I’m proud to announce a significant victory in the ongoing Sony Digital Rights Management (DRM) saga; Sony has capitulated almost entirely. While not publicly admitting blame for distributing a rootkit, providing no uninstaller for the DRM software, implementing a music player that sends information to Sony’s site, and supplying a remotely exploitable ActiveX control for the on-line uninstall they eventually made available, all without any disclosure to users, they have come close.
Sony BMG’s site now includes a prominent link on its front page, “INFORMATION ON XCP CONTENT PROTECTION,” that takes visitors to a page with a statement from Sony that declares its concern over the security issues raised by its software. The first paragraph points out that Sony licensed the software from First 4 Internet, which while true, does not hold Sony any less responsible for its use of the software or the contents of the End User License Agreement (EULA).
The paragraph continues by saying that Sony will offer consumers who purchased the spyware-laden CDs unprotected versions, that they are suspending production of the rootkit-based CDs and that they are recalling existing stock from store shelves, which they’ve said elsewhere comes to around 2 million units. Furthermore, Sony has finally withdrawn the spyware-like uninstall-request process, which included the download of an ActiveX control that has proven to be its own security risk, and promises the imminent release of a stand-alone uninstaller. Note that because the same control is also used in the update patch, I strongly recommend that you do not apply the patch to disable the cloaking, but instead follow the manual steps I've outlined to disable the rootkit and wait for Sony to address the flaws.
Why did I qualify my statement regarding their response? Two reasons: first, as I’ve stated, they don’t admit wrongdoing, only that the software was a security concern. Second, there’s no statement on Sony’s site or their press releases regarding future policy. They go as far as saying that they “will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music”, but say nothing about their stance on rootkits or disclosure during software installation.
Speaking of disclosure, I hope this story isn’t over. Attention now needs to turn to the broader issues that go beyond DRM to software in general. They include acceptable behavior of commercial software, from both legal and ethical standpoints, and appropriate disclosure of software behavior. We’ve been living in a world of hazy laws surrounding EULAs and ideally this case will lead to more clearly defined laws and standard judicial principles.
There are several pending class action lawsuits, likely more to come, and it’s my expectation that a U.S. government agency will eventually announce a formal investigation. The Federal Trade Commission is the one most likely to take up the case and if so, some of its recent actions against spyware vendors may have set promising precedents.
Of course, this first victory would not have happened without your participation in bringing the story to the attention of the media both in this blog and in other publications. I congratulate everyone that voiced their concern over the trend Sony’s software portended and I encourage you to continue to fight for a long-lasting resolution on the issue of software installation and disclosure.
Thank you for finding this problem. Without your great detective work, the general public would probably not know about the rootkit. Given enough time, Sony may have pushed this software to all of its CDs, and other publishing companies would have followed suit with other similar programs. Hopefully this general outcry will help to prevent that from happening.
11/16/2005 8:00:00 AM by Tartarus612
I think your first link about Sony's capitulation is incorrect. It's about virus creators, but not specifically about Sony ;)
11/16/2005 8:31:00 AM by Ytram
It was particularly relevant, I felt, that Sony have now confessed that 50 titles are affected and not the 20 they have been claiming for a while now. I don't believe for a minute that they didn't know how many titles were affected.
The word deceitful springs to mind.
11/16/2005 8:39:00 AM by kenny
Mark, why don't you get together with Kaminsky at doxpara.com and send all of your data to the FBI. A criminal investigation is the only way to get these people to take what they did seriously. Otherwise they'll just wait and try to sweep it under the carpet.
11/16/2005 8:48:00 AM by Captain555
SONY claims on their website that they have contacted their retailers and requested that they pull the copy-protected CDs. Well... AMAZON.com can't be real hard to get a hold of, and the current Neil Diamond CD is still available.
Complete with XCP for your enjoyment.
11/16/2005 8:51:00 AM by JTOR1138
First, it is wrong for Sony to continue to hide security features from consumers.
Second, people ARE stealing in vast quantities from Sony BMG.
Intellectual property rights will NOT be enforceable by individual corporations.
Mark, you want to say “Shame on Sony” but who is going to pay them for the goods and services they have provided?
FOR INSTANCE, I've been very impressed with your work and I am going to BUY your book. I tell this to a friend and he offers to burn me a CD of your book at no cost to me. On principle I refuse, but I know in the end my purchasing YOUR book is really paying for 10 other people to steal YOUR book.
