Always good to see in a Saturday paper....
Sony halts anti-piracy software
Hackers can exploit secret copy-protect program in CDs - Carrie Kirby, Chronicle Staff Writer
Saturday, November 12, 2005
Sony BMG said it has temporarily stopped manufacturing music CDs containing a controversial copy-protection program after several Internet viruses took advantage of the software to attack computers.
"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," the company said in a statement Friday, referring to the secret program Sony included in some of its music CDs that would download itself onto hard drives unbeknownst to many customers.
Aside from stopping the production of CDs with the problematic program, the company said it will "re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use."
Sony has been criticized and sued by customers over the program, which was designed to slow music piracy by limiting the number of times a CD can be copied.
Many customers were angry that the program hides itself on computers where the CD is played and is difficult to remove without damaging the computer. Computer security experts warned that the technology the program uses to hide deep in the Windows operating system could open the door to dangerous Internet viruses.
As predicted, several viruses have begun piggybacking on the Sony program to attack computers, antivirus firms said Friday. Like most viruses infecting computers in the past year, the malicious programs are designed to take over computers and make them part of zombie networks, or botnets, that can be used to send spam or attack Web sites.
However, because the viruses will infect only computers whose owners happen to have bought and installed a Sony CD with this form of copy protection, they do not present a major security threat, anti-virus experts said.
"There's no reason to believe that this is going to be a huge problem," said David Cole, senior director of antivirus firm Symantec's Security Response team. He estimated that about 100 computers worldwide may have been infected with these viruses.
Without mentioning Sony by name, Homeland Security official Stewart Baker warned entertainment companies not to let their efforts to fight piracy endanger their customers.
"It's very important to remember that it's your intellectual property, it's not your computer," the Associated Press quoted Baker as saying at a piracy conference. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."
Sony has not said how many CDs with the program have already been sold or remain on store shelves. A phone call to a Sony spokesman Friday went unanswered. San Francisco's Electronic Frontier Foundation has identified 19 affected CDs, from a variety of artists including Neil Diamond, Celine Dion, Switchfoot and others.
The company has made a patch available on its Web site that removes the virus risk associated with the program. Anti-virus companies said their software can detect and remove the risky part of the program.
"We're glad Sony has stopped manufacturing the CDs, but they aren't out of the woods yet," said Jason Schultz, staff attorney for the foundation, which helped call attention to the problem recently. He called on Sony to recall the CDs it has already shipped, help people fix problems the program has caused and to disclose how many CDs and what titles carry the program.
"Simply halting production is like Exxon saying they will no longer ship oil along the Alaskan coast, but refusing to clean up the spills (that) have occurred," Schultz wrote in an e-mail to The Chronicle.
The first virus seen Thursday was ineffective and may have been designed to call attention to the weakness of Sony's program, antivirus experts said. But subsequent viruses that appeared Thursday and Friday looked like run-of-the-mill attempts to take over computers in search of illicit profit.
Virus writers sometimes embed messages in the code of a malicious program. When viruses or other attacks are carried out to send a political message, it's known as hacktivism.
"Certainly, there's nothing in the code ... thanking or cursing Sony," Cole said. "This didn't smack of hacktivism in any way."
Anti-copying systems have become more common on compact discs as music companies try to stem flagging sales, blamed in part on piracy. But the effort has been a struggle, because some anti-copying technologies have been easy to thwart and others, like this one, have angered customers.
--------------------------------------------------------------------------------
Controversial music software
What it's for: To prevent widespread CD copying from cutting into music sales.
The problems: The software can open up computers to virus risks or other problems, and attempting to remove it may damage the PC.
Which CDs? Sony BMG releases with the software include Trey Anastasio's "Shine," Celine Dion's "On ne change pas," Neil Diamond's "12 Songs" and Van Zant's "Get Right With the Man."
Web resources:
Sony answers questions about the software and offers a security patch: cp.sonybmg.com.
Mark's Sysinternals Blog explains the problems with the software: www.sysinternals.com/blog.