Technology Review - Published By MIT

Wednesday, May 17, 2006

Inside the Spyware Scandal -- Part 2

The "rootkit" on Sony BMG CDs was meant to prevent consumers from disabling anti-piracy software. It didn't stop one group.

By Wade Roush

Mika Stahlberg and Santeri Kangas of Finnish data security firm F-Secure, who uncovered Sony BMG's rootkit application. (Photo by Markus Marcentic/Moment/Redux.)

This article -- the cover story in Technology Review's May/June 2006 print issue -- has been divided into three parts for presentation online. This is part 2; part 1 appeared on Tuesday, May 16, and part 3 will appear on Thursday, May 18.

Cloaking Device
When Sony originally hired First 4 Internet, it wasn't to build a DRM system for consumer CDs. According to press interviews with First 4 Internet executives months before the rootkit scandal broke, it was to deter copying of pre-release music by the label's own employees and contractors, and other recipients. The company's first DRM product, XCP1, rendered the music session on multisession CD-Rs, the type of recordable CD used in music studios, unplayable by computers. That ability was attractive not just to Sony BMG but also to its three major rivals, Universal, EMI, and Warner Music Group, all of which had licensed XCP1 by 2002.

But this method wouldn't work for consumer CDs, which needed to be playable in all types of devices, including computers, DVD players, video CD players, and ordinary players. So First 4 Internet developed a new program, XCP2, that uses a cleverer, slightly more permissive approach called "sterile burning." This unappetizing term simply means that purchasers of a protected CD can rip it to their computers, then burn copies back to blank CD-Rs, but those copies cannot be used to make more copies. (XCP2 came to be known simply as XCP.)

According to Princeton University computer scientists Ed Felten and J. Alex Halderman, who "reverse-engineered" XCP as part of an academic investigation, the software has several distinct functions that are invoked separately. The first time an XCP-protected disc is loaded into a computer, it asks the user to consent to Sony BMG's end-user license agreement (EULA). It then copies a number of programs and drivers to the hard drive and launches a proprietary media-player program. Once installed, according to a white paper Halderman and Felten published in February, the new drivers listen for attempts by other media players such as iTunes to read audio tracks on the CD; if they detect one, they replace the data returned by the CD drive with random noise. Meanwhile, a "back door" in XCP allows the proprietary media player to read the disc's raw data without distortion.

Built into the media player is a burning application that allows the owner of the CD to rip up to three copies of it and burn them to CD-Rs. These copies will contain everything on the original disc, including the audio tracks, the media player, and the copy protection software. But they will be sterile: the burning application will be disabled, meaning the copies can only be played, not ripped and burned again. Alternatively, users can rip individual tracks or entire albums to their hard drives, then burn up to three copies to CD-Rs in the Windows Media Audio format.

If it were easy for users to sidestep or disable all of these complex functions, the copy protection system would be useless. And here is the nub of the controversy over XCP and the Sony BMG discs: First 4 Internet's developers decided that a number of the program's files and operations should be hidden from average users. The drivers that interfere with other media players' attempts to read a protected CD, for example, needed to be stored in a secret place where users couldn't find and remove them. Then there was the file XCP uses to count the number of copies of the CD the user is still permitted to make. The burning application is disabled only when the counter reaches zero. If advanced users were able to find this file, they could potentially change the counter's value back to three after each copy they burned.


Comments

  • Interesting...
    Guest (Tom Bradbury) on 05/17/2006 at 12:00 AM
    http://www.google.com/trends?q=sony+rootkit&date=all&geo=all&ctab=1&sa=N
  • How to detect the rootkit
    Guest (Martin) on 05/17/2006 at 12:00 AM
    Page 3 about the demonstration gave me an idea. I copied calc.exe into a different folder, created a shortcut to this version and renamed it to $sys$calc.exe in the folder and in the shortcut. Then I tested to see if $sys$calc.exe appeared in the running processes list when I activated it - it did.
    Although the computer is a Sony model running Win XP, evidently they don't install their rootkit on their own machines, and I have not run many CDs on this computer at all, so probably have not risked installing this software.  Now I can check any time that I don't have the rootkit by firing up my calculator!
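The check described in the comment above, applied to files rather than processes, as an added example that is not part of the original comment or article: it plants a `$sys$`-prefixed canary beside a control file and compares the directory listing with what was written. The `$sys$` prefix comes from the comment; `canary_check`, `simulated_cloak` and the file names are hypothetical, and the simulated filter is constructed so the cloaked case can be exercised on a clean machine.

```python
import os
import tempfile

PREFIX = "$sys$"  # name prefix taken from the comment above


def simulated_cloak(path):
    """Constructed stand-in for a name-hiding filter: drops $sys$ names from a listing."""
    return [name for name in os.listdir(path) if not name.startswith(PREFIX)]


def canary_check(lister=os.listdir):
    """Write a control file and a $sys$ canary, then see which ones the listing shows.

    Returns 'clean' (canary listed), 'cloaked' (control listed, canary missing)
    or 'inconclusive' (the listing cannot be trusted for either file).
    """
    with tempfile.TemporaryDirectory() as workdir:
        control = "control_canary.txt"
        canary = PREFIX + "canary.txt"
        for name in (control, canary):
            with open(os.path.join(workdir, name), "w") as handle:
                handle.write("canary")

        listed = set(lister(workdir))

        # The control file rules out unrelated listing failures: if even an
        # ordinary name is missing, a missing canary proves nothing.
        if control not in listed:
            return "inconclusive"
        return "clean" if canary in listed else "cloaked"


if __name__ == "__main__":
    print("default listing:  ", canary_check())
    print("simulated cloaking:", canary_check(simulated_cloak))
```

A "clean" result only says that nothing is hiding `$sys$` names from this particular listing call at the moment the check runs.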
  • I wonder if...
    Guest (Miguel) on 05/17/2006 at 12:00 AM
    ... the artists started to ask themselves about the added value of signing for such big labels instead of promoting and distributing on their own.
  • NEVER buy Sony again
    Guest (Jason Sjobeck) on 05/18/2006 at 12:00 AM
    I offer to never buy Sony again. Their behavior is simply repugnant.

    These jerks ought to be working for the NSA where they can be the world's hugest jerks.