Sony BMG settles FTC charges over anti-piracy CDs

MercuryNews.com: Sony BMG settles FTC charges over anti-piracy CDs

WASHINGTON (AP) - U.S. regulators said Tuesday that Sony BMG Music Entertainment agreed to reimburse consumers up to $150 for damage to their computers from CDs with hidden anti-piracy software.

Sony BMG to Pay $1.5 Million for CD Anti-Piracy Program

GigaLaw.com Daily News: Sony BMG to Pay $1.5 Million for CD Anti-Piracy Program. Hopefully, winding down their fiasco.

Negative Ads Attack Voters -- With the Facts:

Andrew Ferguson has an interesting article: Negative Ads Attack Voters -- With the Facts that points out that negative ads are often more effective than positive ones, and the reason is that they invariably have to contain verifiable facts in order to be effective.

There have been a lot of cases of this in this election cycle. One of note was Steele's sister's response to the Michael J. Fox commercial about stem cell research. The response was a lot more devistating than the original ad because it used facts to rebut a fairly fact free ad.

It is too bad that John Kerry isn't running this time, because he has, again, opened himself up to negative advertising by inartfully suggesting that only the least educated are fighting now for us in Iraq. It doesn't help his cause that this was very similar to his famous Congressional testimony about alleged atrocities during the Vietnam War - and is one of the reasons he lost in 2004.

Sony's ill-fated CD copy protection still causing problems

MercuryNews.com: Sony's ill-fated CD copy protection still causing problems points out that the antispyware software from AOL and CA may disable a computer's CD drive while attempting to remove the Sony DRM Rootkit code.

And I thought Sony had cleaned up this mess.

CNET News.com: Sony rootkit victims in every state, researcher says

"A security researcher has claimed that computers in every U.S. state have been affected by copy-restriction software from Sony BMG... Florida seems to have the highest number, with 12,588 networks detected that are hosting computers with the digital rights management software installed"

CNET News.com: Windows Wi-Fi vulnerability discovered

"A Windows feature that automatically searches for Wi-Fi connections can be exploited by hackers, a security researcher has warned."

The vulnerability revolves around Windows 2000 or XP (pre XP2, which I installed today, for free) trying to connect up to whatever Wi-Fi is available upon booting. As usual, it is extremely easy to protect against this - for example, just enable IEEE 802.1x authentication and specify EAP parameters. Or, you can disable your wireless card until needed (which I also do so I don't get silly Windows messages). Or, just don't configure your system in "ad hoc" mode, but rather limit it to "infrastsructure" mode.

The real problem though is just like that faced with the Sony DRM fiasco. Microsoft ships its operating systems configured for ease of use, and this seems to open up security holes galore. It is typically fairly easy to overcome most of these security problems. However, the vast bulk of Windows users these days don't have a clue as to what is going on in their computers, and, thus, never know until much too late of their vulnerabilities and how easy it would have been to protect against them.

I see Microsoft going through the motions, as they did with the "WPA wireless security update" for Windows XP included in SP2. But, in the end, ease of use sells more computers (and thus, in their case, software) than does safety. So, I don't expect things to change.

AP: Study Finds Exercise Helps Delay Dementia

"Older people who exercise three or more times a week are less likely to develop Alzheimer's and other types of dementia, according to a study that adds to the evidence that staying active can help keep the mind sharp."

Good to know, and just another reason to keep exercising.

AP: Gore Assails Domestic Wiretapping Program

Former Vice President
Al Gore called Monday for an independent investigation of
President Bush's domestic spying program, contending the president "repeatedly and insistently" broke the law by eavesdropping on Americans without court approval.

Al Gore is at it again, jumping on whatever bandwagen he finds that might get him into the White House. Never mind that much, if not most, of the evesdropping was started when he was VP, or that as president, he might want to continue it. If it might get him into the White House, it is fair game.

Open letter to Sony BMG (and its owners, Sony and Bertelsmann), First4Internet, and the LAME community.

Right now The LAME maintainers aren't interested in initiating a legal battle with Sony BMG. We live in a social competent world where we don't need to pull the weapons and are able to talk about what needs to be done to correct mistakes, right? But we expect Sony BMG to take appropriate action and tell the public about those actions.

Maricocpa County: Judgement against Sunncomm

--$8,202.82 - Costs
-$10,411.49 - Costs
-$79,314.75 - Attorney Fee
$115,334.16 - Interest
$384,447.23 - Principal
----$779.76 - Jury
-------------------
$598,490.21 - Total

ottawasun.com: Canadian Suit targets 'spyware'

"ECHOING a U.S. lawsuit, a $100-million class action was launched in Ottawa this week against Sony BMG Music (Canada) Inc. over allegations the company damaged Canadians' computers with software designed to thwart online piracy."

CNET News.com: Court OKs Sony "rootkit" CD settlement

"A New York judge has given a preliminary approval to the settlement of consumers' lawsuits against Sony BMG Music Entertainment, according to an Associated Press report ."

AP: Judge tentatively OKs Sony BMG settlement

"NEW YORK -- A judge Friday tentatively approved a proposed settlement of lawsuits against Sony BMG Music Entertainment that would give millions of consumers free music downloads to compensate them for flawed software on CDs."

EFF: Florida AG's Office Enters Sony BMG DRM Fray

"Charlie Crist, the Florida Attorney General, has joined several other states in investigating the Sony DRM debacle."

BBC NEWS: Legal fallt from Sony's CD woes

"Sony's settlement over the rootkit fiasco represents a blueprint for legislative action, argues law professor Michael Geist."

Michael Geist: Rootkit fiasco shows sterner laws needed

"Notwithstanding its shortcomings, the Sony settlement does provide a potential starting point for a much-needed statute that protects consumers from TPMs."

Michael Geist: The Start of a DRM Protection Act

"Reports today indicate that a provisional settlement has been reached in the U.S. Sony rootkit class actions. While the settlement still requires court approval, it makes for an interesting read since it may provide the starting point for a future statute that protects against the misuse of digital rights management technologies."

