Tuesday, November 29, 2005

FCC Expected to Back Pay-Per-Channel Cable TV

Wall Street Journal is reporting that the Federal Communications Commission (FCC) is expected to back 'a la carte' pricing in the industry, instead of bundled channels. Last years' FCC report on the subject found that most U.S Households would face higher television bills if they only paid for the channels they wanted to watch. However, the FCC is now releasing a revised report that will conclude just the opposite.

Pay-Per-Channel does better serve the customer IMHO. This is long overdue too. I live in Texas but really do not know that much Spanish, so why do I have two/three Spanish channels on my extended cable? Why am I paying for them? Good Question.

FireFox 1.5 - Releasing Today?

LinuxWorld.com is reporting that Firefox will be released on Tuesday (today). Another false release? I guess we can only wait and see.
After a host of test releases and one false start, a new version of the Firefox browser will be ready on Tuesday, according to a media alert issued by the Mozilla Foundation.

Firefox 1.5 will be available for free on Tuesday afternoon, U.S. Pacific Standard Time, at
www.getfirefox.com and www.mozilla.com, according to the open-source group. A complete press release outlining the new features in Firefox 1.5, as well as some additional Mozilla news, will be issued tomorrow at the time the new version is available.

Tuesday, November 22, 2005

EFF Files Class Action Lawsuit Again Sony BMG

The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, yesterday filed a lawsuit against Sony BMG, demanding that the company repair the damage done by the First4Internet XCP and SunnComm MediaMax software it included on over 24 million music CDs.

When MediaMax software doesn't contain as many "magic tricks" as the XCP software, it is on over 20 million CDs - ten times the number of CDs as the XCP software.

MediaMax installs files on the users computer even if they click "No" on the EULA and like the XCP, does not include a way to fully uninstall the program. Both MediaMax and XCP send data back to their owners, allowing them to track user listening habits at the flip of a switch - even though the EULA states that the software will not be used to collect personal information.

Remeber the XCP EULA states that Sony is never liable to the customer for more than 5 dollar. Would Sony like to tell me where a computer can get repaired for 5 dollars??

The EFF - Defending Freedom in the Digital World.

Monday, November 21, 2005

State of Texas Sues Sony BMG over XCP

Texas Attorney General Greg Abbott today sued Sony BMG Music as the first state in the nation to bring legal action against Sony for its rootkit XCP DRM software.

This suit is the first filed under the state's spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.

“Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” said Attorney General Abbott. “Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime.”

Because of alleged violations of the Consumer Protection Against Computer Spyware Act of 2005, the Attorney General is seeking civil penalties of $100,000 for each violation of the law, attorneys’ fees and investigative costs.

This is a bold step taken by the state of Texas. Makes me proud to be a Texan. I wouldn't be surprised to see other states file suits as well. Many states passed similar anti-spyware legislation in 2005.

See the full lawsuit in PDF form. After reading the text, I don't see any possible way the state could lose.

XCP DRM Defeated by a "Piece of Tape"

Vnunet.com has a very interesting aritcle about another XCP discovery. It isn't a new feature of the XCP rootkit, but the discovery that a very old anti-DRM trick still works.

Researchers at Gartner released this information just today.
Applying a piece of opaque tape to the outer edge of the disk renders the data track of the CD unreadable. A computer trying to play the CD will then skip to the music without accessing the bundled DRM technology.

"After more than five years of trying, the recording industry has not yet demonstrated a workable DRM scheme for music CDs," Gartner concluded in
a newly published research note.

The use of a piece of tape will defeat any future DRM system on audio CDs designed to be played on a stand-alone CD player, the analyst said.
How can these DRM scheme really be worth all the money, if they are easily bypassed by a peice of tape, a magic marker or the "SHIFT" key??

Thursday, November 17, 2005

Sony Story Gets Going - Enter MediaMax

While Sony was slow to response to the initial story of the XCP, it seems they are finally putting their money where their mouth should have been all along. This story proves that the blogosphere can make a difference in a very huge way.

Sony have taken several very positive steps in the last few days -

1) Along with an open letter to their customers, Sony has released a list of the CDs that contain the XCP DRM software - all 52 of them.

