Another day, another Sony BMG revelation
Another day, another Sony BMG revelation
Nov 22, 2005: Sony BMG has taken a beating over the last fortnight due to its digital rights management (DRM) software XCP. The controversy doesn’t appear to be showing any signs of letting up either. Security flaws, worse security flaws, spyware, law suits and now alleged copyright infringement.
In a new twist it appears that the rootkit was designed to “phone home” and send data back to its master. The returned data is unlikely to compromise corporate security – unless you consider a predelication for Celine Dion to be compromising. However, the fact that any data is returned without requesting permission does present a serious breach of trust.
All this additional activity also adds load to DNS servers globally. While not an Internet devouring worm, the sloppy design of the XCP rootkit certainly does not add value to anybody’s working day.
As Dan Kaminsky of Doxpara Research says: “It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows...unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale incident.”
The controversy doesn’t stop there, with accusations of copyright violation. It appears that Sony and First4Internet’s original XCP copy protection software has reused code from programs such as LAME, mpg123, FAAC and, ironically, from Jon Lech Johansen. Otherwise known as DVD Jon for his work reverse engineering the content-scrambling system used in DVD region coding.
4.7 million CDs with dodgy DRM software have shipped and opened up a gaping Windows vulnerability on the potential 2.1 million PCs they were played on.
Sony BMG has issued a recall of the discs, offering a special exchange program as compensation. However, the damage has already been done and the saga is set to continue.
The events over the last fortnight include:
- Microsoft claiming it would come to the rescue and provide fixes for the hole.
- Sony BMG releasing its own fix only to have it soon outed as not only opening even worse security holes than it closed.
- Accusations that Sony BMG’s fix also contains spyware.
- According to reliable sources, class action law suits are being mounted as we write.
And more revelations about the extent of the security issues are coming to light every day – and IDM will keep you up-to-date on the essential issues.
Trojans written specifically to take advantage of the hole were discovered soon after the DRM storm erupted.
Have you been affected by this issue? Let us know.
Related Article: