Talk:Sony BMG copy protection rootkit scandal/Archives/2013

This page is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

I think we should use Sony BMG instead of Sony.58.93.100.70 15:37, 22 November 2005 (UTC)

Done. - ^Рэд_хот 18:19, 14 September 2006 (UTC)

Being involved, I will not contribute to the article, but here are a few corrections:

• the rootkit does not contain "comments" as far as I know
• the rootkit does not contain the string "copyright (c) Apple Computer, Inc. All Rights Reserved.", but a ROT13 version of it (see http://sam.zoy.org/blog/2005-11-18-the-fuss-about-sony-s-drm to know why and for more warnings about uncontrolled speculation)
• I do not think the code comes from an iTunes DRM circumvention program by Jon. Jon wrote a program that does that (amongst other things) called SharpMusique, but it is in C#. There is another program doing that called Playfair, but it was done by an anonymous developer and its decryption code comes from VLC. So there is a high probability that the stolen code comes from VLC (and was therefore written by me and Jon).
• Also, the part about LAME should be merged with the part about VLC, they are quite the same except the LAME code was discovered a lot sooner. Sam Hocevar 23:22, 18 November 2005 (UTC)

---

• PLEASE do not be inhibited about contributing.
• "comment" = "a data field containing bytes where each byte represents a letter or number or similar character" you think "string" would be more widely understood??
• The digital thing we are talking about contains zeros and ones or pluses and minuses or filled spots and unfilled spots ... it does not contain images of letters ... ASCII EBDIC ... ROT13 ASCII ... whatever ... one representation is as valid as another and saying it doesn't contain "A" it contains "ROT13 A" gives undue reality to one transscription scheme over another. WAS 4.250 02:56, 19 November 2005 (UTC)

But saying that it contains the string "copyright (c) Apple Computer, Inc. All Rights Reserved." is IMHO misleading, because that string only has a functional purpose, and does not establish copyright of anything (which could be inferred by reading the article). The story about this specific string should be either clarified or omitted.

As for contributing, I may do it when my work on the subject (http://sam.zoy.org/blog/2005-11-21-suspicious-activity-indeed) has been quoted elsewhere. Otherwise it constitutes original research. Sam Hocevar 09:08, 26 November 2005 (UTC)

The article says

People don't realize that Sony's DRM technology they implemented is protected by the DMCA, as well as standard copyright law. First, it is illegal to reverse-engineer copyrighted software. This means that the parties who decompiled the software to view the source code violated both the DMCA and standard copyright law.

I dispute the claim that in general "it is illegal to reverse engineer copyrighted software" under copyright law or the DMCA. Schoen 03:35, 19 November 2005 (UTC)

I put in a more NPOV wording, such that it *may* be illegal to do such things. Just what is or isn't legal under the DMCA won't be firmly established until there is more case law about it; thus far, some attempted applications of the law (to protect garage door openers and printer cartridges from reverse engineering) were struck down by the courts, while others (such as suppressing DVD Jon's DeCSS) were upheld, but decompiling for the purpose of regaining control of one's own system from surreptitiously installed malware in the form of CD DRM has no court precedent. *Dan T.* 04:03, 19 November 2005 (UTC)

That is a big improvement. There is another error in this section. The statutory damages in United States copyright law are actually calculated on a per work basis, not on a per copy basis. That is, a copyright holder can recover statutory damages (without showing actual damage) in an amount from $750 to $30,000 per infringed work (regardless of the number of copies infringed). (Depending on the infringer's intent, it may actually be adjusted by the court to range from $200 to $150,000.) Thus, it is not correct that the statutory damages regime would award each copyright holder of an infringed work $30,000 (or $150,000) per infringing CD copy. Indeed, statutory damages are meant as an alternative to "actual damages"; in claiming "actual damages", a copyright holder may need to prove how many infringing copies were made. By contrast, in seeking statutory damages, this showing is not necessary and does not determine the amount of the award. The reason that RIAA plaintiffs have claimed enormous statutory damages were available to them in principle against alleged infringers of sound recording copyrights was that they alleged a large number of distinct works infringed, not a large number of infringing copies made. See 17 USC 504. Thanks to Fred von Lohmann for pointing this out. Schoen 08:45, 19 November 2005 (UTC)

I don't really understand why this is treated as a matter of "some say ... others say". Surely this isn't a POV dispute. The U.S. copyright law at 17 USC 504(c) says

[T]he copyright owner may elect, at any time before final judgment is rendered, to recover, instead of actual damages and profits, an award of statutory damages for all infringements involved in the action, with respect to any one work, for which any one infringer is liable individually, or for which any two or more infringers are liable jointly and severally, in a sum of not less than $750 or more than $30,000 as the court considers just. For the purposes of this subsection, all the parts of a compilation or derivative work constitute one work.

