Sony CDs Install Spyware: Firm

[Evi]

Some BMG CDs install spyware when played on computers, a CA report says.
November 8, 2005

Sony’s music group is spying on thousands of listeners who play its music CDs on their computers, a security firm has alleged.

Computer Associates said new anti-copying software installed on Sony’s discs also secretly collects information from any computer that is playing the discs.

The Islandia, New York-based company’s eTrust security management division said Monday the media player that Sony ships with the CD spies on users, sending IP address and listening habits back to Sony and potentially to Sony partners. Sony does this without notifying users or gaining their consent, CA said.Researchers at CA found a 3MB download “patch” issued by Sony that installs without notice and permission of the user and cannot be removed. It also has a broken uninstall that removes a rootkit in a way that can cause Windows to crash.

A rootkit is a set of tools frequently used by an intruder after cracking a computer system. These tools are intended to conceal running processes and files or system data, which helps an intruder maintain access to a system for malicious purposes.

The user’s work computing environment could also be exposing information to the outside world as users bring these CDs to work and play them, causing corporate PCs to host the rootkit.

This controversy came to light last week in a blog entry by Windows computer engineer Mark Russinovich who came across a rootkit on his personal computer while running a security scan. He realized the source was a Sony BMG CD entitled Get Right with the Man by Van Zant carrying the digital rights management software that installed the rootkit on his computer.

Mr. Russinovich’s attempt to uninstall the software from his computer failed.          

 

Sony Denies Charges

Sony and United Kingdom-based First4Internet deny charges the software passes on user information to Sony or its partners. Sony first started installing the copy protection on its CDs eight months ago and it now runs on 20 of its titles.

First4Internet CEO Mathew Gilliat-Smith said his company and Sony have made some patches available on Sony’s web site to unhide the content-protection files on users’ computers.

“The intent [for this technology] is to provide protection to make it more difficult to make mass copies of the CDs,” Mr. Gilliat-Smith said. He said there was a theoretical security risk that existed from copy-protection technologies for which they were providing an upgrade patch as a solution.

Responding to CA’s charge that the system asks for personal information while downloading the uninstaller, Mr. Gilliat-Smith said the information is being used only to confirm the legitimate use of the uninstaller and not for any other purposes. He also said no spyware or consumer information is received by Sony or First4Internet.

 Mr. Gilliat-Smith said he has not heard of any instance in which users have had problems installing the patch. All the supposed security concerns raised have been addressed by Sony and First4Internet, he said.

 CA also reported that the place on Sony’s web site that invites users to request an uninstaller for the Sony applications requires them to give their identity, CD name, email address, and other data to the company that makes the rootkit and spyware software for Sony, First4Internet. After this disclosure, no uninstaller is made available.

Click Me

Spyware is T3H SuCK!!

This particular sony rootkit is also sweeping the net for it\'s "hiding" properties.  Lots of online games are now seeing working hacks that standard screening can\'t fight (like blizzard\'s scanner, punkbuster) - because people just are using the rootkit to hide the cheat proggies (or bots, or whatever) so that nothing in windows can see it.

It\'s !@#$ like this that MAKES people into PIRATES.

You can\'t uninstall it manually like you can other programs.  After all the bad press Sony offered an uninstall download off their site

what a pita

Well, in related news, I got a Sony Ericcson 800 Walkman phone the other week and installed its Disc2Phone software and it totally rooted my computer.

Now when I go START>Shutdown at the windows desktop the whole computer locks up and i have to reboot.

Uniinstalled it and didnt fix a thing.

FUD

 That\'s bad, Sony.

I have the ff-ing netword wm e75 atrac3plus player with Sonicstage installed.

I only have it on my offline workstation though. So they won\'t get any info from my pc. I never had crashes or lockups from Sonicstage either...

Originally posted by ##RaCeR##
Well, in related news, I got a Sony Ericcson 800 Walkman phone the other week and installed its Disc2Phone software and it totally rooted my computer.

Now when I go START>Shutdown at the windows desktop the whole computer locks up and i have to reboot.

Uniinstalled it and didnt fix a thing.

I have it too, but got no problems with it, you sure it\'s the software that\'s fucking up your computer?

[Evi]

Another article:

Sony BMG in court over anti-piracy

Sony BMG Music Entertainment, the world’s second largest music label, faces a slew of lawsuits in the US after PC security companies found that copy protection software included on some CDs made PCs vulnerable to hackers.

At least three lawsuits have been filed in California against the company, a joint venture between Japan’s Sony group and Germany’s Bertelsmann.

Sony BMG has declined to identify which CDs include the DRM (digital rights management) software identified by Kaspersky Labs, a Moscow-based PC security firm, and UK-based Sophos as a security vulnerability.

On Thursday Sophos claimed it had found the first “trojan” e-mail virus designed to exploit secret “rootkit” software that a number of Sony BMG music CDs install on owners’ computers when they are played.

This week the Electronic Frontier Foundation, a US-based consumer advocacy group, identified at least 19 Sony BMG music CDs that it claimed installed the software when played on a PC.

he software, created by UK-based First4Internet and known as XCP2, is designed to deter casual piracy by enabling record labels to limit the number of copies that can be made from an original.

However, critics including the EFF claim the software slows down PCs and makes them more susceptible to crashes and third-party attacks. “Since the program is designed to hide itself, users may have trouble diagnosing the problem,” the EFF said.

“Entertainment companies often complain that fans refuse to respect their intellectual property rights,” said Jason Schultz, the EFF’s staff lawyer. “Yet tools like this refuse to respect our own personal property rights. Sony’s tactics here are hypocritical, in addition to being a security threat.”

Sony BMG, which has yet to respond to the claims, was not available for comment.

http://news.ft.com/cms/s/16f8bba2-5219-11da-9ca0-0000779e2340.html