2) Not only has Sony recalled all these CDs from the stores, but they will also provide customers a free XCP-free replacement.

3) Sony states they will be releasing a complete and "secure" XCP uninstall program in the near future as well.

Sony must not be allowed to sweep their under the "carpet". Dan Kaminsky has produced an extremely striking picture of the geographic extent of rootkit-related DNS traffic. Dan collected this information in a process called DNS Cache Snooping. While these steps should be seen as a positive step in the right direct, the real case is not closed just yet.

The information against Sony keeps coming in and the world keeps fighting. Soon Sony's other DRM software, MediaMax, will be all over the news as well.

J. Alex Halderman released information today on his Freedom-to-tinker blog, that the web-based uninstaller used to remove the MediaMax DRM software opens up a major security hole very similar to the one created by the web-based uninstaller for Sony's XCP. He has verified that it is possible for a malicious web site to use the SunnComm hole to take control of PC where the uninstaller has been used. In fact, he states that the SunnComm problem is easier to exploit than the XCP uninstaller flaw. Secunia has released an advisory on this highly critical vulnerability.

EFF is collecting stories from EFF members and supporters who have purchased Sony-BMG CDs that contained SunnComm's MediaMax copy protection software. The MediaMax software is somewhat different, but similarly has no true uninstall option and establishes an undisclosed ongoing communication from the users’ computer to SunnComm. CDs with this technology include:

Amici Forever, Defined
David Gray, Life in Slow Motion
Foo Fighters, In Your Honor
My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album

Apple/Mac users that laughed about the XCP story can now join in on the fight against Sony, since MediaMax has been Apple/Mac compatible since 2003.

Right in the middle of this battle, the House Subcommittee on Commerce, Trade, and Consumer Protection heard from witnesses discussing "Fair Use: Its Effect on Consumers and Industry." on Wednesday.

While that the blogs and the stories will fade, it is very important that people know their rights and learn to defend those freedoms even in the face of a corporate giant, like Sony.

Wednesday, November 16, 2005

Exploit of the Sony/First 4 Internet ActiveX Control in the Wild

Active exploits of the "Uninstall" ActiveX Control Vulnerability have been found in the wild.

Websense Labs have recieved reports of websites that are using the Sony DRM "Uninstaller" vulnerability as a means to perform malicious actions on end user machines.

Remember this ActiveX control will only be present on your system if you used Sony's web-based XCP decloaker.

But why use another Sony program to decloak Sony's XCP rootkit?

I would use one of the many third-party decloaking utilities, like Sophos' UnMaking Tool.

Once it is decloaked, you still have to ask yourself the following.

"Am I comfortable with the Sony's XCP software on my computer? "

Tuesday, November 15, 2005

Sony's Wants to Kill Your Computer - Again

Remember the Sony web-based "patch" that removed the cloaking ability of the XCP rookit and updated all the files to XCP2?

It appears that if you believed the magic words of Sony and ran the web-based patch, you may have dug a larger security hole into your computer than the original cloaking rootkit itself.

A post co-written by Ed Felten & J. Alex Halderman over at Freedom to Tinker explains the new security threat posed by the CodeSupport ActiveX control.

The root of the problem was in a serious security flaw in Sony's web-based uninstaller patch. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

In short, this is the situation that Sony has created for THEIR CUSTOMERS that currently have the CodeSupport ActiveX control installed -

1) A malicious website author can write a malware program.

2) Package it up and throw it on some URL.

3) Trick the user into visiting the site that calls the above URL using IE. (Think Phishing or Pharming)

As soon as you visit the evil site, the package is downloaded to your computer and executed automatically without the user seeing a thing. You now have a non-sony rootkit/keylogger/bot installed on your computer. Thanks again Sony. Depending on the target range of the attack, the now installed malware may not even be detected by anti-virus.

Sony has again heard the voices of the public and provided an EXE version of this uninstaller patch. As long as you have never used the web-based patch, then you should be safe from this new threat.

If you think you might have the CodeSupport ActiveX installed, try Muzzy Reboot Test.

After infecting more than half a million networks, including military and government, Sony has decided to pull the XCP CDs off the shelf.