Surely it's clear that RIAA's claims for statutory damages were seeking $30,000 per work not $30,000 per copy -- since they never claimed a particular number of copies. The whole point of statutory damages is that you don't have to show how many copies were made in order to get the statutory damages. That's why they're given as an alternative to actual damages (17 USC 504(b)), which do require you to prove "the actual damages suffered by [the copyright holder] as a result of the infringement, and any profits of the infringer". Surely Wikipedia is allowed to say that people are wrong about something when they just misremembered how something works, right? Schoen 07:05, 21 November 2005 (UTC)

Please feel free to make the appropriate edits. Be bold. WAS 4.250 12:39, 21 November 2005 (UTC)

I would, but, like Sam Hocevar, I'm involved (which I should have been clearer about mentioning) and therefore reluctant. My employer filed a lawsuit about this today. Schoen 02:57, 22 November 2005 (UTC)

I wish to thank the contributors who have in the last couple of days made the article less mealy-mouthed and more specifically accurate. WAS 4.250 01:36, 22 November 2005 (UTC)

Who is Dan Kaminsky and why is he an "internet expert" as written in the article?

Reading [1] he's probably more internet expert than you and I. Shinobu 17:00, 21 December 2005 (UTC)

I've read up on this issue, and was horrified to see some inaccuracies on this entry (Texas lawsuits, "removal program"-- note it doesn't remove). I've tried to fix it up a little to improve its accuracy and give the lastest links. Additionally- what about the larger questions? See the new section and link. I've tried to be impartial so take it from here.Lgreen 06:28, 22 November 2005 (UTC)

The last section needs a seeing to - less an encyclopedia than a /. rant? -Perks

Formerly from the article:

"additionally it appears that the LAME code was added only to permit detection of attempts to rip the CD using LAME (not to actually implement LAME or call functions from it)"

There is nothing that appears this way in the slightest, as LAME is not a CD ripper; it encodes audio from .wav to .mp3, but does not contain any functions from CD audio. The situation that the used source supposedly "permits detection" of doesn't exist. I suspect that this was a weak attempt at defense of their practices by Sony, rather than anything that was actually found by an independent body.

I've removed the erroneous text from the article. Wikipedia's purpose is to diseminate information, not propaganda. --HBK|Talk 00:08, 26 December 2005 (UTC)

I'm not sure whether "Sony CD copy protection controversy" is a proper title for the article. Perhaps scandal would be more appropriate, as AFAIK, the news was universally badly received.

Or am I just nitpicking? Or am I simply wrong? If that's the case, I'd appreciate being told so. --FrostyBytes 23:09, 28 April 2006 (UTC)

No, you're right. There's no controversy at all, Sony was simply wrong, and they knew it. I will move the page. Shinobu 00:41, 20 May 2006 (UTC)

It's moved, but still in the category "controversies". Is there a category "scandals" or should we leave it as it is? Shinobu 00:46, 20 May 2006 (UTC)

There is a scandals category here. I will remove this article from the controversies category and add it to the scandals category. Jesse Viviano 02:43, 29 May 2006 (UTC)

Okay. Shinobu 20:40, 29 May 2006 (UTC)

those who purchased an XCP CD will be paid $7.50 per purchased recording and given the opportunity to download a free album, or be able to download three additional albums from a limited list of recordings if they give up their cash incentive.

I think if they caught a pirate, they would not ask for $7.50 for each pirated album. -- Toytoy 16:16, 16 May 2006 (UTC)

From the article: "It appears that, since LAME is under the LGPL, this situation could be rectified by SONY BMG offering a copy of the LAME source code, as well as adding a notice that it was using code from the library (though this would not be a defense against past damages)."

This isn't even remotely what the LGPL requires of derivative works. If code from LAME had been lifted (sources?) and put directly into the rootkit, then the LGPL would function no different from the GPL. Sony would have to make their derivative work either LGPL or GPL.

The LGPL only differs from the GPL when linking. Non-(L)GPL code can link to an LGPL library if the developers provide object files which others can link against ABI-compatible modified versions of the LGPL library. Note that using dynamic linking satisfies this requirement.

Furthermore, the LGPL does not contain an advertising clause ("adding a noice that it was using code from the library"). Shaunm 21:19, 19 June 2006 (UTC)

Whoever authorized this procedure within Sony will be unemployed in the near future. There is no way Sony could benefit from this action.