Mark's Sysinternals Blog: Sony Settles

"I’m proud to announce that a major step forward in the legal phase of Sony's rootkit: Scott Kamber and Sony have filed a proposed settlement for the national class-action suit brought by Scott."

BW: Sony BMG Ends a Legal Nightmare

'The label has quickly settled the class action over its "secret" copy-protection software. That's good for all parties -- including the future of digital music.'

Good article.

High level analysis of settlement

We found out Thursday that a class action lawsuit in the Federal District Court for the S.D.N.Y. against Sony BMG, SunnComm, and First 4 Internet has preliminarily settled. Originally, I thought that this was a legal maneuver to short circuit other pending lawsuits against Sony, et al. on terms more favorable than they would otherwise get. But late Thurs. night, the Electronic Freedom Foundation, the closest thing to a consumer group involved, announced that they were joining this proposed settlement. Presumably, this means that they are dropping their pending class action lawsuit against these parties in CA.

Personally, I have a lot more faith in the EFF than I do in the attorneys in NY that are asking to be named lead class counsel. After all, in many class action lawsuits, it appears to me that the attorneys ostensibly representing the class plaintiffs are really primarily representing themselves, with the result that they are often the first, and sometimes only, people who actually get paid.

The EFF on the other hand has been involved as a consumer group in this area at least since Mike Godwin was their attorney and one of their only employees almost 15 years ago when I first met him in person at a BBS (Bulletin Boarding System) convention in Colorado Springs. Shows how both the technology and the EFF have progressed since then.

In any case, I think that the addition of the EFF in the proposed settlement is a pretty good indication that this is probably about as good a settlement as can be expected. Yes, Sony is going to escape with their assets intact. But apparently, they are committing themselves to not utilizing DRM for the next two years - and that is the sort of thing that the EFF would be asking for, and not the putative class action counsel.

As I suggested at Freedom to Tinker, this may end up being taught in Business Schools as how to respond to this sort of public relations disaster. After several false starts, management said make the issue go away, and they are doing that. They are now putting the fiasco behind them as quickly as they can.

Finally, in conjunction with the previous point, it should be remembered that Sony is a Japanese company. Getting into this mess in the first place is probably partially a result of this. Ditto for the initial false starts in addressing the matter. But then when it became apparent to top management that something needed to be done, word came down from the top to make it go away, and it is going away. The Japanese don't like litigation, and, as a result, in many cases appear much quicker to settle than comparable U.S. companies.

EFF: EFF and Sony BMG Reach Preliminary Settlement over Flawed DRM

'“The proposed settlement will provide significant benefits for consumers who bought the flawed CDs,” said EFF Legal Director Cindy Cohn. "Under the terms, those consumers will get what they thought they were buying--music that will play on their computers without restriction or security risk. EFF is continuing discussions with Sony BMG, however, and believes that there is more they can do to protect music lovers in the future.”

"Sony agreed to stop production of these flawed and ineffective DRM technologies,” noted EFF Staff Attorney Kurt Opsahl. “We hope that other record labels will learn from Sony’s hard experience and focus more on the carrot of quality music and less on the stick of copy protection.”

Electronic Frontier Foundation (EFF) joined in this preliminary settlement agreement with Sony BMG this week to settle several class action lawsuits filed due to Sony's use of flawed and overreaching computer program in millions of music CDs sold to the public. The proposed terms of settlement have been presented to the court for preliminary approval and will likely be considered in a hearing set for January 6, 2005 in federal court in New York City.'

ExtremeTech: Ten Failed Tech Trends for 2005

"The recent debacle surrounding Sony's copy protected music CDs was simply the latest in a series of failed attempts to copy-protect music CDs. While the Sony rootkit incident has been the worst offender, there have been past attempts to get around the CD audio standard in a misguided effort to protect the music sold on CD."

Slashdot: Sony Settlement Start of DRM Protection Act?

Interesting thread on the provisional class action settlement. A lot of Slashdot readers don't like the proposed settlement. Expect some profanity.

CNET News.com: Sony settles 'rootkit' class action lawsuit

"Sony BMG has struck a deal with the plaintiffs in a class action lawsuit over copy-restriction software it used in music CDs, according to a settlement document filed at a New York court Wednesday."

RED HERRING: Sony Settles Spyware Suit

"Music giant Sony BMG has agreed to stop making CDs with much-criticized copyright protection software as part of a settlement in a class-action lawsuit that was filed after users found the software made their computers vulnerable to spyware and other malicious software.

The settlement will put an end to the 20-plus cases filed by consumers against Sony since November. It will also resolve the lawsuit filed by the [EFF]"

BetaNews: Preliminary Settlement Filed in Sony Suit

"Lawyers in a class action lawsuit filed against Sony BMG, First 4 Internet and SunnComm last month have submitted a preliminary settlement, which calls for Sony to stop manufacturing CDs with XCP and MediaMax DRM, provide replacement discs, and make cash payments to affected customers."

Proposed class action settlement proposal

Proposed class action settlement proposal discovered by Alex Eckelberry.

WaPo: Sony BMG to Settle Class-Action Lawsuit

Brian Krebs on Computer Security: "Sony BMG Music Entertainment has agreed to a settlement that would end a nationwide class-action lawsuit brought against the company over security flaws in anti-piracy software that it shipped on millions of music CDs."

Slyck News: File-Sharing Winners and Losers of 2005

'"Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

Remember those words? They’re true. Most people didn’t know what a rootkit was. But Sony-BMG gave us all an excellent education on rootkits, spyware, and Digital Rights Management.'

BW: For Sony, a Pain in the Image

"The spyware debacle has sparked anger, distrust, and boycotts among consumers, but the financial impact on Sony BMG is likely to be limited"

ATO Records: Information Regarding Our Artists' Music, Copy-Protected CDs and your iPod

"We at ATO Records are aware of the problems being experienced by certain fans due to the copy-protection of our distributor. Neither we nor our artists ever gave permission for the use of this technology, nor is it our distributor's opinion that they need our permission. Wherever it is our decision, we will forego use of copy-protection, just as we have in the past."

