SONY CD's allow hackers in your computer

ces

Registered User
Forum Member
Mar 24, 2005
402
1
0
E of Ball State
Heard on news this AM Sony in effort to thwart piracy imbedded something in 5,000,000 new CD's that will allow hackers easy access to your computer. AND the fix they offer only makes it worse. If you play CD's on your computer, your tipoff is on the label. Look for the licensing lingo and look for "something something blah blah" .XCP. Mac is safe. That is all I know.
 

GM

PleasureGlutton
Forum Member
Jan 21, 2000
2,962
5
0
123
Toronto, ON, Canada
Sounds to me like BS. They'd be leaving themselves wide open for a class-action lawsuit if they released something that could damage your computer, or leave you vulnerable to identity theft or exposure of private information. Not to mention the negative publicity this would generate would be seriously damaging. Surely their judgement couldn't be that poor, could it?
 

Keyser Soze

Registered User
Forum Member
Jan 20, 2000
2,328
87
48
Orlando
Record label Sony BMG Music Entertainment said Tuesday that it will recall millions of CDs that, if played in a consumer's PC disc drive, will expose the computer to serious security risks.

Anyone who has purchased one of the CDs, which include southern rockers Van Zant, Neil Diamond's latest album, and more than 18 others, can exchange the purchase, Sony said. The company added that it would release details of its CD exchange program "shortly."

Sony reported that over the past eight months it shipped more than 4.7 million CDs with the so-called XCP copy protection. More than 2.1 million of those discs have been sold.

"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets," the company said in a statement. "We deeply regret any inconvenience this may cause our customers."

The company made the announcement--its second public apology since the CDs' risks came to light last week--just as security researchers found several other potentially dangerous flaws in the software.

Princeton University computer science professor Ed Felten wrote on his blog Tuesday that he and a fellow researcher had confirmed that Sony's initial Web-based uninstall tool--designed to uninstall the copy-protection software deposited by Sony's CDs--actually exposed a critical vulnerability on computers.

The tool downloaded a program that causes a user's hard drive to accept instructions from Web sites. But the program remained active on the user's hard drive after it had been instructed to uninstall the Sony software. The program could then be triggered by almost any code from any Web site, including malicious instructions, the Princeton researchers said.

"Any Web page can seize control of your computer; then it can do anything it likes," Felten and fellow researcher J. Alex Halderman wrote on their blog. "That's about as serious as a security flaw can get."

Sony later replaced that Web-based uninstall tool with one that downloads a program with its own instructions, as opposed to one that accepts instructions from Web sites. The researchers said the new program appeared to be safe.

For anyone who did use the earlier tool, the researchers' blog has instructions for removing the Sony component.

Separately on Tuesday, security company Internet Security Systems released its own new advisory on Sony's software. It warned that flaws in the copy-protection software--not just in the early uninstall tool--could allow an attacker to take control of a user's machine.

Previously, security researchers had spotlighted the online release of several Trojan horse viruses that piggybacked on the Sony software to hide their presence on hard drives.

The Trojan horse software, once installed, automatically connects to an Internet chat network and allows an attacker to take remote control of an infected computer.

Half a million people at risk?
Although more than 2 million of the Sony discs have been sold, it's still unclear how many of those were actually played in a Windows-based computer, thus triggering the security risks. Sony notes that the copy-protection software is not activated on an ordinary CD or DVD player, or on a Macintosh computer.

Security researcher Dan Kaminsky said he estimated that at least 500,000 computers had installed the Sony software.

Once installed, the Sony software can relay data, which indicates what CDs are being played, to an outside server. To relay the information, the software has to find its destination by contacting the Internet's domain name system address servers, where a publicly available record of that request is left behind.

Kaminsky said he counted more than 568,000 separate requests. The method counts any request coming from the same network, but only once. So it might not include repeated requests coming from offices or schools, where numerous computers use the same network, he said.

"The thing that's proved here is not the upper bound," Kaminsky said. "This is a lower bound. This is a pandemic."

Sony's copy-protection software was created by British company First 4 Internet. The software is installed on a computer's hard drive when certain Sony compact discs are put in the CD player and the listener accepts a license agreement.

