P2P-Zone  

Old 16-11-05, 10:09 AM   #1
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017
Ending Not With a Bang But a Whimper - Sony Recalls CDs

CD's Recalled for Posing Risk to PC's
Tom Zeller Jr.

The global music giant Sony BMG yesterday announced plans to recall millions of CD's by at least 20 artists - from the crooners Celine Dion and Neil Diamond to the country-rock act Van Zant - because they contain copy restriction software that poses risks to the computers of consumers.

The move, more commonly associated with collapsing baby strollers, exploding batteries, or cars with faulty brakes, is expected to cost the company tens of millions of dollars. Sony BMG said that all CD's containing the software would be removed from retail outlets and that exchanges would be offered to consumers who had bought any of them.

A toll-free number and e-mail message inquiry system will also be set up on the Sony BMG Web site, sonybmg.com.

"We deeply regret any inconvenience this may cause our customers," the company said in a letter that it said it would post on its Web site, "and are committed to making this situation right." Neither representatives of Sony BMG nor the British company First 4 Internet, which developed the copy protection software, would comment further.

Sony BMG estimated last week that about five million discs - some 49 different titles - had been shipped with the problematic software, and about two million had been sold.

Market research from 2004 has shown that about 30 percent of consumers report obtaining music through the copying and sharing of tracks among friends from legitimately purchased CD's. But the fallout from the aggressive copy protection effort has raised serious questions about how far companies should be permitted to go in seeking to prevent digital piracy.

The recall and exchange program, which was first reported by USA Today, comes two weeks after news began to spread on the Internet that certain Sony BMG CD's contained software designed to limit users to making only three copies. The software also, however, altered the deepest levels of a computer's systems and created vulnerabilities that Internet virus writers could exploit.

Since then, computer researchers have identified other problems with the software, as well as with the software patch and uninstaller programs that the company issued to address the vulnerabilities.

Several security and antivirus companies, including Computer Associates, F-Secure and Symantec, quickly classified the software on the CD's as malicious because, among other things, it tried to hide itself and communicated remotely with Sony servers once installed. The problems were known to affect only users of the Windows operating system.

On Saturday, a Microsoft engineering team indicated that it would be updating the company's security tools to detect and remove parts of the Sony BMG copy-protection software to help protect customers.

Researchers at Princeton University disclosed yesterday that early versions of the "uninstall" process published by Sony BMG on its Web site, which was designed to help users remove the copy protection software from their machines, created a vulnerability that could expose users of the Internet Explorer Web browser to malicious code embedded on Web sites.

Security analysts at Internet Security Systems, based in Atlanta, also issued an alert yesterday indicating that the copy-protection software itself, which was installed on certain CD's beginning last spring, could be used by virus writers to gain administrator privileges on multi-user computers.

David Maynor, a researcher with the X-force division of Internet Security Systems, which analyzes potential network vulnerabilities, said the copy-protection feature was particularly pernicious because it was nearly impossible for typical computer users to remove on their own.

"At what point do you think it is a good thing to surreptitiously put Trojans on people's machines?" Mr. Maynor said. "The only thing you're guaranteeing is that they won't be customers anymore."

Some early estimates indicate that the problem could affect half a million or more computers around the globe.

Data collected in September by the market research firm NPD Group indicated that roughly 36 percent of consumers report that they listen to music CD's on a computer. If that percentage held true for people who bought the Sony BMG CD's, that would amount to about 720,000 computers - although only those running Windows would be affected. (Consumers who listen to CD's on stereo systems and other noncomputer players, as well as users of Apple computers, would not be at risk.)

Dan Kaminsky, a prominent independent computer security researcher, conducted a more precise analysis of the number of PC's affected by scanning the Internet traffic generated by the Sony BMG copy-protection software, which, once installed, quietly tries to connect to one of two Sony servers if an Internet connection is present.

Mr. Kaminsky estimated that about 568,000 unique Domain Name System - or D.N.S. - servers, which help direct Internet traffic, had been contacted by at least one computer seeking to reach those Sony servers. Given that many D.N.S. servers field queries from more than one computer, the number of actual machines affected is almost certainly higher, Mr. Kaminsky said.

