All Your Bases Are Belong to Sony

This has to be the most shocking story I have ever read. The scale of what it represents, in our new and exciting Media-driven techno-phile society is what I have found frightening. The lack of attention in a lot of the media is also worrying, compared to the ultra-hype coverage of other large virus outbreaks in the past.

The timing of this story breaking is also fortuitous for me as it was a theme I was sort of exploring in my NaNoWriMo novel (excerpts available), where the future Earth is a Media-driven society. Everything is filmed and photographed. New content for consumers is the raison d’etre of almost all industry, including the exploration of space. The directors of the big news agencies have all the power and they wield it.

The background to this story is thus: Sony BMG Music Entertainment have a digital rights management system on some of their Audio CDs. The software is supposed to allow you to make reasonable backups of the audio, to files on your computer or copy those to your MP3 player, even duplicate the disk a couple of times but prevent you knocking off a hundred copies to sell to a few of your closest mates at the Barras.

“Fair enough.” you might say.

Here’s how it does it: You put your shiny new CD into your computer and a pretty interface pops up and shows you images of the star and other bonus content while letting you play the audio on the CD. In the meantime it has installed, without your permission, a piece of software called XCP created by First 4 Internet limited.

XCP installs itself under your system folder in a sub-folder called $sys$filesystem. It adds a key in your registry called HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries which instructs windows to start the file it has copied into the aforementioned folder as a device driver service. When the computer next starts up, this service will load and it will have the following effects: It will attend to the copy protection matters I told you about already. It will also cause any file that begins with $sys$ to be hidden from the operating system, this of course means that the folder the software is installed in can not be seen. It also causes any processes (running programs) who’s names begin with $sys$ from being visible. Lastly it prevents any key in the registry that begins with $sys$ from, you guessed it, being vissible thus obliterating any other indication of it’s presence on the system.

Does this behaviour remind you of any other sorts of program? Of course it does. It’s called a virus. More specifically this is a rootkit – it is a program designed to conceal running processes, files and data and itself to maintain it’s presence in the system and allow further access. Further access? Well of course, anyone infected with XCP is vulnerable to any virus where the author has had the foresight to call his malware $sys$MyVirusEatURAzz.exe. It could happily hide under the cloak XCP provides for it as could any other starting with the simple string $sys$. One virus has already been discovered that does just that.

Luckily for us, someone noticed and complained. My usual response to finding malware is to delete it and remove it from the registry. Following this procedure, however will make matters worse. The software has installed itself as a low level filter on your CD ROM. In short, once you remove it your CD ROM will stop working. Fixing this will require even more digging in the registry and a special program to run the editor as the Local System account. Your average user couldn’t do it.

Sony’s initial response to the discovery: “Most people don’t even know what a rootkit is, so why should they care about it?” (Thomas Hesse, Sony BMG 4/11/2005). A rootkit is a nasty piece of malware that adversely affects their computer. They should care. Their current response is a little more contrite and they provide a patch that removes the cloaking capability of the software. Not the software itself. In a bizarre twist, the uninstaller that was available actually leaves your system with a different severe vulnerability. At time of writing a new uninstaller is not yet available, Sony thank us for our patience and understanding.

And why?

“We placed the technology on certain discs to prevent unlimited copying and unauthorized redistribution of the music on the disc. Content protection technology is an important tool to protect intellectual property rights.” (ref)

They also say that

“Ultimately, the experience of consumers is our primary concern, and our goal is to help bring our artistsí music to as broad an audience as possible. Going forward, we will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music.” (ref)

Which I find striking for two reasons. Firstly, their primary concern is surely either to protect their intellectual property or to improve the experience of consumers. You’ll note that they actually say that consumer experience is their primary concern, not that it is be a good experience. Installing malware on a computer is not a good experience for a consumer, in my humble opinion, and the only other purpose it serves is protection of IP. Secondly, the meeting demands for flexibility bit: I can be very flexible indeed with a plain old bog standard CD, I can play it in anything with a CDROM drive, copy it onto an MP3 player or make a backup copy. What the sentence actually implies is that they will continue to make software with this sort of purpose. “It’s a fair cop, but I’d do it all again gov’nor.”

The covert distribution of this software has been going on for eight months now, and neither Microsoft nor security software vendors like Symantec or McAfee seem to have noticed or done anything about it. Their responses now (Microsoft Symantec McAfee) are all to remove the concealment properties of the software, not to remove it entirely. It is interesting to note that finding anything about it on Microsoft’s website is quite hard, try searching for XCP yourself.

Bruce Schneiner’s article on Wired is a must-read assessment of why these other companys behaved like this, but in short it’s because Sony did it. Rather than, say, a criminal. Pamela Jones also has a worthwhile assessment on Groklaw where she points out that First 4 Internet admitted that they had colaborated with Symantec and others over the rootkit.

Why do I find all of this so frightening and worthy of much more wide-spread examination? Well, my summary goes like this: Corporate Giant Sony deliberately distributes a piece of software which by its very nature is a security threat. They did this without anyone stopping for a second and asking any questions like “Is this ethical?”, “Will this harm our customers?” or “Are there any potentially bad consequences of doing this?”. Or if they did, they decided the answers were all “No.”, which is even worse. Next the companies we rely on to provide security for our computing colaborated with this. Again no one at Symantec, when asked “Will you help us conceal our software?” thought to reply “No, that is the polar opposite of what we are supposed to achieve.”. And why? Because protecting profits (by preventing low-level piracy amongst consumers) is more important than anyone’s computer security or privacy.

It simply strikes me as being quite horribly invasive. The likes of Sony and I shall never see eye-to-eye on matters relating to Digital Rights Management, intellectual property or the fair use of copyrighted materials but the contempt this demonstrates to me for their customers is nothing short of stunning. Not only is the assumption that you are going to pirate their material if you are not watched unwarranted, the measures they take are positively draconian as well as dangerous.

Behavior like this is not only not ok it is surely reprehensible. Suggesting it is OK because people do not know what a rootkit is abominable.

In a world increasingly reliant on computers and a society hooked on the consumption of media, events like these require serious investigation – they have the potential to affect our society very deeply indeed.

2 Replies to “All Your Bases Are Belong to Sony”

  1. Gareth blogged about this too. I’m going to keep a sharp eye out on all CDs I might want to buy to check they’re not made by Sony…

  2. I actually have a large number of links on the subject, with commentary, that I need to post tonight or tomorrow. Keep an eye on my livejournal for them, but the one which I think will crack you up the most is Sony’s copyright infringement. Because the media player bundled with their malware uses open source code. Without, of course, acknowledging such or including any of the legal niceties that using something licenced under the LGPL requires.
    There are already multiple class action lawsuits heading for Sony in California and NY. Copyright infringement will just add the the problems.

    What a mess – and when their CD sales plummet because of this, you know who they’ll blame.