WARNING: Sony/BMG Music CDs - DO NOT BUY

Greebo
I'm not a big CD buyer myself, but I do understand computer operating systems somewhat, and what these CDs are doing to Windows users is BAD.

In short, the CD installs a low-level copy protection protocol that supersedes some very basic functionality of the computer, and if you remove it, your CD-ROM drive COMPLETELY fails and, as I understand it, only a clean reinstall of Windows fixes it at that point (clean meaning you format and reinstall everything, hopefully not missing anything in your backup beforehand).

I've also learned that Sony seems to think there's nothing wrong with what they've done here. I smell major lawsuits coming - several middle sized businesses have already had systems hurt by this little stunt.

Thanks to those who brought this to my attention.

Some relevant links:

http://www.sysinternals.com/Blog/

http://www.securityfocus.com/news/11352

http://www.stereophile.com/news/110705sony/

http://www.dashes.com/anil/stuff/doctorow-drm-ms.html
 
This is very real, and could have an impact on how you use your computer in the future...

More relevant links:

USA Today

BBC
 
I have to admit, since going the iPod/iTunes route, I haven't even browsed through CDs. I no longer have to buy 10 songs for one or two decent ones.
 
Can you say "Music Industry Shoots Self In Foot"?

I've been following this for the last week or so. It is possible to restore CD functionality, but not for the faint of heart:

http://www.sysinternals.com/Blog/
 
They also will not allow you to remove it without jumping through an insane array of hoops - that is, if you can FIND out how to even begin the request to uninstall it.

It is poorly written so it ties up your CPU checking every few seconds to see what you're doing. I had a co-worker going nuts for weeks because auto-play on his Dell wouldn't work. He never did get it fixed. I wonder if he ever tried playing a Sony BMG CD? Whattd'ya think?

This is going to be a MAJOR "NBC Dateline" Wall Street Journal story with a ton of damage to Sony. Geeks are already saying that they will not buy Sony anything.

The evil and arrogance here is amazingly blatant and insidious. This will (should!) also do a TON of damage to the RIAA and MPAA efforts right now to get a long list of new DRM laws passed in Congress. They want to effectively outlaw VCRs.

http://www.eff.org

Too bad I helped Jann buy a Sony HDTV CRT.

The first trojan using Sony's DRM to hide has been spotted in the wild:

http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/

Sony is in a HEAP O' TROUBLE!

They better have PR teams in overdrive.
 
So what we effectively have here is a major worldwide corporation writing computer viruses and deliberately sending them out in their packaged products to deliberately infect computers without the knowledge of the end user or even the system administrators of said systems. For all practical purposes they're going out of their way to make sure the end users do not know it's being done. The intent of the software appears to be to deliberately fail part of your system if you try to disable the virus. Does that behavior pattern sound familiar to anyone? This isn't even a computer software disk, it's music CDs. Sheesh.

If this were, say, proprietary company software not for public consumption and if you steal it you get what you deserve, that's fair game in my book. I write stuff like that all the time and some of it has been downright hostile and will tear the smithereens out of anything it can get its bits and bytes on - but it is exclusively a self-defensive anti-theft weapon for proprietary private-use software and hardware that absolutely no one else in the universe has any reason to be touching. That's a completely different situation from what Sony is doing.

That's all I need to know. I'll look into this further for verification purposes but pending no significant discrepancies:
WEF immediately: Sony. Banned. All products. UFN.

Greebo said:
Thanks to those who brought this to my attention.

Yeah. Thanks for posting this. If there is anything I have zero tolerance for on my computer, it is someone else trying to hack my system without my knowledge, and I don't care what they're doing. They have no business doing that. PERIOD.

Pop quiz: How long before hostile hackers use this to start obtaining information from your system without your knowledge. Probably already happening.

mikea said:
They better have PR teams in overdrive.

Here's my first question to the damage control PR team:
How do you intend to convince me to give you money for any products that you sell if you intend to hack my computer system and invade my privacy and personal security?
 
fgcason said:
Pop quiz: How long before hostile hackers use this to start obtaining information from your system without your knowledge. Probably already happening.
It IS already happening - there has already been at least one trojan style virus identified, as I understand it, that exploits this little bit of Sony Malware.
 
stupid question - this is literally if you just put it in, to play it? not burn it, copy it, do anything to it but play it?

and once it's on there, what happens next? if you even try to use a Kazaa type thing it nabs you, or locks your computer down? i.e. what if you don't even know to install it? will it slow your computer down?

this sucks. scumbags.
 
I haven't bought more than 3-4 CDs in the past year but now I'm going to check to see who made them!
 
woodstock said:
stupid question - this is literally if you just put it in, to play it? not burn it, copy it, do anything to it but play it?
You don't even have to play it. If you put one of these CDs in your (Windows) computer and you have autoplay turned on then it will install itself.

Linux / Mac are, of course, immune.
 
woodstock said:
stupid question - this is literally if you just put it in, to play it? not burn it, copy it, do anything to it but play it?
Just "play" it. Actually, just close the door on the CD drive with this CD in place. You do get a dialog telling you it's going to install a "viewer" or something. The hint of what it does is buried on page 3 of the legal agreement. It doesn't tell you it's a rootkit.

You can prevent "infection" by holding down the shift key while you close the CD or, better, by disabling "Auto-play" permanently.

Warning: Doing so may subject you to the penalties of the Digital Millennium Copyright Act, as well as me for just telling you about this method of "circumvention." Welcome to America.

woodstock said:
and once it's on there, what happens next? if you even try to use a Kazaa type thing it nabs you, or locks your computer down? i.e. what if you don't even know to install it? will it slow your computer down?
It is supposed to only let you make 2 copies and never copy anything to your iPod and tell Sony whenever you play a CD and check every 12 milliseconds to see if you're doing any of the preceding. Other than that, why worry?
woodstock said:
this sucks. scumbags.

I'm printing the "BOYCOTT SONY" bumper stickers right now.

http://www.boycottsony.com

Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
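The replies above give the practical defence: the software installs via AutoPlay, so holding Shift while inserting the disc avoids it once, and disabling AutoPlay permanently avoids it every time. On Windows that permanent setting is the Explorer policy value NoDriveTypeAutoRun, a bitmask with one bit per drive type numbered as GetDriveType reports them (CD-ROM is type 5, so bit 0x20). The Python below is an added example, not code from this thread or from any vendor: it parses a constructed .reg export and reports, per policy key, whether AutoRun is actually blocked for CD-ROM drives or only for other drive types. The two registry values in the sample are constructed, not taken from a real machine.

```python
import re

# Bit n of NoDriveTypeAutoRun disables AutoRun for the drive type that
# GetDriveType() reports as n (DRIVE_CDROM is 5, hence bit 0x20).
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved",
}
CDROM_BIT = 0x20
ALL_DRIVES = 0xFF  # the value that disables AutoRun for every drive type

# Constructed sample export (not from a real system): a machine-wide policy
# that still lets CDs auto-run, and a per-user policy that blocks everything.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

VALUE_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})$')


def parse_no_drive_type_autorun(reg_text):
    """Return {registry key path: integer mask} for every NoDriveTypeAutoRun
    value in a .reg export. Keys are the bracketed section headers."""
    masks = {}
    current_key = None
    for raw_line in reg_text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if match and current_key is not None:
            masks[current_key] = int(match.group(1), 16)
    return masks


def disabled_drive_types(mask):
    """Names of the drive types for which the mask disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def cdrom_autorun_disabled(mask):
    """True only when the CD-ROM bit itself is set; blocking other drive
    types does nothing for an audio CD in the tray."""
    return bool(mask & CDROM_BIT)


def audit(reg_text):
    """Summarise each policy key as (cdrom_blocked, [disabled type names])."""
    return {
        key: (cdrom_autorun_disabled(mask), disabled_drive_types(mask))
        for key, mask in parse_no_drive_type_autorun(reg_text).items()
    }


if __name__ == "__main__":
    for key, (blocked, types) in audit(SAMPLE_REG_EXPORT).items():
        status = "disabled" if blocked else "STILL ENABLED"
        print(f"{key}\n  CD-ROM AutoRun: {status}; blocked types: {', '.join(types)}")
```

The point of checking the CD-ROM bit separately is that a value which looks "hardened" because several bits are set can still leave CD drives auto-running; 0xFF is the unambiguous setting.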
 
mikea said:
I'm printing the "BOYCOTT SONY" bumper stickers right now.
(Columbia) (Epic) (Epic Legacy) (Columbia Legacy)

So...Stupid question time: How do you go about determining which CDs are Sony while standing at the store looking at them?

Granted I don't buy a lot; however, the best I can tell taking a random look at my collection, I have either (a) managed to never buy one or (b) it's not marked in a way that I can find the word 'Sony' anywhere on it, including the little book that's in the front of most CD cases.
 
fgcason said:
So...Stupid question time: How do you go about determining which CDs are Sony while standing at the store looking at them?

Granted I don't buy a lot; however, the best I can tell taking a random look at my collection, I have either (a) managed to never buy one or (b) it's not marked in a way that I can find the word 'Sony' anywhere on it, including the little book that's in the front of most CD cases.
There's a sticker which says "Copy protected."

Unless you agree you should be considered a thief and not a customer, don't buy any with such stickers. That way the music industry has fewer sales so they have the ammo so they can ask congress for a law that forces every citizen to buy a minimum number of CDs each month.
 
mikea said:
There's a sticker which says "Copy protected."

Unless you agree you should be considered a thief and not a customer, don't buy any with such stickers. That way the music industry has fewer sales so they have the ammo so they can ask congress for a law that forces every citizen to buy a minimum number of CDs each month.

I'm not sure there's any legal requirement for a CD to have a sticker which says "Copy protected", and if you bought a CD with this malware included, shouldn't you have the right to return it opened if you decide not to let Sony take over your computer?
 
lancefisher said:
I'm not sure there's any legal requirement for a CD to have a sticker which says "Copy protected", and if you bought a CD with this malware included, shouldn't you have the right to return it opened if you decide not to let Sony take over your computer?
There IS a requirement that only an AUDIO CD that meets the Red Book standard have the CD logo. You can note that these don't have the CD logo because they're hybrid data/audio, which is not Red Book compliant.


The EULA has some other fun stuff in it. If you have a judgement against you or file bankruptcy you have no license to listen to the music. If you lose the CD you can't listen to copies you made onto your computer. It has the provisions that are the foundation for the RIAA's wet dream: make you pay each time you listen.

http://www.gripe2ed.com/scoop/story/2005/11/10/03956/517

There's a report that some have a Mac OS X DRM system through a kernel extension on them. It's a lot harder to get the install to work on a Mac. You'll be prompted for your password because user accounts on Macs don't run as root.
 
mikea said:
There's a sticker which says "Copy protected."

Interesting. Well, I don't have any of those either. :cheerswine:

mikea said:
Unless you agree you should be considered a thief and not a customer

That's really good for business isn't it? Your customers are considered guilty criminals by default until proven guilty. Brilliant.

Well, I don't agree with their deceptive tactics so you call me a thief then. :D And while you're at it, sony should be considered a computer security terrorist also. Fair's fair.

mikea said:
don't buy any with such stickers.

That was the plan thus the question on how to identify them.
 
mikea said:
There IS a requirement that only an AUDIO CD that meets the Red Book standard have the CD logo. You can note that these don't have the CD logo because they're hybrid data/audio, which is not Red Book compliant.
I just read the comments of a guy who says he takes those back to Best Buy for a refund, saying it won't play.

BB: "We don't give refunds on CDs, sir."

"It's NOT a CD. Find me one place on it where it says it's a CD."

Refund given.
 
One of my partners in crime posted this on our gaming guild forums this morning.
From The Register

UK security firm Sophos plans to release a tool which will detect the existence of Sony's DRM copy-protection rootkit on Windows computers, disable it, and prevent it from re-installing.
The move follows the discovery of the first malware (a Trojan called Breplibot) that takes advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs to mask its presence on infected systems.
"Sophos is acting on customers' concern that the software on Sony's CDs is introducing a vulnerability which hackers and virus writers are able to exploit," explained Cluley. "We will give customers the ability to determine if their computers suffer from the vulnerability and remove it if necessary." The free download should be available today.
Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory. Once loaded in this way the malware will be invisible to anti-virus scanners. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the malware.
Sophos's tool will remove this cloaking behaviour but will not remove the software components installed by Sony-BMG, the deletion of which might cause system instability. But this very cloaking means it may not be obvious to users that they need the tool. Around 20 CDs from Sony-BMG which have shipped an estimated 2m copies around the world feature the controversial DRM technology, developed by UK security developer First4Internet. Sophos obtained advice from First4Internet in developing its tool.
We wanted to ask First4Internet and Sony-BMG what they intended to do to make sure their copy-protection technology wasn't abused by virus writers but neither returned our calls this afternoon.

Oh boy... SONY is in for it now...
http://www.cnn.com/2005/TECH/internet/11/10/sony.hack.reut/index.html
excerpt said:
New virus uses Sony BMG software

AMSTERDAM, Netherlands (Reuters) -- A computer security firm said Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc...
(Continued in the link above)

Well... I must say Sony has, by many accounts, been extremely arrogant about this little attempt to manage content. They ignored warnings about this being used as something to exploit by virus developers, and wondered at the top levels why computer users would care what they did to our operating systems...

They're about to find out why, I think.
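The Register piece quoted above states the whole mechanism in two sentences: anything whose name begins with "$sys$" is filtered out of what Windows reports, so the Trojan only had to pick a matching name, and a rootkit scanner such as RootkitRevealer finds the hidden files by comparing two views of the same directory. The Python below is an added example, not code from this thread, from Sophos, from First4Internet or from Sysinternals. It models the name filter and the raw view as plain lists and performs the cross-view diff a scanner does; apart from "$sys$drv.exe", which the article names, every file name in it is constructed for the demonstration.

```python
"""Cross-view detection of prefix-based file cloaking (self-contained model).

A cloaking rootkit sits between applications and the file system and drops
entries matching a rule from every directory listing. A cross-view scanner
requests the same directory through the filtered path and through a raw path
that bypasses the filter, then reports the difference. No real directory is
read here; both views are constructed lists.
"""

CLOAK_PREFIX = "$sys$"  # the prefix the article says the DRM driver hides

# Constructed raw view of a system directory: ordinary files, one file the
# DRM software itself would hide (invented name), and the piggy-backing
# "$sys$drv.exe" the article mentions.
RAW_VIEW = [
    "kernel32.dll",
    "ntoskrnl.exe",
    "$sys$example_drm.sys",
    "notepad.exe",
    "$sys$drv.exe",
    "drivers",
]


def filtered_view(raw_entries, prefix=CLOAK_PREFIX):
    """What a normal application sees: the hook drops every matching name.
    The rule is name-based only, so third-party files are hidden as well."""
    return [name for name in raw_entries if not name.startswith(prefix)]


def cross_view_diff(api_view, raw_view):
    """Entries present in the raw view that the API view failed to report."""
    return sorted(set(raw_view) - set(api_view))


def classify_hidden(hidden, known_own_files):
    """Split hidden entries into the vendor's own files and unexpected riders;
    a rider is exactly what a piggy-backing Trojan looks like."""
    own = [name for name in hidden if name in known_own_files]
    riders = [name for name in hidden if name not in known_own_files]
    return own, riders


def scan(raw_view=RAW_VIEW, known_own_files=("$sys$example_drm.sys",)):
    """Run the cross-view comparison; return (hidden, own, riders)."""
    hidden = cross_view_diff(filtered_view(raw_view), raw_view)
    own, riders = classify_hidden(hidden, set(known_own_files))
    return hidden, own, riders


if __name__ == "__main__":
    hidden, own, riders = scan()
    print("Hidden by cloaking :", hidden)
    print("Vendor's own files :", own)
    print("Unexpected riders  :", riders)
```

The diff is the whole detection: the filtered view cannot be trusted to describe itself, so the scanner never asks it what is hidden, it only asks what is present and compares.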
 
Sony caves...

The following is from Excite.com: http://apnews.excite.com/article/20051111/D8DQELK0E.html


WASHINGTON (AP) - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the "XCP" technology as a precautionary measure. "We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.

The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the CD and prevents them from loading the CD's songs onto Apple Computer's popular iPod portable music players. Some other music players, which recognize Microsoft's proprietary music format, would work.

Sony's announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology's ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.

Sony's program is included on about 20 popular music titles, including releases by Van Zant and The Bad Plus.

"This is a step they should have taken immediately," said Mark Russinovich, chief software architect at Internals Software who discovered the hidden copy-protection technology Oct. 31 and posted his findings on his Web log. He said Sony did not admit any wrongdoing, nor did it promise not to use similar techniques in the future.

Security researchers have described Sony's technology as "spyware," saying it is difficult to remove, transmits without warning details about what music is playing, and that Sony's notice to consumers about the technology was inadequate. Sony executives have rejected the description of their technology as spyware.

Some leading antivirus companies updated their protective software this week to detect Sony's antipiracy program, disable it and prevent it from reinstalling.

After Russinovich criticized Sony, it made available a software patch that removed the technology's ability to avoid detection. It also made more broadly available its instructions on how to remove the software permanently. Customers who remove the software are unable to listen to the music CD on their computer.

---

On the Web:

Sony's XCP Page: http://cp.sonybmg.com/xcp

Russinovich's Blog: http://www.sysinternals.com/Blog

Symantec warning:

http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html

Computer Associates warning:

http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid76345
 
They had to give in - what they did was extremely bad from a technical AND privacy angle.

They SHOULD have recognized this from the beginning but apparently they STILL don't.

Time to start being a lot more careful about what music CDs I put in my computers.
 
So basically, what I am hearing here is that since I can't play Sony music CDs on my computer, there is only one safe way to get their music.......

Looks like you need to dig out your eye patch and hook and do some pirating!!!!

:goofy:

--Matt
 
Dan Smith said:
Sony caves...

The score so far:
+1 point for stopping the despicable unauthorized hacking BS for the moment
-5,000 points for not stopping it permanently
-7,000 points for denying it's spyware
-10,000 points for not being on the reasonably trustworthy list
Off scale negative points for being deceptive and sneaky to start with

Dan Smith said:
nor did it promise not to use similar techniques in the future.

Bad move. :mad:

Dan Smith said:
Some leading antivirus companies updated their protective software this week to detect Sony's antipiracy program, disable it and prevent it from reinstalling.

That didn't take long.

Dan Smith said:
Symantec warning:

I'm clean. :)

The rogue said:
Looks like you need to dig out your eye patch and hook and do some pirating!!!!

Two reasonably easy near totally foolproof ideas come to mind... One is likely really hard to defeat, the other is near impossible.
 
The rogue said:
So basically, what I am hearing here is that since I can't play Sony music CDs on my computer, there is only one safe way to get their music.......

Looks like you need to dig out your eye patch and hook and do some pirating!!!!

:goofy:

--Matt

I would have never publicly said that pirating is the right way to avoid the overpriced CDs and nazi-like RIAA, but in this case:

Sony can go to hell. From now on out, I WILL pirate anything Sony offers if it's something I want. At least it will keep me from installing malware.
 
spread the word. I sent an email to many friends yesterday. the more people know, the more outcry there will be.

I so rarely buy CDs anymore, anyway.
 
fgcason said:
The score so far:
+1 point for stopping the despicable unauthorized hacking BS for the moment
-5,000 points for not stopping it permanently
-7,000 points for denying it's spyware
-10,000 points for not being on the reasonably trustworthy list
Off scale negative points for being deceptive and sneaky to start with

At the opposite end of the music business, the manner in which these companies have long dealt with artists and songwriters is no prettier.

-- Pilawt
 
Don't know if it's been posted, but the Dallas Morning News today said Sony would quit distributing these.

Usually, by the time something like this gets to me, it's pretty old news. That's why I was so good at pickin' stocks in the past--not.

Dave
 
Pilawt said:
At the opposite end of the music business, the manner in which these companies have long dealt with artists and songwriters is no prettier.

-- Pilawt

Yeah, no kidding.

I've seen the numbers and the way they're calculated. The only ones making money are the record companies.
 
Good news:
http://www.msnbc.msn.com/id/10050095/

Microsoft will be adding tools for removing this safely to their AntiSpyware program (still in beta but works great).

That will, hopefully, address the millions of users who might have been infested with this Malware but don't know about it or have the technical savvy to remove it themselves.

It's a big bad blow to Sony, too, that their software was deemed hazardous BY Microsoft.
 
Greebo said:
Good news:
http://www.msnbc.msn.com/id/10050095/

Microsoft will be adding tools for removing this safely to their AntiSpyware program (still in beta but works great).

That will, hopefully, address the millions of users who might have been infested with this Malware but don't know about it or have the technical savvy to remove it themselves.

It's a big bad blow to Sony, too, that their software was deemed hazardous BY Microsoft.

It's great to hear, but it doesn't change my opinion of a company that would resort to such underhanded tactics to stop pirating anyways.

Perhaps it would speak volumes if Sony beat Microsoft to the development and instead released a patch themselves that would remove the rootkit. Might not completely change my opinion, but it would help.
 
It's great to hear, but it doesn't change my opinion of a company that would resort to such underhanded tactics to stop pirating anyways.

Perhaps it would speak volumes if Sony beat Microsoft to the development and instead released a patch themselves that would remove the rootkit. Might not completely change my opinion, but it would help.
Oh, Sony did release a "removal tool" but it required such complicated hoop jumping that even seasoned geeks had trouble with it.

And how would Sony distribute their patch anyway? The only vendor authorized to run operating system level updates/patches on Windows is Microsoft themselves.

I agree - Sony BMG, and Sony by association, have lost tons of credibility. Their developers should have known they had no business tinkering with something so core to the O/S without getting the experts (Microsoft) involved. And the arrogance displayed by Sony ("Why should they care?") after discovery - well - let's just say I'm glad I cancelled my EQ2 account recently and switched to WoW.
 
Brian Austin said:
I have to admit, since going the iPod/iTunes route, I haven't even browsed through CDs. I no longer have to buy 10 songs for one or two decent ones.

After ripping the songs I wanted off of my CD collection I have not bought another CD. Plenty of iTunes have been bought though.
 
Greebo said:
Oh, Sony did release a "removal tool" but it required such complicated hoop jumping that even seasoned geeks had trouble with it.

Who would *trust* a "removal tool" from Sony? Takes more faith than I have to believe there wouldn't be another form of spyware buried in it. Kinda like buying a do-it-yourself explosive de-fusing kit from Al-Qaeda.

-- Pilawt
 
Worser and worser:

USA Today called this Sony thing a virus, which it isn't, but that's not exactly favorable publicity for Sony. Even an undersecretary of the DHS scolded the RIAA, "You own the content but you do not own the computer."

Researchers: Sony Patch Opens Huge Security Hole
As Security Fix warned in a post late last night, researchers have found new flaws in a program designed to remove portions of an anti-piracy software included in an unknown number of Sony BMG music CDs.

A patch that Sony issued a week ago when virus writers began taking advantage of the software's file-hiding capabilities actually introduces serious new security risks onto the user's machine, according to research released today by Princeton University computer science professor Edward Felten.

http://blogs.washingtonpost.com/securityfix/2005/11/sony_uninstall_.html

As a Slashdotter pointed out, the last thing that Sony needs to do, after they take easier measures like firing any exec that had anything to do with this fiasco, is apologize to consumers, which is a very big deal in Japan. They also need to apologize to their fellow RIAA members, whose plans for legislated control of all things audio have been severely damaged.
 
http://www.msnbc.msn.com/id/10069563/

sounds like they are recalling them.

question, if anyone knows... I bought a Sarah McLachlan CD in Vancouver in July. I have NOT taken it out of my CD deck in my car. does anyone know when this fiasco started? I don't have the wrapper for the CD anymore and now I'm afraid to put it in my computer - I would like it on my iPod but not if it's going to ruin my new laptop. (she is under Sony and mentioned in the article.)
 
Now its FORTY NINE TITLES???

Too little, too late on Sony's part. I've seen some numbers about the DNS requests - over half a million+ "phone home" connections have been made by this software. Only now, after the virus fighters and the O/S manufacturer themselves have stepped in to stop this software do they change their tune and announce that they'll distribute a removal tool?

Hey, guys - thanks but no thanks - the FIRST removal tool you wrote made computers *COMPLETELY* vulnerable to a very SIMPLE form of takeover attack.

Sony BMG should be off of EVERYONE's list of CD vendors from now on.
 