11/16/2005 8:55:00 AM by Adam Gates
Thanks for exposing Sony's spying tactics. I had my suspicions about them a year ago when my wife bought me a Sony MP3 player. Some wording in the EULA left me a little uncomfortable but I was not sure why. I returned the MP3 player and got a SanDisk which does not rely on proprietary software.
Perhaps you might look into how Sony's MP3 player software spies on its users. I no longer trust Sony and will probably avoid buying their products in the future. It is a shame because I have always thought highly of them.
11/16/2005 9:00:00 AM by Joe
From our side, I would hardly call this "Victory". From the corporation side this is just a small bump on the roadmap. There are no real FBI or FTC investigations, no arrests, nothing. The same virus/trojan/rootkit spread by an individual would have been treated differently.
There is no longer "We the People", Congress/Parliament only deals with "We the Special Interest Groups".
There is something fundamentally wrong when the "People" are like slaves who cannot own stuff, just be given "restricted rights" to using it.
So, rest assured, they'll be back one way or another, and stronger than before. Microsoft will embed unified DRM in the OS, Intel/AMD will be forced to implement DRM in hardware ...
Just boycott Sony as much as you can, that's what I am doing.
11/16/2005 9:02:00 AM by Enough
Thanks for all! And the first link should have been http://news.bbc.co.uk/2/hi/technology/4441928.stm I think.
(Sony has capitulated almost entirely. )
11/16/2005 9:07:00 AM by pcve
Thank-you. Great job. The fight will continue.
11/16/2005 9:22:00 AM by srynas
Mark has humbled Goliath! I’ll bet Sony’s legal staff is now running around like a bunch of ants who have just had their ant hill stepped on.
11/16/2005 9:51:00 AM by Jim Stuart
Link in the article should be:
11/16/2005 10:17:00 AM by Hooper3.0
Thank you Mark for a truly outstanding piece of forensic work! Without your efforts, the world would still be in the dark about these insidious practices. The world is a better place, knowing "technocrats" won't let anybody trick us with technical wizardry disguised as legitimate benevolent software.
Mark you've made a significant difference. I think other special interest groups will heed your warnings, and not dare commit the same stupidity as Sony. Too much to lose! Let’s face it; they are only interested in the bottom line, so their actions are so predictable.
I wonder how much ROI this episode will cost Sony. Negative I suppose. Reputation is priceless. That reputation is completely tarnished now; They are reaping what they sow. They treat their customers like criminals with prejudice, assuming we will do wrong.
Now Sony’s customers are treating them likewise. In business, when there is a conflict of interest, history tells us the consumer ultimately wins! Why? Because corporations require customers, but the converse is not true. Consumers have plenty to choose from.
As consumers, let’s make it count and vote with our dollars. I for one only patronize those who deserve my business, and treat me with respect. Goodbye Sony and good riddance! Let this be a warning to all other wannabe corporations:
Treat your customer well, or suffer the consequences.
11/16/2005 10:28:00 AM by Kad
Well done Mark, good work. Though it still amazes me why these big companies use DRM on CD's in the first place; it doesn't stop determined crackers in the least and only hurts legally purchasing customers. It's ironic that if you want a good clean copy of a CD you have to download it...
11/16/2005 11:26:00 AM by Ray
I hope you find this as disturbing as I do. Regardless of all the bad publicity that the Sony case has generated, Sony is currently bragging (apparently for good reason) that their Santana CD (Arista, with XCP content) is "the #1 Artist Album today" (as of Nov. 9) on the Billboard charts and the #2 entry in the charts (next to the Now compilation). So much for hurting them in the pocketbook, apparently consumers do not care (or know). To add salt... a Neil Diamond CD (XCP also) is the #6 CD in Amazon regardless of the fact that there have been hundreds of reviews warning purchasers. Amazon is still selling these CDs regardless of the recall. If you want to upset your stomach read the Sony release on Santana under the news section of the SonyBMG web, http://www.sonybmg.com/ This is the same website that states that the CDs are recalled.... Gee
11/16/2005 11:30:00 AM by el cpu
I think they should remove the rootkit from all CDs except for Neil Diamond. Anyone who buys a Neil Diamond CD deserves to have malware installed.
Yes, I'm kidding. =)
P.S. Shame on Sony.
11/16/2005 11:32:00 AM by Irreligious
"[We, Sony,] will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music."