MercuryNews.com: Texas expands spyware lawsuit against Sony BMG

Texas Attorney General Greg Abbott expanded his lawsuit against Sony BMG Music Entertainment on Wednesday, alleging that a second form of anti-piracy technology used by the label violates the state's spyware and deceptive trade practices laws.

eWeek.com: Sony DRM Woes Continue

High level description of Media Max security issues.

Reuters: Texas Files New Spyware Claim Against Sony BMG

The Texas attorney general said on Wednesday he added a new claim to a lawsuit against Sony BMG Music Entertainment accusing it of violating the state's laws on deceptive trade practices by hiding "spyware" on its compact discs.

vnunet.com analysis: The Sony BMG anti-piracy debacle

Brief synopsis of early part of the Sony DRM situation.

Texas Attorney General: SONY BMG Spyware (November 2005)

"SONY BMG Music Entertainment allegedly installed spyware on millions of compact music discs (CDs)... Because of alleged violations of the Consumer Protection Against Computer Spyware Act of 2005, the Attorney General is seeking civil penalties of $100,000 for each violation of the law, attorneys’ fees and investigative costs."

KRISTV.COM:Texas adds new allegations against Sony BMG over anti-piracy software

'The state has added new allegations to its lawsuit against Sony BMG Music Entertainment over anti-piracy software on music compact discs...The new allegations center on Sony's "MediaMax" technology for copy-protection of Sony BMG CDs... The lawsuit says files are secretly installed on the computer, even if the license agreement is rejected'

Current litigation against Sony BMG

Nov. 8 - Italian police asked to probe Sony copy protection code

Nov. 14 - NY Class Action Suit (complaint).

Nov. 22 - EFF Files Class Action Lawsuit Against Sony BMG

Nov. 22 - CNET News: Texas sues Sony BMG over alleged spyware

Nov. 22 - Texas AG complaint against Sony BMG

Nov. 22 - EFF California class action complaint against Sony BMG

Nov. 28 - SONYSUIT.COM: Oklahoma class action suit - class action complaint.

Nov. 28 - NY AG Spitzer investigating Sony BMG

Dec. 1 - Private Wash. D.C. suit filed on behalf of the general public of the capital also Private D.C. suit filed against Sony

Dec. 12 - Ill. AG investigating Sony BMG

Dec. 22 - Texas AG Expands Lawsuit Against Sony BMG to include SunnComm / Media Max; Texas Attorney General: SONY BMG Spyware (November 2005)

Yahoo! Finance: Texas Expands Lawsuit Against Sony BMG: Financial News

'Texas Attorney General Greg Abbott expanded his lawsuit against Sony BMG Music Entertainment on Wednesday, alleging that a second form of anti-piracy technology used by the label violates the state's spyware and deceptive trade practices laws.'

Sony Boycott Blog : Don’t celebrate the end of DRM?

Tim Jarrett takes to task Doug Lichtman from the University of Chicago Law School over a post on the faculty blog that argues that ending DRM would be disasterous for the music industry. Unfortunately, I can't read it, so can't comment.

The Register: Sony BMG shortlisted for 'internet villain' gong

'Sony BMG, the European Commission (EC) and Russia have all been nominated for this year's "internet villain" award...Sony BMG gets the nod for "compromising the security of its customers' PCs with its copyright-protecting rootkit technology"'

BetaNews: Microsoft Tool Cleans Sony BMG Mess

"The December release of Microsoft's Malicious Software Removal Tool attempts to clean up the mess left behind by Sony BMG's XCP copy protection software, which entered the spotlight in November after the discovery that it installs a rootkit."

p2pnet.net: Sunncomm into MediaMaxBo

Tony Smith responding at Sony Boycott Blog points to an article on P2Pnet that better explains the relationship between SunnComm and Media Max.

DRM Patents

Over at Freedom to Tinker mention was made of First 4 and SunnComm patents. As a patent attorney, I thought it might be interesting to see what these companies had in the line of patents and patent applications. I thus availed myself of the USPTO web site search engines and found six published applications of interest.

First, SunnComm had two patent applications assigned to it (one abandoned), and two others with the same inventors (Eric Vanderwater and Peter Jacobs, both of the Phoenix area) unassigned:

US 2004-0103115 - 10/304,259
Filed 11/26/02
Abandoned 11/03/05
US 2004-0103044 - 10/412,453
Filed 4/11/03
Unexamined
US 2005-0278256 - 10/868,576
Filed 6/15/04
Final rejection mailed 10/24/05
US 2005-0177516 - 10/773,686
Filed 2/6/04
Non-final office action mailed 6/15/05
(which means that it is abandoned but can be revived).

First 4 Internet, LTD had two published applications assigned to it:

US 2003-0169878 A1 - 10/217,994
Docketed to examiner - 8/22/05
US 2005-0223240 A1 - 10/506,964
Docketed to examiner - 09/23/05

The US 2005-0223240 A1 application appears to be a US prosecution of an WO 2004-109681 A3 / GB 2402802 A European Patent Office (EPO) application.

Note that I haven’t had a chance to read these patent applications, nor have I looked to see if either of the two SunnComm inventors had other patents or patent applications.

SunnComm stock price

SunnComm's stock price appears to have responded negatively to the Sony DRM problems.

Billboard: Sony BMG Boosts Copy-Protected CDs [02/24/2005]

"Sony BMG Music Entertainment is stepping up the rollout of what it calls 'content-enhanced' copy-protected CDs, according to company executives."

The Register: No more mister nice guy: EMI, Sony-BMG revisit CD copy protection [6/21/2005]

"Both Sony-BMG and EMI have made statements this week that most of their CDs for their major markets will have copy protection placed on them." [6/21/2005]

SunnComm: Perfect placement = adware+spyware

In a press release dated July 13, 2005, SunnComm announces "Pefect Placement":

"Perfect Placement - MediaMax presents the record labels and music producers with unparalleled targeted marketing opportunities through a feature called Perfect Placement. This unique feature centrally serves up dynamic promotional content controlled by the record label to reserved spaces located throughout the MediaMax interface while a user is enjoying their CD on the computer. Imagine an artist's album is coming out and the record company has the ability to announce this event to all those playing the artist's previously released album in their computer."

