protects intellectual property as well as the United States is that users cannot expect competition in every sphere without software authors willingly giving up some of their property rights. This is disappointing, but most users will have to deal with it.

#49: NO! Anti-spyware laws in several states, for instance, prohibit preventing a user from uninstalling software. Sony's rootkit attempts that. This is precisely the basis of the suits against it.

Further, if a business model needs that level of protection as a matter of survivability, the enforcement for property rights violations is far too weak and needs to be stepped up. Sony doesn't need that level of protection -- it is merely a convenience to them.

Last thing to note is perhaps the biggest irony of it all: XCP really doesn't *PROTECT* anything. If you stick it into a Windows PC that has autorun disabled, hold the shift key while the disk is being inserted and scanned, or insert it while not logged on, you are home free on the copy protection front. You can then rip away with any of various programs (Sony BMG-distributed Switchfoot recommend CDex) and have wholly unprotected copies of your music.

So, in essence, Sony was willing to do this all for, at best, marginal protection. Shows how much emphasis they place on the gullibil... rights of the customer.


Link to this comment: http://www.securityfocus.com/comments/columns/370/32718#32718
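The comment above names the two preconditions under which XCP got onto a machine at all: AutoRun enabled for the CD, and an interactive session with administrator rights. The following PowerShell is an added example (not part of the column or of the comment, and not Sony or First4Internet code) that checks both from the defender's side on the local machine. The registry path and the bit layout of the NoDriveTypeAutoRun policy value are the documented Windows settings; the function names and the output wording are this example's own.

```powershell
# Added example: audit the two preconditions for an autorun-delivered install
# (CD-ROM AutoRun enabled, interactive user is a local administrator).
# Assumptions: Windows with PowerShell; function names are illustrative.

function Test-IsLocalAdmin {
    # True when the current token is a member of the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NoDriveTypeAutoRun {
    # Reads the documented policy value from both hives; a domain GPO writes HKLM,
    # a per-user setting lives in HKCU. Returns one object per hive where it exists.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            [pscustomobject]@{ Hive = $p.Split(':')[0]; Value = [int]$v.NoDriveTypeAutoRun }
        }
    }
}

# NoDriveTypeAutoRun is a bitmask indexed by drive type: bit 0x20 is DRIVE_CDROM.
# A set bit disables AutoRun for that drive type; 0xFF disables it for all types.
$CdRomBit = 0x20

$settings = @(Get-NoDriveTypeAutoRun)
if ($settings.Count -eq 0) {
    Write-Output 'NoDriveTypeAutoRun is not set in either hive: CD-ROM AutoRun follows the Windows default (enabled).'
} else {
    foreach ($s in $settings) {
        $disabled = ($s.Value -band $CdRomBit) -ne 0
        $state = if ($disabled) { 'disabled' } else { 'ENABLED' }
        Write-Output ('{0}: NoDriveTypeAutoRun=0x{1:X2} -> CD-ROM AutoRun {2}' -f $s.Hive, $s.Value, $state)
    }
}

if (Test-IsLocalAdmin) {
    Write-Output 'Interactive session is a local administrator: an autorun payload could install a kernel driver.'
} else {
    Write-Output 'Interactive session is not an administrator: a driver install from AutoRun would fail.'
}
```

Run it in the interactive session you want to assess, since both checks are about that session's token and that user's hive. Remediation is the documented policy: set NoDriveTypeAutoRun to 0xFF (all drive types) in HKLM so it applies machine-wide, and keep everyday accounts out of the local Administrators group, which is the same pair of mitigations the comment above arrives at.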
Copyright 2009, SecurityFocus