Which is a code phrase for, "we're sorry we got caught this time, but invasive DRM will be back." After all, meeting the demands for flexibility in how consumers listen to music is easy: plain old music CDs with no DRM. Complete flexibility. Because some people engage in copyright infringement, Sony wants to treat everyone like a criminal. In Sony's mind our computers, our CD players, and our DVD players will be guards that actively try to thwart the very people who purchased them. It's a pretty good deal: Charge customers more for hardware with less functionality. No rational customer would say, "Yes, I'd like to pay the extra money to cripple my DVD player so I can't play movies imported from Japan. Oh, and I'd like to pay a bit more to ensure that I can't route my DVD player through my VCR."
11/16/2005 11:32:00 AM by Alan De Smet
The argument presented by Adam Gates is still trotted out every time DRM is discussed, and still doesn't hold water.
The faulty assumption is that anyone who "steals" an item is a potential lost customer. The fact that digital music is easy to "steal" is not the fault of the consumer who is willing to pay for something of value.
So regarding the other 10 people that Adam is "paying" to steal Mark's book? If 9.9 of them were never going to buy it in the first place, how does that hurt Adam or Mark?
11/16/2005 11:53:00 AM by Zanzibar Buck-Buck Mcfate
Congrats for all your work that helped to make this public!
11/16/2005 11:54:00 AM by Diego Calleja
I agree with Mark in that this is a kind of victory.
I started monitoring this story from the first time I read the first post in your blog.
I monitored news.google.com Sci/Tech news and this story came from being totally underground to be the FIRST story there.
What this means to me, is that it is POSSIBLE for the "internet community" to make their voice heard to fight against unfair issues.
I am not from U.S. but I think this would show Americans it is possible to be heard. A lot of rights have been taken from us and this should show us we can fight back.
Thank you Mark!
11/16/2005 12:14:00 PM by xtracto
Regarding the comments made by xtracto "A lot of rights have been taken from us and this should show us we can fight back.".... yes we can fight back but as my previous post on this page mentioned, regardless of the terrible worldwide publicity Sony has received, consumers continue to buy these CDs like nothing happened. I think real victory is still not at hand and will not be until and if consumers stop rewarding SonyBMG.
11/16/2005 12:24:00 PM by el cpu
Someone brought along a CD from a company that makes a flash-type player, saying that it had copy protection included. Does anyone know about their solution?
11/16/2005 12:47:00 PM by Art Cube
I think Sony's problem is that they can't accept the idea that they should lose even one sale. They need to grow up and get over it.
It would be like a farmer who couldn't accept that there will be some natural loss, however small, from his crops and consequently sprays them with a pesticide that he knows to be dangerous to health (or even illegal to use, like DDT). That farmer wouldn't care if the food he grew harmed his customers so long as some pest didn't get a small percentage of it - and the government didn't catch him breaking the law.
This situation is much the same.
Even more absurdly, the truth is that studies have shown that the largest group of music downloaders is pretty much the same as the largest group of CD buyers. These people simply consume more music. For the most part they probably download a track here or there and if they like it buy the CD.
So all this probably gains Sony nothing. They need to stop being so infantile and accept that there will be some "natural wastage" and realize that it's not worth harming their customers in a vain effort to ensure that the inevitable won't occur.
Sony's attitude to DRM not only gains them nothing: it actually loses what they have - like the farmer getting DDT poisoning himself from having sprayed it.
Sony lost the portable music market, having won it with the Walkman cassette/CD players, because they got greedy and tied up their computer-file based player with a "DRM implementation was so nasty you would have had to have been insane to buy the product."
Apple were not so stupid and not so greedy. Consequently, the market now belongs to the iPod. And over the rootkit affair, Sony now stands to lose who-knows-what in litigation.
Sony haven't hurt "pirates". They've hurt their customers, and finally they've hurt themselves.
It's all been about greed. For all the big talk about "artists", the record labels have never tried to do anything other than maximize their own share of the loot. A band would have to sell tens of thousands of albums to even break even. In fact, most bands would probably do better giving away their music as downloads and hoping instead to make money on live appearances. People like Sony aren't going to give them a fair cut of what their own labor has produced.
11/16/2005 12:49:00 PM by Damian
It should be interesting to take a look at the stand-alone uninstaller when it comes out.
There's absolutely no reason why Sony couldn't produce a decent uninstaller. They probably have good coders in their computer division. Remember this whole DRM fiasco was down to their Sony/BMG music division contracting out the copy protection element of their CD production to an outside company--First4.
Incidentally, it seems someone here has taken exception [or wants it to appear that way] to my nickname "ruy_lopez" [the 'Spanish' chess opening].
The other morning, as I was reading comments on this site, I got hydra'd from the Universidad de Santiago de Compostela in Spain! of all places. The fact that this is the only place I've used the nick ruy_lopez, leads me to suspect that it originated here.