For now, pulling the CDs off shelves "could go a long way toward making a consumer feel comfortable that the CD they just purchased isn't going to mess up their computer," says record store owner John Kunz of Waterloo Records in Austin.

If you ever feel the need to dig for vinyl records, Waterloo and Alien are both great Austin stores.

Microsoft has finally jumped in the game and joined the rest of the anti-spyware world in its view of the Sony Rootkit. Microsoft will include removal signatures for the Sony rootkit in the Windows AntiSpyware beta, the Malicious Software Removal Tool, and the Windows Live Safety Scanner. Good news for many Windows users.

To top off all the lawsuits currently in the works against Sony, a Dutch article was released today that indicates that Sony may have used the LAME LGPL mp3 encoder in their rootkit. If this is true, then Sony failed to follow the rules for using open-source software, therefore putting it in direct violation of the open-source license agreement.

Friday, November 11, 2005

Reaction to Sony's "Magic" makes Sony Halts Production of XCP CDs

It would appear that Sony has heard the public and the world for once. They have decided to suspend the manufacture of CDs containing XCP technology. They have finally decided to put a link to their "patch" on their website also. Brilliant..and why did they not do that from the start? I wouldn't even call it a patch - more like an upgrade to XCP2 with the cloaking.

It seems that the global security reaction to Sony's magic tricks was enough to make them stop and think about their actions - for once. In my mind, I see Sony rolling its sleeves up and saying "nothing up my sleeve".

Digital-rights advocates and consumers attorneys are preparing nearly a half dozen legal actions against the music giant. Included in the legal actions are the following -

  • Chicago-based law firm Cirignani Heller Harman & Lynch may be filing a class-action law suit.
  • San Francisco-based law firm Green Welling will be filing a class-action law suit against Sony to recover damages caused by consumers by the XCP CDs. The lawsuit alleges that Sony BMG has broken three Californian laws.
  • Italian digital rights group Associazione per la Libertá nella Comunicazione Elettronica Interattiva (ALCEI) filed a criminal complaint with that nation's Economic and Financial Police Division to investigate whether Italy's consumers were affected by the Sony BMG cloaking technology and, if so, whether the company, and any other music company, violated national laws and should be prosecuted.
  • Electronic Frontier Foundation (EFF) is collecting stores from EFF members and supporters who have purchased Sony BMG CDs that contained the XCP technology. They are considering litigation against Sony but have not made a final decision on the issue.
  • New York lawyer, Scott Kamber, is planning a class-action lawsuit for all Americans affected.

Antivirus and Anti-Spyware vendors are taking action as well.

There is even an online Sony DRM Boycott petition, if you want to personally express your unhappiness in the public eye.

It is my belief that Sony knew they were going into untouched waters with this rootkit-like technology, but I do also believe that they do not understand the security issues related to releasing a tool of this nature. Within the last two days, several bots have been released that are using the Sony DRM cloaking code to hide and infect users with very evil stuff.

I can only assume that spyware makers and botnet writers will start using Sony's DRM cloaking as soon as possible. They already jump on every new IE exploit like it is gold, why whould this be any different? Did Sony not see this happening? Where were they?

They are busy staring at their bottom line...and it is above to drop... like it's hot.

Thursday, November 10, 2005

Sony DRM / Rootkits - Why You Need to Care

In August 2005, I received a virus alert in my e-mail. It was from a computer in the financial department - it was infected with a rootkit. Not the best way to start out a day, but stuff happens. We looked over the file and I reported it to our anti-virus vendor. The vendor responded that it was not a false positive and that we should treat it like a normal rootkit. Here was the detection -

Virus Troj/RKProc-Fam detected in:"C:\WINNT\system32\$sys$filesystem\aries.sys"
Disinfection unavailable.

Thanks to my friends at TRE Research for reverse engineering the above file with IDA Pro. Check that out here.

The threat was removed but I kept the file for several months. On Nov 9th, I tested the file at VirusTotal.com and it was no longer detected as a rootkit. Study the filename closely and remember it as you read the rest of this blog.

On the morning of October 31, I started my day like every other day. I was looking over the standard security websites, reading Full-Disclosure and drinking my coffee. I ran across Mark Russinovich's Blog that morning but my eye didn't get past the title for some reason. I was asked to work on a network device, so I started my day.

