Eliot Spitzer to Sony BMG: “Unacceptable”

November 29th, 2005

Also in Business Week Online today: New York Attorney General Eliot Spitzer is following up on reports that the XCP-infected discs are still widely available in retailers, and is sending a message to Sony BMG and to retailers that the discs need to be removed from shelves immediately. The article also suggests that Sony BMG is even fumbling the recall:

…when Sony BMG started pulling CDs, it didn’t have enough replacements lined up, says Ross Schilling, of Van Zant’s Nashville-based manager, Vector Management. Sony BMG had promised the CD would be swapped out with non-rootkit CDs. Instead, the rootkit CDs simply were pulled, Schilling says. “It’s obviously very bothersome,” he says.

That means Van Zant’s CD and others were not on the shelves for the busiest shopping weekend of the year. Sony BMG has told Van Zant to expect a 50% to 80% decrease in sales when the new numbers come out on Nov. 30. That’s in a week that should have seen a 50% to 80% increase in sales. The week of Nov. 9 to 16, Van Zant’s sales actually jumped a point, a spurt Schilling attributes to exposure from the Country Music Awards.

So, for all those counting along at home: Sony BMG has proved its utter incompetence at software product management, subcontractor management, customer relationship management, public relations management, and now manufacturing and supply chain management. Is there anything they are doing right?

Post mortem of a screwup: what happened before Oct 31

November 29th, 2005

Business Week just posted an account of the internal communications among Sony BMG and First4Internet that sheds more light on the XCP rootkit foul-up, including the revelation that F-Secure warned Sony BMG in September that the rootkit existed and described the risk of exploits two weeks before Mark Russinovich went public. This is one of the missing pieces of the hypothetical marketing case that I have said could be written about this fiasco: just what happened inside Sony BMG prior to Russinovich’s opening of Pandora’s box?

The article also contains some more context for Thomas Hesse’s infamous quotation about rootkits:

“[F-Secure’s] e-mail, which we have also reviewed, seems to be about a routine matter,” says [Sony BMG President of Global Digital Business Thomas] Hesse. “While it did introduce the notion of a ‘rootkit,’ it did not suggest that this software was anything but benign.” [emphasis added]

Heh. Really puts that “most people, I think, don’t even know what a rootkit is” comment in context–most people, in this case, means “most people inside Sony BMG, including me and all my Global Digital Business team.”

More seriously, though, the suggestion is that Sony BMG had a very hands off relationship with First4Internet, to the extent that the latter company could have a conference call with an antivirus vendor without anyone from Sony BMG on the line.

Most disturbing is the statement from F-Secure that First4Internet “argued that there was no real problem because only a few people knew of the vulnerability XCP created, and said an update of the XCP software, due out early next year, would fix the problem on all future CDs.” This suggests that First4Internet didn’t understand the first thing about computer security. These are not people you want writing device drivers.

MediaMax: worse than you thought

November 29th, 2005

Freedom to Tinker revisits MediaMax (Sony BMG’s other DRM scheme for audio discs, the one that comes from SunnComm and doesn’t contain a rootkit) and finds that its surreptitious installer behavior is even more user hostile than previously documented. Previously it was documented that code is always placed on your machine prior to acceptance of the EULA. Now it appears that the copy protection driver can be permanently activated even if you never accept the EULA:

When you insert a CD containing either version of MediaMax, an installer program automatically starts (unless you have disabled the Windows autorun feature). This installer places the copy protection driver and other files on the hard disk, and then presents a license agreement, which you are asked to accept or decline. In the following scenarios the driver may become permanently activated even if you always decline the agreement:

  • You insert a CD-3 album, then later insert an MM-5 album
  • You insert an MM-5 album, then later insert a CD-3 album
  • You insert an MM-5 album, reboot, then later insert the same album or another MM-5 album

These steps don’t have to take place all at once. They can happen over a period of weeks or months.

This gives some real ammunition to the EFF lawsuit, which is the only one of the currently active lawsuits to address MediaMax. Installing software even when the user says No is sleazy, nasty behavior. It also indicates poor testing on the part of MediaMax–which is hardly surprising if you look at their development process, which like First4Internet involves asking for help in public forums. (Thanks to BoingBoing for the links.)

How’d that LGPL code get in there, anyway?

November 28th, 2005

Boing Boing: Pre-history of the Sony rootkit and Sony rootkit author asked for free code to lock up music. Two posts in which Boing Boing’s readers do some spelunking through Google News and other online sources for evidence of First4Internet’s inclusion of open source code in their XCP rootkit. Good reading, especially the quote from First4Internet programmer Lee Griffiths:

Does someone have some simple C++ code which can write Microsoft’s DRM v1 properties that the user wishes to set (i.e. 3 plays, 4 copies, etc.) over the unprotected file to make it protected. There may be some cash on offer here if it’s easy to use!

Using blogs and the media for change: the Sony BMG case study

November 28th, 2005

With the notable exception of the issues that surfaced this weekend about Sony BMG’s lack of a plan to address their international customers’ issues, it seems like most of the primary news about the rootkit fiasco has broken. I thought this might be a good time to take a look at how the story broke and became mainstream news, for a few reasons. First, from a theoretical standpoint we are still in the process of developing an understanding of the relationship between blogs and the media, and are rather shy on good case studies–and as I believe I mentioned once before, the Sony BMG story makes a heck of a good case study.

