Webguy,

I was well aware of all the issues mentioned in the story, and it's been a favorite bitch session point for me for months.

Every year sales for the major labels are down. This year by almost 17%. They keep throwing money at these "protections", last year to the tune of almost $2 for every CD sold.

Why not just drop the price by $2? Why not add content like a dual disc with the DVD on the other side, so it's WORTH buying?

The thing with copy protection is this. For all the millions they spend, there will ALWAYS be a software to break it a few months later. Even if no one could create a software to circumvent the copy protection there is ALWAYS the most basic way to make mp3's of the music (I've done this for a few copy protected Madonna CD's).

You simply hook up your CD player to a computer and using the best cables you can find plug one end into the headphones port on the player and the other to the line-in port on the computer and using cool edit or another program record the disc in real time.

once ONE person has done that and the song is put on a peer to peer network, it spreads like wildfire.

THEY CAN NOT BEAT FILE SHARING. THEY NEED TO ADAPT to the new age and make adjustments to how they create revenue.

The old distribution model is gone, and instead of embracing the technology they are pushing people willing to pay for the music AWAY!

Finally, the most ironic part of it all is that many of the labels, Sony being the obvious one, are also in the hardware business. One arm is trying to copy protect CD's while the other arm is busy hawking the latest, greatest mp3 players and CD burners.

It drives me INSANE!

When a friend told me about this a few days ago, this was the first I'd heard of it on CDs. I knew DVDs were doing that and that it had been hacked.

The sad thing is that this kind of copy protection only makes it miserable for the honest people that buy the CDs . . . it doesn't stop the real problem.

Are the CDs that use the "protection" clearly marked as such?

bump - just in case

And it gets even slimier!

After Criticism, Sony Issues Fix for Hidden Rootkits



Walaika K. Haskins, newsfactor.com Thu Nov 3, 5:35 PM ET

Sony (NYSE: SNE - news) has admitted that it included a stealth rootkit on some music CDs shipped in 2005 and has issued an update to remove the hidden software one day after it was discovered. The company had drawn criticism from security experts who warned that the technology could serve as a tool for hackers.

The nearly undetectable monitoring utility, part of the company's digital-rights management (DRM) technology, was aimed at preventing consumers from producing illegal copies of CDs. The software installed itself automatically in Windows systems whenever a CD was inserted. Any files contained in the rootkit are invisible and almost impossible to remove.

Security expert Mark Russinovich of Sysinternals discovered the hidden rootkit and posted his findings on the company blog on November 1st. Russinovich wrote that although he checked in his system's Add or Remove Programs list, as well as on the vendor's site and on the CD itself, he could not find uninstall instructions. Nor, he says, could he find any mention of it in the End User License Agreement (EULA).

Stealth Tactics

A rootkit is a set of tools commonly used by hackers to circumvent antivirus software and control a computer system. Most rootkits are engineered so that common PC monitoring mechanisms cannot detect them. The rootkits are designed to tuck themselves in to the most basic level of the operating system and remain hidden from users.

A Finnish antivirus company, F-Secure, reported that it had spent several weeks recently trying to find the cause of some unknown files reported by a user who suspected an audio CD as the cause.

Mikko Hyppnen, chief research officer at F-Secure, said hackers could use the rootkit to insert their own files by inserting a simple command at the beginning of the file name that would render them undetectable by most antivirus software. On the F-Secure blog, Hyppnen wrote that he heard rumors that Universal is using the same DRM system on its audio CDs.

Privacy? What Privacy?

Although industry analysts said they cannot fault Sony's motives, some saw the company's initial failure to disclose the hidden technology as a violation of U.S. copyright laws. According to Jared Carleton, an analyst at Frost & Sullivan, Sony is overstepping the fair-use clause that gives consumers the right to make backup copies.

"[Sony] is saying, 'No, we are not going to pay attention to U.S. copyright law that's been generally accepted for the past 30 years,' " he said.

Carleton likened the hidden DRM to malware, and said it was no different than adware and spyware. He said that if Sony was shipping DRM-protected CDs, the company needed to put a notice on its packaging. Consumers understand that artists should be paid for their music, he said, but he added that consumers don't like this type of secrecy.

Andrew Jaquith, senior security analyst at Yankee Group, said the company behaved badly and that there could be a backlash. He said that the desire to protect intellectual property is understandable, but that Sony should have been upfront about its DRM technology, and would have been better off using industry-standard software.

