» Game Reviews
» Technology Features




- Join Here
- Terms & Conditions
- What is Writers Club?


TECHNOLOGY FEATURES
Hacking the consumer

"But the frightening thing is that Sony tried to do this to their customers, hide the fact and get away with it. I just don't trust Sony anymore. I will never buy another Sony artist CD."

Strong words from a consumer and just one of dozens of comments on the page for the artist Van Zant on Amazon.com.

What would bring such a response and drop the album's rating from 3.5 to 1.5 in a matter of hours? Last week the news hit that Sony's music CDs are shipping with code that masks activities of a program on a machine. Called a rootkit in the coding industry, the technology was used to hide Sony's Digital Rights Management (DRM) software from users and the system at large. The point was to stop piracy. Instead it turned into a scandal of "biblical proportions", according to tech site The Register.

Discovery

The man who found the rootkit adds a lot of weight to Sony's problem. Mark Russinovich is the chief software architect at Winternals Systems in Austin, Texas, but he's also a legend in software development circles and one of the leading experts on the Windows system. He discovered the rootkit while doing a routine scan of his system.

"Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I'd picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected [rootkit detection program] RKR to have a bug," he wrote on his blog. Subsequent investigation lead to his legal copy of 'Get Right With The Man' by Van Zant — a Sony artist. The rootkit is part of Sony's Xtended Copyright System (XCP), a DRM system that installs when you run Sony's media player on the CD; the music won't play without this player.

But when users install the player, the software also alters the Windows Kernel — essentially the core of the system — by installing a rootkit. Rootkits are traditionally used by crackers and usually indicate a compromised system. Crackers use the software to conceal programs in a system from administrators and security software.

Rootkits, while termed as Malware, aren't always malicious in intent though. "Rootkit detection programs have made rootkits more high-profile in the media, but this technology has been around for a long time and is used widely by anti-virus and other information security companies," explained Mathew Gilliat-Smith, CEO of First 4 Internet, the company responsible for XCP.

What went wrong?

Well surely if the measure is to stop piracy, a rootkit shouldn't worry the average user. President of Sony BMG's global digital business division, Thomas Hess, defended his company's technology accordingly on a radio show, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

But his comments already expose ignorance about one facet of the controversy. Users aren't informed that their systems are being altered; permission to install XCP is gained through the End User License Agreement (EULA), but these are rarely read by anyone and courts have previously sided with consumers who agreed to EULA statements without realising the consequences. Critics say that Sony should have made the procedure more apparent.

But even worse, there seems to be little you can do to un-install it. "Most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," wrote Russinovich. Removing the rootkit and DRM effectively disables the drives — and in the end the only means to get rid of it is to format and reinstall.

There is an uninstaller, although these are the instructions that Computer Associates got when they requested it:

  • User fills out online form and registers for download.
  • First email arrives.
  • User has to click link in email.
  • User has to download an activeX control which sends out unknown data to First4Internet.
  • User must provide more information.
  • Second email arrives telling the user to wait again.
  • Third email arrives eventually.
  • User has to click link and download second ActiveX control in order to download uninstaller.

That's a lot for what Hess terms as "most people" — and ActiveX controls are also generally considered to be security issues.

Digging deeper

So there are privacy concerns, but it doesn't stop there. The rootkit allows for a serious system vulnerability: it cloaks all files that use the $sys$ extension, not just the files used by Sony's DRM. This means that other coders can exploit this to sneak dangerous code onto machines with the kernel altered by XCP.

Then there is the matter of whether the rootkit sends back user information, including the system IP.

"[The DRM software] hides with generic file names, and then monitors your activity — in terms of what you type on your keyboard, what emails you send, websites you look at, websites you run and what windows you have open on your screen," Jason Schultz from the Electronic Frontier Foundation claims.

These have been refuted by First 4 Internet, who replied saying that no specific user data is being sent to them. But this can't be confirmed and the guy who might have the answer, Russinovich, fears prosecution under the Digital Millennium Copyright Act (DCMA), a vague US law that prevents anyone from revealing security details on a copyright management system.

Administrators have found problems with security applications. Some antivirus applications pick the code up as a virus, causing problems maintaining machines. Analysts point out that XCP can make entire networks vulnerable, because if one machine is compromised, it gives crackers potential access to machines connected to it. This poses a serious problem for companies and individuals — and it's not a small one either: an estimated two million CDs from Sony artists that use XCP have shipped since being introduced in early 2005.

