echo: nthelp
to: Geo
from: Mike `/m`
date: 2005-11-17 12:35:46
subject: Re: Sony is just stupid

From: Mike '/m' 

I'll repeat a question I asked on another thread.   Why is Sony
punishing those who buy the music they sell?

 /m


On Thu, 17 Nov 2005 06:13:30 -0500, "Geo" wrote:

>Well, this makes strike 2..
>
>Geo.
>
>http://software.silicon.com/security/0,39024655,39154285,00.htm
>
>
>Record label Sony BMG Music Entertainment said on Tuesday that it will
>recall millions of CDs that, if played in a consumer's PC, will expose the
>computer to serious security risks.
>
>Anyone who has purchased one of the CDs, which include southern rockers Van
>Zant, Neil Diamond's latest album, and more than 18 others, can exchange the
>purchase, Sony said. The company added that it would release details of its
>CD exchange programme "shortly".
>
>Sony reported that over the past eight months it shipped more than 4.7
>million CDs with the so-called XCP copy protection. More than 2.1 million of
>those discs have been sold.
>
>The company said in a statement: "We share the concerns of consumers
>regarding discs with XCP content-protected software, and, for this reason,
>we are instituting a consumer exchange programme and removing all unsold CDs
>with this software from retail outlets. We deeply regret any inconvenience
>this may cause our customers."
>
>The company made the announcement - its second public apology since the CDs'
>risks came to light last week - just as security researchers found several
>other potentially dangerous flaws in the software.
>
>Princeton University computer science professor Ed Felten yesterday wrote in
>his blog that he and a fellow researcher had confirmed that Sony's initial
>web-based uninstall tool - designed to uninstall the copy-protection
>software deposited by Sony's CDs - actually exposed a critical vulnerability
>on computers.
>
>The tool downloaded a program that causes a user's hard drive to accept
>instructions from websites. But the program remained active on the user's
>hard drive after it had been instructed to uninstall the Sony software. The
>program could then be triggered by almost any code from any website,
>including malicious instructions, the Princeton researchers said.
>
>Felten and fellow researcher J Alex Halderman wrote in their blog: "Any web
>page can seize control of your computer; then it can do anything it likes.
>That's about as serious as a security flaw can get."
>
>Sony later replaced that web-based uninstall tool with one that downloads a
>program with its own instructions, as opposed to one that accepts
>instructions from websites. The researchers said the new program appeared to
>be safe.
>
>For anyone who did use the earlier tool, the researchers' blog has
>instructions for removing the Sony component.
>Separately on Tuesday, security company Internet Security Systems released
>its own new advisory on Sony's software. It warned that flaws in the
>copy-protection software - not just in the early uninstall tool - could
>allow an attacker to take control of a user's machine.
>
>Previously, security researchers had spotlighted the online release of
>several Trojan horse viruses that piggybacked on the Sony software to hide
>their presence on hard drives.
>
>The Trojan horse software, once installed, automatically connects to an
>internet chat network and allows an attacker to take remote control of an
>infected computer.
>
>Although more than two million of the Sony discs have been sold, it's still
>unclear how many of those were actually played in a Windows-based computer,
>thus triggering the security risks. Sony notes that the copy-protection
>software is not activated on an ordinary CD or DVD player, or on a Macintosh
>computer.
>
>Security researcher Dan Kaminsky said he estimated that at least 500,000
>computers had installed the Sony software.
>
>Once installed, the Sony software can relay data, which indicates what CDs
>are being played, to an outside server. To relay the information, the
>software has to find its destination by contacting the internet's domain
>name system address servers, where a publicly available record of that
>request is left behind.
>
>Kaminsky said he counted more than 568,000 separate requests. The method
>counts any request coming from the same network but only once. So it might
>not include repeated requests coming from offices or schools, where numerous
>computers use the same network, he said.
>
>Kaminsky said: "The thing that's proved here is not the upper bound. This is
>a lower bound. This is a pandemic."
>
>Sony's copy-protection software was created by British company First 4
>Internet. The software is installed on a computer's hard drive when certain
>Sony compact discs are put in the CD player and the listener accepts a
>licence agreement.
>
>The software then hides itself using a controversial programming tool called
>a "rootkit", which takes over high-level access to some computing functions.
>The rootkit blocks all but the most technically savvy users from being able
>to detect its presence.
>
>Sony has worked with antivirus companies to help their products pierce this
>veil of invisibility, and has posted a patch on its website that will
>uncloak the hidden software. It also said it would temporarily stop
>manufacturing discs using the First 4 Internet tools.
>
>Lawsuits have been filed against the record label in California and New
>York, and others are expected.
>

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