"I haven't seen a single positive comment about this and it makes them look at little slimy," Jaquith said. "They should have been above-board and should have used software that they hadn't cobbled together themselves."

On the Web page containing the update, which enables users to detect and remove the rootkit, Sony said its technology did not pose a security risk. "This component is not malicious and does not compromise security," the company's post said. "However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

The fix can be downloaded at http://cp.sonybmg.com/xcp/english/updates.html.

So it looks like this doesn't make the CDs copyable . . . it just removes the rootkit that they installed when you put the CD in your computer.

If you put the CD in again, wouldn't it put the rootkit right back on there again?

I think you are on the right track JR. With the Internet and digital delivery, I think the artists are going to eventually realize that they don't need the record companies so much.

There may be sites for other types of music, but indieheaven.com is a service to independent Christian artists to get their music out. I believe that the site's fees are to handle orders and send out the CDs and that's all they do. I think the artists have to supply the site with their own CDs and keep their own area up to date.

It kind of looks like a good model to me.

I really feel the need to take a shower after reading that slimy stuff.

As a consumer. I should have the right to buy a copy of the music...and if I want to make a copy for my car or a compilation...its mine...I bought it.

It seems like the record companies are going after the "little" fish...the same fish that are keeping them afloat...bad move.....dont tick off your customer base...

Worried about sales...find some fresh new artists people want to hear...include added value in a disc like a cd-rom or dvd.

Speaking of fresh new artists...no Late Night Drive Disc will ever be manipulated with software....just good old fashioned music.

You're not alone JR.

I've read more and more stories now where people are really mad at Sony for this stunt. They are all saying the same thing . . . that they will never buy another Sony anything again.

Ok, so get this.

I restored my computer to October 30. That was a day BEFORE I downloaded that crappy patch from Sony.

So now the Cyndi Lauper disc plays, and if I use the software that came with it I can make up to three copies.

When I finished copying it I restored my computer again to remove the software.

I'll bet ANYTHING that there is actually nothing done to the disc itself, if I pop it back in now I bet it's reset to the full 3 burns, which would mean the protection is worthless.

I'll test my theory later tonight.

Another black eye for Sony....

Experts: Sony BMG Rootkit 'Fix' Only Makes Things Worse

Tuesday, November 15, 2005

BOSTON — The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony's suggested method for removing the program widened the security hole the original software created, researchers say.

Sony has moved to recall the discs in question. But music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

"This is a surprisingly bad design from a security standpoint," said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. "It endangers users in several ways."

The "XCP" copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond, and Celine Dion. Sony BMG said 4.7 million were shipped, with 2.1 million sold.

When the discs were put into a PC — a necessary step for transferring music to iPods and other portable music players — the CD automatically installed a program that restricted how many times the discs' tracks could be copied, and made it extremely inconvenient to transfer songs into the format used by iPods.

That antipiracy software — which works only on Windows PCs — came with a cloaking feature that allowed it to hide files on users' computers. Security researchers classified the program as "spyware," saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC's CD drive.

The program also gave virus writers an easy tool for hiding their malicious software. Last week, "Trojan horse" programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said. Trojans are typically used to steal personal information, launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.

But the uninstaller created a new set of problems.

To get the uninstall program, users were asked to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.

According to security experts, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.

"The consequences of the flaw are severe," Felten and Halderman wrote in a blog posting Tuesday after being tipped by a Finnish researcher, Matti Nikki. "It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."

On Tuesday evening, Sony BMG was preparing to release a safe new method for removing XCP. It was unclear when it might be available.

Other programs that knock out the original software are likely to emerge. Microsoft Corp. says the next version of its tool for removing malicious software, which is automatically sent to PCs via Windows Update each month, will yank the cloaking feature in XCP.

A Sony BMG statement Tuesday said the company would pull unsold CDs with the software from store shelves and let consumers exchange already purchased ones. On Friday the company had said it would halt production of CDs with the technology and "re-examine all aspects of our content protection initiative."

"We share the concerns of consumers regarding discs with XCP content-protected software," Tuesday's statement said.

First 4 Internet was not making any comment, according to Lynette Riley, the office manager who answered the company's phone Tuesday evening in Englan