What is on the Sony CDs?

The CDs involved are loaded with a relatively new kind of content protection created by British company First 4 Internet. When a listener puts the album into a computer's CD drive, it pops up a license agreement. If the listener accepts, it installs the copy protection rootkit onto the hard drive.

The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. The software acts to limit the number of copies that can be made of the CD and prevents a computer user from making unprotected MP3s from the music.

from ZDnet


The Sony BMG software installs itself deeply inside a hard drive when a CD is played on a PC. The technology uses rootkit techniques to hide itself. Experts blasted the cloaking mechanism, saying it could be abused by virus writers. The first remote-control Trojan horses that take advantage of the veil provided by Sony BMG have surfaced.

from Cnet.com

Now the Legalese Rootkit: Sony-BMG's EULA
November 09, 2005

If you thought XCP "rootkit" copy-protection on Sony-BMG CDs was bad, perhaps you'd better read the 3,000 word (!) end-user license agreement (aka "EULA") that comes with all these CDs.

First, a baseline. When you buy a regular CD, you own it. You do not "license" it. You own it outright. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the "first sale" doctrine), or make a copy for use on your iPod (thanks to "fair use"). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.

Now compare that baseline with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:

1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

8. You have no right to transfer the music on your computer, even along with the original CD.

9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.


So this is what Sony-BMG thinks we should be allowed to do with the music on the CDs that we purchase from them?

from the news blog


SONY is now facing lawsuit but they are still holding out.

Although Sony has done some minimal damage control -- last week it released a patch that revealed the once-hidden files -- it continues to refuse comment and makes it extremely difficult to obtain an uninstaller.

Sony has yet to post any links to the patch or uninstaller on its Web site.

In other Sony BMG news, a slew of security firms warned Thursday of the first appearance of malware that uses Sony's rootkit to hide from anti-virus programs.

Dubbed "Backdoor.Rycos" by Symantec and "Stinx.e" by Sophos, the Trojan arrives as an attachment to an e-mail purportedly from a British business publication. If the attachment is launched, the Trojan copies itself as "$sys$drv.exe" to the hard drive. Any file beginning with "$sys$" is automatically cloaked by the XCP rootkit.

"Sony's DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting," said Graham Cluley, senior technology consultant for Sophos, in a statement Thursday. "We wouldn't be surprised if more malware authors try and take advantage of this."

The Trojan opens a backdoor on the compromised PC, and takes commands from its controller to, for instance, install additional files or delete data.

...

"What Sony is saying with this software is that 'Our intellectual property is more deserving of protection than your intellectual property,'" Kamber told the Post.

from yahoo news