The software then hides itself using a controversial programming tool called a "rootkit," which takes over high-level access to some computing functions. The rootkit blocks all but the most technically savvy users from being able to detect its presence.

Sony has worked with antivirus companies to help their products pierce this veil of invisibility, and has posted a patch on its Web site that will uncloak the hidden software. It also said it would temporarily stop manufacturing discs using the First 4 Internet tools.

Lawsuits have been filed against the record label in California and New York, and others are expected.
 

IntenseOperator

DeweyOxburger
Forum Member
Sep 16, 2003
17,897
63
0
Chicago
GM said:
Sounds to me like BS. They'd be leaving themselves wide open for a class-action lawsuit if they released something that could damage your computer, or leave you vulnerable to identity theft or exposure of private information. Not to mention the negative publicity this would generate would be seriously damaging. Surely their judgement couldn't be that poor, could it?

This is a true story. Heard about it a couple weeks back. They are cleared in the fine print of what a consumer agrees to and can not be pursued legally.

Many are boycotting all Sony products!
 

yyz

Under .500
Forum Member
Mar 16, 2000
43,116
2,164
113
On the course!
Keyser Soze said:
Record label Sony BMG Music Entertainment said Tuesday that it will recall millions of CDs that, if played in a consumer's PC disc drive, will expose the computer to serious security risks.

Anyone who has purchased one of the CDs, which include southern rockers Van Zant, Neil Diamond's latest album,..........


10's of consumers have been affected by this.
 

IE

Administrator
Forum Admin
Forum Member
Mar 15, 1999
95,440
223
63
Thousands of faulty CDs sold in Canada

About 120,000 recalled Sony BMG CDs that create security glitches were sold in Canada, the company said Friday.

The discs contain XCP software, used as a way to stop music piracy. But it leaves behind spyware, making computers that play the disc susceptible to hackers and viruses. .....





http://www.cbc.ca/story/canada/national/2005/11/19/sony_051118.html
 

KMA

Registered User
Forum Member
May 25, 2003
745
2
0
Run the disc on a complete read-only file system and there is not a damn thing they could install. Stream it to another system and create your own safe disc. A digital copy is as good as the original. If you don't market or share your safe disc, there is not much Sony can do about it.
If a sufficient number of people do it, then maybe, just maybe, they will learn how stupid they have been.

Having expectations that Corporate America will act fairly is like, well it is unrealistic.
 

Nosigar

53%
Forum Member
Jul 5, 2000
2,487
9
0
Florida
Texas Sues Sony Under Anti-Spyware Law



AUSTIN, Texas - The state sued Sony BMG Music Entertainment on Monday under its new anti-spyware law, saying anti-piracy technology the company slipped into music CDs leaves huge security holes on consumers' computers.


The lawsuit is over the so-called XCP technology that Sony had added to more than 50 CDs to restrict to three the number of times a single disc could be copied.

After a storm of criticism, Sony recalled the discs last week.

To enforce the restrictions, the CD automatically installed the copy-protection program when discs were put into a PC--a necessary step for transferring music to iPods and other portable music players.

Attorney General Greg Abbott accused Sony BMG of surreptitiously installing "spyware" in the form of files that mask other files Sony installed as part of XCP.

This "cloaking" component can leave computers vulnerable to viruses and other security problems, said Abbott, echoing the findings of computer security researchers.

"Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computers," Abbott said in a statement.

The term "spyware" has been used broadly to cover programs that are installed without users' full knowledge and consent, whether or not they actually spy on a user's activities.

A Sony BMG spokesman didn't immediately return a call Monday morning.

Sony BMG initially rejected the uproar over XCP as technobabble.

But after security experts discovered that XCP opened gaping security holes in users' computers--as did the method Sony BMG offered for removing XCP--Sony BMG agreed last week to recall the discs.

Some 4.7 million had been made and 2.1 million sold. CDs that had XCP included releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.

Abbott said some CDs remained in Texas stores as of Monday morning.

The Texas spyware law allows the state to recover damages of up to $100,000 for each violation.

Abbott said there were thousands of violations, and that any money would go to the state.
 