In short, the software they automatically install from music CDs containing their DRM software monitors what someone is playing, communicates this to a central site, receives advertisements in response to this information, and displays the ads to the user.

The monitoring and communicating is clearly spyware, whereas the display of the unwanted advertisements is adware. All, apparently done without explicit permission from the user (since MediaMax is apparently installed regardless of acceptance of, for example, an attached EULA).

Obviously though, even if the installation were not automatic, regardless of EULA acceptance, it would probably still be adware and spyware since it is not explicitly disclosed in the EULA. Rather, at least the Sony EULA, merely talks about a small software program that is presumably being installed for DRM purposes. This is clearly not DRM. It goes much beyond that.

CNET News.com: Music sharing doesn't kill CD sales, study says

Sony et al. have justified DRM software on music sharing. A study showed it had little part in recent slide in CD sales.

Freedom to Tinker: Inside the MediaMax Prospectus

Ed Felten picks up where I left off looking into the MediaMax Prospectus.

WaPo: Another Attorney General Targeting Sony BMG?

Illinois Attorney General Lisa Madigan said Friday she is investigating whether Sony BMG violated privacy and consumer protection laws, noting that her office has requested information from the company regarding anti-piracy software it included on music CDs that experts have shown exposes Microsoft Windows users to security holes and computer viruses.

Media Max prospectus

Ned Ulbricht at Freedom to Tinker waded through the revised MediaMax filing SB-2 Amdendment #5, dated November 4, 2005as filed with the SEC. Some interesting things popped out.

"MediaMax Technology Corporation, a Nevada corporation is in the business of providing copy control technology to the music and entertainment industry. This industry is generally unpopular with consumers because of their ability to make inexpensive unauthorized copies of entertainment software. The proliferation of illicit copying has resulted in perhaps billions of dollars of lost revenues for industry-wide content owners. The latest data available from the MPAA estimates that the U.S. motion picture industry lost in excess of $3.5 billion in 2003 due to packaged media piracy. Music industry unit ("CD") sales have been falling approximately 10% year-over-year for the past four years, according to the International Federation of Phonographic Industries ("IFPI"). In addition, the International Intellectual Property Alliance ("IIPA") estimated that copyright piracy, not including Internet piracy, around the world inflicts $20-$22 billion in annual losses to the U.S. copyright industries. As technology has become more advanced and efficient, illegal copying activity has increased because of its ease and simplicity."

This, of course, explains why Sony has included DRM software on many of its recent albums.

"On November 2, 2005, we entered into an Employment Agreement with Kevin Clement, an executive at Sony BMG Music Entertainment, to join our company as Chief Executive Officer and President and as a member of our Board of Directors as of November 21, 2005. "

Which helps explain why Sony BMG picked MediaMax / SunnComm for DRM software.

"We have an Exclusive Distribution Agreement with SunnComm to distribute, market, advertise, and sublicense the SunnComm Products throughout the world. The SunnComm Product that we will begin marketing is a content protection control technology called Media Max M4. The market for Media Max are all major and independent record companies along with their artists which may be concerned over lost revenues to illegal copying. Management believes that approximately 2 billion music CD's are sold annually worldwide. SunnComm currently has an agreement with a major record label and manufacturer to provide the Media Max M4 product upon their demand."

This explains some of the relationship between Media Max and SunnComm. Interesting though that they don't point out that the "major record label" is presumably Sony BMG, esp. given that by this time, Sony BMG must have already shipped a number of SunnComm protected CDs AND they had hired Kevin Clement away from Sony.

"The License Management Technology, "LMT", provides a security platform that is able to monitor and control activity on all CD/DVD drives or burners when it determines that content protection could be compromised. The software is designed to be completely invisible to users, programs and system components. CDs created with the LMT are 100% compatible with standard audio CDs; therefore, playability on any regular CD or DVD device is guaranteed."

And that is one of the big problems with the SunnComm DRM code - that it is so invisible that the user doesn't even know that it is installed on his computer, esp. since it installs regardless of whether the Sony EULA is agreed to or not.

"When the disc is inserted, the auto launch feature will activate the MediaMax M4 program on the second session, which feature is called launchcd.exe. Depending on the DRM license implementation, this program is either activated directly or through another program called autorun.exe. Launched first determines if the LMT Software controls are installed on the computer. If not, or if the disc concerned contains a newer version, it will copy the controls from the disc concerned and will install same. The LMT Software controls consist of two dynamic link libraries. The controls are used by the MediaMax M4 application (which is browser based).
Whenever the LMT Software controls are activated, (i.e. when the second session software is executed), the LMT Software controls will first determine if the content protection device driver is installed on the system. If not, it will extract it from the main LMT Software into a separate file and install it as a standard Windows device driver.
The driver first locates all CDROM devices installed on the computer. Then it will poll each device once per second to determine if a new disc has been inserted. If so, it will read various elements of the disc to determine if it is a MediaMax M4 disc. It is important to note that the driver is completely idle (without any chance to affect the computer), unless an actual MediaMax M4 disc has been detected. Once detected, the driver will insert itself into the communication stream for that drive to prevent any non-authorized activities. While allowing the computer to access the second session without any limitations, the driver will interfere when applications try to access the first session.
When the driver detects that the MediaMax M4 disc is ejected, it will remove itself from the communication stream for that drive and switch back to the polling mode. Several enhancements are currently under development to make it very difficult to locate and/or remove the device drivers."

Media Max is essentially admitting here that the SunnComm code installs itself regardless of whether or not the computer user accepts the EULA, that it ties up resources by scanning running processes, and that the code tries very hard to hide itself from the user.

"We believe that today's market prefers playability over protection which its MediaMax M4 technology provides because it is compliant with the CD Redbook Standard."

Which business plan got us here, where MediaMax / SunnComm DRM code is automatically installed on computers regardless of whether or not the accompanying EULA is accepted.

Freedom to Tinker: CD Copy Protection: The Road to Spyware

"So if you’re designing a CD DRM system based on active protection, you face two main technical problems:

1. You have to get your software installed, even though the user doesn’t want it.
2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there."

