Technology Review - Published By MIT

Thursday, May 18, 2006

Inside the Spyware Scandal -- Part 3

The public furor over Sony BMG’s anti-piracy efforts could lead media companies to loosen their hold on digital content.

By Wade Roush

Labels on Sony BMG CD boxes alerted consumers about the copy-protection software they carried -- but not about the "rootkit" technique used to hide that software on users' computers. (Photo by Matt Carr.)

This article -- the cover story in Technology Review's May/June 2006 print issue -- has been divided into three parts for presentation online. This is part 3; part 1 appeared on Tuesday, May 16, and part 2 on Wednesday, May 17.

Facing the Music
Despite the warnings from F-Secure in late October, Sony BMG was surprised by the controversy. Indeed, for days after Russinovich's analysis hit the news, company executives showed little understanding of the fury it was arousing in the hearts of many of its customers. "Most people, I think, don't even know what a rootkit is, so why should they care about it?" Sony BMG's Hesse said in an interview with National Public Radio on November 4.

But for the owners of the more than two million XCP-protected discs sold by Sony BMG between January and November, the reports came as a shock. Security flaws in commercial software are common; Microsoft's products, for example, are so widely used that nearly any bug will eventually be found and exploited by a malware author, which is why the software giant publishes updates and patches on a monthly schedule. But no software or media company of the stature of Sony BMG had ever distributed a program that, in the judgment of security experts, was deliberately designed to hide itself using the same techniques as malware.

Sony BMG did not immediately apologize but did try to solve the problem. Its first step, in early November, was to publish a Web-based program that customers could use to remove XCP from their systems. The move didn't help matters. Matti Nikki in Finland discovered that a file the uninstaller placed on the user's computer to facilitate communication with Sony BMG's servers remained there after the removal and was not restricted to Sony BMG's site: any website the user later visited could use it to download and execute code of the site's choosing. The uninstaller therefore posed "a far greater security risk than even the original Sony rootkit," according to Felten and Halderman, who verified Nikki's discovery on November 15 in their widely followed blog, Freedom to Tinker.

A few days later, Sony BMG replaced the Web-based uninstaller with a safer, downloadable one. Gradually, the company seemed to recognize the scope of the public-relations disaster it faced. On November 11, Sony BMG had already announced that it would stop manufacturing music CDs with XCP; on November 14, the company said it regretted the inconvenience it had caused its customers and announced an exchange program to replace XCP-protected discs with new ones without the rootkit.

According to media reports, consumers had purchased 2.1 million of the copy-protected CDs. How many of these customers actually played the CDs on their computers, thus unwittingly installing the rootkit, is not clear. But Dan Kaminsky, an independent security researcher in Seattle, discovered evidence linking Sony's rootkit to hundreds of thousands, if not millions, of systems across 131 countries. He calls that number "enormous," especially when compared with figures for the spread of Internet worms and viruses. Kaminsky posted the statistics on his website, doxpara.com, along with world maps showing the locations of affected networks.

Sony BMG, meanwhile, tried to respond to the specific worries raised by Russinovich, Kaminsky, and others. In a November 18 letter to the Electronic Frontier Foundation, which had earlier published its own open letter criticizing Sony BMG's handling of the XCP episode, Sony counsel Jeffrey Cunard said that the company would never disclose the Internet addresses collected when XCP phoned home and that, in any case, these addresses were never associated with personally identifiable information. He also said that Sony BMG would be more careful in the future about evaluating copy-protection software and the EULAs that come with it. "Any present and future copy protection technology used by Sony BMG will be tested, verified, and disclosed to consumers," Cunard wrote.

Sony BMG representatives contacted by Technology Review in March and April would not name the executives responsible for licensing XCP from First 4 Internet or releasing the copy-protected discs, and they declined to make executives available for interviews. However, Cory Shields, director of the company's communications office, said it was never Sony BMG's intention to include software that caused security concerns on its compact discs. "The company's intent was to deliver a technology that was consumer friendly, that would let people pursue the functionality that they wanted," Shields said. "It certainly wasn't the company's intent to create a problem."


Comments

The musicians answer
Guest (Jonathan) on 05/18/2006 at 12:00 AM
I would greatly encourage the people at Sony to examine the efforts of bands like Tool and System of a Down to make the packaging itself part of the experience. Sure, there were people who had the new Tool album, 10,000 Days, more than a month before it was released. But you can't use the included stereoscopic lenses to view the 3D liner notes without buying the album. The artists producing the content are attempting to shift the paradigm in such a way as to make the music the best possible advertising for an entire product line centered on the album art, live experience, and interactive websites. The greed of the RIAA will either end the music industry or succumb to a new generation of innovative marketing musicians.