But later I came back to Mark's blog entry for Oct 31 and was very impressed with what he had found. In the process of testing the latest version of Sysinternals' RootKit Revealer, he had discovered hidden software on his computer. Mark, like many in the security community, does not like to find surprises hiding in his computer. He started a basic forensic breakdown on the software and found that it was connected to a company not normally known for its rootkit technology - Sony BMG.

Digging deeper, he found that the main driver of the rootkit (aries.sys) was designed by the UK firm - First 4 Internet. This driver is part of a new Digital Rights Management package from Sony called Extended Copy Protection (XCP). This new software is installed onto your computer when you attempt to listen to certain copyright-protected music CDs. When the CD is inserted into the computer, it automatically runs the software and presents the user with a common End User License Agreement. The EULA tells the user that a special player needs to be installed to listen to the CD but fails to fully describe the "player" software. If you agree to the install, the software installs itself onto the computer, hooks its "claws" into the kernel and cloaks itself using standard "rootkit technology".

"Root technology" in a simple yet very broad sense can be seen as a piece of software that hooks into the lowest level of a computer and attempts to cloak itself using many techniques. In general this cloaking ability will enable a piece of software to hide form the operating system itself and even lie about its existence to applications that run at "levels" higher than itself. This means that the rootkit can lie to anti-virus, running process detection software, anti-spyware and other applications that may hint at its existence. But you have to remember, the hooking is separate from the cloaking. Kernel hooking is in itself a valid programming technique used by some anti-virus vendors, anti-spyware vendors and IDS/IPS vendors.

This is where the water gets dirty however. Sony's rootkit driver cloaks ANY file or folder that has $sys$ in the filename. Sony stated that the cloaking rootkit does not increase the security risk to normal user, but I will state the opposite. This does make a computer more vulnerable overall and puts the casual user in greater risk. I also stated this fact in a small e-mail interview with TechTarget/SearchSecurity.com yesterday.

Sony's statement about the security risk only proves to the public that they do not understand the security risk of their rootkit-technology. Sony mislead the public about the risk only to save its image (aka bottom line), nothing more. If they are aware of the increased risk, then this proves they lied to the public. If they are not aware of the increated risk, this proves they do not understand the technology they are forcing onto millions of computers and therefore should have never started down this road in the first place.

Just today, a Trojan was discovered using Sony's cloaking driver to hide itself. This Trojan would normally have to contain code to hook itself into the kernel. But who needs the code, when Sony already has the hooks in place. The Trojan only needs to have $sys$ it its name to hide from the user and operating system.

Under the recent public pressure, Sony and First 4 Internet have released a "patch" that decloaks the DRM software but doesn't remove it at all. It actually updates the DRM software to new versions.

Sony's rootkit-like tricks are not the real legal problem however. There are two main legal problems with Sony's actions -

1) Sony's attempt to mislead the public about the software and its security risk - multiple times.
2) Sony's lack of information discourse in their EULA about the true nature of the software and how it is impossible to remove for a normal computer user.

See the Electronic Frontier Foundation's report on the Sony BMG EULA.

A class-action lawsuit has been started in the state of California, a nationwide class-action lawsuit is expected to be filed in the state of New York this week and there could be criminal cases bought against Sony under the "U.S. Computer Fraud and Abuse Act" and the UK's "Computer Misuse Act of 1990". Italian police have been asked to by the ALCEI-EFI in Italy to investigate Sony DRM code as well.

Computer Associates International said today it is now classifying Sony's software as spyware and will begin searching for and removing XCP with its anti-spyware software, starting on November 12. I can only hope that other vendors will follow suit.

How much trouble will Sony get into? Only time will tell...

In the meantime, conduct a simple test on your computer. Create a new folder on your desktop and name it test. Then rename the folder to $sys$test. If the folder disappears, your computer is infected with Sony's new DRM software. Then do two things -

1) E-mail Sony to thank for putting your system at increased security risk.
2) Wipe your computer and install everything fresh or use Sophos' UnMasking Tool to decloak the DRM Software. It will not remove it however.