Sony: screwing up Windows PCs since 2002

Most of the coverage I’ve seen so far of the Sony rootkit disaster mentions that this software has been used for about six months. That must refer to the latest batch of copy-protected CDs, which use the First 4 Internet XCP code. But Sony’s been wreaking havoc with Windows for much longer than that. In fact, I’ve found evidence of problems dating back at least three years.

I started with this Google search, which turned up 29,000 links at Amazon.com that contained the words content AND enhanced AND protected. That doesn’t translate to 29,000 CDs, because the search results turn up multiple links to each CD. But it’s a starting point.

And then I started clicking and reading reviews. Early on, I found a comment from an Amazon customer who bought the soundtrack to Brown Sugar. The CD was released in September 2002, and this comment was posted in May 2003:

I knew I wouldn’t be able to copy selected songs to my PDA for my own private use when I purchased this CD so I have no complaints about that aspect of the copy-protection. I didn’t expect to have a hard time playing it on a computer, however. The ‘player’ that’s supposed to launch when you insert the CD into your drive is adequate *when* it plays. It took awhile to get the player and CD to do their thing the first time but it did eventually play. I had to restart my computer in order to use my standard player for other CDs and no CD is worth that much trouble. When I tried a second time the CD just plain wasn’t recognized so I tried it on another computer and that CD drive completely disappeared from ‘My Computer’, the CD never loaded and now I’m wondering what kind of re-configuring I have to do there. And, guess what – it also proves occasionally problematic on my new CD player which supports mp3s. I’m not a computer newbie and it’s not a matter of my not understanding. This is way beyond a minor inconvenience.

Sound familiar?

A comment attached to Healthy In Paranoid Times (Sony, August 2005) described similar problems and pointed me back to this dire warning at Sony’s Web site:

Sony Global – Urgent Message Regarding Problems Caused by Microsoft Windows Security Update Program MS04-032 (KB840987):

It has been confirmed that some of Sony’s application software(*) for managing music files on the PC may not work as originally intended, if a user installs Microsoft Windows Security Update Program MS04-032 (KB840987) on his/her PC. Sony has been investigating the cause of this problem as well as working on countermeasures in collaboration with Microsoft Corporation. A countermeasure program (KB887811) to remedy this situation is now available at Microsoft’s website as shown below.

Sure enough, Microsoft issued Critical Update for Windows XP (KB887811) in October 2004, more than one year ago, to fix the problem identified here.

After you install the MS04-032 (KB840987) Security Update for Windows on a computer running either Windows XP or Windows XP with Service Pack 1 and then try to run an OpenMG compliant music software, the OpenMG compliant music software may not run as expected or respond. Install this update to help resolve this issue. After you install this item, you may have to restart your computer.

OpenMG? What the hell is that? The KB article for that Critical Update has a long list of “OpenMG-compliant music software that includes the OpenMG Secure Module.” And not surprisingly, almost all of it is from Sony.

In response to an earlier post of mine, a commenter wrote:

Ed, Sony’s response is ignorant – but that’s because they don’t understand what a rootkit is and how damaging they can be. In fact, when NPR introduced the concept on the radio this morning, I was hardly surprised to hear a very garbled and oversimplified description of rootkit technology.

If Sony’s to blame, it’s because they tried to play with the computer equivalent of a sharp stick and accidentally hurt themselves. Now they’re bleeding and they don’t know what to do.

They’ll learn. Most of us are still learning about this. Only people like Russinovich really have a handle on this situation. I’m not trying to whitewash what Sony BMG is doing, but you have to allow time for the managers in suits to wrap their minds around this topic.

I place the blame squarely on First4Internet. These idiots should have known better. Their programming effort can only be described as a hack of the first order. It was sloppy to the point of carelessness.

The bottom line is that if DRM technology is going to include rootkits, then we need reasonable assurances that such rootkits are narrowly targeted, stable, and well written.

Sorry, no. Sony’s DRM has been causing major consumer headaches for years, and they don’t seem to care. In fact, they have graduated from sharp sticks to Ginsu knives to chainsaws.

And the notion that any software developer should be allowed to cloak its technology using rootkits is wrong, wrong, wrong.

I have a feeling that Windows Vista will block this sort of crude hack. Has anyone tried using one of these Sony CDs on a current beta of Windows Vista yet?

Sony’s phony patch

At Freedom to Tinker, Edward Felten says Sony is trying to weasel out of its obligations to come clean with customers:

Yesterday, [Sony and First 4 Internet] released a software update that they say “removes the cloaking technology component that has been recently discussed in a number of articles”. Reading that statement, and the press statements by company representatives, you might think that that’s all the update does. It’s not.

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert — falsely — that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.

Whoever is making these decisions at Sony has no idea how badly they are damaging the company’s reputation.
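One way to check a claim like "the update only removes one component" is to hash the install directory before and after applying it and see what actually changed. This is an added example, not code from Felten, Sony or First 4 Internet; the directory layout, file names and the `claimed_removed` set are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root to (size, SHA-256), keyed by '/'-separated relative path."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), digest.hexdigest())
    return manifest


def diff(before, after):
    """Sort every path into added / removed / replaced / untouched."""
    out = {"added": [], "removed": [], "replaced": [], "untouched": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            out["added"].append(path)
        elif path not in after:
            out["removed"].append(path)
        elif before[path] != after[path]:
            out["replaced"].append(path)  # same name, different content
        else:
            out["untouched"].append(path)
    return out


def audit(before, after, claimed_removed):
    """Separate what matches the vendor's stated change from everything else."""
    d = diff(before, after)
    extra_removed = [p for p in d["removed"] if p not in claimed_removed]
    return {
        "as_claimed": [p for p in d["removed"] if p in claimed_removed],
        "beyond_claim": sorted(d["added"] + d["replaced"] + extra_removed),
        "replaced_share": len(d["replaced"]) / len(before) if before else 0.0,
        "added_bytes": sum(after[p][0] for p in d["added"]),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed install tree plus a constructed 'update' (all names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"player.exe": b"v1 player", "drm/core.dll": b"v1 core",
                          "drm/cloak.sys": b"v1 cloak", "readme.txt": b"same"}.items():
            _write(root, rel, data)
        before = snapshot(root)
        os.remove(os.path.join(root, "drm", "cloak.sys"))   # the announced change
        _write(root, "player.exe", b"v2 player!")           # silently replaced
        _write(root, "drm/core.dll", b"v2 core")            # same size, new content
        _write(root, "drm/updater.exe", b"new component")   # silently added
        after = snapshot(root)
    return audit(before, after, claimed_removed={"drm/cloak.sys"})


if __name__ == "__main__":
    print(demo())
```

A snapshot taken on the live system only covers files the normal file APIs return, so anything a cloaking driver hides has to be listed from outside the running OS.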

Is Sony violating the law?

I’m not qualified to pass judgment on legal issues, so when I run across infuriating behavior like what Sony has been engaging in (see Sony wants to hijack your PC for background), I try to find an expert on the subject. For this question, I can’t think of anyone more qualified than Ben Edelman. He’s most famous as an expert on spyware, which is noteworthy given the spyware-like behavior of these copy-protected CDs.

I asked Edelman if he thought that Sony’s behavior was potentially illegal. Here’s his reply:

It all comes down to consent. If Sony’s EULA is taken to obtain a user’s consent for the installation, perhaps Sony is on strong ground. But if the “consent” procedure is deemed defective (too vague, too hard to find, no clear manifestation of assent, too inconsistent with the premise of buying a CD), suddenly Sony is in trouble — for a nonconsensual installation of software onto users’ PCs. One might reasonably accuse Sony of committing a trespass to chattels, or even of exceeding authorized access to a computer system (a Computer Fraud and Abuse Act violation).

I’m also struck by the fact these items, though apparently labeled as CDs and of course sold in CD stores, aren’t actually genuine CDs (as the official “red book” CD standard defines that format). Could Sony be committing fraud by claiming to sell users CDs, when in fact what Sony is offering is something else altogether?

There are a pair of 800-pound gorillas that might have something to say about that latter question. One is Philips, which owns the CD trademark and has been vocal about its objections to copy protection since at least 2002. If Sony is using the CD logo, they’re infringing on that trademark. The other party who might want to stomp on Sony is Eliot Spitzer, Attorney General of the State of New York, who has already taken on some big names in the spyware industry. I hope he’ll weigh in here.

Sony tries to stop the bleeding

When you shoot yourself in the foot, you can expect some bleeding. That, presumably, is why Sony and its partner in crime are rushing out a patch for the crapware that comes with their copy-protected CDs. CNET News.com has the details:

Sony BMG’s technology partner First 4 Internet, a British company, said Wednesday that it has released a patch to antivirus companies that will eliminate the copy-protection software’s ability to hide. In consequence, it will also prevent virus writers from cloaking their work using the copy-protection tools.

The record label and First 4 Internet will post a similar patch on Sony BMG’s Web site for consumers to download directly, the companies said.

“We want to make sure we allay any unnecessary concerns,” said Mathew Gilliat-Smith, CEO of First 4 Internet. “We think this is a pro-active step and common sense.”

This is a tiny, tiny first step, but unless they go a lot further, a lot faster, their reputation is shredded.

Free advice for Sony:

  1. Fire First 4 Internet immediately and publicly.
  2. Remaster the CDs with DRM-free versions.
  3. Offer free replacement CDs to anyone who purchased one of the rootkit-infected CDs.
  4. Provide toll-free tech support for anyone who experiences a problem with their Windows computer that they think is related to this software.

That would be a positive response.

Update: I’ve got one more idea…

Sony’s even sleazier than I thought

In the comments to my earlier post on the sleazy DRM software that Sony is pushing, Charles Arthur (who has a very cool new job) points out that I was mistaken to accuse Sony of installing this crap “without any notification or any attempt to obtain your consent.” Fair enough. As Charles points out, the original post from Mark Russinovich at Sysinternals.com includes a reference to the end-user license agreement (EULA) for the Sony DRM software that does indeed refer to a software installation and could be construed to be a notification. In fact, Russinovich’s post is unclear on this issue. He has posted a copy of the EULA for the DRM software (with a key clause highlighted in yellow), but that license agreement is not the one that pops up when you first insert the CD. To see that license agreement, read the F-Secure write-up. (I’ve posted a copy of the screen shot here.)

This is how the makers of spyware work. See anything in the first screen that says you’re about to install a hidden file-system filter driver that will run at all times and cannot be uninstalled? See the scroll box (the small handle in the scroll bar) on the right of the dialog box? Judging by the size of the box, I estimate that you would need to scroll through approximately 25 screens to read the entire license agreement, and way down at the end it includes this line: “The SONY BMG PARTIES may from time to time provide you with updates of the SOFTWARE in a manner that the SONY BMG PARTIES deem to be appropriate.”

Folks, this is how spyware makers work. They provide misleading end-user license agreements that they count on users ignoring. They fail to disclose the true purpose or impact of their product. They fail to provide removal tools. They reserve the right to update their sleazy software at any time without any further notice or consent.

It’s even worse than I thought.

Sony wants to hijack your PC

Mark Russinovich of Sysinternals.com has documented his experience with Sony’s new copy-protected CDs: Sony, Rootkits and Digital Rights Management Gone Too Far. It’s a bone-chilling story. According to Mark, just inserting one of Sony’s copy-protected CDs into your computer installs unwanted software on your computer. The software installs as a device driver that hides itself using techniques that are the same as those used by viruses and Trojan horses. It does this without any notification or any attempt to obtain your consent. Mark reports:

Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

Researchers at F-Secure were working on similar results at the same time and have now published their results:

Although the software isn’t itself malicious, the hiding techniques used are exactly the same that malicious software known as rootkits use to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits.

The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix ‘$sys, the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these techniques.

According to Mark’s research, anyone who tries to remove this crap will essentially disable their CD or DVD drive.
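An added example, not code from Russinovich, F-Secure or this post: a cross-view check of the kind a rootkit scan performs, comparing the file list the running system reports with a list taken from outside it, and separating cloaked files already attributed to the DRM package from anything else riding on the same prefix. The listings, the `known` list and every file name are constructed; only the `$sys` prefix comes from the F-Secure quote above.

```python
import ntpath

CLOAK_PREFIX = "$sys"  # prefix named in the F-Secure quote above


def norm(path):
    """Windows file names are case-insensitive: fold case and separators."""
    return ntpath.normcase(ntpath.normpath(path))


def is_cloaked(path):
    """True if any path component starts with the prefix (a hidden folder hides its contents)."""
    return any(part.startswith(CLOAK_PREFIX) for part in norm(path).split("\\"))


def triage(api_view, raw_view, known=()):
    """Compare what the running OS lists with what an offline/raw scan lists.

    api_view: paths returned by the normal file APIs on the live system
    raw_view: paths for the same volume from a scan that bypasses those APIs
    known:    cloaked paths already attributed to the DRM package (assumption:
              the analyst builds this list from a reference install)
    """
    visible = {norm(p) for p in api_view}
    attributed = {norm(p) for p in known}
    report = {"cloaked_known": [], "cloaked_unattributed": [], "hidden_other": []}
    for p in sorted(set(raw_view), key=norm):
        n = norm(p)
        if n in visible:
            continue  # both views agree on this file
        if not is_cloaked(p):
            report["hidden_other"].append(p)  # hidden by some other mechanism
        elif n in attributed:
            report["cloaked_known"].append(p)
        else:
            # The cloak hides by name only, so it cannot tell whose file this is.
            report["cloaked_unattributed"].append(p)
    return report


# Constructed sample listings (not taken from a real machine).
API_VIEW = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Users\demo\Music\track01.wma",
    r"C:\Users\demo\AppData\Local\Temp\setup.log",
]
RAW_VIEW = API_VIEW + [
    r"C:\Windows\System32\$sys-example\filter.sys",
    r"C:\Windows\System32\$SYS-example\player.dll",
    r"C:\Users\demo\AppData\Local\Temp\$sys-dropper.exe",
    r"C:\Users\demo\AppData\Local\Temp\other-hidden.bin",
]
KNOWN = [
    r"c:\windows\system32\$sys-example\filter.sys",
    r"c:\windows\system32\$sys-example\player.dll",
]

if __name__ == "__main__":
    for bucket, paths in triage(API_VIEW, RAW_VIEW, KNOWN).items():
        print(bucket, paths)
```

Entries in `cloaked_unattributed` are the case F-Secure warns about: files that are hidden only because their name starts with the prefix, whoever put them there.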

This is beyond sleazy. Whoever approved this software should be forced into court and made to pay damages. I’m not a lawyer, but it also could violate several criminal statutes.

Screw you, Sony. You’re not getting another dime from me in any way.

Follow-up: Sony’s even sleazier than I thought and Sony tries to stop the bleeding.

The woes of external USB hard disks

Alex Scoble writes about a friend who is using an array of external drives to manage a large media collection. It sounds like he’s having some of the same problems Thomas Hawk has reported:

Additionally, iTunes would stop playing after a while for no apparent reason. Only fix for the problem that I could find was to go into Device Manager and disallow XP from turning off the USB hub subsystems, which it does to save power. So far it sounds like that has worked.

Personally, I think the decision to use SATA drives and then connect them via a USB connection was ill-advised. External USB drives are acceptable for some applications, but I’ve seen and heard of enough problems in demanding digital media applications that I recommend strongly against using them. External SATA is the only way to go.

Alex also throws in an aside:

Trust me when I say that his system definitely requires the use of high quality MP3 or lossless audio files. The crappy 128kbit MP3s you get off of Napster or the Apple iTunes store definitely won’t cut it.

Amen.

I would never write a column like this

Slate’s Jack Shafer has a good old-fashioned bomb-thrower of a column that is guaranteed to piss off the cult of Mac:

The Apple Polishers – Explaining the press corps’ crush on Steve Jobs and company

I don’t hate Apple. I don’t even hate Apple-lovers. I do, however, possess deep odium for the legions of Apple polishers in the press corps who salute every shiny gadget the company parades through downtown Cupertino as if they were members of the Supreme Soviet viewing the latest ICBMs at the May Day parade.

More little tidbits:

Although staffed by dorks and drizzlerods, Apple projects itself and its products as the embodiment of style and cool. The population of Apple’s parallel universe? A paltry 1.8 percent of PCs worldwide.

[…]

Apple incites fanaticism about its products via ad campaigns and evangelist outreach programs designed to make its customers feel as though they’re part of a privileged and enlightened elite. One unnamed loser at Slate says today’s V-iPod news made her want to rush out and buy one, even though she already owns two iPods, one of which she bought three weeks ago.

[…]

Hell, all the press corps really needs to put Apple products in perspective is a few short-term memory neurons focused on the fanfare visited upon recent, mediocre iPod releases. Only a year ago the company received excited press notices when it introduced the iPod Photo, now acknowledged to be a failed product. I searched Nexis to find a mention of the iPod Photo in the hundreds of V-iPod newspaper stories from today and found only one. Of the wildly heralded but totally average iPod Shuffle, released in January 2005, I found only two.

When the V-iPod’s super-duper, long-lasting, big-screen replacement shows up in 12 months, the press will have forgotten this second-rate box, too.

Ironically, the curmudgeonly column is available in a podcast version.

Can we stop with the single-play DVD stories, please?

I know, I know. You’re as sick of this as I am, maybe more so. But The Inquirer amplified this weekend’s follow-up story in The Business, in which Tony Glover tried to defend his original report and only made it more muddled. And then Gizmodo picked up the Inky’s story, also without questioning it. Sigh. Both of those sites have many more readers than this one.

So, let’s see if we can put a wooden stake through this story, once and for all. Glover’s follow-up story hinges on this paragraph:

Alistair Baker, Microsoft’s UK managing director, told The Business: “Microsoft’s digital rights management [DRM] software generates a licence key to give the DVD content owner total control over how the content is viewed. This could mean watching a film only once, or over a limited period.”

He didn’t follow up with Microsoft to see if he was drawing the correct conclusion from Mr. Baker’s remarks, so I put in a call myself. I got this reply from Marcus Matthias, Product Manager of the Windows Digital Media Division:

Alistair Baker’s comments broadly addressed the capabilities of WM DRM. These capabilities are focused on digital distribution within the PC ecosystem and networked devices, and more importantly, for content in the Windows Media format. They do not extend to today’s DVDs which use MPEG2. As to how this applies to next generation DVDs, it doesn’t — there’s no connection with WM DRM. To address the original premise of the story, Microsoft has no plans to create a cheap, disposable DVD.

This is confusing technology. I got a few technical details wrong in one of my earlier posts, which I’ve since corrected following some discussions with the people who actually designed the Windows Media software. The HD DVD format will use Advanced Access Content System (AACS), not Windows Media DRM, which will be used for downloading content and streaming it over a network.

Anyway, I don’t know how much clearer it gets. No cheap, disposable, pre-recorded DVDs. No story.

An “unlikely” defense of the one-play DVD story

Tony Glover of The Business Online delivered his promised follow-up on the single-play DVD story one day early. Read it for yourself here:

The Business, the bloggers and Microsoft’s ‘one-play’ DVD

It doesn’t start out well:

One blogger going by the unlikely name of Ed Bott claimed to have carried out a piece of investigative journalism of his own to prove the story was a “hoax”. Though dismissed by other online commentators, Bott’s blog found favour with a hard core of dissenters on the internet.

I’ll have to tell my parents all about the unlikely name they chose for me. I certainly didn’t expect a professional journalist to start a serious defense of a controversial news story by making fun of my name, although I will give him credit for spelling it correctly. But let’s carry on…

Glover’s defense of his story is almost comical. Last week, he wrote, “Microsoft has developed a cheap, disposable pre-recorded DVD disc that consumers can play only once.”

This week, he unmasks his source and provides a quote:

Alistair Baker, Microsoft’s UK managing director, told The Business: “Microsoft’s digital rights management [DRM] software generates a licence key to give the DVD content owner total control over how the content is viewed. This could mean watching a film only once, or over a limited period.” [emphasis added]

Yes, it could mean that, exactly as I said in my earlier posts. But it certainly doesn’t mean that Microsoft is poised to unleash a new disposable disc format on the world, which was what the original story screamed. (It referred to the alleged new disposable disc format as a “revolutionary product.”)

I don’t see anything in Mr. Baker’s quote about “cheap” or “disposable” DVD discs. In fact, given the retooling costs involved and the greater complexity of the dual-layer HD DVD media, the new discs will probably cost somewhat more to make than current DVDs.

As I pointed out earlier today, the DRM components in the Windows Media format can be used in a variety of ways. Using the DRM toolkit, a content provider could choose to create digital media files that can only be viewed on the 28th day of any month between 1300 and 1400 GMT. Why they would choose to do so is another question completely. It would be a bad business decision, in my opinion, just as building a business around disposable DVD discs would be.

The real story, the one that Glover should have printed last week, goes something like this:

Next year, new optical discs in the HD DVD format will begin hitting the market. This format, a competitor to the Sony-backed Blu-Ray Disc, can be used to produce a hybrid disc that includes standard-definition content and high-definition versions on different layers. Consumers who play the new discs in standard DVD players won’t be able to view the new high-definition content. For that, they’ll need a new player or a personal computer running Microsoft’s Windows Vista, which is also due out in 2006.

[update: Some details in the following paragraph have been revised based on discussions with representatives of Microsoft’s Windows Media group]

The most controversial aspect of digital media is its support for Digital Rights Management (DRM). Microsoft’s Windows Media DRM strategy, which has been widely debated among experts in the digital media community, gives content distributors a wide range of tools to lock down content that is released in Windows Media format. They can limit the number of plays, or specify that a promotional video can’t be played past the date the film is released. These DRM technologies are used in online content distribution. Some content providers (MovieLink and CinemaNow) already offer Internet-based services that allow consumers to download movies on a pay-per-view basis; future services could take the form of all-you-can-watch subscriptions similar to the Napster and Yahoo music services.

Windows Media DRM is not, however, used in the HD DVD disc format. It uses the Advanced Access Content System (AACS), currently under development.

That’s the story I would have written [and then rewritten!], and I would have proudly tacked my “unlikely” by-line on it. But Slashdot wouldn’t have been interested in it, because it’s not news.

So, what’s missing from Glover’s story? How about a quote from one of the content providers who are dying to flood the market with these revolutionary new disposable DVDs? Somehow I think it’s highly unlikely that anyone from a major content producer has any such plans.