Feeds

On the Beastie Boys 'virus' CD

Does not attempt world domination

  • alert
  • submit to reddit

SANS - Survey on application security programs

Review Widely-circulated claims that the Beastie Boys' new album To the 5 Boroughs exhibits virus-like copy-control behaviour are unfounded, according to tests. EMI's statement regarding these claims, however, is incorrect, since the album does install software if played on a Windows PC. The tests also show that the copy control system on the disc is so weak that Mac and Linux users won't even realize it's there. That's fine with us, say sources in the recording industry.

The allegations of virus-like behavior have been rampant because the US and UK versions of the Beastie Boys' album are not copy-controlled, so many users were unable to verify them first-hand and simply spread the rumour. I contacted EMI in Italy, where the record is protected by Macrovision's CDS 200. The company kindly sent a sample of the copy-controlled version of the album, which was tested under MacOS X, Windows XP and Linux.

The disc contains a data session and an audio session. It's not a CD, as it doesn't carry the Philips "Compact Disc" logo. The data session includes 128-kbps compressed versions of the tracks of the audio session, a custom player (player.exe) and some DLL files.

When inserted in a plain-vanilla Windows XP system, the file autorun.inf is run automatically, launching the player. The first time the player runs, a warning is displayed, stating that "a number of files need to be updated on your PC". Some files, including the DLLs, are then installed, as logged in the install.log file, which is also written to disk in the root directory.

This essentially contradicts EMI's initial statement that "CDS-200 does not install software applications of ANY KIND on a user's PC". However, one might argue that DLLs are not "applications", so perhaps EMI is left with some wiggle room.

In any case, this is clearly not virus-like behaviour. The user is warned, albeit tersely, that something will be installed. An uninstaller is also provided, in the form of the uninstallplayer.exe program on the disc. The record sleeve also bears a "Copy Controlled" logo and microscopic warnings, which may baffle non-English-speaking buyers.

The installed software, moreover, does not cripple the PC in any way, apart from raising CPU usage to a steady 100 per cent during disc playback (overclockers beware). The audio session of the disc can be accessed and played by simply pressing the Shift key during disc insertion or by using Microsoft's TweakUI or similar utilities to disable the Windows Autorun function. CD burning is not impaired in any way.

From a computer-security standpoint, the copy-control system would seem to be extremely ineffective. Nero 5.5 and a standard DVD/CD burner had no trouble ripping the audio tracks and burning a copy of the disc, which played without audible errors both on a Windows PC and on available home and car stereos. All the user needs to do is select the audio session for ripping after overriding the Autorun function, which is probably already disabled by most security-conscious users.

Life is even easier for Mac and Linux users. When inserted in a Mac OS X system, the disc simply plays in iTunes. No DRM warnings is displayed and no software is installed, and iTunes imports the tracks perfectly. On a Linux system (Mandrake 10.0 was used for the test), the user can simply choose between playing the audio session and browsing the data session. CD burning programs for Linux, such as k3b, are able to burn a copy of the audio tracks without errors. Essentially, the only way a Linux or Mac user will notice that the record is copy-controlled is by reading the warning on the sleeve.

When asked why they even bother with such an apparently ineffective copy control scheme, sources within EMI Italy had an interesting comment to make. Sure, it's weak DRM, but it's still good enough to make a difference, they claim. The reason is that most Windows users are not computer-savvy enough to know the Shift-to-kill-Autorun trick, so a significant number of buyers will not be able to copy the disc. Mac and Linux users are so few that they are essentially irrelevant.

The current copy control system, in other words, is not intended to block all copying, but simply to stop the average computer user from ripping the Beastie Boys for his friends. It will prevent only a few thousand illegal copies and do nothing against organized piracy, but that's all it takes, the EMI source claimed. Sales are now so low in some countries (Italian families, for example, buy less than two legitimate CDs per year, according to recording industry figures) that just a few thousand more copies sold thanks to weak copy control can carry an album to the top of the charts and spare a record company from having to fire employees.

© Paolo Attivissimo - www.attivissimo.net

Related stories

Beastie Boys claim no virus on crippled CD
Beastie Boys CD installs virus

3 Big data security analytics techniques

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.