[Dixielandjazz] Sony CD hidden software redux redux

David Richoux tubaman at tubatoast.com
Wed Nov 16 08:50:11 PST 2005


So now their "fix" for the problem makes it even worse!

Dave R
=================================
Sony's fix worsens security hole
SAFE, NEW REMOVAL PROGRAM PROMISED
By Brian Bergstein
Associated Press
BOSTON - The fallout from a hidden copy-protection program that Sony  
BMG Music Entertainment put on some CDs is only getting worse. Sony's  
suggested method for removing the program widened the security hole  
the original software created, researchers say.

Sony has moved to recall the discs in question. But music fans who  
have listened to them on their computers or tried to remove the  
dangerous software they deposited could still be vulnerable.

"This is a surprisingly bad design from a security standpoint,"
said Ed Felten, a Princeton University computer science professor who
explored the "XCP" copy-protection program with a graduate student,
J. Alex Halderman.

When the discs were put into a PC, the CD automatically installed  
anti-piracy software -- which works only on Windows PCs -- with a  
cloaking feature that allowed it to hide files on users' computers.  
Security researchers classified the program as "spyware," saying it
secretly transmits details about what music the PC is playing. Manual  
attempts to remove the software can disable the PC's CD drive.

The program also gave virus writers an easy tool for hiding their  
malicious software, taking advantage of the cloaking feature to enter  
computers undetected, anti-virus companies said.

Sony BMG and the British company that developed the anti-piracy  
software, First 4 Internet, released a program that uninstalls XCP.

To get the uninstall program, users were asked to request it by  
filling out online forms. Once submitted, the forms download and  
install a program designed to ready the PC for the fix, making the PC  
open to downloading and installing code from the Internet.

According to security experts, the program fails to make the computer  
confirm that such code should come only from Sony or First 4 Internet.

"It allows any Web page you visit to download, install, and run any
code it likes on your computer," Felten and Halderman wrote.

Sony BMG said Tuesday evening that it was preparing to release a safe  
new method for removing XCP. It was unclear when it might be available.


On Nov 15, 2005, at 10:05 PM, Robert Pulliam wrote:

> From: <tcashwigg at aol.com>
> To: <dixielandjazz at ml.islandnet.com>
> Sent: Saturday, November 12, 2005 11:25 PM
>
>> Sony defended its right to prevent customers from illegally copying
>> music but said it will halt manufacturing CDs with the "XCP" technology
>> as a precautionary measure.
>
> Putting aside the hypocrisy of the major labels who themselves apparently
> engage in some shady practices as far as creative accounting and payment of
> royalties, this business with Sony seems like an expensive, invasive
> exercise and ultimately a pointless waste of time. I suppose there are
> hi-tech ways to beat their system, but the fact is, you don't have to be hip
> to any deep, dark computer secrets. Any CD that can be listened to can be
> copied. You can record internally using "what you hear" mode, or simply
> record from one computer's output to another's input. Or to any tape deck
> for that matter. The results may not be "perfect" if you examine the files
> with an audiophile magnifying glass, but I suspect those who engage in
> large-scale piracy aren't overly concerned with this issue.
>
> I'm not at all a proponent of piracy but I really hope some high-level
> people at Sony get their asses paddled over this.
>
>


