Check out what all Wikipedia already has on this story!!!

Extended Copy Protection --Wikipedia

Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet and sold as a copy protection or digital rights management (DRM) scheme for compact discs. It was used on some CDs distributed by Sony BMG and sparked the 2005 Sony CD copy protection controversy; in that context it is sometimes known as the Sony rootkit.

Security researchers beginning with Mark Russinovich in October 2005 have regarded the program as a rootkit: software designed to surreptitiously seize and hold control of a computer. Russinovich broke the story on his Sysinternals blog, where it gained attention from the media and other researchers. The publicity, which grew to include a civil lawsuit and criminal investigations, soon forced Sony to discontinue use of the copy protection system.

While Sony eventually recalled the CDs that contained the XCP system, the web-based uninstaller was investigated by noted security researchers Ed Felten and J. Alex Halderman, who discovered that the ActiveX component used for removing the software exposed users to far more significant security risks, including arbitrary code execution from any site on the internet.

Description
The version of this software used in Sony CDs is the one marketed as "XCP-Aurora". The first time a user attempts to play such a CD on a Windows system, a program will be installed after a dialog box prompts the user to agree to a license agreement. It will then remain resident in the user's system, intercepting all accesses of the CD drive to prevent any media player or ripper software other than the one included with XCP-Aurora from accessing the music tracks of the Sony CD.

The included player software will play the songs and allow only a limited degree of other actions such as burning the music onto a certain number of other CDs or loading it onto certain supported devices such as a few portable music players. The popular iPod, sold by Sony competitor Apple Computer, is not supported.

XCP conceals itself from the user by installing a patch to the Windows operating system. This patch stops ordinary system tools from displaying processes whose names begin with $sys$. Other XCP components include "Plug and Play Device Manager", which continuously monitors all other programs being run on the computer.

Security research
In the short period that XCP has been publicly known, security researchers have been quick to analyze it and publish their findings. Many of these findings have been highly critical of Sony and First 4 Internet. Specifically, the software has been found to conceal its activity in the manner of a rootkit (a computer criminal's toolkit for hiding evidence); and moreover has been found to expose users to follow-on harm from viruses and trojans.

XCP's cloaking technique, which makes all processes with names starting with $sys$ invisible, can be used by other malware "piggybacking" on it to ensure that it, too, is hidden from the user's view. The first malicious trojan to use this technique was discovered in the wild on November 10, 2005 according to a report by the BitDefender antivirus company.

Follow-up research by Edward Felten and J. Alex Halderman has shown that the Web-based uninstaller Sony later offered for the software contains its own critical security problems. [1] The software installs an ActiveX component which allows any Web site to run software on the user's computer without restriction. This component is used by First 4 Internet's Web site to download and run the uninstaller, but it remains active afterward -- allowing any Web site the user visits to take over the computer.

Since it is specific to Microsoft Windows, XCP has no effect on all other operating systems such as Linux or Mac OS X, meaning that users of those systems do not suffer the potential harm of this software, and they also are not impeded from "ripping" (or copying) the normal music tracks on the CD. However, at least some XCP-bearing discs have also contained a program, MediaMax from SunnComm, which attempts to install a kernel extension on Mac OS X.

Antivirus industry response
Shortly after independent researchers broke the story, security software vendors followed up, releasing detailed descriptions of the components of XCP -- as well as software to remove it. Computer Associates, makers of the PestPatrol anti-spyware software, characterize the XCP software as both a trojan horse and a root kit[2]:

XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

Furthermore, XCP.Sony.Rootkit installs a device driver, specifically a CD-ROM filter driver, which intercepts calls to the CD-ROM drive. If any process other than the included Music Player (player.exe) attempts to read the audio section of the CD, the filter driver inserts seemingly random noise into the returned data making the music unlistenable.

XCP.Sony.Rootkit loads a system filter driver which intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This is commonly referred to as rootkit technology. Furthermore, the rootkit does not only affect XCP.Sony.Rootkit's files. This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained.

Computer Associates anti-spyware product PestPatrol will now detect and remove the Sony software.[3] The Microsoft Anti-Malware Engineering Team has announced that the next version of Windows Defender will identify the Sony XCP product as malware and remove it.