Maybe just a coincidence.
Good work everyone!
11/16/2005 1:36:00 PM by ruy_lopez
I think the bigger picture is lost here behind this DRM stuff.
What Sony did, was not only reprehensible, but criminal. As someone said, if an individual had done the same thing they would be dragging him to jail right now.
They've exposed an incredible number of computers around the world to virus/trojan/malware (take your pick). Then they also created an incredible amount of useless traffic on the internet (check doxpara.com), which is basically stealing bandwidth from legitimate purposes.
If enough people complain to congress, maybe somebody will take notice.
Of course people will keep buying the CDs, how many people don't read news on the internet.
11/16/2005 2:19:00 PM by Captain555
If you are inclined to write and/or leave postings:
F. James Sensenbrenner, Jr., Chairman
Committee on the Judiciary
U.S. House of Representatives
2138 Rayburn House Office Building
Washington, DC 20515
Joe Barton, Chairman
The Committee on Energy and Commerce
U.S. House of Representatives
2125 Rayburn House Office Building
Washington, DC 20515
11/16/2005 2:31:00 PM by srynas
Reply to Zanzibar-
Whether they are a "potential lost customer" does not matter. They are STEALING. They have no right to listen, look, etc. at the property without the owner's consent.
With your logic I should have to leave the keys in my car to make it easier for someone to steal it, "It's not like they were going to pay for it anyway."
Or instead of paying at the pump you should just leave what you owe in a big fish bowl after you decide how much you owe for that tank of gas.
While Sony's response has been unethical and plain stupid, the public is not crying out at the millions and possibly billions of dollars stolen every year.
The common person thinks it is perfectly okay to steal music, movies, video games, etc.
The government/s are not enforcing the law.
What can companies and individuals who have intellectual property do?
Trust people will pay for what they use on good faith?
11/16/2005 3:33:00 PM by Adam Gates
A couple of predictions if I may:
1. Some form of DRM will reappear in the future - Sony have just been 'unlucky' and got caught with their 'pants down' by Mark. The recording companies, rightly or wrongly, are determined to try to stem the tide of falling sales which they perceive as happening because of increasing levels of piracy. Whether their perception of the problem is true or not (and many would argue it is more to do with pricing and other factors) they are determined to press ahead with their plans - so we may well have to go through this all again yet.
2. I predict that ultimately Sony will try to 'wash their hands' of this affair, and I wonder whether First4Internet will be offered up on the altar as the sacrificial lamb ?
3. Mark is right in his comments - this whole affair is the mere tip of a very much larger iceberg ! I've been dismayed at the levels of arrogance displayed by software companies (particularly several VERY large software companies) over their attitude of 'we own your computer' and 'we can install whatever we like, for any reason', without even so much as a 'by your leave' ! Again often, software copyright control is cited as the reason for their actions. I'm convinced most of this is a smokescreen, and the real reasons are more to do with locking in a customer so they can't escape, even if they want to.
11/16/2005 4:28:00 PM by Calvin
Adam Gates said:
"While Sony's response has been unethical and plain stupid, the public is not crying out at the millions and possibly billions of dollars stolen every year.
The common person thinks it is perfectly okay to steal music, movies, video games, etc.
The government/s are not enforcing the law."
I'm not sure this is a fair analysis, especially the part about the government not enforcing the law.
Practically running in tandem with this SONY/DRM story has been the story about Attorney General Gonzales' proposed toughening of the Copyright law.
An example just pulled from google news as I write this comment:
Many are concerned about the proposed introduction of jail terms of "unspecified length" even for "casual piracy."
I'd hardly call jail terms of "unspecified length" an example of governments not enforcing the law.
11/16/2005 5:36:00 PM by ruy_lopez
somebody please think of the profits! Adam, as much as you must loooove trolling (or are you really serious?), please take this issue up on another day. Profit protection and Sony's actions are separate animals - please treat them as such.
11/16/2005 5:40:00 PM by Nick
I hope Vista can halt this spyware garbage. I have no idea how the built in firewall will work but I would like it to give control back to the user like this and block installations from automatically adding themselves to the trusted list without your explicit consent:
Vista: "The following application is requesting permission for outbound network communication."
Source: [Service name or executable]
Reason as stated by the application/vendor : "Dear Sony BMG customer- XCP would like to enhance your music playing experience by updating itself to the latest version and further protect the content you have licensed. In compliance with the EULA you must accept this notice. Please visit our website for the latest copy of the EULA as we continue to improve it."
