Sony's DRM - Why You Should Care

By George Ziemann -- Nov. 11, 2005

"Most people, I think, don't even know what a rootkit is,
so why should they care about it?"
-- Thomas Hesse, Sony's president of Global Digital Business
November 4, 2005

The story begins on Halloween, when Mark Russinovich posted a very detailed description of how Sony's DRM had installed potentially dangerous software on his computer and traced it back to First 4 Internet, a UK partner of Sony. The next day, November 1, a class action suit was filed in Los Angeles Superior Court, asking the court to stop Sony from selling any more CDs containing the DRM and seeking monetary damages for California consumers who had already bought any of them.

November 2 -- Sony offers a Service Pack which "removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security." Sony and First 4 Internet said the patch was offered as a precaution, not because of any security vulnerability. "There should be no concern here."

November 3 -- Edward W. Felten, professor of computer science and public affairs at Princeton University, reports on the Service Pack: "The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they're not just taking away the rootkit-like function - they're almost certainly adding things to the system as well. And once again, they're not disclosing what they're doing."

November 4 -- Russinovich weighs in on Sony's quick fix, concurring with most of Felten's observations, and also publishes further research showing that the DRM software appears to be in communication with Sony's Web site, something that had not previously been disclosed.

A criminal complaint about Sony's software is filed with the head of Italy's cyber-crime investigation unit.

Thomas Hesse, Sony's president of Global Digital Business, appears on National Public Radio, saying, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

November 7 -- Symantec adds First4DRM to its list of security risks, just as First4Internet offers Service Pack 2, which "includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch."

November 9 -- The Washington Post reports on the California class action suit, noting that a "second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court, seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question."

November 10 -- A computer security firm discovers the first virus "that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc." Microsoft is "concerned" ("We are evaluating the current situation to determine if any action from Microsoft is necessary.") but does nothing, while Sony releases a statement "deeply regretting any disruption that this may have caused."
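The reason a third-party virus could "hide on PCs" behind Sony's DRM is worth spelling out, because it is also why Russinovich found the thing in the first place. The following is an added illustration, not code from this article, from Sony or from First 4 Internet. It assumes, from Russinovich's own published analysis rather than from this page, that the cloaking driver hid every file, process and registry key whose name began with the marker `$sys$`, regardless of who created it; the directory contents below are constructed sample data, not captured from a real system. The detector is the cross-view comparison used by rootkit scanners of the era: list what the (hooked) API shows, list what the raw on-disk structures hold, and report the difference.

```python
"""Toy model of a name-prefix cloak and cross-view rootkit detection.

Added example; not the article's, Sony's or First 4 Internet's code.
Assumption (from Russinovich's analysis, not this page): the XCP filter
driver hid any object whose name started with "$sys$". All file names and
contents below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Marker the cloak keys on. Treated here as given; see module docstring.
CLOAK_PREFIX = "$sys$"


@dataclass
class Volume:
    """A minimal stand-in for a filesystem: `raw` is what is actually on disk."""
    raw: dict[str, bytes] = field(default_factory=dict)

    def write(self, name: str, data: bytes) -> None:
        self.raw[name] = data


def api_listing(vol: Volume, prefix: str = CLOAK_PREFIX) -> list[str]:
    """The view a user or antivirus gets through the hooked directory API.

    The cloak drops every entry whose name carries the marker. It does not
    check who created the entry, so anything adopting the prefix vanishes too.
    """
    return sorted(name for name in vol.raw if not name.startswith(prefix))


def raw_listing(vol: Volume) -> list[str]:
    """The view obtained by parsing the on-disk structures directly,
    bypassing the hooked API (what a low-level scanner does)."""
    return sorted(vol.raw)


def cross_view_diff(vol: Volume, prefix: str = CLOAK_PREFIX) -> list[str]:
    """Cross-view detection: anything on disk that the API view omits is
    being hidden from the user. Returns the hidden names, sorted."""
    return sorted(set(raw_listing(vol)) - set(api_listing(vol, prefix)))


def build_sample_volume() -> Volume:
    """Constructed sample data: the DRM's own component plus an unrelated
    program that simply names itself with the marker to borrow the cloak."""
    vol = Volume()
    vol.write("$sys$drm_driver.sys", b"constructed: the DRM's cloaking driver")
    vol.write("$sys$intruder.exe", b"constructed: third-party code hiding behind the marker")
    vol.write("music_player.exe", b"constructed: ordinary program, fully visible")
    vol.write("notes.txt", b"constructed: ordinary file, fully visible")
    return vol


if __name__ == "__main__":
    vol = build_sample_volume()
    print("API view :", api_listing(vol))
    print("raw view :", raw_listing(vol))
    print("hidden   :", cross_view_diff(vol))
```

The point the toy makes is the one the Hesse quote misses: the cloak is not a property of Sony's files, it is a property of the name, so any program that adopts the marker inherits the invisibility, and only a scanner that reads below the hooked API can see it.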

Meanwhile, in a soon-to-be-related story, the U.S. Federal Trade Commission points out that a U.S. court has shut down three Internet companies for secretly bundling malicious "spyware" with ring tones, music programs and other free high-tech goodies.

Payback's a Bitch

First4Internet CEO Matthew Gilliat-Smith told the Christian Science Monitor, "I think this whole issue is about intent. There's no question there was no intent to create a hypothetical security breach here."

First of all, it is no longer hypothetical. If you are a Windows user, naively bought one of the 20 infected CDs and put it in your PC, there's a new computer virus out there and it's aimed right at you, thanks to Sony. They created a very real security breach and seem to think you shouldn't care.

So let's talk about intent. In October 2001, the RIAA tried to get legislation passed which would have immunized them from the consequences of exactly what's happening right now. They've thought about this for a long time.

There's no consideration for intent in the RIAA's lawsuits against consumers. They want to play hardball. They are pointedly suing minor children with no regard to anyone's intent. Their position is that you've done something wrong and you must pay, no matter what your intentions may have been. They don't want to hear your excuses.

Sony should be given exactly the same leeway on intent that they are giving to the targets of their lawsuits -- none whatsoever.

Follow-up -- It's still November 11 and there are a few new events that affect this story. For starters, another version of dangerous Sony DRM has appeared, and this version, which appears to come from software devised by SunnComm, will poison a Mac running OS X. This revelation comes as Sony (who just days ago was saying "Why should you care?") announces that they are temporarily ceasing production of discs containing First4Internet's malware.

Of course, Sony has yet to admit they even have a real problem. This is merely a "precautionary measure," while they check to make sure their DRM "continues to meet our goals of security and ease of consumer use."

Here comes the scary part, in a story I missed yesterday. The Justice Dept. is asking for a bill which "would widen intellectual-property protections to cover those who try but fail to make illicit copies of music, movies, software or other copyrighted material." U.S. Attorney General Alberto Gonzales made the pitch, which he termed "a reflection of the sustained commitment on the part of the Bush Administration, including the Department of Justice, to ensure that we are doing everything we can to combat this problem."

Maybe I've seen too many episodes of 24 or CSI, but so far, I can only come up with two reasonable theories about the motives behind this behavior.

Theory 1 -- Incomprehensible Blind Stupidity

The Justice Dept. wants to jail people "who try but fail to make illicit copies." To be perfectly blunt, why would they bother chasing people who are too stupid to successfully duplicate a CD? That's like only chasing the terrorists who don't know how to build bombs. Or car thieves who look at a car and can't figure out how to steal it. What benefit could this possibly create, even for the record labels?

There had better be a good reason because, theoretically, a printer jam could trigger this offense. So could making a CD of authorized music, if you thought you were making an illicit copy but made a legal one instead. You tried and failed.

Theory 2 -- Even Worse

If the DOJ is not staffed by complete idiots, someone would have asked how in the hell they were going to discern who has tried but failed to make a CD? After all, it would be lunacy to announce that they want to go after people that they have no chance in hell of identifying. What would the evidence be? Not having illicit CDs?

Unless they already knew how Sony's new DRM worked, including the "phone home" features, and thought it was a good idea, which brings us back to Theory 1.