Topic: Sony CD Copy Protection Relies On Hacker Rootkit
« Reply #15 on: November 11, 2005, 11:42:10 »
AplusWebMaster

FYI...

Sony halts music CDs with anti-piracy scheme
- http://www.msnbc.msn.com/id/10005667/
Nov. 11, 2005
"Stung by continuing criticism, the world’s second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.
Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the “XCP” technology as a precautionary measure. “We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,” the company said in a statement..."


This machine has no brain.
....... Use your own.
Browser check for updates here.
.
« Reply #16 on: November 11, 2005, 12:48:49 »
Crowman

I guess that we out here in the real world have a strong voice after all. I suppose that the realization of poor sales (not only CDs either), the threat of lawsuits (which I hope no one drops) and having themselves labelled as purveyors of malware, have made Sony/BMG reconsider one of the biggest blunders in consumer history. While this seems like it means Sony/BMG wants to kiss and make up, I sure hope no one forgets this boneheaded move. I think it will take a long, long time before consumers can trust Sony again.

" it can't rain all the time ......... "
« Reply #17 on: November 13, 2005, 05:26:51 »
AplusWebMaster

FYI...

Symantec - SecurityRisk.First4DRM Removal Tool
- http://tinyurl.com/9mqs4



« Reply #18 on: November 13, 2005, 08:19:33 »
AplusWebMaster

FYI...

Sony DRM Rootkit to be removed automatically by Microsoft
- http://isc.sans.org/diary.php?storyid=845
Last Updated: 2005-11-13 14:36:09 UTC
"Microsoft says* 'Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems' 'and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software.'"
* http://blogs.technet.com/antimalware/

« Reply #19 on: November 15, 2005, 04:39:38 »
AplusWebMaster

FYI...

- http://www.sysinternals.com/Blog/
November 14, 2005
"...Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:
   1. Open the Run dialog from the Start menu
   2. Enter “cmd /k sc delete $sys$aries”
   3. Reboot ..."

« Reply #20 on: November 15, 2005, 12:29:11 »
AplusWebMaster

FYI...

Sony’s Web-Based Uninstaller Opens a Big Security Hole...
- http://www.freedom-to-tinker.com/?p=927
November 15, 2005
"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get..."

Sony to pull controversial CDs, offer swap
- http://www.usatoday.com/tech/news/computersecurity/2005-11-14-sony-cds_x.htm?csp=34
11/14/2005 11:01 PM

« Reply #21 on: November 15, 2005, 13:21:26 »
AplusWebMaster

More...

- http://www.theinquirer.net/?article=27714
15 November 2005
"...Blatant stupidity in the 'cure is worse than the disease' category... FTT goes into detail. It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony's problems, and you are still a criminal. That's what you get for buying music."

« Reply #22 on: November 15, 2005, 15:26:02 »
AplusWebMaster

FYI...

- http://www.freedom-to-tinker.com/?p=927
"To see whether CodeSupport is on your computer, try our CodeSupport detector page:
- http://www.cs.princeton.edu/~jhalderm/xcp/detect.html

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del "%windir%\downloaded program files\codesupport.*"

« Reply #23 on: November 16, 2005, 04:03:57 »
AplusWebMaster

FYI...

- http://www.freedom-to-tinker.com/?p=928
"...You can tell whether you are vulnerable by visiting our CodeSupport detector page.
If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form... In its place is the following message:
'November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.'
This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk..."

« Reply #24 on: November 17, 2005, 17:10:14 »
AplusWebMaster

FYI...

Welcome To Planet Sony
- http://www.doxpara.com/?q=sony
Submitted by Dan Kaminsky on Tue, 2005-11-15 09:28.
"Sony.
Sony has a rootkit.
The rootkit phones home.
Phoning home requires a DNS query.
DNS queries are cached.
Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .
So what did I find?
Much, much more than I expected.
It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows... unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident..."

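The cache test described in the post above, as an added example that is not part of the thread or of Kaminsky's own tooling: a query sent with recursion disabled is answered only from the name server's cache, so the answer count shows whether some client behind it already looked the name up. The hostname and the sample replies are constructed placeholders, and nothing is sent on the network.

```python
import struct

QR, AA, RCODE_MASK = 0x8000, 0x0400, 0x000F

def build_nonrecursive_query(name, txid=0x1234):
    """DNS A query with the RD (recursion desired) bit cleared: cache-only lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_reply(query, reply):
    """Return 'cached', 'not-cached' or 'inconclusive' for a reply to `query`."""
    if len(reply) < 12:
        return "inconclusive"      # too short to hold a DNS header
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & QR:
        return "inconclusive"      # not a reply to this query
    if flags & RCODE_MASK or flags & AA:
        return "inconclusive"      # refused/error, or the server hosts the zone itself
    return "cached" if ancount else "not-cached"

def constructed_reply(query, flags, ancount):
    """Constructed sample reply: echo the question, append `ancount` A records."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    header = query[:2] + struct.pack("!HHHHH", flags, 1, ancount, 0, 0)
    return header + query[12:] + rr * ancount

# Placeholder name; the thread does not give the phone-home hostname.
QUERY = build_nonrecursive_query("phone-home.example")
SAMPLES = {
    "seen":    constructed_reply(QUERY, 0x8080, 1),  # QR+RA, one answer from cache
    "unseen":  constructed_reply(QUERY, 0x8080, 0),  # QR+RA, nothing cached
    "refused": constructed_reply(QUERY, 0x8085, 0),  # RCODE 5 (REFUSED)
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(label, classify_reply(QUERY, reply))
```

A name server that refuses non-recursive queries from outside clients lands in the inconclusive case, which is the behaviour an operator wants if the cache contents should not be readable by strangers.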
« Reply #25 on: November 18, 2005, 05:30:20 »
AplusWebMaster

Hmmm...

- http://www.wired.com/news/print/0,1294,69601,00.html
Nov. 17, 2005
"... That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.
Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.
What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.
Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?..."

« Reply #26 on: November 18, 2005, 10:23:35 »
AplusWebMaster

FYI...

Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole
- http://www.freedom-to-tinker.com/?p=931
November 17, 2005

(Arrgghh!)


« Reply #27 on: November 24, 2005, 07:06:37 »
AplusWebMaster

But first, a few questions:

Sony-baloney
- http://www.securityfocus.com/columnists/370
2005-11-22...

...not many answers yet.


« Reply #28 on: December 08, 2005, 05:37:59 »
AplusWebMaster

FYI...

- http://www.wired.com/news/print/0,1294,69763,00.html
Dec. 07, 2005
"...The software used a Microsoft Windows feature called AutoRun that executes software on a CD without the user's knowledge or consent. Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA. By the next day, the company had backed down in the face of public outrage. Looking back, Halderman says, "The whole experience was a whirlwind.... The response was way bigger than (anything I'd) expected"..."

« Reply #29 on: December 09, 2005, 04:17:57 »
AplusWebMaster

FYI...

Not Just Another Buggy Program
- http://www.freedom-to-tinker.com/?p=944
Thursday December 8, 2005 by Ed Felten
"Was anybody surprised at Tuesday’s announcement that the MediaMax copy protection software on Sony CDs had a serious security flaw? I sure wasn’t. The folks at iSEC Partners were clever to find the flaw, and the details they uncovered were interesting, but it was pretty predictable that a problem like this would turn up...if you decline the MediaMax licence agreement, and the software secretly installs itself anyway, you will face risks that you didn’t choose. You won’t even know that you’re at risk. All of this, simply because you tried to listen to a compact disc. Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax...."

(More detail at the URL above.)
