Saturday, 01/07/2006 4:00:34 PM

Sony BMG to Offer Protection Free Replacements

http://hometheaterinfo.com/nov.htm

With all the recent negative press from online news sites and blogs, it seems Sony is willing to do anything to regain a reputation of any kind.

Sony BMG has made an offer to exchange XCP protected CDs with unprotected CDs or unprotected MP3s.

Earlier this week Sony recalled 4.7 million CDs bundled with the insecure XCP DRM software after a wave of bad press.

Sony has also set up a site regarding the XCP software, which includes information on how to swap your XCP protected discs for clean discs. This site also covers an update to remove the ‘hiding’ aspect of XCP, to allow users to see the XCP components and any viruses which are bundled within.



‘Sony DRM is Malware’ Official.
Former British Prime Minister Harold Wilson once said “A week is a long time in politics” and TrustedReviews can now officially reveal that a fortnight is a lifetime on the Internet. It was two weeks ago that Mark Russinovich reported on www.sysinternals.com that he had found that Sony BMG had included a rootkit within some CD playing software that’s included with a number of Sony BMG audio CDs. Many (all?) Sony BMG CDs have used a form of content protection to prevent bad people from copying them since April 2004. In practice this means that when you run the CD into your PC you are obliged to install a piece of Sony software that runs in the background to check that you don’t have any CD ripping software open. Naturally you have to click to accept a license, which none of us would normally bother to read, but if you did you’ll find the following pearls:
"As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “Software”) onto your computer. The Software is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the digital content. Once installed, the Software will reside on your computer until removed or deleted."

The software in question is supplied by a British company First 4 Internet Ltd (www.first4internet.co.uk) which was founded at the end of 1999. The Chairman, Nicholas Bingham, (appointed in 2002) worked at Sony Pictures and Sony Television for a total of 12 years as President-International and was also Chairman of VIVA TV in Germany.

First 4 Internet lists XCP Content Management among its products, but seemingly the DRM software used by SONY BMG is called MediaJam. In principle there’s nothing wrong with content protection. However, MediaJam installs a rootkit called Aries.sys, which is misnamed as ‘Network Control Manager’ to reduce the chances that you will spot it running on your PC. Presumably Aries.sys is digitally signed by Microsoft, however Microsoft, First 4 Internet and Sony BMG are reluctant to either confirm or deny this. Because Aries is a rootkit it is installed at a very low system level which renders it invisible to anti-spyware software. More worryingly the rootkit is used to hide any code that starts with the characters $sys$, which allows Sony BMG to hide software within Windows to prevent its CD contents from being ripped.



Anti-piracy software accused of license violation
Uproar over controversial anti-piracy software carried by some Sony music CDs has intensified with claims that the software itself uses open source computer code without due acknowledgement.

The controversial anti-piracy software was first revealed on 31 October. US computer expert Mark Russinovich discovered that some Sony BMG music CDs not only refused to play normally on PCs – a tactic often used to prevent copying – but employed a sophisticated cloaking technique to hide the software. This was to prevent users from simply uninstalling the copy-prevention – or digital rights management (DRM) – software from their computers.

The discovery was so controversial because experts realized that this same cloaking software could be used to hide other programs on a computer, such as viruses and hacking tools for remotely controlling a computer. On 9 November, several programs designed to exploit the software were discovered, although there have been no reports of users being affected.

Now several computer programmers say the original anti-piracy software seems to contain code lifted from other software, which could constitute license infringement.

Reverse engineering

The anti-piracy program, called XCP, was created for Sony BMG by the UK-based company First 4 Internet. German programmer Sebastian Porst has posted details of the alleged infringements on his blog.

By painstakingly translating the finished program back into its original code, Porst and others claim to have found pieces of program taken from free community software projects for playing audio on computers. Such software can usually be utilised only on the condition that its creators are credited. A spokeswoman for First 4 Internet told New Scientist that the company had no comment to make on the accusations.

Because the analysis is based on "reverse engineered" code, it is not absolutely clear that the code was copied. Porst also concedes that there could be coincidental similarities.

Bad to worse

Criticism of Sony BMG over the anti-piracy system was already intense, with one lawsuit being filed against the company in California, US. The suit accuses the company of breaching the state's anti-spyware laws with its cloaked software.

An investigation carried out by another US computer expert, Dan Kaminsky, suggests that more than 500,000 computers could be running the Sony software. This was because the DRM software was programmed to communicate with servers operated by Sony BMG and Kaminsky was able to estimate the number of requests made by going through publicly available logs of domain name requests.

Censure of Sony proved so fierce that on 11 November the company announced it would stop producing CDs carrying the software. It also posted a web-accessible program to remove the software from affected computers.

But even this backfired when, on 15 November, computer experts found that the software fix could actually be used to hijack computers.

“Deep regret”

Alex Halderman and Ed Felten at Princeton University in New Jersey, US, discovered that the web-based fix uploads a small program to a computer in order to uninstall the anti-piracy software. They found this program could be hijacked through other web pages in order to take over a machine.

Halderman and Felten have since discovered a similar problem with another uninstaller issued for different DRM software included on some Sony CDs. The software, called MediaMax, is made by US company Sunncomm which also created a web-based uninstaller. Again, the researchers found that this uninstaller uploads a program that could potentially be hijacked.

In a statement issued on 16 November, Sony BMG says: “We share the concerns of consumers regarding these discs. We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right.”

