Original URL: https://www.theregister.co.uk/2005/11/11/secfocus_sony_analysis/

Sony BMG faces digital-rights siege

Ripped over anti-rip rootkit

By SecurityFocus

Posted in The Channel, 11th November 2005 11:56 GMT

The criticism of music giant Sony BMG Music Entertainment and its surreptitious copy protection software went up an octave this week as attorneys and law firms readied nearly a half dozen legal complaints against the company on behalf of consumers.

Ten days after two security researchers took Sony BMG to task for its invasive copy protection, labeling the software a "rootkit," a digital-rights organization and four law firms are preparing cases against the music giant. Moreover, the company's assertion that its software did not harm users' security was weakened on Thursday when a Trojan horse attempted to take advantage of the code to hide itself on freshly compromised Windows systems that had Sony BMG's technology installed. The events raise the stakes in the battle between content companies and a variety of consumers - from legal users to casual pirates - over how much leeway media companies should have to protect their copyrights. "The issue that has been lurking for a long time is how invasive can content companies be as to monitoring your computer," said Jason Schultz, a staff attorney for the EFF. "I think that Sony has gone too far here and violated the personal property rights of computer users."

The mounting pressure by consumers, security experts and, now, attorneys comes the week after two teams of researchers independently reported that music giant Sony BMG used software hiding techniques more commonly found in rootkits to prevent removal of the company's copy protection software. A rootkit is software that hides its presence on a computer while controlling critical system functions, and security professionals have lately warned that the addition of the technology to a variety of Internet threats - from bots to spyware - makes the malicious code more difficult to find and remove.

Sony BMG's content protection scheme, developed by U.K.-based firm First 4 Internet for the music giant, has apparently been included with thousands of titles. Using Google, a search of Amazon.com for "CONTENT/COPY-PROTECTED CD" - the site's label for music CDs that include the First 4 Internet or similar protections - turns up 32,800 hits. Because of potential duplicates, the number of hits is likely much higher than the total number of titles. Moreover, other copy protection schemes, such as one from SunnComm International, are likely included in the total as well. The Electronic Frontier Foundation has verified at least 19 CD titles that have the Sony BMG copy protection code.

Both antivirus firm F-Secure and security information site SysInternals.com identified the copy protection scheme as a rootkit. F-Secure and other antivirus firms - including Symantec, the owner of SecurityFocus - have released signatures for their antivirus software suites to detect the presence of the Sony BMG code.

Other events in the last week have laid bare to consumers the security implications of having a poorly designed rootkit installed on their systems. Last week, some enterprising hackers in the online game World of Warcraft discovered that the rootkit could be used to hide other programs, including tools designed to help players cheat at the game. On Wednesday, antivirus firms reported that the first Trojan horse to attempt to use the Sony BMG cloaking code started spreading, but bugs in the program prevented it from operating correctly.
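The two preceding points - that a rootkit hides its presence from normal system queries, and that a poorly designed cloaking mechanism will hide anything that matches its rule, including other people's programs - can be made concrete with a cross-view detection check. The block below is an added example written for this page, not code from SecurityFocus, Sony BMG, First 4 Internet or any of the researchers named in the article. It models a file-cloaking filter as a name-prefix rule (the prefix `$demo$` is a constructed assumption for this example, not the real software's rule) and detects cloaked entries by comparing the filtered "API view" of a directory against a raw enumeration: anything the raw view contains that the API view omits is hidden, whoever put it there.

```python
"""Cross-view detection of file cloaking (added example; not from the original article).

A cloaking filter sits between user-mode programs and the file system and drops
entries that match its rule. A detector that enumerates the same directory through
a second, unfiltered path and diffs the two listings sees exactly what the filter
removed. The same diff also exposes third-party files that merely match the rule,
which is the "hide other programs" problem described in the article.
"""
import os
import tempfile

# Assumption for this demo: the cloak hides any name starting with this prefix.
# This value is constructed for the example; the article does not state the real rule.
CLOAK_PREFIX = "$demo$"


def raw_listing(path):
    """Unfiltered enumeration: stands in for reading the directory without the filter."""
    return sorted(os.listdir(path))


def cloaked_api_listing(path):
    """Model of what a program sees through the cloaking filter: matching names vanish."""
    return [name for name in raw_listing(path) if not name.startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Return entries present in the raw view but missing from the API view: the cloaked set."""
    return sorted(set(raw_view) - set(api_view))


def build_demo_dir(root):
    """Create constructed sample files: two ordinary, one 'protection' file, one third-party tool."""
    names = [
        "readme.txt",                  # ordinary file, visible in both views
        "track01.wma",                 # ordinary file, visible in both views
        "$demo$protect.sys",           # the cloaking software's own file (constructed name)
        "$demo$thirdparty_tool.exe",   # unrelated program that merely adopted the prefix
    ]
    for name in names:
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("sample\n")
    return names


def run_demo():
    """Build the sample directory, take both views, and return the cloaked entries."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_dir(root)
        api_view = cloaked_api_listing(root)
        raw_view = raw_listing(root)
        return cross_view_diff(api_view, raw_view)


if __name__ == "__main__":
    for hidden in run_demo():
        print("cloaked entry:", hidden)
```

The detector never needs to know the cloaking rule; it only needs a second enumeration path the filter does not intercept, which is why a difference between two views of the same directory is a reliable signal regardless of which prefix, or which vendor, is doing the hiding. On a clean directory the diff is empty.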

"It is the first malware to use the Sony rootkit," said Mikko Hyppönen, chief research officer for F-Secure. "It won't be the last." Sony BMG released a limited statement on its site a week ago and also posted a patch that Windows users can run using Internet Explorer to remove the copy-protection software from their system. However, at least one security researcher found that following the uninstall process was onerous, requiring multiple e-mails to Sony BMG to remove the software.

"The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution," Sony BMG said in a statement posted on its site last week. "It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system."

Neither Sony BMG nor First 4 Internet have responded to multiple requests for comment from SecurityFocus.

Consumer advocates and attorneys have rushed to disagree with Sony BMG's portrayal of the program and its effect on computer systems. Firing the first shot the day after initial accounts of the aggressive copy-protection program were published, attorney Alan Himmelfarb filed a class action lawsuit against Sony in Los Angeles County Superior Court for three violations of consumer and business codes.

"Once installed on the system, the rootkit hides itself by cloaking all associated files, labeling certain operational files with misleading names, and assumes a continuous resource-depleting - and copy prevention - monitoring of the computer system in perpetuity," the complaint stated. "The rootkit program cannot be uninstalled without damage to the system." On November 4, the legal battle spread to the international arena. The Italian digital rights group Associazione per la Libertà nella Comunicazione Elettronica Interattiva (ALCEI) filed a criminal complaint with that nation's Economic and Financial Police Division to investigate whether Italy's consumers were affected by the Sony BMG cloaking technology and, if so, whether the company, and any other music company, violated national laws and should be prosecuted.

"Sony has, of course, the right to protect its own assets, but in our opinion, this right cannot be stretched up to the point of using measures that damage someone else's goods," Andrea Monti, chairman of ALCEI, said in an e-mail interview with SecurityFocus.

According to Monti, the criminal complaint could lead to prosecution of the person or company responsible for the rootkit included on Sony BMG's CDs. Italy's copyright laws, however, have been amended several times since passing in 1941 to favor the entertainment and software industries, he said.

At least three other firms are preparing class-action lawsuits as well. New York attorney Scott Kamber is preparing a case against Sony BMG on behalf of multiple clients. San Francisco-based law firm Green Welling will be filing a lawsuit against Sony to recover damages caused to consumers by the media giant's copy protection scheme, said Robert Green, a partner with the firm. A number of people have contacted the firm after the Sony BMG software, or their attempts to remove the software, damaged their systems, Green said.

In addition, Chicago-based law firm Cirignani Heller Harman & Lynch will be filing a class-action lawsuit, said Ethan Preston, an attorney working with CHHL. "Taking my lawyer hat off and putting my consumer hat on, it is deeply unfortunate that such a large and hithertofore respected corporation would do this and make it so difficult for their users," Preston said. "To make installing this program akin to a strip search when you are checking out of the county jail - it shows there is a deep rift between these media giants and their consumers."

Consumers and their attorneys are not the only ones miffed at Sony BMG's tactics. One label distributed by the media giant, ATO Records, said its artists and customers have complained about the surreptitious software installation and stressed that it never agreed that the media giant could put copy protection on its CDs. Currently, the company is not considering legal action, said a spokesperson, who asked not to be named.

"Our artists and our customers are pretty upset, but we are in talks with Sony BMG about this issue," the spokesperson said. "We are not pursuing any legal avenues yet."

For Mark Russinovich, chief software architect for Winternals Software and one of the original discoverers of the Sony BMG rootkit, the code is taking copy protection to an unpalatable extreme. Russinovich firmly labels the technology a rootkit and spyware, not least because Sony BMG has placed high hurdles in the way of any consumer who wants to uninstall the program. The copy-protection software cannot be uninstalled under Windows XP except by contacting Sony BMG through a special Web site, receiving a special code and sacrificing some privacy, Russinovich said.

The security researcher is not the only one who believes that Sony's copy protection weakens system security. The emergence of a Trojan horse that attempts to hide itself using the software has at least one antivirus firm - U.K.-based Sophos - offering to disable the protection mechanism, an action that could violate the Digital Millennium Copyright Act (DMCA). Sophos believes that offering the tool is about protecting customers, said Graham Cluley, senior technology consultant for the firm.

"I appreciate that Sony had good intentions - we want people to pay for content as well, but we are also against introducing vulnerabilities into people's systems," he said. "I would hope that Sony would be pleased that we are helping them fix their software. And I would hope that, in the future, Sony would want to provide software that does not have a back door in it."

Such anti-rootkit tools raise the question of whether removing the software, even if one can prove it weakens system security, is legal under the controversial DMCA, EFF's Schultz said. The DMCA protects digital-rights management software from attackers, but also from people who seek to use the content in a historically fair-use context. The DMCA, passed in 1998, makes it illegal for anyone to "circumvent a technological measure that effectively controls access to a work protected under" the law. Whether protecting copyrights trumps protecting a user's system will likely be tested in the coming court battles, Schultz said.

The court cases will also likely focus on Sony BMG's end-user license agreement, which briefly mentions the installation of "a small proprietary software program." Software EULAs have gained notoriety as long legal notices that consumers never read, so the current case may be a good test of whether they are a legitimate contract between the consumer and the software maker, Schultz said.

"Their whole defense to this practice relies on the end user license agreement," he said. "They have set this up so that when someone puts the CD in their drive, this 3,000-word license agreement pops up. Can people give consent in that way to such an invasive practice?"

The flurry of lawsuits and complaints suggests that, for consumers and security experts, the answer is a resounding "no."

Copyright © 2005, SecurityFocus