Archive for the ‘Security’ Category

Cryptogram

19 Dec 2005 11:42 by Rick

I have been on holiday for a week. But no relaxing in the sun, mostly at home and doing the Christmas shopping etc. I ought to have had more time to blog but didn’t for some reason. What it did mean was that I was out of touch with my security news sources which I monitor from the office and so missed Bruce Schneier’s latest Cryptogram Newsletter.

This newsletter is a great read and this month’s is particularly insightful. I commend to you the articles “Sony’s DRM Rootkit: The Real Story”, “Identity theft over reported” and “Australian Minister’s Sensible Comments on Airline Security Sparks Outcry”.

Now I must remember to add his blog to my RSS feed rather than wait for the monthly email newsletter—that is so yesterday’s technology.

WordPress is secure?

2 Dec 2005 09:02 by Rick

My Dashboard tells me Don’t Panic! WordPress Is Secure (24 Days ago). This is talking about BugTraq 14088 29-Jun-2005 which only affected version 1.5.1 and earlier. There have of course been others and will be in the future (no software is immune) but there was a new one a few days ago that is a false alarm. The problem arises because of the confusion of names (a familiar story). The alert is BugTraq 15582 which refers to phpWordPress. This is a commercial publishing management system and they clearly state at the bottom of their home page that they are not affiliated with the open-source program WordPress in any way. Perhaps wordpress.org needs a similar disclaimer.

If you can’t trust Sony …

1 Nov 2005 15:03 by Rick

I have often had suspicions that Sony spoke with a forked tongue. On the one hand it is a world leader in equipment for recording (professional and domestic, audio and video). On the other hand it is leading the industry DRM campaigns trying to stop people using recording equipment.

Now it seems to be getting into the spyware business; perhaps they are going to start a computer security company as well <GRIN>. This article (Sony, Rootkits and Digital Rights Management Gone Too Far) describes a forensic look at a rooted Windows PC which turned out to have been infected by playing a Sony-BMG audio CD. The built-in Media Player, in addition to installing the software to play the content, also installed software which hid itself so you couldn’t see that it was there and disguised itself as a legitimate Windows service. The EULA said “this CD will automatically install a small proprietary software program … to protect the audio files embodied on the CD … until removed or deleted”. However, no uninstall option was provided. Curiously, it requires you to remove the software upon termination of the licence—but you can’t!

This is spyware without a doubt. It violates at least two of the terms of the ASC, i.e. “material changes that affect their user experience, privacy, or system security” and “use of their system resources, including what programs are installed on their computers.” It probably falls foul of the Computer Misuse Act 1990 as well (the software is written by a British company).

Sony-BMG claim, in the EULA, that the CD is Red Book compliant, which means that it must play as an audio CD on any player. This includes your computer, so you should be able to play it without the software. This should be true of any CD that has the logo Compact Disc Digital Audio—if not, take them back and claim a refund. (Note: the logo is sometimes impressed in the plastic inside the case rather than on the paper inserts visible from the outside. That does not matter.)

This reinforces a couple of safety measures that all Windows users should adopt:

  • disable autorun so that CDs don’t automatically install their contents when you insert them. Doing this is tricky for the novice so the best thing is to always hold down the shift key (for quite a while on slow machines) when inserting a CD.
  • run your day-to-day work as a “limited user” so that any malware doesn’t gain admin rights. This is done by creating another account for admin purposes; log in to it and remove the admin rights from your everyday account and only use the admin account when you have to.
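
A read-only PowerShell check for the two measures above, added here as an example and not taken from the original post. `NoDriveTypeAutoRun` and its bit meanings are the documented Windows AutoRun policy value; the function names are hypothetical.

```powershell
# Added example: read-only audit of the two measures listed above.
# NoDriveTypeAutoRun is a bitmask; a set bit turns AutoRun off for that drive type.
$driveTypeBits = @{
    0x04 = 'Removable'
    0x08 = 'Fixed disk'
    0x10 = 'Network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
}

function Get-AutoRunMask {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.NoDriveTypeAutoRun
}

function Test-AutoRunHardening {
    # The machine-wide value, when present, takes precedence over the per-user one.
    $mask = Get-AutoRunMask -Hive HKLM
    $source = 'HKLM'
    if ($null -eq $mask) { $mask = Get-AutoRunMask -Hive HKCU; $source = 'HKCU' }
    if ($null -eq $mask) {
        Write-Output 'NoDriveTypeAutoRun is not set: the Windows default applies.'
        return
    }
    Write-Output ('NoDriveTypeAutoRun = 0x{0:X2} (from {1})' -f $mask, $source)
    foreach ($bit in ($driveTypeBits.Keys | Sort-Object)) {
        $state = if ($mask -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ('  {0,-10} AutoRun {1}' -f $driveTypeBits[$bit], $state)
    }
}

function Test-RunningAsAdmin {
    # True when the current token carries effective administrator rights,
    # which is what malware launched from this session would inherit.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

Test-AutoRunHardening
if (Test-RunningAsAdmin) {
    Write-Output 'This session has administrator rights: use a limited account for daily work.'
} else {
    Write-Output 'This session runs without administrator rights.'
}
```

A mask of 0xFF disables AutoRun for every drive type; the script changes nothing and can be run from a limited account.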

One final warning—if you discover that you have been infected by this, don’t try to remove it unless you know what you are doing: you could make your machine unusable. Demand an uninstaller from Sony.

Meanwhile, I will be adding the RootkitRevealer to my toolbox (and looking carefully at any CDs I buy).