Other businessmen with more savy are going to see this as an indicator, having a direct effect on the price on Sony stock. Wherever this person goes he will have increasing difficulty finding work.

Spike Holmes 04:06, 28 June 2006 (UTC)

But others are going to see this as an indicator that as long as they are not some college kid, but instead a boss in a big multinational company, they won't go to jail for what is a serious computer crime in many countries world-wide. Unauthorized modification of a computer etc

"A number of parties have sued Sony BMG for their actions in distributing the infected CDs." Great choice of words, in my opinion. --151.201.58.185 09:45, 21 August 2006 (UTC)

I RV'ed, hopefully for a good reason. ... I think we over-pruned the LINKS section on that last edit, some of the links like the NPR story are very relevant ... and the Sony links listing the return program, the effected CDs, shows objectivity in the article. Rather than just deleting the links you think are excessive, how about rolling them into footnotes where they're more appropriate? That is, using the <REF> tag. Discuss amongst ourselves. ;) --^~DBS ^Talk/_Contribs 20:13, 22 November 2006 (UTC)

I'm going to spend a few minutes trying to incorporate the more reputable external links as footnotes..... ^~DBS ^Talk/_Contribs 23:19, 22 November 2006 (UTC)

• Okily-dokely, I just spent over an hour and a half or so converting as many links as possible to proper footnotes. Having done this, I removed as many redundant "external links" as I think were appropriate, and pruned one or two questionable links. Some news links are no longer online and are noted as such in <-- hidden comments -->. --^~DBS ^Talk/_Contribs 01:36, 23 November 2006 (UTC)

Does anyone think the title of this article should be changed to something a bit shorter, Sony BMG copy protection scandal perhaps? 'FLaRN' (talk) 17:32, 23 November 2006 (UTC)

• I was thinking of that last night, though we are now looking at multiple scandals. Sony/BMG in Europe had a flap in 2002(?) with that Natalie Imbruglia (sp?) CD in Germany. Since this article deals predominately with the 2005 scandal, that date needs to be there. Or ... if a more generalized article is written, this could be merged with it at a later date. ... If we do need to change the title, i'd suggest Sony BMG XCP copy protection scandal (2005) or perhaps Sony BMG XCP rootkit scandal (2005). What d'ya think? ^~DBS ^Talk/_Contribs 19:58, 23 November 2006 (UTC)

Using the term "copy protection" in the title is somewhat biased. The claim that the software offers protection takes the view of the music labels and the software authors. The users whose computer systems were harmed by it do not feel "protected".

The term "rootkit" is also questionable. While the software in question contained concealment routines similar to the usual use of the word "rootkit", the concealment was only part of the problem. The problem started with the unexpected installation of undesirable software when the CD is placed in the drive. This is more often referred to in computer security terminology as a "Trojan horse": undesirable software that is surreptitiously bundled with something desirable (namely, the music).

As for legal terminology, the laws of several U.S. states use the expression "computer contaminant" in describing software that does harm to a computer system without the permission of the owner or legitimate user. See this site for various laws. The analogy is to "contaminants" in the chemical or biological sense. --FOo 23:41, 23 November 2006 (UTC)

I think "copy protection" is fine. It's a well-known term which describes the aim of the software well. --h2g2bob 00:09, 24 November 2006 (UTC)

How about "First 4 Internet Copy Protection Scandal", as clearly they were the ones that created it, Sony BMG just distributed it... However we all know that the Americans love to hate Sony, so that will never happen... —Preceding unsigned comment added by 81.174.171.21 (talk) 19:49, 30 March 2010 (UTC)

Never mind previous post.

I'm just tired of this kind of corporate scams and thier nickel & dime schemes. I'm tired of hearing about lawyers and courts and who exactly it was that did what.

Sony is always doing this kind of thing then hides behind legal-mumbo-jumbo.

The fact is that WRONG IS WRONG.

But since Sony has shown that it's ok for them to spy on people & children, and take over a PRIVATELY OWNED PC. Then I believe they've forfieted thier companies rights to take any anybody to court should thier company PC's get hacked...

I don't endorse or encourge hacking activities, but Sony can't spy/steal/sabitage and expect no 'reapercushions' to soften the blows dealt back to them (Sony).

Please update Websters dictionary: Word = Hypocrite (New Defination) Sony —The preceding unsigned comment was added by 209.239.1.115 (talk • contribs).

