OT: Update--Sony BMG digs deeper hole

Comments

MH_Stevens wrote on 11/13/2005, 3:06 PM
SONY got caught and backing off. Let's keep an eye on them.


http://news.ft.com/cms/s/018223e4-52f0-11da-8d05-0000779e2340.html
John_Cline wrote on 11/13/2005, 3:29 PM
"Microsoft will update its security tools to detect and remove part of the copy protection tools installed on PCs when some music CDs are played."

"To protect Windows users, Microsoft plans to update Windows AntiSpyware and the Malicious Software Removal Tool as well as the online scanner on Windows Live Safety Center to detect and remove the Sony BMG software, the software maker said in its blog."

C|NET News Story

John
fldave wrote on 11/13/2005, 5:38 PM
I can see it now (parody/tongue in cheek):

"Oops. Our new XP patch removes all Sony software and now flags all Sony software as Spyware.

A fix will appear in our next scheduled XP update...In January"
baysidebas wrote on 11/14/2005, 9:20 AM
...when first we practice to deceive:

Spyware Sony seems to breach copyright
Posted on Thursday, November 10 @ 11:44:47 CET by brenno

GNU / GPL (Copyleft) The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

This article is a translation of this article I wrote for Webwereld.

It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.
This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.

Sony complied with none of these demands, but delivered just an executable program. A computer expert, whose name is known to the editors, discovered that the CD "Get Right With The Man" by "Van Zant" contains strings from the library version.c of Lame. This can be concluded from the strings: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".

But the expert has more proof. For example, the executable program go.exe contains a so-called array largetbl. This is a part used in the module tables.c of libmp3lame.

This discovery can have far-reaching consequences for the music giant, who claims only to protect copyrights. Previously, judges in Germany already forced various companies to release source code to the public and to deliver the goods necessary for compiling. It is also possible to demand financial compensation for damages.

Meanwhile, other details are also becoming clear. The Electronic Frontier Foundation complains that the spyware makes the legal listening to the music on iPods impossible. The organisation is busy making a list of CDs containing the hidden software and publishes this on its website.

Various calls to SonyBMG remained unanswered despite promises to call back.
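The quoted article's evidence rests on library fingerprint strings turning up inside go.exe. The following is an added example, not code from the thread or the Webwereld article, showing how an analyst would scan an executable for such markers; the sample "binary" is constructed, and the fingerprint list is limited to the LAME strings the article names.

```python
import re
from typing import Dict, List, Tuple

# Fingerprint strings the article attributes to LAME's version.c.
LAME_FINGERPRINTS = [b"http://www.mp3dev.org/", b"LAME3.95", b"3.95"]

# Constructed stand-in for an executable: header bytes, a few embedded
# printable strings, and the LAME markers the article mentions.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"\x00\x00go.exe\x00\x00\x01\x02"
    b"http://www.mp3dev.org/\x00\x00LAME3.95\x00\x003.95 \x00"
    b"\x7f\x45\x4c\x46largetbl\x00\x00\xde\xad\xbe\xef"
)

def extract_strings(blob: bytes, min_len: int = 4) -> List[Tuple[int, bytes]]:
    """Return (offset, string) pairs for runs of printable ASCII, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(blob)]

def match_fingerprints(blob: bytes, fingerprints: List[bytes]) -> Dict[bytes, List[int]]:
    """Map each fingerprint to every offset at which it occurs in the blob."""
    hits: Dict[bytes, List[int]] = {}
    for fp in fingerprints:
        start = 0
        while (idx := blob.find(fp, start)) != -1:
            hits.setdefault(fp, []).append(idx)
            start = idx + 1
    return hits

def lame_present(blob: bytes) -> bool:
    """Crude verdict: the mp3dev URL marker plus at least one version marker."""
    hits = match_fingerprints(blob, LAME_FINGERPRINTS)
    return b"http://www.mp3dev.org/" in hits and any(
        fp in hits for fp in (b"LAME3.95", b"3.95"))

if __name__ == "__main__":
    for off, s in extract_strings(SAMPLE_BINARY):
        print(f"{off:#06x} {s.decode()}")
    print("LAME strings present:", lame_present(SAMPLE_BINARY))
```

A string match alone is not proof of copied code; the article's stronger evidence is the largetbl data table, which would be compared byte for byte against the library's tables.c output.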
kladig wrote on 11/14/2005, 1:43 PM
I know this is a bit late, I just came across the posting by riredale (OT: Update—Sony BMG digs deeper hole).

There is a level of DRM apparent in the Vegas+DVD suite. If you purchased the retail box version as I did, this might enlighten you a bit. I bumped into this trying to set up an account to post another posting about the re-install of Media Manager after an uninstall.

Go to: http://www.sonymediasoftware.com/forums/Default.asp

Log in to your account

Select MyAccount/My Software

Use one of (or your only as the case may be) Serial Number(s) and enter it into the Serial Number box under Missing Products. Click Submit. You are then presented with the first page that would be used to register the product if it was not registered on-line during installation. Just select Other in the two drop downs and click Submit Form.

You are then presented with a page that requests your Serial Number AND ComputerID!

Click ‘what’s this’.

You are then presented with a page that tells you how to find your Computer ID. The text is as follows:

Sony Pictures Digital uses the computer ID of your machine to generate activation codes. Activation codes are used to activate our applications on your machine. Once the application is activated, you become entitled to technical support, upgrades, and other helpful information. Activation also allows us to keep track of your serial number for you. Use the following steps to find your computer ID.

Now that was interesting. I have been keeping track of my serial numbers for a good number of years now without the help of SONY, I’m sure I can continue to do so. Also, catch the subtlety, Sony Pictures Digital uses the computer ID of your machine to generate activation codes, not only will it run on just that machine, but it will only run on that physical processor chip with that ID.

The following describes what would take place on the first activation of the software after the initial install.
1. Double-click the application's icon and enter your serial number. If you do not have a serial number, select "I would like to run the Demo" or "I don't have a serial number." If your serial number returns a reply stating that it has timed out, select "I don't have a serial number" and click Next.

Item 1 is obviously for the downloadable versions. The only option I had from the retail package was to enter the serial number.

2. The following screen prompts you to go online to register. Select "I can't go online" or "I would like to register over the phone" and click Next. If your only option is to register online, yet you don't have a connection to the internet on this PC, attempt to register online anyway, three times. On the failed third attempt, you should be given the option to register over the phone. Choose that option.

Here again; with the retail package I was only given the On-Line option. The software performed the registration on-line in the background and the product was activated. However; if the manual registration via phone or using these pages on-line required the Computer ID, you can bet that the computer ID was sent from the background process. Now SONY not only knows my serial number, which they should, but they now have my Computer ID as well. They DO NOT NEED IT!

Of course their argument will be to ensure single usage of the software on only one machine. But their EULA already provides recovery actions should someone violate the agreement. They will also say that they will use the Computer ID for that purpose and only that purpose. Right. Just like Credit Card companies, Banks and the like will only use your Social Security number for legal purposes. Protection efforts for those numbers do not appear to be doing too well lately. The Computer ID is effectively the SSN for the computer. Combine the Computer ID with the IP address and what have you got? Basically the keys to the kingdom. The only way to ensure the integrity of your Computer ID once it has been lifted is to purchase and install a new physical processor chip, but then the software probably won’t run because they have used the Computer ID and the Serial number to develop the activation codes. What happens if someone upgrades their computer?

While I support the need for copyright enforcement and protection of intellectual property rights, I do NOT support mechanisms such as this that invade privacy. That is what this amounts to. The ID of my computer is nobody’s business save my own! What other information has the process gleaned in the background? What happens when I paste a clip from a DVD movie that was produced by SONY Pictures to just play around and check out some functions? Is that information captured and sent, similar to the capturing and notification of SONY CDs now? I don’t know. Do you?

3. The following screen displays your computer ID.
You can also find your computer ID number directly under the Help/About screen in the application you are running. The ID is a seven to nine digit code beginning with 0, 1, 2, or 3.

I’m not so sure that this thread should go away just yet. SONY didn’t just tighten up on their music delivery and not take into account their video offerings and how to protect those with software like VEGAS on the market. I think we are just seeing the tip of the iceberg here with the approach SONY has taken toward DRM.

Keith L
ken c wrote on 11/14/2005, 1:49 PM
I think it all comes down to a matter of trust.

Does the company do things (like release buggy software and install hidden software) that earn or lose customers' trust?

It would behoove Sony to give some careful thought to their software and music side of the business, and what they're doing to earn trust.

Their hardware is great, but the other divisions seem troubled.

Sony's latest issue here is a PR nightmare, and has damaged their reputation and credibility.

ken
Chienworks wrote on 11/14/2005, 1:56 PM
Keith,

Ummm, so, now SONY knows your computer ID number.

Ummm, so what? (*shrug*)

SONY Media Software isn't the only company that generates activation keys based on processor ID. I probably use at least 30 different pieces of software from various publishers that use nearly identical methods. Even Microsoft assigns a tech-support ID number based on your Office serial number and processor ID.

So, what can these companies do with your processor ID number that matters in the slightest to you? The DMV and my insurance company know the VIN of my car. How does this harm me? How is having your processor ID known to others harmful in the slightest? It seems to me that the only time anyone could possibly worry about the processor ID number is if you are dealing in stolen computer equipment or illegal documents. I'm pretty sure you're not, so what's your worry?
fwtep wrote on 11/14/2005, 2:50 PM
I agree with Chien. Who cares if Sony knows my computer ID number? What can be done with it? Nothing. Guess what, my bank knows my social security number and has all of my money! The DMV, as Chien pointed out, knows even more about me. An online store even knows my shoe size! Oh the terror of it all!!!

I think the problem is that the term "ID" is a very sensitive button for some people. As soon as they hear that term all sorts of evil conspiracy thoughts pop up in their minds. If computer companies called it the "Activator Code" we wouldn't have nearly as many paranoid rants.
musicvid10 wrote on 11/14/2005, 10:43 PM
Most of us don't have that much to hide. But wait 'til that "company" who has your machine ID teams up with doubleclick or another adware company who already has a UID and a whole bunch of other information they've collected. THEN watch your mailbox fill up.
farss wrote on 11/15/2005, 3:18 AM
Yish,
come on guys, a bit of a reality check! As said above what can one do with a computer ID?
Answer, diddly squat. Just about anyone can figure out your IP address and from that pretty easily get a close fix on where you live by doing a traceroute, that'll get them the location of the nearest router to you. From that they can generate some really neat pop-ups, like "there's girls waiting for you in Artarmon right now!", saw that trick just yesterday. They didn't need my Computer ID to pull that off, just information that all of us publish every time we access the web.
And so what, even if your inbox fills up with junk, isn't that what delete keys were made for?
There's plenty in this world that deserves to be treated with a healthy amount of paranoia, computer IDs are not one of them. If you want to get freaked out, read up on RFID.
Now everyone back inside their Faraday cages.
Bob.
kladig wrote on 11/15/2005, 5:48 AM
It was just an observation. Given the uproar about their current tactics on music CDs I thought I would present the information on Vegas for those who may not be aware. Granted it seems innocent enough, on the surface, but I'm sure SONY thought it was innocent enough on the CDs. It may be the preliminary steps to something more in depth later, maybe not, who knows. If you aren't concerned, then you're not concerned. Like I said, just an observation for those who may care.

Keith L
Alex_Talionas wrote on 11/15/2005, 6:15 AM
Regarding the computer ID, this is something Sonic Foundry developed before Sony took over. So this is not something Sony threw into the mix when they took over. It's just part of the registration process, that has always been there. To register Vegas, it uses your serial number and unique computer ID, to generate an activation code. This is what makes registration so easy with the online process, where you don't need to be calling someone on the phone and getting a no answer because you're in the middle of a project and tech support is closed due to it being outside of normal business operating hours. I'm not even sure the computer ID is identified to your processor. I seem to recall the last time when I upgraded my OS from win98 to winXP that my computer ID changed also. I believe Sony also allows up to 5 different computer IDs to be registered with the same serial number. If you exceed that, then no more activation codes will be generated for your serial number. This is a way to prevent someone from posting a single serial number on the internet and 500 people using 500 different computers/computer IDs registering under the same serial number. That's all the computer ID is about. The Sony/Sonic Foundry registration process is the best thing we have going for us compared to anything else out there. Let's not let our current Sony paranoia ruin that process. If you've ever had a hardware dongle attached to a piece of software, then you'll really regret ever complaining about the Sony computer ID method.
Bill Ravens wrote on 11/15/2005, 6:22 AM
I hate to clue everyone in, but, in America, at least, your name is on a list, somewhere. Whether it's your SSN or driver's license or computer ID. On the surface, this would seem innocuous; however, history is replete with many, many instances of such lists being used for ill-conceived purposes. Consider, for example, the McCarthy brouhaha of the 40's. Many innocent people were railroaded in the name of paranoia. And where did these people get into trouble? It was because some innocent affiliation connected them, by innuendo, to something the government thought, at the time, was pernicious. I submit that being unknowingly put on a list somewhere, opens me to a raft of consequences I'd rather not deal with. However, because I can be traced through so many other ID numbers, I'd hardly call a computer ID a significant step towards loss of my privacy. It was lost, like my innocence and my virginity, many, many years ago.

Nevertheless, hiding one's head in the sand and proclaiming that "there is no problem", opens the door to abuses by people who compile these lists. Remember the old adage, "question authority"? Having grown up in the era where that adage was popular, it pays to be vigilant, it pays to resist, resistance is NOT futile if enough people resist and resist vocally.
baysidebas wrote on 11/15/2005, 9:13 AM
And it keeps getting deeper and deeper....

See this new revelation.
ken c wrote on 11/15/2005, 9:39 AM
Guess what the final outcome of this will be?

a) People Will AVOID buying Any SonyBMG-produced CDs for (correctly placed) fear of Spyware/Rootkits.

b) SonyBMGs CD sales will PLUMMET.

c) Artists will Avoid Recording with SonyBMG over this.

d) Consumers will Avoid Buying SonyBMGs CDs.

For years and years and years.

This will go down in history as one of the biggest music industry Snafus since the heavy handed "suing college kids for using napster" bs that went on a couple years back, and the RIAA bashing.


Some companies never learn. Put your CUSTOMERS first.

For a Japanese-owned company, this is quite surprising and disappointing. Sony BMG execs, go re-read Imai's "Kaizen" and Deming and Juran. Get it?


ken
fwtep wrote on 11/15/2005, 11:32 AM
Ken,
People won't avoid buying Sony CDs. Not en masse anyway. Most people don't know or don't care.

CD sales will not plummet.

Artists will not avoid recording with Sony because a) they are contractually obliged to (assuming they're Sony artists), and b) if they're not Sony artists they won't turn down a good offer from Sony no matter what.

HA! I just looked at "D" and it's the same as A and B.

As for suing college kids, why was that bad and how did that hurt? Why should college kids be exempt from the law, especially when they were the main ones breaking it?

And with regard to other posts about Sony knowing my computer's ID number, I couldn't care less about that. I might even send them my coffee maker's ID number too.
baysidebas wrote on 11/15/2005, 1:51 PM
At this rate, the hole will exit at the antipodes any time now....

Welcome To Planet Sony
Submitted by Dan Kaminsky on Tue, 2005-11-15 09:28.

Sony.

Sony has a rootkit.

The rootkit phones home.

Phoning home requires a DNS query.

DNS queries are cached.

Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.

It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .

So what did I find?

Much, much more than I expected.

It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows...unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident. The process of discovering this has led to some significant advances in the art of cache snooping.

Rest of story can be found at <http://www.doxpara.com/?q=sony>
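Kaminsky's chain of reasoning above (phone-home needs DNS, DNS answers get cached, caches answer non-recursive queries) is what lets a defender check whether a resolver they operate has already seen the rootkit's lookups. The following is an added example, not Kaminsky's code: it builds the RD=0 query, classifies a reply as cached, not cached or refused, and exercises the parser on constructed replies; the hostname is a placeholder, since the thread does not name the real one.

```python
import socket
import struct
from typing import Optional, Tuple

SNOOP_NAME = "example.invalid"  # placeholder; the rootkit's real hostname is not in the thread

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A query with the RD bit cleared: the resolver should answer only from cache."""
    flags = 0x0000  # QR=0, opcode=QUERY, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a label sequence or a compression pointer starting at off."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1
        if ln == 0:                # root label terminates the name
            return off
        off += ln

def classify_reply(reply: bytes) -> Tuple[str, Optional[int]]:
    """Return ('cached', ttl), ('not-cached', None) or ('refused', None)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0x000F == 5:        # RCODE REFUSED: resolver rejects RD=0 queries
        return "refused", None
    if an == 0:                    # no answer records: nothing in cache
        return "not-cached", None
    off = 12
    for _ in range(qd):            # step over the echoed question section
        off = _skip_name(reply, off) + 4
    off = _skip_name(reply, off)   # first answer RR: name, then fixed fields
    _type, _cls, ttl, _rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    return "cached", ttl           # remaining TTL hints how long ago it was fetched

def snoop(resolver: str, name: str, timeout: float = 2.0) -> Tuple[str, Optional[int]]:
    """Send the RD=0 query to a resolver you operate and classify its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify_reply(s.recv(512))

# Constructed replies: a cached A record with TTL 1337, an empty NOERROR, a REFUSED.
QUERY = build_query(SNOOP_NAME)
CACHED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0) + QUERY[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1337, 4) + b"\x0a\x00\x00\x01")
EMPTY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 0, 0) + QUERY[12:]
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + QUERY[12:]
```

A "cached" result on your own resolver means some client behind it resolved the name recently; correlate the TTL with the record's original TTL and the resolver's query logs to find which host.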
winrockpost wrote on 11/15/2005, 2:35 PM
Finally read this thread, Sony working with Symantec.

Now that is really scary, I would have thought someone at the mighty Sony would have known what a joke Symantec is, moron software that just doesn't want to go away.


Oh, now I get it.
BrianStanding wrote on 11/17/2005, 7:54 AM
This whole mess sure ain't gonna do anything to slow down piracy, that's for sure.

Let's see: which is more dangerous for the health of my computer:
1) downloading a free pirated MP3 from a file-sharing site, OR;
2) playing a legally purchased, expensive CD from SonyBMG in the CD-ROM drive?

Now, assuming I had no moral qualms about copyright violation, why on earth would I choose number 2? Looks to me Sony just amped up the consumer demand for pirated MP3s... kind of ironic, isn't it?