Bruce Schneier, a prominent computer security expert, criticizes anti-virus companies for not detecting the XCP software sooner and for not being more critical of it. "The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us," he writes on his weblog.



CD's Recalled for Posing Risk to PC's
The global music giant Sony BMG yesterday announced plans to recall millions of CD's by at least 20 artists - from the crooners Celine Dion and Neil Diamond to the country-rock act Van Zant - because they contain copy restriction software that poses risks to the computers of consumers.

The move, more commonly associated with collapsing baby strollers, exploding batteries, or cars with faulty brakes, is expected to cost the company tens of millions of dollars. Sony BMG said that all CD's containing the software would be removed from retail outlets and that exchanges would be offered to consumers who had bought any of them. A toll-free number and e-mail message inquiry system will also be set up on the Sony BMG Web site, sonybmg.com.

"We deeply regret any inconvenience this may cause our customers," the company said in a letter that it said it would post on its Web site, "and are committed to making this situation right." Neither representatives of Sony BMG nor the British company First 4 Internet, which developed the copy protection software, would comment further.

Sony BMG estimated last week that about five million discs - some 49 different titles - had been shipped with the problematic software, and about two million had been sold.

Market research from 2004 has shown that about 30 percent of consumers report obtaining music through the copying and sharing of tracks among friends from legitimately purchased CD's. But the fallout from the aggressive copy protection effort has raised serious questions about how far companies should be permitted to go in seeking to prevent digital piracy.

The recall and exchange program, which was first reported by USA Today, comes two weeks after news began to spread on the Internet that certain Sony BMG CD's contained software designed to limit users to making only three copies. The software also, however, altered the deepest levels of a computer's systems and created vulnerabilities that Internet virus writers could exploit.

Since then, computer researchers have identified other problems with the software, as well as with the software patch and uninstaller programs that the company issued to address the vulnerabilities. Several security and antivirus companies, including Computer Associates, F-Secure and Symantec, quickly classified the software on the CD's as malicious because, among other things, it tried to hide itself and communicated remotely with Sony servers once installed. The problems were known to affect only users of the Windows operating system.

On Saturday, a Microsoft engineering team indicated that it would be updating the company's security tools to detect and remove parts of the Sony BMG copy-protection software to help protect customers.

Researchers at Princeton University disclosed yesterday that early versions of the "uninstall" process published by Sony BMG on its Web site, which was designed to help users remove the copy protection software from their machines, created a vulnerability that could expose users of the Internet Explorer Web browser to malicious code embedded on Web sites.

Security analysts at Internet Security Systems, based in Atlanta, also issued an alert yesterday indicating that the copy-protection software itself, which was installed on certain CD's beginning last spring, could be used by virus writers to gain administrator privileges on multi-user computers. David Maynor, a researcher with the X-force division of Internet Security Systems, which analyzes potential network vulnerabilities, said the copy-protection feature was particularly pernicious because it was nearly impossible for typical computer users to remove on their own.

"At what point do you think it is a good thing to surreptitiously put Trojans on people's machines?" Mr. Maynor said. "The only thing you're guaranteeing is that they won't be customers anymore."

Some early estimates indicate that the problem could affect half a million or more computers around the globe.

Data collected in September by the market research firm NPD Group indicated that roughly 36 percent of consumers report that they listen to music CD's on a computer. If that percentage held true for people who bought the Sony BMG CD's, that would amount to about 720,000 computers - although only those running Windows would be affected. (Consumers who listen to CD's on stereo systems and other noncomputer players, as well as users of Apple computers, would not be at risk.) Dan Kaminsky, a prominent independent computer security researcher, conducted a more precise analysis of the number of PC's affected by scanning the Internet traffic generated by the Sony BMG copy-protection software, which, once installed, quietly tries to connect to one of two Sony servers if an Internet connection is present.

Mr. Kaminsky estimated that about 568,000 unique Domain Name System - or D.N.S. - servers, which help direct Internet traffic, had been contacted by at least one computer seeking to reach those Sony servers. Given that many D.N.S. servers field queries from more than one computer, the number of actual machines affected is almost certainly higher, Mr. Kaminsky said. Although antivirus companies have indicated since late last week that virus writers were trying to take advantage of the vulnerabilities, it is not known if any of these viruses have actually found their way onto PC's embedded with the Sony BMG copy protection software.

Mr. Kaminsky and other security and digital rights advocates say that does not matter. "There may be millions of hosts that are now vulnerable to something that they weren't vulnerable to before," Mr. Kaminsky said. For some critics, the recall will not be enough.

"This is only one of the many things Sony must do to be accountable for the damage it's inflicted on its customers," said Jason Schultz, a lawyer with the Electronic Frontier Foundation, a digital rights group in California.

On Monday, the foundation issued an open letter to Sony BMG executives demanding, among other things, refunds for customers who bought the CD's and did not wish to make an exchange, and compensation for time spent removing the software and any potential damage to computers. The group, which has been involved in lawsuits over the protection of digital rights, gave the company, which is jointly owned by the Sony Corporation and Bertelsmann, a deadline of Friday morning to respond with some indication that it was "in the process of implementing these measures."

Mr. Schultz said: "People paid Sony for music, not an invasion of their computers. Sony must right the wrong it has committed. Recalling the CD's is a beginning step in the process, but there is a whole lot more mess to clean up."