More Sony Problems to Be Revealed

Several groups of privacy and security experts are expected to release research later today that points to multiple, serious security flaws present in "XCP," the anti-piracy software used on an undisclosed number of Sony BMG music CDs. (For the record, Security Fix observed that experts were busily searching for such flaws shortly after this whole fiasco began).

According to details provided by prominent security researcher Dan Kaminsky, the resulting public outcry could make Sony feel like the last two weeks of consumer backlash were a walk in the park.

Kaminsky will be unveiling research that indicates just how many computer networks have Sony's anti-piracy software installed on them. Kaminsky declined to be more specific, but numbers referenced in a class-action lawsuit filed Tuesday in New York against Sony and XCP maker First4Internet indicate that Sony sold approximately 3 million music CDs carrying the software.

"The net effect is that it's not in doubt that Sony has created a major security event on the Net," Kaminsky said in an online chat last night.

But wait, it gets ... er ... better. The researchers discovered a security flaw in XCP (which stands for "extended copyright protection") that could afford attackers a window through which to break into computers running the software and install additional software or viruses.

Kaminsky told me that one of the researchers involved in the investigation is Edward Felten, a professor of computer science and public affairs at Princeton University.

And indeed, Felten's blog -- Freedom to Tinker -- hints at the research he will release tomorrow along with Alex Halderman, a Ph.D. student at Princeton whose research includes digital rights management technologies, among them the software from SunnComm Technologies, a different anti-piracy program used on other Sony titles:

"Alex Halderman and I have confirmed that Sony's Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony's Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit. ... In the meantime, we recommend strongly against downloading or running Sony's Web-based XCP uninstaller."

(The name of Felten's blog is a nod to his prior high-profile legal dust-up with the entertainment industry over alleged violations of the Digital Millennium Copyright Act.)

I tried to contact Felten earlier today, and no doubt he was too busy with this research to grab the phone. I contacted Halderman by e-mail; he confirmed that "the uninstaller can create even worse problems than" those created by the anti-piracy software itself. Halderman said further details would be available on Felten's site later today.

One of XCP's most alarming traits for security researchers has been its ability to hide not just its own files on a user's PC but also any other files, viruses or worms that follow the program's file-naming rules -- hidden so well that even antivirus programs can't find them.
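The hiding behaviour described above is what defenders detect with a "cross-view diff": enumerate the same directory once through the file-system API the cloaking driver can filter, and once through a path it cannot (an offline boot, a raw volume read, or a listing saved before the CD was ever played), then flag every name present in the trusted view but missing from the API view. The following Python is an added example, not code from this post or from Sony or First4Internet. It assumes the prefix `$sys$` as the naming rule XCP applied (that detail comes from Mark Russinovich's published analysis, not from this page, which only says "file-naming rules"), and every listing in it is constructed sample data. It also shows why a scanner that relies on the filtered API cannot see a third-party file that merely adopted the prefix.

```python
"""Cross-view detection of files cloaked by a naming rule.

Added example, not code from the Security Fix post or from Sony/First4Internet.
A kernel-mode cloaking driver filters the results the file-system API returns,
so a name it hides is absent from a normal directory listing but still present
on disk. A "cross-view diff" compares two enumerations of the same directory:
the API view the driver can filter, and a trusted view it cannot (an offline
boot, a raw volume read, or a listing saved before the software was installed).
Names in the trusted view but not in the API view are hidden objects.

Assumptions beyond the page: the prefix "$sys$" is the rule the XCP driver
applied (from Mark Russinovich's analysis; the post only says "file-naming
rules"), and every listing below is constructed sample data, not real output.
"""

HIDDEN_PREFIX = "$sys$"  # assumed XCP cloaking rule, see module docstring


def rootkit_filter(listing, prefix=HIDDEN_PREFIX):
    """Model of what the cloaking driver does to an API directory listing:
    every name that starts with the prefix is dropped, whoever created it.
    The detector never calls this; it is here only to produce a realistic
    infected API view from the constructed trusted view."""
    return [name for name in listing if not name.startswith(prefix)]


def cross_view_diff(api_view, trusted_view):
    """Names present in the trusted enumeration but missing from the API one."""
    return sorted(set(trusted_view) - set(api_view))


def audit(api_view, trusted_view, prefix=HIDDEN_PREFIX):
    """Split the hidden names into those the known naming rule explains and
    those it does not; an unexplained entry needs a different explanation
    (a second cloaking mechanism, or a file removed between the two views)."""
    hidden = cross_view_diff(api_view, trusted_view)
    return {
        "hidden": hidden,
        "explained_by_rule": [n for n in hidden if n.startswith(prefix)],
        "unexplained": [n for n in hidden if not n.startswith(prefix)],
    }


# Constructed trusted view of one directory. The driver's own components and a
# third-party file that merely adopted the prefix are cloaked alike, which is
# the piggybacking problem the post describes.
TRUSTED_VIEW = [
    "setup.exe",
    "readme.txt",
    "$sys$cloak.sys",           # constructed stand-in for the hiding driver
    "$sys$player.exe",          # constructed stand-in for the DRM player
    "$sys$piggyback_worm.exe",  # constructed: unrelated file using the rule
]

# What a scanner relying on the filtered API would see on the infected box.
INFECTED_API_VIEW = rootkit_filter(TRUSTED_VIEW)


def main():
    report = audit(INFECTED_API_VIEW, TRUSTED_VIEW)
    print("API view      :", INFECTED_API_VIEW)
    print("Trusted view  :", TRUSTED_VIEW)
    print("Hidden by rule:", report["explained_by_rule"])
    print("Unexplained   :", report["unexplained"])


if __name__ == "__main__":
    main()
```

The detector's value lies entirely in the trusted view: if both enumerations go through the same filtered API, the diff is empty and the cloaked files stay invisible, which is exactly the position a conventional antivirus scanner was in on an XCP-affected machine.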

Last week, about the same time that someone mass-spammed several versions of a virus designed to take advantage of XCP's file-hiding abilities, Sony issued a "patch" to help users remove the file-hiding function. (The patch did not uninstall the program itself, which resists removal so effectively that security researchers have equated it to a "rootkit".)

But according to research to be presented tomorrow, that very same patch Sony issued to help close the security hole exposed by its software actually introduces additional security flaws.

While exposing oblivious users to additional risks when someone or something has already compromised their computer is in itself inexcusable, opening that user's system to backdoor security flaws and then paving the way for attackers to install whatever they please without fear of detection or removal is unconscionable.

Imagine the potential consequences of military personnel or government employees at work on a sensitive government network popping one of these CDs into their computer to listen to their favorite Sony-label music artist. If only half of this research turns out to be supported by the broader security community, Sony is about to find itself in big-league legal trouble.

Update, 2:46, p.m. ET: If you're coming to this link from Google News, Slashdot, or another news aggregator and are looking for the latest information stemming from the above post, check out the three posts Security Fix put up since this one, Researchers: Sony Patch Opens Huge Security Hole, Researcher: Sony DRM on Half a Million Networks, and Yet Another Flaw Found in Sony's Anti-Piracy Software. If you'd like to catch up on how we got to where we are in this whole Sony anti-piracy mess, we've created a new category called "Piracy" which lists every blog post on this subject going back to November 1.

By Brian Krebs  |  November 15, 2005; 1:24 AM ET
Categories:  Piracy  


I've had bad experiences with sony, but my psp is great! Well, other than the dead pixels :)

Posted by: I like my psp | November 15, 2005 2:10 AM | Report abuse

I had decided to buy Neil Diamond's new 12 songs CD until reading about this disaster. Sorry Neil but no way.

Posted by: Roy Atkinson | November 15, 2005 2:15 AM | Report abuse

I don't intend to buy any more Sony products ever again. Unfortunately, Sony's signed up some world-class musicians:

... just too bad, I suppose.

One drawback would seem to be that Sony owns so many record labels. Its name may very well become a blight on CD sales - but if so it can simply release music under a different label and one wouldn't realize it was Sony.

At least not buying the hardware - laptops, camcorders, etc. - is easy.

Posted by: Michael | November 15, 2005 3:17 AM | Report abuse

I hope that other companies and the RIAA are paying VERY close attention to this! People want freedom to listen to their music in their own way. If you treat customers like criminals it won't be long before you won't have any customers. If all this money spent on DRM was put into effective ways to deliver digital content to consumers in a fair manner then they wouldn't be in this mess. Steve Jobs is probably laughing all the way to the bank. Apple is a company who "gets" it and it's no coincidence that they are at the top of the market. If you treat customers fairly and give them what they want they will reward you for it.

Posted by: noitall | November 15, 2005 4:00 AM | Report abuse

This whole debacle sounds like an excellent way to further encourage the illegal distribution of music - last thing I'd want is to buy a "legal" copy that screws up my OS. I think I'd rather take the risk of connecting to P2P networks.

Posted by: Teper | November 15, 2005 4:22 AM | Report abuse

When are the artists going to complain to sony? It's THEIR albums that scores of people are going to avoid buying because of this atrocious action that sony took.


Posted by: Valis | November 15, 2005 4:50 AM | Report abuse

This also extends to Sony software. I installed 'SoundForge' and it also installs secret rootkit programming on the OS!

I'm also concerned because I regularly buy blank Sony DVDs to record on. Are there rootkits attached to the blanks that install when you try to make data copies on your computer? It would be relatively easy for Sony to use their blanks to infest unsuspecting consumers with malware in this way.

Thank heavens I download all my music safely and illegally from torrent sites!

Posted by: MarkoInBangkok | November 15, 2005 5:04 AM | Report abuse

I knew this fiasco was going to be incredibly damaging to Sony. But with additional (serious) revelations apparently forthcoming, I don't think it's inconceivable that Sony could be forced into bankruptcy (no hyperbole intended). This may go down as the most significant self-inflicted murder-suicide of a global corporate titan in memory - Enron and WorldCom notwithstanding.

Posted by: Tom | November 15, 2005 5:27 AM | Report abuse

I'm not ever going to buy Sony after my last purchase of PS2. I personally think they are worse than spammers.


Posted by: Artbell | November 15, 2005 5:53 AM | Report abuse

These guys have GOT to be braindead. Not just one or two but the entire company. Where was legal when they wrote the EULA? You think one attorney would have stood up and said, "eh hey guys, baaad idea." And what jug head thought first of all nobody would ever find out that they were doing this AND that people wouldn't care? This is something I would expect out of Jebbs Software company not out of guys like Sony!? I had been a loyal Sony customer but no longer. If I can't even trust plugging in their software and devices, I can't buy their crap.

Posted by: M. Starr | November 15, 2005 6:28 AM | Report abuse

Do you think that covert software like this can be called a rootkit even in the absence of a malicious payload, or is it enough for there to be a possibility of a malicious payload from a third party alongside a legitimate, but hidden software install? I think this is best described as a hidden vulnerability and not a malicious practice. Doesn't the Sony disclaimer state their intentions before you install? In any case it would be an intractable problem if there is no way to avoid a dangerous uninstall.

Posted by: MST | November 15, 2005 6:32 AM | Report abuse

I have to laugh about this. If you had real computers at least you would have been warned. Apparently this whole thing was a swipe at Apple Computers. Talk about karma. Wake up world, Mac users unaffected and working. Windows whiiiiiiiiiiine away.

Posted by: Road Warrior | November 15, 2005 6:33 AM | Report abuse

The DMCA was just a mad power grab, and we let them do it. What did you expect? And are you naive enough to think that Sony is alone? How odd--the corporations make the laws by buying the legislators. They don't pay taxes (for the most part), they don't die and they are sociopathic by design ("Our Interests Come Before All Else").
It's going to get worse before it gets better, and quite frankly, I can't wait for it to get unspeakably worse so folks will wake the f___ up.
Did that seem too dark? Sorry.


Posted by: AI Crew | November 15, 2005 6:42 AM | Report abuse

As an OS X user, I'm afraid to say that Road warrior is wide of the mark. While OS X is a relatively secure OS it can't protect against this kind of attack - no OS can - and it's important for their safety that OS X users grasp this.

(1) You need admin privileges to install the Sony Trojan on Windows XP and you have to choose to run the installer and to accept the EULA. Otherwise, nothing is installed.

(2) There is similar malware from another of Sony's subcontractors, SunnComm, that targets Mac users.

Let's be clear: this is not some drive-by infection; it is a classic case of getting more than you expect when someone's "social engineering" persuades you to run an installer. It's a Trojan Horse program - people click through in order to get a promised "enhanced experience", and while they do get some additional content they also, unawares, get (rootkitted) spyware on their system.

No operating system in the world is going to save someone who accepts an invitation from the maker of a Trojan. And this is why it is such a serious matter that an apparently respectable company has started distributing them.


I have very little time for Rob Enderle but for once he gets it right. He suggests that Sony may well have just put themselves out of business. He also suggests that they have harmed themselves before by their own greed and simply failed to learn their lesson:

"DRM is clearly on track to be the death of Sony unless something changes. Sony, who owned the iPod predecessor, the Walkman, should have owned the portable MP3 player space. A few years ago the company flew a number of us to Japan to see their then new players and they were, as is often the case, gorgeous. Small, attractive, easily the equivalent of anything Apple has later done with one massive exception: the DRM implementation was so nasty you would have had to have been insane to buy the product."

Posted by: Mike | November 15, 2005 6:57 AM | Report abuse

In other news - Sony's DRM software flagrantly and deliberately violates the intellectual property rights of others, by including code from the LAME project. So that's the end of their 'necessary defence of IP' argument.

Posted by: Phyle | November 15, 2005 7:07 AM | Report abuse

Is anyone aware of a listing of Sony CD titles affected by this mess?

Posted by: Brian H. | November 15, 2005 7:17 AM | Report abuse

claims to have a list of affected titles (47 so far)

Posted by: no-name | November 15, 2005 8:37 AM | Report abuse

I would have to say that eMusic is more consumer friendly than what Steve Jobs is offering. No DRM, tracks cost a third, and you can easily redownload anything if a file gets lost or corrupt. You won't find chart topping artists at eMusic, but I don't buy or need most of that stuff anyways.

As someone stated Sony/BMG controls a huge catalog of music, so boycotting them at that level can be tough. I'm biting the bullet in order to get Kate Bush's latest, just recently bought an excellent Roky Erickson anthology that's distributed by Sony/BMG.

This is one list of CDs using the XCP software.

Posted by: kosmo vinyl | November 15, 2005 8:42 AM | Report abuse

USA Today article: "Sony to pull controversial CDs, offer swap"

Posted by: Steve | November 15, 2005 8:49 AM | Report abuse

I think ALL Sony CDs should be yanked from the shelves until this is straightened out. I've already got a name for this event: The Week The Charts Imploded.

Also, I noticed the other day that there's a Sony brand of blank CD-r out there. I wonder if they come pre-packed with any surprises.

Posted by: just john | November 15, 2005 9:13 AM | Report abuse

More good news:

It looks like Sony breached a code license with some of the software included in their rootkit.

How ironic! A program to protect copyright infringement infringes on copyright.

The web site for this news is in Dutch and a site with an English translation is down at the moment.

original site:

Posted by: Gary | November 15, 2005 9:15 AM | Report abuse

Sony is on my total sh*t list. No sony products of any kind are coming into my house ever again. They can't be trusted.


Posted by: Anonymous | November 15, 2005 9:15 AM | Report abuse

Sony is on my total sh*t list. No sony products of any kind are coming into my house ever again. They can't be trusted.

Posted by: Tyler | November 15, 2005 9:16 AM | Report abuse


As mentioned above, it appears Sony's root-kit actually violates copyright itself. This site is in English (unlike the link posted above)


Posted by: guest | November 15, 2005 9:56 AM | Report abuse

This has been the way Sony has done business for a long time. Sony products have been banned from my house for 3 years now after the bad laptop. Now I'm not even safe from my kids CDs! And I thought the Betamax caused the family trouble!

Posted by: Previously Burned Sony Customer | November 15, 2005 10:04 AM | Report abuse

I think that the Consumer Products Safety Commission should start looking at things like this... and perhaps a recall is in order.

Posted by: PNM | November 15, 2005 10:38 AM | Report abuse

Sony are not just immoral but compulsive liars. Virtually every statement made by a Sony spokesman has turned out to be a lie. Then, when that's pointed out, they just shift ground and tell a new one.

"Sony says that only 20 titles, which it refuses to name, contain the XCP virus - software which attacks music piracy by attacking your PC."

It seems that is yet another lie:

"Reg reader Geoffrey McCaleb has found no fewer than 47 titles containing Sony's DRM rootkit. They are spread across several sub-labels owned by Sony-BMG, so it looks like a little finessing is going on."

Worse, their equally dishonest subcontractor is so incompetent that its web-based uninstaller is actually, if that be possible, *more* dangerous than the rootkit. The uninstall is so badly written that it actually allows "any web page you visit to download, install, and run any code it likes on your computer".

Perhaps it is better for anyone who is infected to eschew any "help" from the morons at First 4 and wait for Microsoft's Malicious Software Removal Tool to clean the mess up.

Posted by: Mike | November 15, 2005 10:42 AM | Report abuse

I have been noting a significant increase in the amount of Spam I've been receiving and a little thought brought the idea that perhaps this is tied with the College academic year. Let's see, if they start in late September, they ought to be in the grind about now and classes and the like have taken on somewhat a routine. That COULD mean that these kiddies are now using their computers to spam the nation.
Well, I'm a Capitalist and believe in the Free Market, but the possibility that I'm getting spammed via University Computer nets funded with my tax dollars is more than I can bear in silence.
Although this is the extent of what I have to say.

Posted by: B. Slasienski | November 15, 2005 10:43 AM | Report abuse

So, let me get this straight. People who did the "honest" thing and went and spent their money to buy the CDs are having to deal with this major Sony-inflicted security nightmare. Meanwhile, everyone who downloads music through bittorrents or other "illegal" means is worry-free. Gee, Sony, way to encourage the very piracy you're trying to stop . . .

Posted by: b'bye Sony | November 15, 2005 11:12 AM | Report abuse

This has to be the greatest self inflicted wound to any company ever. In fact it may be so bad that Sony may have just killed itself. Not only has it just converted countless legal music buyers to illegal pirates, it has damaged the reputation of ALL of its products. In fact I may buy an XBOX 360 instead of a PS3 because of this mess.

Posted by: Nickrangerx | November 15, 2005 11:44 AM | Report abuse

BOYCOTT SONY! BOYCOTT THE RIAA! DRM is not the answer to their problems. Consumers DO NOT WANT DRM. Support P2P it is not all illegal as they want you to think. Who wants the RIAA's terrible music anyway?

Posted by: RS | November 15, 2005 11:58 AM | Report abuse

Anyone know about other Sony products such as Acid Express, a music creation software? Every time I open it my firewall says it is trying to access the internet.

Posted by: Kenny | November 15, 2005 12:36 PM | Report abuse

I find it both laughable and totally irresponsible that the music industry continues to ignore the small business owner. Our company Media Wizard Inc. has a program that stops piracy of music. We've released an encrypted music CD. Using our software prevents media from being downloaded to the hard drive and the internet. It uses its own media player. Along with the media these dinosaurs of industry refuse to acknowledge the availability of a product that works. SONY contacted us last spring and refuse to give us a shot at the prize because with our technology it would eliminate the use of their proprietary products such as game tools and video recorders. This company is not interested in protecting their artists. They're interested in selling products that don't work and getting information to sell to marketing firms via snooping software.

Posted by: Chris Albert | November 15, 2005 12:52 PM | Report abuse

The CD software issue is bad enough, but digital camera users already know that Sony has another, less-publicized problem going on. Please read the following if you own a digital camera, camcorder or PDA that incorporates an image sensor. These companies, including SONY, are NOT proactively issuing a recall! You have to contact them if you own one of the affected products! Shame on Sony!!

Posted by: What's wrong at Sony??! | November 15, 2005 12:57 PM | Report abuse

One last thing ... this is what one techie had to do to get rid of the SonyCrap:

Posted by: What's wrong at Sony??! | November 15, 2005 1:02 PM | Report abuse

Let me get this straight. Customers that paid full price for Sony label CDs were rewarded for their patronage of Sony and compliance with the law with a stealth invasion of their computers which can't at present be fixed, but can be made much worse by Sony's download "fix" cobbled together and released after it got caught in the act of sabotaging customers' computers.

Sony's lame justification was that it just wanted to protect Sony from infringement of its copyrights by its customers. Clearly the software doesn't do that. It is spyware to prove and punish an abuse after the fact if it happens. Meanwhile it injures every customer naive enough to do business with Sony.

Why does Sony sell multi-media computers, mini-disc portables, and fixed disc portables if it does not want people to use computers to play multi-media on the computers or load the portables so we can listen to the music we bought when we work out at the gym?

I've three multi-media computers for family members and have mini-discs and several Walkman products and a Sony sound system. I will never again buy anything from Sony. Its misconduct in stealth-raiding computers, in the name of protecting the value of its copyrights, justifies voiding Sony's copyrights--call it the law of "unfair use" of copyrights.

Posted by: Mike Bergin | November 15, 2005 1:03 PM | Report abuse

I hope everyone boycotts Sony products from now on. What Sony did is unforgivable.
Let's boycott their products and drive their company into the ground.

Posted by: No More Sony | November 15, 2005 1:32 PM | Report abuse

I find it laughable that someone touts that music should be released only on CD-ROM, which one assumes isn't playable in a regular CD player.

It's also laughable that the record companies feel the need to assume that everyone that buys their products are automatically criminals and going to copy and put it on file sharing services...

Posted by: kosmo vinyl | November 15, 2005 1:55 PM | Report abuse

I have a brother that is a high-ranking Air Force officer. He listens to Sony CDs, and most certainly pays for each one (i.e., so Sony already got their $ from him).

I would like to hear how Sony feels justified to open his computer to spying, and potentially doing this themselves in an over-zealous attempt at "catching" him in the act. The judicial system will certainly find activities like this illegal as it PRESUMES THE GUILT of U.S. citizens.

Posted by: Shower_Singer | November 15, 2005 1:56 PM | Report abuse

It may be wishful thinking at this point, but IMO the collapse of the Sony/BMG empire would be a wonderful thing. Not only would it send a message to Universal, EMI and Warner not to try anything like this in the future, it would also inject some much-needed chaos into a music industry which has become so moribund that it can't produce any decent new music, just more bland offerings from sure-fire big-sellers and for "new" music, some rehashes of classic-rock cliches.

Posted by: james | November 15, 2005 2:28 PM | Report abuse

Personally, I think whoever was involved in the decision to put software like this on the CDs needs to do some jailtime. Lawsuits aren't going to stop behavior like this.

Also, Chris Albert of Media Wizard Inc, why would you develop a media format that infringes on the rights of consumers? Copying does not equal piracy. I own over 300 CDs and the first thing I do when I get a new one is copy it to my hard drive. Not only does this protect my CDs from wear and tear, but it's far more convenient for listening and transferring to a portable player. I have never downloaded an album, nor have I distributed my own copies. Yet, companies like yours try to make their money by preventing honest consumers from using items they have purchased as they wish to. DRM makes me sick, but luckily I have only ever come across one worthwhile album that has any sort of copy protection.

Posted by: Anonymous | November 15, 2005 3:18 PM | Report abuse

I found the fix to this mess, LINUX

Posted by: Gilvar | November 15, 2005 4:34 PM | Report abuse

Posted by: But wait, there's more! | November 15, 2005 6:14 PM | Report abuse

The piracy problem never would have happened without digital media. CDs did nothing for sound fidelity, but they did increase the cost of music to unaffordable levels. Why not go back to vinyl and vhs? Have you ever heard a third generation cassette copy. Awful, isn't it?

Posted by: Rod H. | November 16, 2005 6:16 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company