|Major Dates||Key People|
Freedom To Tinker, Bruce Schneier
Cary Sherman, Texas
[10/31/05] - Russinovich uncovers a secret
Mark Russinovich, a security researcher from Sysinternals, does a routine
scan of his system and uncovers a poorly written but effective set of
Digital Rights Management tools which use rootkit functionality to
hide themselves from the Windows API.
[11/03/05] - WoW + DRM = phat l3wtz
SecurityFocus publishes information from a thread on a World of
Warcraft forum that confirms it is possible to hide cheating programs
from Blizzard's 'The Warden' anti-cheating program using the Sony DRM
$SYS$ file hiding convention.
[11/04/05] - What you don't know can't hurt you, right? More from Russinovich
Thomas Hesse: "Most people, I think, don't even know what a rootkit is,
so why should they care about it?"
Russinovich gives more details about the uninstaller in his blog and
notes that news of Sony's DRM has reached major media outlets, BBC and
[11/06/05] - First4Internet responds to Russinovich
First4Internet responds and Russinovich gives more detail on why the XCP
software is poorly engineered.
The EFF weighs in on the Sony DRM issue providing some of the technical
consequences of installing the XCP software and a partial listing of the
affected CDs. Horace Silver, Gerry Mulligan and Dexter Gordon CDs with
DRM? This is a fairly persuasive argument to listen to jazz in its
natural habitat, vinyl.
[11/10/05] - Trojans invade
The Register reports that Trend Micro and BitDefender have confirmed a
Trojan in the wild that uses the DRM technology.
BitDefender releases a technical analysis of the new Trojan shortly
after The Register covers its discovery.
[11/11/05] - DHS, SONY halts production
Department of Homeland Security assistant secretary for policy, Stewart
Baker, comments that some anti-piracy efforts are having far-reaching
effects on the security of the nation's critical infrastructures. I'm
not sure how many member servers of the nation's critical infrastructure
are a) running Windows, b) have a policy to allow the storage of
personal music on them or c) are storing music which required the
installation of a DRM. But hey, I'm only the DRD Assistant Vice Chair of
Secretarial Policy Affairs in lower Macedonia.
"Sony suspends the manufacture of copy-protected CDs and re-examines its
digital-rights management strategy."
Sometime between 11/12 and 11/13 Finnish security researcher Muzzy
Nikki) broke the news that the uninstall tool for the Sony DRM was
susceptible to malicious use. The ActiveX control used to uninstall
the DRM marks itself as available for scripting, and several of the
functions it exposes are available for malicious use. Specifically, he
notes the "RebootMachine" and "ExecuteCode" functions.
[11/14/05] - USA Today, EFF Open Letter
USA Today runs an article on the CDs containing the DRM software and
Sony is receiving over it. They quote the number of sold CDs with the
XCP software on them as 2.1 million.
The EFF drafts an open letter to Sony outlining steps they should
consider to undo the harm they've already done.
[11/15/05] - News of Muzzy's Research Spreads, Kaminsky's DNS-Fu
Muzzy broke the news over that weekend but it did not get widespread
attention until the blog Freedom to Tinker publicized
the discovery. Their analysis yielded the result that not only was it
possible to reboot the affected machine, but remote code execution was
Various vulnerability reporting sites take note of the disclosure and
add entries to their databases with the pertinent information.
Security researcher Dan Kaminsky uses his Deluvian DNS scanning
platform to confirm at least 568,200 nameservers have witnessed DNS
queries related to the rootkit. The actual number of total infections is
unknown based on this data.
[11/17/05] - Microsoft, A different DRM Uninstaller flaw, Schneier
The anti-malware engineering team at Microsoft announces their
11/17/05 definition file update will scan for and remove the XCP
Freedom to Tinker finds a hole in the web-based uninstall mechanism for
the SunnComm-written DRM tool. They say that exploiting this hole is even
easier than exploiting the hole left after the XCP uninstaller program is
loaded. On the bright side, though, Halderman mentions that his team
("we") is involved with testing a new uninstall tool from SunnComm.
Wired publishes an article by Bruce Schneier which gives an excellent
high-level timeline of this event and raises ethical questions about how
AV and other security firms didn't raise the red flag before Russinovich
did. Schneier ends with serious questions on corporate-sponsored malware.
[11/18/05] - Totally LAME, SunnComm news spreads, Silver Lining?, RIAA weighs in, Bergstein comments
Wired News discloses that the XCP program used LGPL'd code from the
LAME mp3 encoding
CNET discloses FtT's findings on the similar vulnerability in the
SunnComm software, noting that only 223 customers have utilized the
uninstall software and SunnComm's active response in contacting affected
In Spyware Confidential, Suzi Turner posits there may be a bright side to
this whole mess: with the major media coverage of this issue, more and
more people are becoming aware of rootkits. She also points out that of
late spyware is increasingly using rootkit technology to hide itself from
AV and AM/S products. There has yet to be an explicit connection in major
media between these two, but hopefully people will begin to realize the
power available to malicious parties on the net.
Cary Sherman holds an online press conference wherein he lauds the
prompt and aggressive response of Sony to address the vulnerability in
the uninstallation method provided by First4Internet. Sherman sidesteps
the issue of the (mis)use of rootkit technology, technical problems with
the uninstaller and lack of disclosure on the part of Sony.
Yahoo News prints a story by AP Tech reporter Brian Bergstein on the
corporate response from Sony. Bergstein illustrates some previous
methods of anti-piracy technology as well as pointing out this little
gem from Thomas Hesse, head of Sony BMG's global digital business,
"Most people, I think, don't even know what a rootkit is, so why should
they care about it?"
[11/21/05] - Legal Insights, Irony, Hilarity, Tape > CD?, Don't Mess with Texas, XCP phones home, EFF Suits
CNET News publishes an article by John Borland which raises points in the
debate about who ultimately has the right to know what's on your
computer. Privacy advocates point out that a "personal" computer is just
that, personal, and users should always know what installed programs are
doing. However, companies also have a stake in their intellectual
Freedom to Tinker posts a more in-depth analysis of the copyrights Sony
(or at least First4Internet) broke by incorporating Open Source code into
their DRM management tool. FtT points out that Open.Source != Public.Domain
and that failure to observe the copyright those projects are distributed
under is grounds for a lawsuit. To their credit, the LAME project
issues a letter asking Sony to resolve this situation to their best of
In yet another sign that this issue is working its way into popular
consciousness, Bill Amend's Foxtrot makes light of the
Several sites are reporting that a strip of gaffer's tape can be used to
circumvent the Sony DRM installation. Analysts at Gartner were able to
circumvent the DRM by using tape to obscure the second session on the
disk. Historically, Sony seems to be having bad luck with low-tech
methods of defeating their DRM strategies.
Proving once again it is inadvisable to mess with the Lone Star state,
Texas is suing Sony BMG. "Consumers who purchased a Sony CD thought they
were buying music. Instead, they received spyware ... "
Benjamin Edelman proposes and provides a POC for Sony to get the word
out to their customers regarding their pwnage.
The EFF has followed in the State of Texas' footsteps and filed a class
action lawsuit against Sony.
Michael Geist, law professor and Internet researcher at the University
of Ottawa, publishes a good top level summary of the entire Sony debacle
to date and offers insights into the lasting effects of Sony's
[11/29/05] - Whoops
It is revealed by Business Week that Sony was notified by Finnish virus
research firm F-Secure on October 4th of their DRM's use of rootkit
[06/02/06] - Finally, resolution
Music fans who bought CDs with Sony BMG Music Entertainment's
controversial XCP copy control software are going to get refunds.