Second, one of the reasons I started this blog was to actually make a difference. I was reading commentary on Slashdot about the original Sysinternals blog post, and many commentators were griping about how evil Sony was and how something should be done. I thought to myself, Well, yes, something should be done. So why don’t we put our money where our mouths are and do something? In other words, I thought of this blog as a way to raise awareness of the nasty business practices of Sony BMG, and as a result I have a keen interest in how the story spread from the tech blogosphere to the mainstream media.

So what happened? A few notes, starting with a selective timeline that focuses on media coverage and major themes:

That’s a lot–but it’s a lot of events. A few things to note: first, the usual suspects — Slashdot, News.com, Wired, various trade publications, etc.–were on the story from the beginning. The NPR spot was the first mainstream article on the brouhaha, and picked up on the rootkit angle. After that, it took a full six days–and the announcement that trojans were spreading that exploited the rootkit and that several states were filing lawsuits–for the story to gain any more traction in the mainstream press. The following day, Sony BMG began to retrench its position, announcing a halt to production of XCP-protected discs. Still, it took three more days after that for the story to hit critical mass with the mainstream print media.

So here’s the point: the story only made the mainstream after the threat to the customer, or the threat to the company, was clear and present. If you are a technologist who wants to shift public opinion regarding some technology development, writing about it is an important first step. But without smoking guns like actual exploits that target rootkitted systems, it’s hard to get the story heard.

For proof of that, one has only to look at the Broadcast Flag and Analog Hole initiatives that keep popping up. Both arguably represent greater threats to customers than this rootkit case; both seek to redesign hardware, either the PC or mass market electronics, to restrict the rights of customers. But both lack a compelling smoking gun to show the harm that implementation of the restrictions would do to customers.

Another point, and one that some readers may not want to hear: the legal system and the class action lawsuit were clear contributors to the eventual decision that Sony took to withdraw XCP from the market. In fact, class action lawsuits may be the most important arrow in the quiver when faced with a company that just doesn’t want to listen to the market.

Last point: while blogging about the story is important, sometimes the type of blog makes a difference. I got very few hits on the first two posts I wrote about this back on my own blog. But the same storyline on a dedicated, single subject blog with a catchy URL and title got huge traction. While the media struggles to deal with the all embracing scope of most blogs, perhaps meeting them halfway with special blogs with a singular focus and (possibly) limited scope is the right way to get the message across.

Security through obscurity: First4Internet’s website offline

November 25th, 2005

Boing Boing: Rootkit arms-dealer takes website down. Remember that great website that the makers of XCP used to have that showed all the information about their product, including all those wonderful braggy press releases? All gone. In fact, no mention of XCP at all on the revised site, just contact information.

Hmm. Does this mean there was a smoking gun that we missed? That the company had to shut down? Or is there a simpler explanation?

Update 11/30: Thanks to reader Tom Buckley for pointing out that the general site on XCP, http://www.xcp-aurora.com, is still alive and well. Including a severely selective press gallery.

Buyer beware: XCP titles still on store shelves

November 25th, 2005

Chicago Tribune: Copy-protected Sony CDs still in stores despite recall. I was afraid this would happen, and said as much during my radio interview last week. It’s one thing to make a statement that you’re doing a recall, quite another to actually put the effort into ensuring that the channel gets the discs returned. Net: a lot more people are going to get corrupted computers this holiday season.

Sony BMG doesn’t learn: copy protection coming to Australia

November 25th, 2005

According to AV Info, Sony BMG Australia is planning to introduce copy control software on its audio discs next year. This comes as a surprise to most Australian customers, I’m sure, after the month of crap that Sony has already been through in other markets regarding its various customer-hostile DRM schemes.

According to the article, the software won’t be XCP but the final decision hasn’t been made on which anti-copying software will be used. My $0.02: how about none?

Happy Thanksgiving

November 24th, 2005

On this most American holiday, I wish all my readers a happy Thanksgiving. Let us give thanks that under our pressure, Sony has recalled XCP protected CDs and posted updated uninstallers for their DRM. Let us give thanks that, thanks to us, educated customers everywhere know the meaning of the word rootkit. And let us give thanks that this episode came along to remind us to not take anything for granted about the products we buy.

In the meantime, remember:

  1. If you live outside the US, be careful of what you buy. Sony isn’t exchanging CDs for you…yet.
  2. If you live in the US, always read the back of the CD before you purchase it—make sure it’s not packing anything that you aren’t expecting.
  3. Keep those Sony goods off your post-Thanksgiving shopping list, until the day comes that they pull all their malevolent DRM off their audio discs.
  4. And tell everyone you know about what one of the largest music companies almost succeeded in doing to your PC.

CD replacements US only for now

November 23rd, 2005

The Sydney Morning Herald is reporting that Australian customers are being locked out of the CD replacement program that Sony BMG unveiled last week. An email from Sony BMG reportedly says that there are no return programs in place for any countries other than the US, though an international CD replacement program is “being developed.” Time for an Australian lawsuit, I think.