Below is a timeline of events as they relate to the discovery of the various Sony BMG DRM tools. The initial announcement comes courtesy of Mark Russinovich from Sysinternals who found that the XCP program written by First4Internet utilized rootkit technology to cloak itself from the Windows API.



[10/31/05] - Russinovich uncovers a secret

Mark Russinovich, security researcher at Sysinternals, does a routine scan of his system and uncovers a poorly written but effective set of Digital Rights Management tools that use rootkit functionality to hide themselves from the Windows API.
Link


[11/03/05] - WoW + DRM = phat l3wtz

SecurityFocus publishes information from a thread on a World of Warcraft forum confirming that it is possible to hide cheating programs from Blizzard's 'The Warden' anti-cheat program by using the Sony DRM's $SYS$ file-hiding convention.
Link
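The $SYS$ convention above gives a defender a simple check. The following is an added example, not code from the page or from any of the parties named on it: it plants a canary file whose name starts with $sys$ and confirms the Windows API still shows it (on an XCP-cloaked machine it vanishes from the listing), and it sweeps a directory tree for $sys$-prefixed names, which is useful against a view the filter driver cannot touch, such as the disk mounted from another OS. The directory contents are constructed sample data.

```python
import os
import tempfile

# Name prefix the XCP cloaking driver hides from the Windows API (from the page).
CLOAK_PREFIX = "$sys$"


def sys_prefix_canary_visible(directory=None):
    """Create a $sys$-prefixed file and check that os.listdir and os.path.exists
    still see it. Returns True when visible, False when something is cloaking it.
    Assumes the host running this is clean, so the canary is expected to show."""
    directory = directory or tempfile.mkdtemp()
    canary = os.path.join(directory, CLOAK_PREFIX + "canary.txt")
    with open(canary, "w") as fh:
        fh.write("cloaking canary\n")
    try:
        listed = any(n.lower().startswith(CLOAK_PREFIX) for n in os.listdir(directory))
        statable = os.path.exists(canary)
        return listed and statable
    finally:
        if os.path.exists(canary):
            os.remove(canary)


def find_cloak_prefixed(root):
    """Walk a tree and return paths (relative to root) whose last component starts
    with $sys$, case-insensitively. Run this against an uncloaked view of the disk."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.lower().startswith(CLOAK_PREFIX):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample directory: one $sys$ subdirectory and two $sys$ files
    mixed with a normal file. Names are made up for the example, not XCP's own."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, CLOAK_PREFIX + "hidden"))
    for name in ("$sys$sample.sys", "notepad.exe", "$SYS$other.dll"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    print("canary visible:", sys_prefix_canary_visible())
    print("$sys$ entries:", find_cloak_prefixed(build_sample_tree()))
```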


[11/04/05] - What you don't know can't hurt you, right? More from Russinovich

Thomas Hesse: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Link

Russinovich gives more details about the uninstaller in his blog and notes that news of Sony's DRM has reached major media outlets, BBC and USA Today.
Link


[11/06/05] - First4Internet responds to Russinovich

First4Internet responds and Russinovich gives more detail on why the XCP software is poorly engineered.
Link


[11/09/05]

The EFF weighs in on the Sony DRM issue, describing some of the technical consequences of installing the XCP software and giving a partial listing of the affected CDs. Horace Silver, Gerry Mulligan and Dexter Gordon CDs with DRM? This is a fairly persuasive argument to listen to jazz in its natural habitat, vinyl.
Link


[11/10/05] - Trojans invade

The Register reports that Trend Micro and BitDefender have confirmed a Trojan in the wild that uses the DRM technology.
Link

BitDefender releases a technical analysis of the new Trojan shortly after The Register covers its discovery.
Link


[11/11/05] - DHS, SONY halts production

Department of Homeland Security assistant secretary for policy, Stewart Baker, comments that some anti-piracy efforts are having far-reaching effects on the security of the nation's critical infrastructures. I'm not sure how many member servers of the nation's critical infrastructure are a) running Windows, b) have a policy that allows the storage of personal music on them or c) are storing music that required the installation of DRM software. But hey, I'm only the DRD Assistant Vice Chair of Secretarial Policy Affairs in lower Macedonia.
Link

Sony suspends the manufacture of copy-protected CDs and re-examines its digital-rights management strategy.
Link


[11/12/05] -> [11/13/05] - Muzzy's Research Breaks

Sometime between 11/12 and 11/13 Finnish security researcher Muzzy (Matti Nikki) broke the news that the uninstall tool for the Sony DRM was susceptible to malicious use. The ActiveX control used to uninstall marks itself as safe for scripting, and several of its functions are available for malicious use. Specifically, he notes the "RebootMachine" and "ExecuteCode" functions.
Link


[11/14/05] - USA Today, EFF Open Letter

USA Today runs an article on the CDs containing the DRM software and the backlash Sony is receiving over it. They quote the number of sold CDs with the XCP software on them as 2.1 million.
Link

The EFF drafts an open letter to Sony outlining steps they should consider to undo the harm they've already done.
Link


[11/15/05] - News of Muzzy's Research Spreads, Kaminsky's DNS-Fu

Muzzy broke the news over that weekend, but it did not get widespread attention until the blog Freedom to Tinker publicized the discovery. Their analysis showed that not only was it possible to reboot the affected machine, but remote code execution was also possible.
Link

Various vulnerability reporting sites take note of the disclosure and add entries to their databases with the pertinent information.
OSVDB

Security researcher Dan Kaminsky uses his Deluvian DNS scanning platform to confirm that at least 568,200 nameservers have seen DNS queries related to the rootkit. The actual number of total infections cannot be determined from this data.
Link


[11/17/05] - Microsoft, A different DRM Uninstaller flaw, Schneier

The anti-malware engineering team at Microsoft announces that their 11/17/05 definition file update will scan for and remove the XCP software.
Link

Freedom to Tinker finds a hole in the web-based uninstall mechanism for the SunnComm-written DRM tool. They say that exploiting this hole is even easier than exploiting the hole left after the XCP uninstaller program is loaded. On the bright side, though, Halderman mentions that his team ("we") is involved in testing a new uninstall tool from SunnComm.
Link

Wired publishes an article by Bruce Schneier that gives an excellent high-level timeline of this event and raises ethical questions about why AV and other security firms didn't raise the red flag before Russinovich did. Schneier ends with serious questions about corporate-sponsored malware.
Link


[11/18/05] - Totally LAME, SunnComm news spreads, Silver Lining?, RIAA weighs in, Bergstein comments

Wired News discloses that the XCP program used LGPL'd code from the LAME mp3 encoding project.
Link

CNET reports FtT's findings on the similar vulnerability in the SunnComm software, noting that only 223 customers have used the uninstall software and describing SunnComm's active response in contacting affected customers.
Link

In Spyware Confidential, Suzi Turner posits there may be a bright side to this whole mess: with the major media coverage of this issue, more and more people are becoming aware of rootkits. She also points out that spyware has lately been using rootkit technology more and more to hide itself from AV and anti-malware/anti-spyware products. There has yet to be an explicit connection made in the major media between these two, but hopefully people will begin to realize the power available to malicious parties on the net.
Link

Cary Sherman holds an online press conference in which he lauds Sony's prompt and aggressive response to the vulnerability in the uninstallation method provided by First4Internet. Sherman sidesteps the issues of the (mis)use of rootkit technology, the technical problems with the uninstaller, and the lack of disclosure on Sony's part.
Link

Yahoo News prints a story by AP Tech reporter Brian Bergstein on the corporate response from Sony. Bergstein describes some previous anti-piracy technologies and points out this little gem from Thomas Hesse, head of Sony BMG's global digital business: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
Link


[11/21/05] - Legal Insights, Irony, Hilarity, Tape > CD?, Don't Mess with Texas, XCP phones home, EFF Suits

CNET News publishes an article by John Borland that raises points in the debate about who ultimately has the right to know what's on your computer. Privacy advocates point out that a "personal" computer is just that, personal, and that users should always know what installed programs are doing. However, companies also have a stake in their intellectual property.
Link

Freedom to Tinker posts a more in-depth analysis of the copyrights Sony (or at least First4Internet) violated by incorporating Open Source code into their DRM tool. FtT points out that Open.Source != Public.Domain and that failure to observe the license those projects are distributed under is grounds for a lawsuit. To their credit, the LAME project issues a letter asking Sony to resolve the situation to the best of their ability.
Freedom to Tinker - Letter

In yet another sign that this issue is working its way into popular consciousness, Bill Amend's Foxtrot makes light of the incident.
Link

Several sites are reporting that a strip of gaffer's tape can be used to circumvent the Sony DRM installation. Analysts at Gartner were able to bypass the DRM by using tape to obscure the second session on the disc. Historically, Sony seems to have bad luck with low-tech methods of defeating its DRM strategies.
Link

Proving once again that it is inadvisable to mess with the Lone Star State, Texas is suing Sony BMG. "Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware ... "
Link

Benjamin Edelman proposes, and provides a proof of concept for, a way for Sony to get the word out to their customers regarding their pwnage.
Link

The EFF has followed in the State of Texas' footsteps and filed a class action lawsuit against Sony.
Link

Michael Geist, law professor and Internet researcher at the University of Ottawa, publishes a good top level summary of the entire Sony debacle to date and offers insights into the lasting effects of Sony's behavior.
Link


[11/29/05] - Whoops

Business Week reveals that Sony was notified by the Finnish anti-virus research firm F-Secure on October 4th that their DRM used rootkit technology.
Link - Discussion


[06/02/06] - Finally, resolution

Music fans who bought CDs with Sony BMG Music Entertainment's controversial XCP copy control software are going to get refunds.
Link