Forgive me if I'm wrong, but wasn't the initial uproar about privacy invasion. The rootkit wasn't nearly invisible to the user and there was no mention of it when the user played back the CD. The article doesn't seem to stress this. In fact, privacy is not even linked in the article. Again, I might be wrong. 70.104.16.217 18:04, 18 March 2007 (UTC)

Some of the initial concern had to do with the software "phoning home". However, a lot of this IIRC got eclipsed by the sabotage aspects (Windows systems getting rendered unusable) and the security holes. --FOo 19:36, 18 March 2007 (UTC)

Has anyone tested the effects of these discs on machines running Windows Vista? As the rootkit "driver" files were written for previous versions of Windows, will Vista allow them to be loaded in to memory and are the CDs usable under Vista? This would make another excellent argument against DRM. Nobody can guarantee the DRM software will be developed for future operating systems and any "offline" DRM which is shipped with the media certainly can't be guaranteed to work in the future. So where does this leave the consumer? With a crippled product with a lifespan of the OS its designed run on. —The preceding unsigned comment was added by 82.47.104.215 (talk) 01:42, 30 March 2007 (UTC).

Interesting question. Any takers? Pizzachicken 23:08, 3 May 2007 (UTC)

Vista has UAC (user account control) as the Root kit has to have admin rights UAC would prompt you to play an Audio disk (that be strange but that probably think its OK), but as it stands most users will ignore it and click Allow when it pops up, and vista does not Like Malware that was made for XP so it most likely brake the OS (constant restarting/crashing explorer.exe or other random BSOD)

If UAC is off most likey install and be hidden or may not install due to OS check maybe ?

so users of Vista do not randomly click continue/Allow when putting disks in Leexgx (talk) 04:32, 23 November 2007 (UTC)

How does the rootkit protect the CDs from being ripped? It doesn't seem to cover it all in the article? Pizzachicken 23:08, 3 May 2007 (UTC)

Found details about it. It's explained here. Can someone add some of the technical details to the article.

http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453096362

XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

Furthermore, XCP.Sony.Rootkit installs a device driver, specifically a CD-ROM filter driver, which intercepts calls to the CD-ROM drive. If any process other than the included Music Player (player.exe) attempts to read the audio section of the CD, the filter driver inserts seemingly random noise into the returned data making the music unlistenable.

XCP.Sony.Rootkit loads a system filter driver which intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This is commonly referred to as rootkit technology. Furthermore, the rootkit does not only affect XCP.Sony.Rootkit's files. This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained.

To put it simply, a rootkit interferes with the computer in such a way as certain files and entries will not be seen by a user using the windows system tools. XCP used a rootkit to cover up its own presence, but in so doing created a vulnerability whereby other malware could also hide behind the cloak. To track down rootkits, you need software which scrutinises the raw data on the hard drive, without relying on the normal routines within windows.

Ignoring the rootkit aspect, the XCP software was very badly written for numerous other reasons, and created all sorts of other problems on pc's it was installed on. It is arguable that the prupose that XCP was supposed to serve is impossible to achieve.

The underlying problem is that CD standards were created before people had computers or the internet and do not cater for copy protection, and existing stand-alone players are not capable of being modified to facilitate changed CD standards. Consequently, all attempts to prevent copying CD's on pc's have to involve either (a) contriving a CD which will play on a standalone player, but is malformed in such a way as a pc cannot play it, or (b) making a CD with software on it as well as the music contect, where the software interferes with the use of the computer.

The problem with (a) is that increasingly, computer type cd drives are being used in stand-alone players and you end up with CD's that won't play in some players (eg some car CD players), and with (b) is that interfering with how the user has proper access to their computer also interferes with computer security.

Essentially, the basic content must be on the CD in an unencrypted and playable form, which means that any DRM which does not pose a security threat to the computer, is also very easy to circumvent. For example, with the XCP disks, if they were put in a pc where the autorun is totally disabled (by using a utility like TweakUI, for example) they would not start. The user could then explore the disk and copy the CDDA content to the pc, and from here create a CD of the content that was totally unprotected.

Another problem with XCP type software, is that if numerous different labels use different products like that, they can conflict with each other and collectively hog resources. XCP, once installed on a computer, could hog 2% of the cpu usage even when a cd was not being played. You wouldn't need many similar bits of software on a computer before the whole pc starts to run slowly all the time. 82.29.215.250 12:58, 19 July 2007 (UTC)

Just raising a flag here. Google News: Sony Rootkit USB 68.237.226.207 05:55, 29 August 2007 (UTC)APassingVisitor

We know what it did to Windows, but what did it do on the Mac? IIRC, it disk would not play. —Preceding unsigned comment added by Flightsoffancy (talk • contribs) 20:00, 30 January 2008 (UTC)

The rootkit would have little to no effect on Linux, either at enforcing DRM or interfering with the OS. Linux would just see there are both data and audio tracks with the option to read either. The windows rootkit could possibly be run under Wine (a Windows API implementation), but Wine runs in user mode (as a process, not as a driver) with the user's permissions so the worst it could do is put rubbish in the user's ~/.wine folder and not change anything at the system level. I don't think it would get that far, it would probably just confuse wine and not run.