The somewhat slow response of some antivirus companies has, however, been questioned by Bruce Schneier "information security expert" at Counterpane and author of security bible Secrets and Lies. In an article for Wired News, Mr Schneier asks, "What happens when the creators of malware collude with the very companies we hire to protect us from that malware?" [4]

Impact of XCP
Beginning as early as August 2005, Windows users reported crashes related to a program called aries.sys, while inexplicably being unable to find the file on their computers. [5] Said file is now known to be part of XCP. Call for Help host Leo Laporte said that he had experienced a rise in reports of "missing" CD-ROM drives, a symptom of unsuccessful attempts to remove XCP. [6]

Security researcher Dan Kaminsky used DNS cache analysis to determine that at least 568,000 networks worldwide contain at least one XCP-infected computer. Kaminsky's technique uses the fact that DNS nameservers cache recently-fetched results, and that XCP "phones home" to a specific hostname. By finding DNS servers that carry that hostname in cache, Kaminsky was able to approximate the number of networks affected. [7]

Legal concerns
There is much speculation to what extent the actions taken by this software are a violation of various laws against unauthorized tampering with computers, or laws regarding invasion of privacy by "spyware", and how they subject Sony and First 4 Internet to legal liability. The States of California, New York, and Texas, as well as Italy have already taken legal action against both companies and more class action lawsuits are likely. However, the mere act of attempting to view or remove this software in order to determine or prevent its alteration of Windows would hypothetically constitute a civil or criminal offense under certain anti-circumvention legislation such as the controversial Digital Millennium Copyright Act in the USA.

Researcher Sebastian Porst claims to have evidence that the XCP software infringes on the copyright of the LAME media encoding library. [8] The LAME software is licensed under the Lesser General Public License (LGPL), an open source license which requires, among other things, that the copyright holder be given credit. Porst's evidence includes direct similarities between functions in XCP and functions in LAME, as well as in another LGPL library that handles ID3 tags. If Porst's claim is correct, then First 4 Internet and Sony are both distributing copyrighted material in violation of the author's rights.

Sony's response
On a National Public Radio program, Thomas Hesse, President of Sony BMG's global digital business division asked "Most people, I think, don't even know what a rootkit is, so why should they care about it?"[9] He explained that "The software is designed to protect our CDs from unauthorized copying, ripping."

Sony also contends that the "component is not malicious and does not compromise security," but "to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove [the root kit] component from their computers."

A patch [10] to remove the cloaking of the software has been released; this patch does not completely remove XCP, but disables its technique of hiding itself from view.

First 4 Internet reports that any upcoming versions of XCP will not use the same techniques.

An uninstaller for XCP-Aurora is now available from the Sony-BMG web site [11]. An analysis of this uninstaller has been published by Mark Russinovich - who intially uncovered XCP - entitled "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home" [12]. Obtaining the uninstaller requires one to use a specific browser (Microsoft Internet Explorer) and to fill out an online form with their email address, receive an email, install the patch, fill out a second online form, and then they will receive a link to the uninstaller. The link is personalized, and will not work for multiple uninstalls.

It has also been reported that the uninstaller might have security problems which would allow remote code execution[13]. Sony's uninstall page will attempt to install an ActiveX control when it is displayed in Internet Explorer. This ActiveX control is marked "Safe for scripting," which means that any web page can utilize the control and its methods. Some of the methods provided by this control are dangerous, as they may allow an attacker to download and execute arbitrary code.

As of November 11, 2005, Sony has announced they will suspend manufacturing CDs using the XCP system:

"As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology," it said in a statement.

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," Sony BMG added.

This followed comments by Stewart Baker, the Department of Homeland Security's assistant secretary for policy, in which he took DRM manufacturers to task, as reported in the Washington Post:

In a remark clearly aimed directly at Sony and other labels, Stewart continued: "It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days.

According to the New York Times[14], Sony BMG said "about 4.7 million CDs containing the software had been shipped, and about 2.1 million had been sold." About 50 CDs distributed by Sony-BMG contained XCP.[15]

On November 14, 2005, Sony anounced it is recalling the affected CDs and plans to offer exchanges to consumers who purchased the discs. [16]

Exchange your XCP CDs free of charge.

SonyBMG is providing a free UPS service for consumers who have XCP titles to return the CDs to SonyBMG in exchange for a new CD that does not contain XCP. Go to:

http://www.upsrow.com/sonybmg/

Albums with XCP
Full article: List of compact discs sold with XCP
See also: http://cp.sonybmg.com/xcp/english/titles.html
The Electronic Frontier Foundation published its original list of 19 titles on November 9, 2005[17]. On November 15, 2005 The Register published an article saying there may be as many as 47 titles. Sony BMG says there are 52 XCP CDs.[18]

Amazon says it's treating the XCP CDs as defective merchandise and will offer a refund with shipping, as long as the customer specifies the request. [19]

See also
Digital Rights Management
Copy Protection

Here is the link to the previous thread:

http://www.boycott-riaa.com/article/18686

Texas files a lawsuit vs Sony! --Yahoo

From the EFF:

SonyBMG Litigation and Rootkit Info

I want to give a quick shout-out of thanks to all the netizens who keep hammering this story! We are starting to see even the major networks like CNN, Fox, MSNBC etc. begining to cover this story ...even when they initially resisted.

