The Sad Saga of Sony BMG

November 18th, 2005

Everywhere you look on the Web these days, you will no doubt find the words “Sony,” “copy-protection,” and “rootkit” floating around–but what is all the babble about? Malicious corporate Digital Rights Management bullshit, in a few choice words. Bullshit that may very well have affected you without your knowing.

Perhaps within the last month or two you’ve bought a new CD by…Celine Dion, let’s say (we’ll leave the question of why in hell you’d ever buy a Celine Dion CD in the first place for another day), on the Sony BMG label. You may or may not have noticed printed on the CD’s spine the words “Content Protected” and a few little graphics. Big deal, right? Even if you noticed it–you are, after all, a Smart Consumer wise enough to keep your eyes peeled for these things–you may have thought: “Oh, well, just another anti-CD-copying scheme that can be defeated by drawing on the CD with a Sharpie.” But then, when you inserted the CD into your Windows machine in order to rip the tracks that you legally bought having purchased the CD so you can copy them onto your iPod or just add them to your iTunes library for convenient listening, a little autorunning window perhaps popped up asking you to install certain software in order to listen to your CD. If that happened, and you stupidly clicked YES, you’ve been infected by Sony’s “XCP” rootkit - which isn’t a copy-protection scheme so much as it is a malicious piece of software “intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge”.

OK…maybe it didn’t work that way. Maybe you just heard about the hub-bub and realized, “Oh, shit - I own a Sony computer! Maybe they just installed that crap on their by default!” like I did. Well, there are a few simple commands you can use to determine whether you’re infected. (Fortunately, I was not: Sony computers are manufactured by a completely different wing of the megaconglomerate, completely unrelated to Sony BMG.)

So….What do you do if you are infected? A quick Google search will show that Sony has caved to negative pressure and is offering an uninstaller for download. DON’T EVEN THINK OF USING IT. Sony’s online uninstaller leaves you vulnerable to even greater security holes than those of the damned rootkit itself.

Now here does that leave you? In a word: fucked. As of 18 Nov 2005, Sony has yet to offer its many, many, many dissatisfied customers any kind of safe, reliable recourse for removing their rootkit. The best you can do is sit and wait for them to act before some trojan-writer decides to release his/her-own little fourth-party piece of software to take advantage of it. It’s only a matter of time.

Oh, and Mac people? Don’t give me your smug, Steve-Jobs-fellating “Macs are better than Windows” schitck. You’re at risk, too. Fortunately, you can reassure yourself that it will be a lot harder to infect your machines - but that only makes sense, considering that OS X is a more secure OS, by default.

Nonetheless, if you are NOT infected, then your only option is to avoid being infected in the first place! First of all, it would only make sense for you not to buy ANY CDs bearing the Sony BMG label, period. But, if you must, for some reason, buy a CD from the Sony BMG label, at least make sure it isn’t any of the CDs listed here. (Be aware that a number of Sony CDs are also infected with DRM software produced by SunComm, which is somewhat different than the XCP rootkit, but still Bad Business.) I strongly suggest boycotting any and all Sony BMG offerings, however, as any company as contemptuous of your consumer rights as Sony Music is does not deserve a penny of your hard-earned money.

It’s also a smart idea to turn off Windows’ stupid autorun feature, Just In Case. For those of you who don’t know, autorun is a feature of Windows that automatically starts certain programs on CDs when they are inserted into your CD/DVD drive. You’ve almost certainly encountered autorun programs when inserting driver or software installation CDs into your drive. Shutting off autorun will not leave those installation CDs unusable: you’ll just have to navigate to the appropriate drive via Windows Explorer and doubleclick “Setup.exe” or whatever in order to launch the installation routines. It’s the only way to be sure a malicious software package hiding in the depths of an audio CD doesn’t automatically install itself on your hard-drive.

And finally, if you want the full scoop on the whole Sony XCP rootkit fiasco, Buce Schneier has an excellent summation of the Whole Story.

By Derek C. F. Pegritz on November 18th, 2005 | Scategory: Computer Nerdery, Open Culture |