CNET News: Sony fixes security hole in CDs, again

"Sony announced on Tuesday that a new risk had been found with a batch of 27 of its compact discs, which automatically install antipiracy software on hard drives when put into a computer's disc drive."

BBC News: Sony BMG repents over CD debacle

"The head of Sony BMG's global digital business, Thomas Hesse, told the BBC that the company was "re-evaluating" its current methods."

BW: For Sony, a Pain in the Image

Interestingly, the Feds are getting involved:

And the complaints are being heard at the Justice Dept. "It's fair to say that we're aware of consumer concerns on the installation of this software on Sony products," says Justice spokesman Paul Bresson, though he declined comment on the number of Sony-related complaints the agency has received. "For now we're going to wait for more facts to become available and then evaluate what, if any, action is appropriate."

NYT: Sony fixes security hole in CDs, again

"Sony BMG is replacing a patch for its CD copy protection software after Princeton University researchers found a security flaw in the update."

MercuryNews.com: Sony BMG urges consumers to download security fix for CDs

"Sony BMG Music Entertainment said Tuesday some 5.7 million of its CDs were shipped with anti-piracy technology that requires a new software patch to plug a potential security breach in computers used to play the CDs.

The company said Tuesday it brought the issue up with the MediaMax software maker, SunnComm Technologies Inc., which has developed a software patch to fix the problem."

EFF: SunnComm MediaMax Security Vulnerability FAQ

CNET News: New Sony CD security risk found

Sony BMG Music Entertainment and the Electronic Frontier Foundation digital rights group jointly announced Tuesday that they had found, and fixed, a new computer security risk associated with some of the record label's CDs.

USATODAY: Sony closes in on new program to cleanse PCs

Sony plans to release new uninstall program next Monday (12/12/05).

US-CERT Vulnerability Note VU#312073

An ActiveX control used to uninstall XCP Digital Rights Management (DRM) software made by First 4 Internet and distributed on some Sony BMG audio CDs is [incorrectly] marked "Safe for scripting"

US-CERT: First 4 Internet XCP (Sony DRM) Vulnerabilities

US-CERT is aware of several vulnerabilities regarding the XCP Digital Rights Management (DRM) software by First 4 Internet, which is distributed by some Sony BMG audio CDs. The XCP copy protection software uses "rootkit" technology to hide certain files from the user. This technique can pose a security threat, as malware can take advantage of the ability to hide files. We are aware of malware that is currently using this technique to hide.

EFF: SunnComm MediaMax Affected CDs

EFF has redone the SunnComm CD list.

Another list of infected CDs

Another list of Sony CDs infected with DRM RootKit code (from sunncomm thanks to zapkitty)