Stopping the pirates

The point was to stop piracy. The music industry has been blaming falling sales on the booming file-sharing segment of the internet. Despite draconian measures by groups like the Recording Industry Association of American (RIAA), which included individual civil cases against anyone it could target, file sharing and music swapping is always growing with users simply shifting from one system to another.

Commentators say this is instead a matter of consumers choosing what they want to get, instead of paying stifling prices for a CD they only want a few songs from. iTunes proved this when Apple's service became a success story in every country it launched. Still, copying of music is perceived as a problem — despite several studies showing that music pirates actually purchase more songs than the average listener, the corporate ethos of profits above all has mainly sabotaged the music industry's transition into the digital age.

That's why the record labels keep implementing ways to stop pirates which just lead to hampering consumers. DRM has never been a success and DRM programs are quickly hacked or bypassed. Sometimes it doesn't even take any effort —' to bypass the very player and security on Sony's CDs, all you need to do is hold in Shift while inserting the disc.

Notoriously the first anti-piracy measure introduced to CDs a few years ago prevented playback on a PC, but someone found a workaround by blacking out a piece the disc with a permanent marker. Music companies want to protect their product, but to date the success rate has been pretty pathetic.

Usually the companies themselves are to blame. The DVD format was cracked by a Linux user; a court subsequently found in favour of him because the DVD consortium neglected to give any support to the platform, hence he had every right to crack and adjust the standard for Linux. A similar ruling hit Australia recently when the High Court declared mod chips legal (devices that bypass the regional and copyright security on consoles like the PlayStation 2), because high game prices were forcing gamers to import cheaper copies from other countries.

"These companies are trying to — in their effort to reduce copying — erode users' control over their own computers," says Ed Felton, a professor of computer science and public affairs at Princeton University in New Jersey. "I think we may continue to see problems like this. There are other companies that offer other kinds of copy-protection technologies, and there is a danger that they will stray across the line as well, or maybe even already have."

What's next?

Sony has a big problem here. The software has inadvertently created a massive security hole in a lot of systems, a bad move in a time where 'security' and 'malware' are big buzzwords. The company did release a patch, but this was criticised for being vague and not telling users what it specifically does, nor letting them opt-out if they want. Subsequent investigation found that the patch simply puts a halt order on anything the rootkit tries to do, but the problem is that in a multi-thread operating system like Windows this can cause a crash when resources are in contention.

Then there are legal woes. The ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filed a complaint alleging the technology contravenes Italian legislation. The group wants to expose those responsible and set a precedent about how far companies can go to protect themselves. Clearly it shouldn't be at the cost of the consumer.

The EFF also announced that it is investigating the events and might file a class-action lawsuit in the coming weeks. "This is exactly what happens with spyware that gets installed on people's computers, they have these 27-page license agreements in which you totally agree to let them infest your computer with all kinds of stuff you really don't want," Schultz said. "But it's all kind of buried in the fine print and I think to allow companies like SonyBMG to do the same thing is heading down a bad path."

Because Sony's EULA never declares what it plans to do ("As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program onto your computer"), this opens the door to several legal charges.

"These issues of consent are going to be squarely in front of any lawsuit that occurs; to what extent did these people actually know what they were consenting to, did they realise it and is that an appropriate way for Sony to get around these protections?" Schultz said. "I think from a consumer protection point of view, we have to err on the side of being over-protective of consumers because most people just click through these agreements."

This could also affect Blu Ray, Sony's contender in the standards war to replace DVD. Contender Toshiba's HD-DVD standard and Blu Ray will both use the Advanced Access Content System (AACS), but the former will be far more tolerant about users backing up and moving their movies to other formats. Blue Ray will also have a watermarking system, plus BD+, which can update a Blue-Ray system to battle workarounds to the security.

But Hewlett Packard already threatened to leave the Blu Ray stable if Sony doesn't lighten up about DRM. Sony says the movie studios want protection, but the studios and technology companies are divided on the formats (both Paramount and Warner already declared support for both) and analysts expect the decision will be made by the consumer.

Considering the public's response to XCP, Sony has a bit of work to do here to secure its future format and win back the confidence of the consumers. Maybe it's time for a paradigm shift on file sharing?