Not sure if these discs contained any Mac software, but as modern Mac OSses are unix based, the same restrictions would apply as in Linux I would imagine.82.47.104.215 (talk) 17:03, 6 March 2008 (UTC)

Hello all,

I've expanded the Background section by naming the disc (Natalie Imbruglia's White Lilies Island that was subject to copy protection in Europe. I've added the fact that NSync's last album was copy protected in the US and Germany (but not the UK). All of this happened in 2001. Everything added has refs as well. - Thanks, Hoshie 05:46, 24 August 2009 (UTC)

As clearly First 4 Internet are the ones that developed it, and bodged up the removal tool that allowed virus and trojans to run wild. I know it's fashionable to spread crap about Sony and other non-American companies, but surely Wikipedia already has a bad rap for misinformation, this just makes this laughable worse... —Preceding unsigned comment added by 81.174.171.21 (talk) 19:53, 30 March 2010 (UTC)

Well, let's see:

• Sony-BMG purchased the malware from its authors and distributed it to users.
• The malware was detected by users who had bought Sony-BMG products.
• It was reported in the media as an issue with Sony-BMG products.
• Sony-BMG issued a recall of the products in which it had included the malware.
• The states of Texas, New York, and California took legal action against Sony-BMG.

So, I think the rest of the world, including authoritative sources, think that this case has a great deal to do with the actions of Sony-BMG, and that Wikipedia's saying so is entirely in accordance with good encyclopedic practice and not at all a case of "spreading crap" as you imply. Shame on you for spreading crap about Wikipedia. --FOo (talk) 08:05, 3 April 2010 (UTC)

I'm no fan of Microsoft (I've been an almost-exclusive Linux user for years) but this section is riddled with both bias and errors, and is largely unsourced to boot. It comes across as implying that the choice by Sony-BMG to attack users' computers is Microsoft's fault.

Obvious errors in the section:

• The setting to disable AutoRun/AutoPlay on a drive in Windows XP is not hidden. It's actually easier than in Windows 2000 and arguably easier than in 95/98/Me. See this Annoyances.org page for instructions and make your own comparison.
• The bug in Windows XP with disabling autorun applied to network drives, not to CD drives -- as is stated on the cited Microsoft Support page.

Dubious bits:

• The relevance of StickyKeys is not explained. It's my understanding that StickyKeys is triggered when you tap a modifier key five times, not when you hold it down.
• The overall implication of the section is that Microsoft made the above changes in order to facilitate CD-ROM DRM; there is no evidence offered for this implication.

As it stands, I think the section should be removed, and the factual content about Microsoft's anti-spyware software moved to a section on security industry response (along with other antivirus and anti-spyware responses). --FOo (talk) 07:35, 3 April 2010 (UTC)

Anybody knows if there is a video (preferably on youtube or such) that discusses this incident? I am having trouble finding any. --_{Piotr Konieczny aka Prokonsul Piotrus| talk} 19:19, 25 April 2010 (UTC)

Their software Interlock also installs rootkit type malicious stuff all over the computer and does so even when you click "NO" to the request to install on software that includes it. They're a smaller company and would be easier to win a class action suit against than Sony. -Reticuli — Preceding unsigned comment added by 64.93.132.79 (talk) 06:23, 10 July 2011 (UTC)

Would it be a good idea to include in the main article the easiest way to detect if a machine has been infected? According to Steve Gibson (http://www.grc.com/securitynow.htm) the rootkit hides any filename starting with $sys$, so he creates a filename called, say, $sys$canary.txt on his desktop and if it ever disappears, then that machine is infected. This property of hiding specific filenames is also mentioned above in the "how does the rootkit work" section. — Preceding unsigned comment added by 67.133.62.41 (talk) 09:08, 17 August 2012 (UTC)

If a rootkit is any good, then by definition it's hard to find. The scenario you paint pertains to one specific rootkit only and is therefore not a general solution for rootkit detection. Socrates2008 (Talk) 10:47, 18 August 2012 (UTC)