Vista: Do you wish to allow communication to take place? You should only accept if you trust the company and its product.
Yes - One time
Yes - Always- "Trust this application"
No - One time
No - Never
Advanced - Enable logging, capture packets for analysis, shutdown this service/application.
What is the risk? - click here for details about privacy and protecting your computer from malicious software.
11/16/2005 6:23:00 PM by geek27
I love your column.
Wanted to tell you that you have a typo in the beginning: claoking.
11/16/2005 7:27:00 PM by RoNNY
Great Job!!! I guess this shows that even the "little guys" can stand up to "out of control" corporate interests.
On a side note: You probably are already aware of the attention your blog has received as a result of your original report <g>. But in case you needed more financially uplifting evidence check out the How Much Is My Blog Worth? entry at the Business Opportunities Weblog
11/16/2005 7:28:00 PM by Jason Thorn
Adam Gates: please stop using words in a deliberately misleading and incorrect way. Nobody has mentioned stealing anything, except for you. Making a copy of a CD for a friend may be against the law, but it certainly isn't theft.
11/16/2005 7:35:00 PM by sploo22
Perhaps someone should check out the new Sony Media Center PC (Sony® VAIO® VGX-XL1 Digital Living System™ VGX-XL1) with 200 DVD/CD changer to see if it is preloaded with tracking software? It could track not just CDs but DVDs and even what you watch on TV!
And, for that matter, what about any Sony PC? They have complete control over the OS install with plenty of opportunity to hide their footprints.
Over the years I have bought dozens of Sony electronics (cameras, radios, CD players and including 5 PC's) and was planning to get the VGX-XL1 for our home this Christmas but never again. And get this, my teenagers are telling all their friends "Just Say No Sony". Sony has become a garbage brand in our book.
11/16/2005 8:18:00 PM by John S.
Stand up to Cor-pirate control freaks, speak out against our loss of rights to use our own computers!!!
11/16/2005 9:29:00 PM by wawadave
In answer to Adam Gates:
You are comparing things that can't be compared. Your car stealing example is therefore not usable. One is stealing manufactured, "sound" goods, the other is "stealing" intangible bits. Stealing a car costs money to the person that bought it, to insurances, to the car manufacturer, to society. Stealing bits, things that do not exist in real life, costs nothing to anyone. And don't give the argument of "lost sales". The majority would not have bought it anyway since it's free things they are after...
It's not to say that intellectual property should not be protected, far from it! But it should not be protected in the context of a business model, manufactured goods, that is not adequate for it. An all new business model must be built up. Some companies understand that and exploit the new context and make tons of money. Some don't and try to force the consumer to stay in their inadequate business model. They don't want to change and they protect their turf. It's normal, but they can't succeed.
Just look at what is going on with the new High-Definition disk. They now want to implement protection technologies that will only drive the consumer away! Even if it's morally unacceptable to steal someone's intellectual property, how can these measures do any good to anyone? Everyone loses... And looking at DVD sales, I honestly think they try to fix a problem that doesn't exist in the first place.
11/16/2005 10:13:00 PM by Bobby Bob
Here's an interesting aside from the Devil's Advocate. I run a music store that will most likely take a total bath this Christmas because the 4 biggest sellers of the season got nixed. Neil Diamond, Bette Midler, Chris Botti, and Jane Monheit. And what's worse, most of my customers buying this stuff aren't the kind of people who are likely to burn copies at all, possibly not even PC owners. Unless Sony can get copies back out to me that you guys can burn and rip to your hearts content in a VERY timely manner, I might not have my store too far into 2006, already hurting because fewer and fewer people seem to feel that they should buy the things they want. I'm the independent businessman, here. The very personification of the good natured small business guy trying to not get screwed. Well, now I'm screwed. Is that cool?
11/16/2005 11:43:00 PM by Rocko
Just FYI, this actually just made the channel 3 6:00pm news here in New Zealand (we only really have 3 major channels).
Apparently Sony is recalling all of the affected CDs here, and replacing them with unprotected discs.
Interestingly enough, Sony doesn't use protection on locally made discs, so those with them must have bought them online or from parallel imports.
11/16/2005 11:44:00 PM by Michael K
Thank you for finding this problem. I have been online every day checking to see what the latest news is. This is a huge example of how the voice of the people CAN have an impact. (Or should I say the written word!)
I doubt that Sony is going to dry up and blow away, but it would be nice wouldn't it? I certainly hope that First 4 goes right along with them.
11/16/2005 11:44:00 PM by Glory