It is too early to claim "victory" against the RIAA & DRM yet, but the Sony XCP fiasco is perhaps our D-day against the facist corporate foe!

Bravo to you all!

Lawrence E. Feldman Associates joins with EFF and others in Class action against Sony



http://www.eff.org/IP/DRM/Sony-BMG/sony_complaint.pdf

US-CERT: Never Install Audio-CD DRM Software

Yep, you read it right. US-CERT recommends that you never install DRM software that comes with an audio-CD. Frankly, that's good advice.

Sony's long-term rootkit CD woes --BBC

Internet professor Michael Geist explains why Sony's rootkit problems have significant long-term implications for the industry.

Tough Decisions: Heuristics and Threats --eWeek

"Opinion: Should anti-virus products have flagged and removed the Sony rootkit? Their initial failure was understandable, and if the system fell apart it's Sony's fault.

I only partly agree with Bruce Schneier when he criticizes the anti-virus industry for not finding the Sony rootkit for all the months before it was discovered by Sysinternals' Mark Russinovich." --Larry Seltzer

The CD's remain in the stores.
The Store owners know nothing about any recall ....

It appears we are being duped.

The only places Sony seems to be
mentioning any recall are internet based.
By doing that, Sony makes the E-world
believe that they are really recalling
CD's. But by not breathing a single word
of it in ANY paper press, cable, local, or
ANY other lamescream medium, they can
preserve their christmas sales.

There are way too many reports by bloggers indicating that the XCP CD's are still on the shelves, and the store owners are still oblivious.

Here's some MORE BS along those lines Dreddsnik:

Sony sailing past rootkit controversy --CNet

"Though Sony BMG Music Entertainment faces a torrent of criticism and lawsuits stemming from copy-protection software on some of its CDs, the so-called rootkit controversy has not yet had much of an impact on sales, according to market trackers."

I smell a HUGE lie being told in that article!!!

The article's author was John Borland

I have an idea---don’t buy rootkit protected CD’s.

im3min3, you tryin' to be funny or something?

sheesh! State the OBVIOUS why don't ya!

lol

I saw this on Sony's page listing the infected CDs:

"Note: Two titles, Ricky Martin’s 'Life' and Peter Gallagher’s '7 Days in Memphis' were released with a content protection grid on the back of the CD packaging but XCP content protection software was not actually included on the albums."

You ask me, they should still be legally required to exchange those two titles. They can say they're not infected all they want but how is the unsuspecting customer supposed to know? Sounds to me like they're still trying to sell the infected CDs by assuming consumer stupidity.

Folks, here is a toll-free number to call (US only?) if you are a victim of all this:

1-888-766-2690 (Ask for Larry or Steve, tell 'em it's about the Sony XCP rootkit if you get the receptionist or a recording!)

From the article "Sony's Long-Term Rootkit Woes":

“. . .It is safe to assume that few if any purchasers of Sony’s infected CDs realised that they were creating both a security and potential privacy risk as well as setting themselves up for a "Hotel California" type program that checks in but never leaves.

Another issue that has been percolating for some time is that TPMs not only put users' property at risk, but they also limit use of lawfully-acquired personal property. The Supreme Court of Canada held that “once an authorised copy of a work is sold to a member of the public, it is generally for the purchaser, not the author, to determine what happens to it".

With consumer backlash against protected music CDs and licensing agreements, along with policymakers’ attention on the privacy and security implications of TPMs, together with the courts' concern for personal property rights — the Sony rootkit case is destined to resonate long after the CDs disappear from store shelves.”
_ _ _ _

So, market trackers -- keep trackin'; the worst is not nearly over.

"I have an idea---don’t buy rootkit protected CD’s."

Sounds smart enough to me.

Don't buy any DRM- or TPM- infected music.
And, instead of RIAA material, patronize independent music.

"im3min3, you tryin' to be funny or something?
Sheesh! State the OBVIOUS, why don't ya!"

I hope it's not a case of someone wondering why our forum is spending so much typing time on the Sony issue.
(There are so many ramifications involved, it would take too long to discuss them all in one place here.)

“And, instead of RIAA material, patronize independent music.”

That’s my point! The public has it in their power to tell these businesses how they feel by voting on this with their wallet. Look at GM today. It's VERY sad indeed but do you think they got the message? Perhaps too late but they are hearing it loud and clear today.