20137-(HED) PE-4 Song Sampler
439-40 Below Summer-The Mourning After
456-ADEMA-Unstable
20077-Afterdark-San Francisco
20149-Afterdark-New York City
323-ALEJANDRA GUZMAN-LIPSTICK
324-ALEJANDRA GUZMAN-LIPSTICK (VERSION INTERNACIONAL)
20237-Alicia Keys-Unplugged - Premium
20238-Alicia Keys-Unplugged - Standard
20247-Alicia Keys-Unplugged - Premium Canadian Release
20248-Alicia Keys-Unplugged - Standard Canadian Release
20162-Amici forever-Defined
20195-Amici forever-Defined - Canadian Release
326-Ana Victoria-Love Is All
202-Ana Victoria-3 Song Sampler
208-Ana Victoria-5 Song Sampler
10083-Angie Stone-Stone Love
268-Anthony Hamilton-Comin' From Where I'm From
20268-Anthony Hamilton-Ain't Nobody Worryin'
418-Aretha Franklin-So Damn Happy
248-Automatic Black-Automatic Black - Album Sampler
203-Automatic Black-3 Song Sampler
819-Avril Lavigne-Under My Skin
20117-Babyface-A Love Story
249-Babyface-Babyface 5 Song Sampler
20181-Babyface-Grown & Sexy
20186-Babyface-4 Song Sampler
20204-Babyface-Grown & Sexy - Canadian Release
20189-Backstreet Boys-Never Gone - Canadian Release
20183-Backstreet Boys-Never Gone
20055-Bargrooves-Terrazza
250-Bebel Gilberto-Bebel Gilberto
360-Ben Kweller-On My Way
20208-Black Rebel Motorcycle Club-Howl
20171-Blitzkrieg Pop-T. Raumschmiere
251-Blu Cantrell-Bittersweet
255-Boyd Tinsley-Boyd Tinsley
20082-Boyz II Men-Throwback
275-Brand New-Deja Entendu
20244-Brian Wilson-What I Really Want For Christmas
20258-Britney Spears-Remixed">Britney Spears - Remixed
20262-Britney Spears-Remixed - Canadian Release
309-Britney Spears-In The Zone
20057-CARTEL DE SANTA-VOL. II
420-Cassidy-Split Personality (explicit)
20205-Cassidy-I'm A Hustla (Explicit) - Canadian Release
20191-Cassidy-I'm a Hustla (explicit)
20192-Cassidy-I'm a Hustla (edited)
261-Cee Lo Green-Cee Lo Green...Is The Soul Machine
20196-Charlie Wilson-5 Song Sampler
20223-Charlie Wilson-Charlie Last Name Wilson
20029-Charlotte Martin-On Your Shore
20264-Chris Brown-Chris Brown
10071-Christopher Lawrence-All Or Nothing
735-Citizen Cope-Under The Sun
20135-Clay Aiken-Merry Christmas With Love
20190-Cook Dixon Young-Volume One
20210-Cuban Link-Chain Reaction (Explicit)
20144-Cuban Link-Chain Reaction - Demo
321-da Brat-Limelite Luv & Niteclubz (Edited)
322-da Brat-Limelite Luv n Niteclubz (Explicit)
20172-Dave Matthews Band-Stand Up - Canadian Release
20161-Dave Matthews Band-Stand Up
20211-David Gray-Life In Slow Motion
20232-David Gray-Life In Slow Motion - Canadian Release
357-Death Threat-Now Here Fast!
320-Dido-Life For Rent
474-Dido-White Flag
20180-Dido-Dido Live
20273-Donell Jones-Journey Of A Gemini Sampler
237-Donell Jones-Album Sampler
20241-Donovan Banzana-Life's Code Of Ethics
267-Elvis Presley-Close Up Sampler
325-Elvis Presley-Live In Texas 1972
454-Elvis Presley-Unreleased Movie Gems
455-Elvis Presley-Unreleased Stereo Masters From The `50s
437-Elvis Presley-The Magic Of Nashville
286-ERIK RUBIN-ERIK RUBIN
311-Eve6-It's All In Your Head
20206-Faithless-Forever Faithless
20222-FlamBey-The Flamerous Life
20187-Foo Fighters-7 Song Sampler
20178-Foo Fighters-In Your Honor (Electric)
20179-Foo Fighters-In Your Honor (Acoustic)"
20127-Frequent Flyer-Bombay
20044-Frequent Flyer-Rio De Janeiro
353-From Zero-My So-called Life
262-Gavin DeGraw-Chariot Album Sampler
299-GOB-Foot In Mouth Disease
20254-Goldfrapp-Supernature
20092-Hadley-Hadley
443-Heather Headley-this is who I am
20018-Hot Import Nights-Driving Beats
435-Ike and Tina Turner-The Early Sessions
20239-Imogen Heap-Speak for Yourself
438-In Essence-The Master Plan
305-J-Kwon-Hood Hop (Edited)
306-J-Kwon-Hood Hop (Explicit)
20074-J-Zone-A Job Aint Nuthin but Work
372-Jacksoul-PROMO - HMV value add
403-jacksoul-Resurrected
307-James Taylor-Hourglass
20260-Jamie Foxx-Unpredictable - THE SAMPLER
20240-Jeff Bates-Good People
20166-Jim Brickman-Grace - Canadian Release
20156-Jim Brickman-Grace
20158-Jody Sticker-5 Minutes
20182-Judd And Maggie-Subjects
20132-Kalan Porter-219 Days
20141-Kasabian-Kasabian
20167-Kasabian-Kasabian - Canadian Release
20157-Keith Anderson-Three Chord Country And American Rock & Roll
20151-Kelis-Tasty (Edited)"
427-Kelis-Tasty (Explicit)
20145-Ken Oak-Half Step Down
20113-Kenny G-4 Song Sampler
809-Keshia Chanté-Sampler
476-Kings Of Leon-Youth And Young Manhood
20134-Kings Of Leon-Aha Shake Heartbreak
20169-Kings Of Leon-Aha Shake Heartbreak - Canadian Release
292-LA 5a. ESTACION-FLORES DE ALQUILER
20272-Leilani Jaster-Leilani Jaster
362-Len Doolin-Once In A Lifetime
20198-Leo Kottke/Mike Gordon-Sixty Six Steps
20217-Living Things-Ahead Of The Lions
20152-Longwave-There's A Fire
20126-Los Razos-La Raza Anda Acelrada (Explicit)
354-Manmohan Waris-Nachiye Majajne
20106-Mario-Here I Go Again
20229-Maroon 5-Maroon 5 Live - Friday The 13th - Canadian Release
20225-Maroon 5-Live: Friday the 13th
285-MARTIN RICCA-ENAMORADO
20215-Mashonda-January Joy
20263-Melissa O'Neil-Melissa O'Neil - Canadian Release
260-MIJARES-CAPPUCCINO
20128-Moderato-Detector De Metales
20129-Moenia-Stereo Hits
310-My Morning Jacket-it still moves
20216-My Morning Jacket-Z
20174-Nathaniel Kimble-Better Get Ready
20219-Nikka Costa-Can'tneverdidnothin' - Australian Release
298-Nodesha-Get It While It`s Hot
368-North Star-Pollyanna
20125-Other-Please Detail in Question
20214-Our Lady Peace-Healthy In Paranoid Times - Candadian Release
278-Out Of Your Mouth-Draghdad
419-Outkast-Speakerboxxx
424-Ozomatli-Street Signs
816-PANTEON ROCOCO-TRES VECES TRES
20220-Paul van Dyk-Politics of Dancing 2
366-Pedro Vargas-Pedro Vargas Canta a José Alfredo Jiménez
20024-Peggy Scott-Adams-God Can And He Will
308-PERSEGUIDOS-III
20136-Peter Cetera-You Just Gotta Love Christmas
20261-Philosopher Kings-Castles
448-Pink-Try This
20147-Play-N-Skillz-The Album Before The Album
20025-Projet Orange-4-Track Sampler
20097-Projet Orange-Megaphobe
20227-Quenga-Quenga - U.S. and New Zealand Release
808-Rachael Yamagata-Happenstance
20194-Raheem DeVaughn-The Love Experience
20014-Ray Charles-Genius Loves Company
20038-Ray LaMontagne-Trouble
20193-Richard Hawley-Cole's Corner
20197-Röyksopp-The Understanding - Australian & New Zealand Release
20030-Sak Pasé Presents Wyclef Jean-Welcome To Haiti Creole 101
20199-SalonMusique-Uptown Conditioner
20200-SalonMusique-Ultimate Relaxer
20245-Santana-All That I Am
20256-Santana-All That I Am - Canadian Release
20207-Sarah McLachlan-Bloom (Album Remix)
20138-Sarah McLachlan-Afterglow Live
235-Sarah McLachlan-Afterglow
289-Sarah Mclachlan-Fallen
20249-Say Anything-Say Anything...is a Real Boy
20250-Say Anything-Say Anything...was a Real Boy
20251-Say Anything-Say Anything...is a Real Boy - Canadian Release
20252-Say Anything-Say Anything...was a Real Boy - Canadian Release
817-SHAILA-SHAILA
20257-Shane Capone-Heated Speech
20148-Shawn Desman-Sampler - Canadian Release
20163-Shawn Desman-Back For More - Canadian Release
20120-Shawn Kane-Full Version Sampler
20188-Shawnie-The Return
20094-Silvertide-Show And Tell (Explicit)
20095-Silvertide-Show And Tell (Edited)
457-Skrape-Up The Dose
213-Sloan-Action Pact
20173-Sloan-A Sides Win: Singles 1992 - 2005 - Canadian Release
20259-Smitty-Life Of A Troubled Child (Album Advance)
373-Soil-Redefine
20221-Soundtrack-Masters of Horror Soundtrack Sampler
20170-Soundtrack-The Cave
20159-Soundtrack-XXX: State of the Union (explicit)
20160-Soundtrack-XXX: State of the Union (edited)
20165-Sountrack-XXX: State Of The Union (Explicit) - Canadian Release
475-South-With The Tides
415-Spymob-Sitting Around Keeping Score
20201-StellaStarr*-4 Song Sampler
20203-StellaStarr*-Album Advance
20231-Stellastarr*-Harmonies For The Haunted - Canadian Release
20235-Stellastarr*-Harmonies For The Haunted
356-Steve Myland-Not Every Rhyme Has A Reason
371-Strawberry Shortcake-Premium Giveaway
20255-Suburban Tragedy-Tonight We'll Watch The Sun Come Up
20224-Syleena Johnson-Chapter 3: The Flesh
20228-Syleena Johnson-Chapter 3: The Flesh - Canadian Release
20266-T-Pain-Rappa Ternt Sanga - Explicit
20267-T-Pain-Rappa Ternt Sanga - Edited
20176-T. Raumschmiere-Blitzkrieg Pop
20177-Tazz Calhoun-It's All Good
204-Tears For Fears-3-Song Sampler
288-Tears For Fears-Everybody Loves A Happy Ending
276-Tha Rayne-Didn`t You Know
20202-The Appearance-Are We Not Entertained?
10073-The Calling-Two Copy
20168-The Chieftains-Live From Dublin; A Tribute To Derek Bell - Canadian Release
20143-The Chietains-Live From Dublin; A Tribute To Derek Bell
318-The Crystal Method-Legion of Boom
440-The Neptunes-The Neptunes Present...Clones
20142-The Residents-Animal Lover
432-The Sound Of Urchin-The Diamond
406-The Strokes-Album Advance
20269-The Strokes-First Impressions Of Earth
20213-The Trews-Den of Thieves - Canadian Release
20175-The Warlocks-Surgery
263-Theo-Chemistry...You And Me
365-Tita & Sãozinha-Papá
802-TOÑITA-LAS CUENTAS CLARAS
20133-UGK-Jive Records Presents: UGK - Chopped & Screwed
271-Usher-Confessions
20080-VARIOS-MISION S.O.S.(AVENTURA Y AMOR)
20041-Various-Relaxation: A Windham Hill Colletion
20079-Various-Reflections
20027-Various-Urban International Sampler
245-Various-Arista Fall 2003 Sampler Promo CD
20146-Various-Down South Party Mix!
20212-Various-Elizabethtown - Songs From the Brown Hotel
20218-Various-Canadian Idols: High Notes - Canadian Release
20209-Various-2005 NARM Sampler
20226-Various-So Amazing An All Star Tribute To Luther Vandross
20230-Various-So Amazing An All-Star Tribute To Luther Vandross - Canadian Release
20242-Various-Masters Of Horror
20234-Various-Masters of Horror Radio Sampler
343-Various Artists-Music Snapshot of LG Action Sports Championship
824-Various Artists-Majestic II
828-Velvet Revolver-Contraband (Explicit)
822-Velvet Revolver-Contraband (Edited)
20130-Velvet Revolver-Bonus Material
300-Vertical Horizon-Go
277-Vue-Down For Whatever
241-Wakefield-American Made
20184-Wakefield-What Side Are You On? (explicit)
20185-Wakefield-Which Side Are You On? (edited)
363-Whitney Houston-One Wish
447-Whitney Houston-Try It On My Own
441-Wyclef Jean-The Preacher`s Son
20089-Yaga Y Makie-Clase Aparte
10077-Yogacharya Swami Kripalvanandji-Premdhara 3 & 4 - U.S. & India Release
20154-Yogacharya Swami Kripalvanandji-Premdhara 5 & 6 - U.S. & India Release
20253-Yogacharya Swami Kripalvanandji-Premdhara 7 & 8 - U.S. & India Release
20270-YoungBloodZ-Ev'rybody Know Me (Explicit)
20271-YoungBloodZ-Ev'rybody Know Me (Edited)
279-YoungBloodZ-Drankin` Patnaz
20086-Yung Wun-The Dirtiest Thirstiest (Explicit)
20087-Yung Wun-The Dirtiest Thirstiest (Edited)