Although antivirus companies have indicated since late last week that virus writers were trying to take advantage of the vulnerabilities, it is not known if any of these viruses have actually found their way onto PC's embedded with the Sony BMG copy protection software.

Mr. Kaminsky and other security and digital rights advocates say that does not matter. "There may be millions of hosts that are now vulnerable to something that they weren't vulnerable to before," Mr. Kaminsky said.

For some critics, the recall will not be enough.

"This is only one of the many things Sony must do to be accountable for the damage it's inflicted on its customers," said Jason Schultz, a lawyer with the Electronic Frontier Foundation, a digital rights group in California.

On Monday, the foundation issued an open letter to Sony BMG executives demanding, among other things, refunds for customers who bought the CD's and did not wish to make an exchange, and compensation for time spent removing the software and any potential damage to computers.

The group, which has been involved in lawsuits over the protection of digital rights, gave the company, which is jointly owned by the Sony Corporation and Bertelsmann, a deadline of Friday morning to respond with some indication that it was "in the process of implementing these measures."

Mr. Schultz said: "People paid Sony for music, not an invasion of their computers. Sony must right the wrong it has committed. Recalling the CD's is a beginning step in the process, but there is a whole lot more mess to clean up."
http://www.nytimes.com/2005/11/16/te...gy/16sony.html
Old 16-11-05, 12:57 PM   #2
RDixon
Registered User
 
Join Date: Mar 2001
Posts: 3,742

Lawsuits have already been filed both here in US and abroad.
Will most likely get class action status soon.
Sony stock tanking.
Heavy insider selling.
I wonder who is buying.
Old 16-11-05, 01:06 PM   #3
RoBoBoy
Registered User
 
Join Date: Dec 2002
Posts: 166

They created a good argument in support of not buying music CD's but instead, downloading them.
Old 16-11-05, 03:04 PM   #4
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

Quote:
Originally Posted by RDixon
Lawsuits have already been filed both here in US and abroad.
Will most likely get class action status soon.
Sony stock tanking.
Heavy insider selling.
I wonder who is buying.
so nice to see an riaa member getting sued for a change. few deserve it more.


Quote:
Originally Posted by RoBoBoy
They created a good argument in support of not buying music CD's but instead, downloading them.
yes, one of the best i've ever heard.

- js.
Old 16-11-05, 03:21 PM   #5
JackSpratts
Join Date: May 2001
Location: New England
Posts: 10,017

conservative global estimate of nodes infected by sony (in orange):

us -



w.europe -



source: wired

- js.
Old 19-11-05, 03:10 AM   #6
RDixon
Registered User
 
Join Date: Mar 2001
Posts: 3,742

Ironically evil:

"In the latest twist to the story, software engineers found earlier on Friday that the music player which is part of the XCP software contains components from an open source project, an MP3 player called LAME, raising questions about copyright."

story
Old 19-11-05, 09:53 AM   #7
Mazer
Earthbound misfit
Join Date: May 2001
Location: Moses Lake, Washington
Posts: 2,563

Look on the bright side. The ability to hide these kinds of files would eventually have been discovered by virus and worm programmers, and indeed since XCP came out a few rootkit viruses have cropped up, but with the kind of publicity this security hole is getting it will eventually be closed by a high priority Windows patch (though knowing Microsoft it won't be available until late next year). The system works, sort of.
Old 20-11-05, 09:05 AM   #8
Mazer
Earthbound misfit
Join Date: May 2001
Location: Moses Lake, Washington
Posts: 2,563

The rootkit and the lawsuits and the recall might make Sony BMG look bad, but I doubt it will slow sales much. What it will do is make music buyers double check the label before they put the purchased disk in their computers. Sony doesn't see this as bad publicity, they're banking on the public's perception of their CD's as hazardous to computers, thereby preventing those CD's from being copied whether they actually contain XCP or not. It obviously won't prevent copies from being made altogether, but it will cut that number by a considerable margin. In their war against piracy they've gained some ground, and they'll hold that ground until the aforementioned Windows patch is released, if ever.
All times are GMT -6.