By Brian Krebs
washingtonpost.com Staff Writer
Wednesday, November 2, 2005 6:50 PM
Irate music fans who posted to dozens of online blogs vowing to never again buy Sony CDs as long as the company keeps using a suddenly beleaguered anti-piracy software program may find that their outbursts have been partially rewarded today.
On the heels of the Internet uproar over security concerns with its copyright-protection measures, the company that developed the software for recording-industry giant Sony BMG Music Entertainment says it is providing computer users with a "patch file" that will mitigate some of the features that alarmed security researchers when they were discovered earlier this week -- especially the program's built-in ability to hide files on the user's system.
Privacy and security experts charged that the technology built into many of Sony's music CDs since March is unnecessarily invasive and exposes users to threats from hackers and virus writers.
"Here you have one of the biggest name-brand corporations on the planet getting into what many people in other circumstances would consider hacking," said Richard Smith, a security and privacy consultant based in Boston. "That's just not acceptable."
Earlier this week, computer security researcher Mark Russinovich published an analysis showing that some new Sony CDs install software that not only limits the copying of music on the discs, but also employs programming techniques normally associated with computer viruses to hide from users and prevent them from removing the software.
Russinovich's findings -- posted on the Web site (http://www.sysinternals.com/) that he runs with another researcher -- indicated that the CDs in question use software techniques that behave similarly to "rootkits," software tools that hackers can use to maintain control over a computer system once they have broken in.
He found that traditional methods of uninstalling the program would not work, and that attempts at removing it corrupted the files needed to operate his computer's CD player, rendering it useless.
Sony spokesman John McKay said the technology has been deployed on just 20 titles so far, but that the company may include it on additional titles in the months ahead.
The music industry is aggressively defending its works from Internet and other forms of piracy, going so far as to sue individuals alleged to be trading large numbers of song titles online. The industry loses roughly $4.2 billion worldwide to piracy each year, according to the Recording Industry Association of America.
Russinovich discovered that the techniques employed by the Sony program to conceal its files from the user and to make them harder to remove could also be used by virus writers and hackers to hide malicious files on any computer running the anti-piracy program.
In response to criticisms that intruders could take such advantage, First4Internet Ltd. -- the British company that developed the software -- will make available on its Web site a software patch that should remove its ability to hide files, chief executive Mathew Gilliat-Smith said.
Russinovich called the offer of a patch "backpedaling and damage control in the face of a public-relations nightmare" and emphasized that users who try to remove the files manually after applying the fix will still ruin their CD-Rom drives.
Sony's move is the latest effort by the entertainment companies to rely on controversial "digital rights management" (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks like Kazaa and Limewire.
DRM technologies by their very nature need to be secretive, according to Peter Ullman, a partner with Woodcock Washburn, a Philadelphia law firm that specializes in intellectual property matters.
"If the software is put there to protect valuable content from being misused, then the software has to be able to protect itself from being subverted, so the companies that produce this security technology tend not to want to publicize how their technology works," Ullman said.
At issue is whether Sony has provided customers with adequate notice about what they can expect when installing the software, said Ari Schwartz, deputy director of the Washington-based Center for Democracy and Technology.
"Sony needs to be more transparent in how and what they're installing so that consumers can make informed decisions," Schwartz said.
Windows users cannot listen to tracks on the CD without agreeing to install the anti-piracy program, which merely advises that "it will install a small proprietary software program" that will remain there "until removed or deleted."
But according to Mikko Hypponen, director of research for Finnish antivirus company F-Secure Corp., users who want to remove the program may not do so directly, but must fill out a form on Sony's Web site, download additional software, wait for a phone call from a technical support specialist, and then download and install yet another program that removes the files.
Hypponen agreed that Sony's software could help hackers circumvent most antivirus products on the market today. He added that installing the Sony program on a machine running Windows Vista -- the beta version of the next iteration of Microsoft Windows -- "breaks the operating system spectacularly."
While the anti-piracy software allows consumers to make a limited number of additional copy-protected discs, it also imposes compatibility and portability constraints. Users of Apple Inc.'s iPod -- the dominant portable media player on the market -- have no way of transferring tracks from protected Sony CDs to their device, since Apple has not yet licensed its own DRM technology for use with copy-protected discs.
"We're still in this new digital era where the entertainment industry wants to protect ... their content, without due consideration of the consumer's right to use that content in a fair way," Russinovich said. "We need to have an open discussion as to where we should draw the line."
David Eisner, a blogger and software developer at the University of Maryland's Computer Aided Life Cycle Engineering Center, believes the record label's actions will ultimately backfire and drive otherwise legitimate customers to download pirated music from the online file-sharing networks.
"The people they're trying to stop from stealing their music are always going to find a way around these types of technologies," Eisner said. "Sony is just hurting people who obtain their products legally, and many of these same people are now going to think twice about doing so."