Slyck News: Anti-DRM Protest Part II in NYC

SC Magazine: Private D.C. suit filed against Sony

"The latest development in the saga saw a lawsuit filed yesterday by legal firm Finkelstein, Thompson & Loughran for a resident of the District of Columbia on behalf of the general public of the capital."

Freedom to Tinker: Sony, First4 Knew About Rootkit Issue in Advance

Security vendor F-Secure contacted SonyBMG and First4Internet about the companies’ rootkit software on October 4 — about four weeks before the issue became public — according to a Business Week story by Steve Hamm.

WaPo: Russinovich to join NY class action suit as expert witness

Mark's Sysinternals Blog: Premature Victory Declaration?

"Two weeks ago I declared victory in what the media is now referring to as the “Sony rootkit debacle”, but now I’m wondering if I jumped the gun. It turns out that the CDs containing the XCP rootkit technology are still widely available, there’s still no sign of an uninstaller, and comments made recently by the president of the Recording Industry Association of America (RIAA) make it clear that the music industry is still missing the point."

Businessweek: Sony BMG's Costly Silence

Businessweek: Spitzer Gets on Sony BMG's Case

Freedom to Tinker: MediaMax Permanently Installs and Runs Unwanted Software, Even If User Declines EULA

SONYSUIT.COM: Oklahoma class action suit.

Class action complaint.

Freedom to Tinker: What Does MediaMax Accomplish?

Sony Recall Information

Sony BMG Web site

Information on XCP Protection

XCP Frequently Asked Questions (FAQ)

CDs Containing XCP Content Protection Technology

Sony BMG CD Exchange Program

November 18, 2005 Exchange Program Announcement

Stars & Stripes: Military assessing possible threat posed by Sony security software

"Military network analysts are assessing a possible security threat that could result if the software is installed on government computers, according to Tom Ryan, an information assurance manager with the 5th Signal Command based in Mannheim, Germany."

