The entertainment giant Sony Corporation came under fire a couple of weeks ago with accusations that it put secretive software onto its music CDs. Anyone who has purchased a CD printed by Sony in the last several months has probably encountered DRM, or digital rights management.
DRM is a security scheme that prevents people from ripping a CD as MP3s and burning them to blank CDs. There has been plenty of debate about DRM and purchasers’ rights, because copying for personal use is usually considered legal under fair use laws. Until recently, the technology had been rather harmless and easy enough to work around.
Then Sony changed its DRM strategy, using a technology called XCP, or extended copy protection. The only way for Windows users to listen to CDs with XCP on their computer is by using Sony’s built-in audio program.
On October 31, Mark Russinovich, an antivirus software programmer and a writer for the computer security blog Sysinternals.com <http://sysinternals.com/>, made a discovery. He found that XCP albums installed a rootkit on the user’s computer. A rootkit is a technique often used by spyware creators to hide their programs from view. It runs invisibly in the operating system unless software dedicated to finding rootkits is used to search for it. Russinovich also discovered that the company that wrote Sony’s rootkit, First 4 Internet, had programmed it sloppily, and that it could leave the computer vulnerable to viruses. Since then, at least two viruses have been discovered that attempt to take advantage of the rootkit’s vulnerabilities.
At the time of press, Sony was facing at least three different lawsuits and was being investigated by several government agencies from Europe and from the United States. Sony’s claim is that its End User Licensing Agreement (EULA) warned users about the extra software installed, so it cannot be held responsible for any problems. Sony says that only about 20 albums use the XCP technology, but the ramifications of this scandal extend beyond the direct consequences of those few albums.
I’m not exactly an avid fan of Celine Dion or Ricky Martin, two of the artists with XCP albums. The only listed album I own is Switchfoot’s Nothing is Sound, and my copy is a DualDisc, not the infected CD version of the album. I also have a Mac, so I would be spared the brunt of the problems from XCP. But this incident goes to show how vulnerable the Windows operating system is to programs that want to manipulate it. The user is not warned, other than in a small blurb in the long EULA, that extra files are being put onto their system. In this case, Sony was only trying to protect its music. But what if someone wrote a similar program to record your actions on the internet and look for your credit card number?
Another issue is the EULA. Most people see a licensing agreement come onto their screen, and they automatically choose to agree to it. The agreements are usually long and written in legal language. If it seems like a trustworthy source – a big corporation like Sony, for example – most people do not think twice about the conditions of the license. The Sony scandal challenges our notion of a trusted source, which is worrisome because it could lead to a point where computer users need to consult a lawyer before installing software.
Finally, Mac users will not be exempt from this problem for much longer. Apple’s next-generation computers are going to come with Intel chips, which are the same ones used in Windows computers. The Mac operating system will have to be rewritten to run on the new chips. This may make the operating system vulnerable in the same way as Windows is now.
On the bright side, this situation has opened the eyes of computer users and programmers to the weaknesses of Windows’ security. Fortunately, First 4 Internet’s program was badly written, but not malicious. Now that people are aware of the problem, steps can be taken to prevent more dangerous code, such as viruses and spyware, from exploiting those weaknesses.
For the complete story and updates on the rootkit story, see Mark Russinovich’s blog at: www.sysinternals.com/Blog
For a listing of Sony’s CDs with XCP, see the Electronic Frontier Foundation’s website: www.eff.org/news/archives/2005_11.php#004146