When did Gordon Gekko join the Rolling Stones?

Greed is good, apparently. That’s the takeaway I get from this story:

Rolling Stones tour with phones

Can’t make it to Europe for the current tour by the Rolling Stones? No problem.

Dial a toll-free number and listen to them perform all down the line in real time for $1.99 per seven minutes.

[…]

According to a statement, U.S. fans can buy in by calling [a toll-free number] from 8 a.m. to 5 p.m. Pacific time. At the six-minute mark, a voice will warn them that the time is almost up, which makes bootlegging the concerts a challenge.

I’m not sure which is more craptacular: The greed of the companies behind this, or the stupidity of anyone who would actually pay. Who is stupid enough to pay anything, even two bucks, to listen to seven minutes of a live concert over a freakin’ phone? I guess if a bunch of gazillionaires can convince their fans to cough up $100 each for a Platinum fan club membership that gives them the right to compete with other suckers, er, fans to spend $352.50 per ticket (plus convenience charges and handling fees) to see a rock and roll show.

Nice retirement plan you got there, Mick.

Windows Media Player 11 for XP due by end of June

What’s missing from Windows Media Player 11?

CNET is reporting that Microsoft plans to release an updated version of Windows Media Player for Windows XP within the next couple of months. It’s the same code, more or less, that will go into Windows Vista when it’s released at the end of this year:

Microsoft is on track to release a Windows XP version of Windows Media Player 11 before the end of June, the company confirmed last week.

Microsoft has been uncharacteristically tight-lipped about the XP incarnation. The company briefly demonstrated it at the Consumer Electronics Show in January but has said little since. Microsoft has said the XP version won’t have all the features of its Vista sibling, but the company won’t say which features will be excluded. The company also has yet to offer a public test version of the software.

What’s missing? A Microsoft document that was briefly available for public download last week has some answers – and raises a few new questions:

When running on Windows XP, the following Windows Media Player 11 features are not available:

  • Playing content (including DRM) on your PC from another PC or device
  • Viewing content from the Vista Media library on other PCs or digital devices, such as Tivo
  • Playback of High Value video content
  • Shell integration with Windows Media Player
  • Content Indexer change notification to sync My Music and WMP library
  • DVD Fullscreen playback enhancements
  • DRM Transcode
  • High quality video streaming over home networks
  • Media foundation for playback

A lot of the missing features are related to streaming DRM-protected content from a PC with Media Center features to other devices, especially modern extenders like the Xbox 360. Based on screen shots I’ve seen, the XP version of WMP 11 will have the much-improved interface of its Vista sibling. Will it be able to handle extra-large media libraries as quickly as the Vista version? Stay tuned.

The year’s first random 10

Haven’t done this in a while, so without further ado…

I am taking a different tack from the usual rules this time: This list consists of 10 tracks [*] I’ve listened to in the last 30 days and rated 4 stars or better. This week’s list is formatted as song title, artist, and album (in italics):

  1. Good Luck Charm, Vigilantes of Love, Audible Sigh
  2. The Mountain, Steve Earle and the Bluegrass Dukes (live recording), Just an American Boy
  3. Prison Grove, Warren Zevon, The Wind
  4. In the Name of Us, Honey; Shannon McNally, Geronimo
  5. Home to Houston, Steve Earle and the Dukes, The Revolution Starts … Now
  6. Tributo al Niño Rivera, Juan De Marcos’ Afro-Cuban All Stars, Distinto Diferente
  7. The Girl with No Name, The Byrds, The Byrds (Box Set)
  8. Am I Too Blue, Lucinda Williams, Lucinda Williams
  9. The End, Alejandro Escovedo, With These Hands
  10. Don’t Need You, Cowboy Junkies, Por Vida: A Salute to the Songs of Alejandro Escovedo

A lot of this stuff came from eMusic.com, which has become my favorite source of new music these days. [Full disclosure: If you click the link in the previous sentence and open a trial account, you get 50 free MP3s and I get a few bucks. This is one of a very small number of affiliate programs I belong to, and I highly recommend this company.]

[*It used to be 20.]

A sleazy QuickTime trick

In a perfect world, we’d be able to choose one media player for everything. In the real world, we need two or three media players to handle the mix of incompatible and proprietary formats available on the Web. So, although I don’t use QuickTime often, I keep a copy installed so that I can see video clips on sites that offer only Apple formats.

If you use QuickTime on Windows or a Mac and you haven’t updated it since January 10, you’re at serious risk. But be careful when you go looking for that security update or you may get more than you bargained for.

On January 10, Apple released a critical update for QuickTime designed to fix five separate vulnerabilities, any of which can result in “arbitrary code execution” if you simply view a specially crafted image file (QTIF, GIF, TIFF, or TGA) or a similarly doctored media file. The vulnerability exists on Windows XP, Windows 2000, and Mac OS X. Sounds at least as serious as the WMF exploit that Microsoft was pilloried for, and indeed it is. (It took 71 days for Apple to come up with the patch after this vulnerability was reported, by the way, but that’s a topic for another day.)

Being a security-conscious sort, I checked my version of the QuickTime Player and determined that it was hopelessly out of date. I had version 6.5.1 installed; these vulnerabilities are fixed in version 7.0.4. I tried the Update Software option from the QuickTime Player menu, but when it finished its quick download and installation I was only at version 6.5.2, and it told me I was completely up to date. So I headed over to Apple’s QuickTime site and was greeted with this page:

I’ve circled the two areas of interest on this page. See that big blue Free Download Now button? That’s what most people will click. I almost did, until I noticed the wording at the top of the page: “QuickTime 7 with iTunes 6.” I don’t want iTunes! But I need that security update. Maybe I should read the security bulletin again. Oh, dear. Right there at the bottom, it has the bad news:

APPLE-SA-2006-01-10 QuickTime 7.0.4:

For Mac OS X v10.3.9 or later
The download file is named: “QuickTimeInstallerX.dmg”
Its SHA-1 digest is: a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca

For Windows 2000/XP
The download file is named: “iTunesSetup.exe”
Its SHA-1 digest is: 1f7d1942fec2c3c205079916dc47b254e508de4e

Well, that’s odd. If I own a Mac, I can just get the QuickTime installer, but because I use Windows I have to install iTunes? Doesn’t seem right.

Hey, what’s that tiny link at the bottom of the QuickTime downloads page? The one that reads QuickTime Standalone Installer? Clicking that link from Internet Explorer installs the QuickTime ActiveX control. Clicking it from Firefox downloads a file called … QuickTimeInstaller.exe. No iTunes required. (Update: The QuickTime ActiveX control only loads in IE if it’s not already installed. The download link leads to the QuickTime installer, regardless of browser.)
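The bulletin above publishes a SHA-1 digest per download, but the Windows entry names iTunesSetup.exe, not the standalone installer. As an added example (not from the post, and not Apple's tooling), this script checks a downloaded file against the bulletin's digest table and reports when the file name has no bulletin entry at all, which is exactly the situation QuickTimeInstaller.exe lands in; the sample file contents are constructed so it runs offline.

```python
"""Check a downloaded installer against digests published in a security bulletin.

Added example, not part of the original post or of Apple's distribution.
BULLETIN_SHA1 copies the two entries quoted from APPLE-SA-2006-01-10.
"""
import hashlib
import hmac
import io
import os

# Filename -> SHA-1 digest, exactly as quoted in the bulletin on the page.
BULLETIN_SHA1 = {
    "QuickTimeInstallerX.dmg": "a605fc27d85b4c6b59ebbbc84ef553b37aa8fbca",
    "iTunesSetup.exe": "1f7d1942fec2c3c205079916dc47b254e508de4e",
}


def sha1_hex(data: bytes, chunk_size: int = 1 << 20) -> str:
    """SHA-1 of a byte string, hashed in chunks so large installers fit in memory."""
    h = hashlib.sha1()
    stream = io.BytesIO(data)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(filename: str, data: bytes, bulletin: dict = BULLETIN_SHA1) -> str:
    """Return 'ok', 'mismatch' or 'not_listed'.

    'not_listed' means the bulletin gives no digest for this file name, so
    nothing can be verified; treat it as a failed check, not a pass.
    """
    expected = bulletin.get(filename)
    if expected is None:
        return "not_listed"
    actual = sha1_hex(data)
    # compare_digest does not leak where the two hex strings first differ.
    return "ok" if hmac.compare_digest(actual, expected.lower()) else "mismatch"


def verify_file(path: str, bulletin: dict = BULLETIN_SHA1) -> str:
    """Same check for a file on disk, keyed by its base name."""
    with open(path, "rb") as f:
        return verify_download(os.path.basename(path), f.read(), bulletin)


if __name__ == "__main__":
    # Constructed sample bytes standing in for a download; not a real installer.
    fake = b"MZ constructed sample, not a real installer\n"
    print("iTunesSetup.exe:", verify_download("iTunesSetup.exe", fake))
    print("QuickTimeInstaller.exe:", verify_download("QuickTimeInstaller.exe", fake))
```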

This is a crappy way to do business, Apple. The security bulletin should reference the QuickTime installer, not just the iTunes setup file that happens to include the QuickTime Player. And if someone comes to your site looking for a critical security update, don’t push extra software on them.

Years ago, Real used to pull this same crap with their RealPlayer. When you visited the download page, you were steered into the trial version of Real’s subscription-based software, and it took a treasure map and a Sherpa to find the tiny link to the free player. It took a few thousand complaints, but Real finally wised up. Go to Real.com now and you’ll see two buttons of equal size: one offers a 14-day trial of its premium SuperPass product; the other is labeled Free Download. No magnifying glass required.

I never thought I’d say it, but Real is setting the standard when it comes to downloads. Apple, clean up your act.

Update: A visitor from Down Under comments that Real.com is up to its old tricks on sites outside the United States. After telling Real.com that I’m from Australia, I can see what he’s talking about. As a point of reference, here’s what the main U.S. page looks like:

Bob Dylan as DJ? Cool!

I don’t care one bit about Howard Stern, but this news makes me want to sign up for XM Radio:

[Bob Dylan] has signed on to serve as host of a weekly one-hour program on XM Satellite Radio, spinning records and offering commentary on new music and other topics, starting in March. The famously reclusive 64-year-old performer said in a statement yesterday that “a lot of my own songs have been played on the radio, but this is the first time I’ve ever been on the other side of the mike.”

I just noticed yesterday that DirecTV is now offering a limited selection of XM channels as part of its subscription (no extra fee to XM required), and I can also get access to a selection of XM channels via Media Center. If they were available as podcasts, I’d be deliriously happy!

Sony releases a rootkit remover

If you’ve been attacked by Sony’s XCP rootkit software, you can finally remove it. Here are the download links.

Remarkably, Sony has finally admitted that the XCP software is dangerous. Their announcement confesses:

CDs containing XCP content protection software developed by First4Internet for SONY BMG may increase the vulnerability of your computer to certain computer viruses.

The uninstaller allows you to completely remove the XCP software (good idea) or update it to a newer version that Sony claims is free of the rootkit component (do you feel lucky?).

Not so remarkably, Sony can’t resist the urge to say dumb things. Like this:

Please be advised that this [update/uninstall] program is protected by all applicable intellectual property and unfair competition laws, including patent, copyright and trade secret laws, and that all uses, including reverse engineering, in violation thereof are prohibited.

Yes, it certainly wouldn’t be appropriate for any security researchers to look closely at this software and determine whether it’s safe and effective. Especially given Sony’s track record so far.

Listen up, Sony!

In the comments to an earlier post, Ben Edelman makes a very smart suggestion:

I share your assessment that “Sony still has a long way to go.” In addition to the problems you raise, there’s also the question of whether and how Sony will provide meaningful notice to affected users. In http://www.benedelman.com/news/112105-1.html I show something of a novel approach — using Sony’s own “call-home” feature to send users a special banner ad describing the situation and users’ rights. Turns out Sony can do this with only a few lines of XML code placed on their web server. And I already ran a demo — using a HOSTS file to make one of my PCs look like Sony’s web server — to confirm that the banner system works as required.

Go look at Ben’s page. This is one of the best solutions anyone has yet come up with for the conundrum of how to recall a defective product that most users don’t even realize they have.

Sony and Amazon to take back XCP-infected CDs

Sony has finally agreed to take back its rootkit-infected CDs. Visit this page for instructions on how to print out a pre-paid label you can use to exchange the affected CD for one that doesn’t contain XCP copy protection. (Interestingly, this and a similar page at Sony’s Web site represent the first official list of CDs that use the XCP software.)

No word yet on whether the replacement CDs will use another form of copy protection.

Meanwhile, Amazon is allowing its customers to return any XCP-infected CDs. This announcement appears on the order page for any Sony CD that includes the XCP software:

This Sony CD includes XCP digital rights management (DRM) software. Due to security concerns raised about the use of CDs containing this software on PCs, Sony has asked Amazon.com to remove all unsold CDs with XCP software from our store. If you have purchased this CD from Amazon.com, you may return it for a full refund regardless of whether the CD is opened or unopened, following our normal returns process. Simply indicate that the CD is “defective” as the reason for return.

Sony still has a long way to go. There’s no indication that they are actually accepting responsibility for their actions. They still have issued no apology or admission that they really, really screwed up. And they haven’t made any public contact with the people in the community who identified this problem. In a world run by sane people, someone at Sony would have been in contact with Mark Russinovich within 24 hours of the identification of this problem.

(Via Brian Krebs’ Security Fix blog.)

Sony’s big Mac attack

IT Hub says Sony’s DRM Rootkit Comes in Mac Flavor, Too:

Imogen Heap’s new CD, “Speak for Yourself,” on RCA Victor (a BMG subsidiary), has an extra partition for “enhanced” content. Along with Windows files, there is a Mac file present called “Start.app.”

When run, a EULA is first displayed (which does inform the user that software is going to be installed without saying exactly what that software will do).

The user then is prompted by the program for a user name and password. After that information is provided, the program seemingly quits. However, it actually installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext, in the OS X system files.

These turn out to be part of a DRM codebase developed by SunnComm.

Will someone please tell me when the last cockroach crawls out from under Sony’s big mess?

Sony to recall CDs; researchers discover “serious security flaw”

A story filed late last night at USAToday.com says Sony has begun recalling CDs containing the XCP rootkit software from stores:

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

I haven’t seen this story elsewhere, and the statement quoted in the USA Today story isn’t on Sony’s Web site. If true, it’s yet another sign that Sony is finally beginning to realize how much it has messed up.

Maybe pressure from artists has something to do with the recall. The USA Today story quotes Ross Schilling, manager of the band Van Zant, which was an unwitting victim of the XCP malware:

“I said we’ve got to be proactive [about recalling these CDs], or it could destroy the business model,” Schilling says. “Sony should be in the artist business, promoting and selling records. This type of issue sheds a negative light on their ability to do that.”

[…]

[M]any artists have spoken out about all forms of copy-protected CDs, including Matthews, the Foo Fighters and Christian rock band Switchfoot. Bela Fleck and the Flecktones are set to release a new album on Sony in January, and it will not be copy protected, says Fleck’s manager, David Bendett.

Frustrated when he bought a copy-protected Dave Matthews release and couldn’t copy it to his Apple iPod, Fleck insisted that Sony not release his new album with such restrictions, Bendett says.

Meanwhile, do not use Sony’s Web-based uninstaller. Ed Felten and J. Alex Halderman of Princeton University just released their latest research, which shows that Sony’s quick-and-dirty response to the problem is a nightmare waiting to happen:

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

It’s important to note that this flaw is caused by the limited patch Sony has released, which disables the Aries.sys file-system filter driver but leaves the DRM files intact. What Sony needs to do, right now, is to put their full uninstaller online so that anyone who has this software on their system can completely remove all traces of it.

(Thanks to Walter for the USA Today pointer.)