EFF CA class action complaint against Sony BMG

PC Pro: News: US rights body and state of Texas file against Sony BMG

"The leading US digital rights campaigner has filed a class action lawsuit against Sony BMG, demanding that the company repair the damage done by the DRM software it included on over 24 million music CDs. The record label also faces litigation from the US state of Texas."

EFF: SonyBMG Litigation and Rootkit Info

By including a flawed and overreaching computer program in over 20 million music CDs sold to the public, Sony BMG has created serious security, privacy and consumer protection problems that have damaged music lovers everywhere.

At issue are two software technologies - SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP) - which Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User Licensing Agreement (EULA).

WaPo: EFF, Texas Attorney General Sue Sony

Texas AG complaint against Sony BMG

CNET News: Texas sues Sony BMG over alleged spyware

"Texas Attorney General Greg Abbott filed a civil lawsuit on Monday against Sony BMG Music Entertainment for allegedly including spyware on its media player designed to thwart music copying."

EFF Files Class Action Lawsuit Against Sony BMG

"The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, today filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs."

Freedom to Tinker: Does Sony’s Copy Protection Infringe Copyrights?

"Matti Nikki and Sebastian Porst have done great work unearthing evidence pointing to infringement. They claim that the code file ECDPlayerControl.ocx, which ships as part of XCP, contains code from several copyrighted programs, including LAME, id3lib, mpglib, mpg123, FAAC, and most amusingly, DVD-Jon’s DRMS."

FoxTrot Cartoon on Sony DRM code

FoxTrot by Bill Amend November 21, 2005

Provided by Universal Press Syndicate

Original CD that started has now been pulled by Amazon.com

Currently Amazon.com: Get Right with the Man [SONY XCP CONTENT/COPY-PROTECTED CD]: Music: "Availability: THIS TITLE IS CURRENTLY NOT AVAILABLE. If you would like to purchase this title, we recommend that you occasionally check this page to see if it has become available."

This was the original Sony CD that infected Mark Russinovich's computer, and, thus, started this entire Sony DRM RootKit controversy - and as of 11/17/2005 it had been pullled by Amazon.com, and remains unavailable as of 11/20/2005.

EFF: An Open Letter to Sony-BMG

EFF: List of infected CDs

EFF: A Spotters' Guide to XCP and SunnComm's MediaMax

EFF: A Spotters' Guide to XCP and SunnComm's MediaMax

The LAME Project

"LAME is an LGPL MP3 encoder. The Open source development model allowed to improve its quality and speed since 1999. It is now an highly evolved MP3 encoder, with quality and speed able to rival state of the art commercial encoders".

De Winter Information Solutions: Spyware Sony seems to breach [LAME] copyright

"The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

This article is a translation of this article I wrote for Webwereld.

It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license. This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.

Sony complied with non of these demands, but delivered just an executable program. A computerexpert, whose name is known by the redaction, discovered that the cd "Get Right With The Man" by "Van Zant" contains strings from the library version.c of Lame. This can be conluded from the string: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 "."

LAME code

This is from Drew Lehman, who forwarded this from a user group list to cyberia-l cyber law listserve group:

oh the irony....

Sony's rootkit infringes on software copyrights

Close examination of the rootkit that Sony's audio CDs attack their customers' PCs with has revealed that their malicious software is built on code that infringes on copyright. Indications are that Sony has included the LAME music encoder, which is licensed under the Lesser General Public License (LGPL), which requires that those who use it attribute the original software and publish some of the code they write to use the library. Sony has done none of this. [BEH Note - see "Can I use LAME in my commercial program?"]

The evidence against Sony is compelling, and this further reveals the hypocrisy of Sony's actions. Sony claims that it needs to install dangerous, malicious, underhanded software on its customers' computers to protect its copyrights, but in order to write this malware, it has no compunction about infringing on the copyrights of public-spirited software authors who make their works available under free software licenses like the GPL.

I suppose it's natural to believe that everyone is at least as sleazy as you are: for Sony's rip-off artists, assuming that paying customers are planning to rip them off must come easy. Link

http://dewinter.com/modules.php?name=News&file=article&sid=215

Later,

Troy

Wired News: Tainted Sony CDs Used Open Source

"Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open-source project, raising questions about copyrights, software experts said on Friday."

CNET News: Sony's sour note

Sony BMG Music Entertainment finds itself singing the blues this week, after copy protection on many of its CDs struck a sour note on fans' PCs.

The record label will recall millions of CDs that, if played in a consumer's PC disc drive, will expose the computer to serious security risks. Anyone who has purchased one of the CDs, which include southern rockers Van Zant, Neil Diamond's latest album and more than 18 others, can exchange the purchase. The company added that it would release details of its CD exchange program "shortly."

CBC: CDs with security glitches sold in Canada

"About 120,000 Canadians may have bought Sony BMG CDs that can damage their computers."

Freedom to Tinker: Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole

"It turns out that the web-based uninstaller SunnComm provides opens up a major security hole very similar to the one created by the web-based uninstaller for Sony’s other DRM, XCP, that we announced a few days ago. I have verified that it is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used. In fact, the the SunnComm problem is easier to exploit than the XCP uninstaller flaw."

Santana: Copyright Protection letter

Letter from Deborah Santana to Santana fans concerning Sony DRM software on "All That I Am" CD.

Slashdot: DVD Jon's Code In Sony Rootkit?

Slashdot | DVD Jon's Code In Sony Rootkit?: "An anonymous reader writes 'With some help from Sabre Security, Sebastian Porst and Matti Nikki have identified some stolen GPL'd code in Sony's rootkit. Ironically the code in question seems to be VLC's demux/mp4/drms.c -- the de-DRMS code which circumvents Apple's DRM, written by 'DVD' Jon Lech Johansen and Sam Hocevar.'"
[Entire Article]

Reuters: Software writers spot open source in Sony BMG CDs

Reuters: "Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open source project, raising questions about copyrights, software experts said on Friday."