"The real p2p pirates and thieves"
p2p news

http://p2pnet.net/story/7025

ShadowMom posted a cartoon she found in the Off-Topic thread:

And
George found one from the day before that's just as good!

Lol, keep hitting the "back" button at that cartoon's page!

"Though Sony BMG Music Entertainment faces a torrent of criticism and lawsuits stemming from copy-protection software on some of its CDs, the so-called rootkit controversy has not yet had much of an impact on sales, according to market trackers."

SoundScan will give you their total of reported sales before the year is over and it will take the RIAA four months to figure out how many they shipped out, so it's a little early to track anything. It's only been a week or two.

I agree. Why is John Borland spreading this crap then?


Sony sailing past rootkit controversy

“And, instead of RIAA material, patronize independent music.”

Don't laugh off that reminder.

It's funny, but if you do exactly that, and vigorously stick to that position, people will attack you for not being an Ashley Simpson fan or maybe your political affiliation, how you look, question your motives, complain that you are asking them to give up what they like, or any number of other reasons to make you stop talking about the depth of the problems with the cartel and its current attempt to wrest back the market control that they have lost because of being imbeciles.

im3min3 knows the score CynicalGeezer. (has been around for quite awhile and is just playin with us a little fer kicks.)

"Don't laugh off that reminder."

Exactly.

After all, the NAME of this site is Boycott-Riaa!!!

Folks, please keep all replies in this thread fairly short (50-100 words or less) I am trying to keep it primarily as a thread for linking to the important/interesting links regarding the whole Sony XCP rootkit story. Otherwise, I could post a whole thread on each and every link that we are collecting here... (but if we did that, we'd have eleventy-bazillion threads to contend with each day while this story is on the "front pages".)

If you want to post a LENGTHY comment about ANY article/portion/segment on the Sony XCP rootkit issue, put it in the "off-topic" thread or hit the submit button!

GadflyDiscourse
Date: November 22, 2005 @ 1:31 PM

Useless and/or vulgar/rude comment was deleted by Admin.

Here's something to ponder. Microsoft has just released their new Xbox 360. It's been talked about for some time now, and it's finally out. This morning I heard some advertising about it and the Ad caught my attention. The Ad said the Xbox 360 will play CDs. Hmmm...now that's interesting. The Xbox 360 is really just a computer, probably running a version of Windows with a modified user interface to make it look like a gaming machine. Therefore, when copy protected CDs from Sony are played, it's very likely the CD will attempt to load and execute its DRM code. And since the Xbox 360 can be tied to the internet, the connection is there for monitoring what you're doing with your Xbox. This may not actually happen of course, but it does raise some very interesting questions. Is anyone willing to try this? If your Xbox breaks, Microsoft would be very interested in knowing that.

Well done Mike.
I point kids to this site.
Nobody needs to read that stuff.

Talk to your local library about Sony Cd's.
Maybe they'll stop buying them.

http://vielmetti.typepad.com/vacuum/2005/11/sony_rootkit_mu.html

http://itmanagement.earthweb.com/article.php/3565746

"Buckling under the weight of all the negative press, Sony has announced it is recalling all of its compromised CDs and will provide patches to fix security holes -- holes that Sony spokesmen still deny present any security risks at all!

Unfortunately, this entire episode suggests that Sony's executives aren't very clued into the concerns of consumers and haven't yet accepted the consequences of their poor decisions. This suggests to me that we probably haven't heard the last of Sony's invasive and intrusive DRM practices.

Now would be an excellent time for them to consider hiring a talented privacy officer to help them negotiate the difficult times they are still facing as the full scope of this mess begins to be understood. "

http://www.informationweek.com/story/showArticle.jhtml?articleID=174400076

""The person behind this did it just to make a point. He could have had total access to the computer, and done whatever he wanted," said Hubbard. "Instead, he just made the machine reboot. He even inserted comments in the HTML code that said something like 'Sony DRM Christmas Gift.'"

""Buckling under the weight of all the negative press, Sony has announced it is recalling all of its compromised CDs and will provide patches to fix security holes -- holes that Sony spokesmen still deny present any security risks at all! "

That's what I am bitchin' about.
The only place they seem to have "announced" anything is on the web based news sites.
And the biggest shopping day of the year is this friday.

Jerks.

"he had experienced a rise in reports of "missing" CD-ROM drives"
that explains what is wrong with Brenda's PC. As her PC repairman it must be my duty to direct her to the class action lawsuit against the hacker who distroyed her business machine used at her office costing her weeks of downtime and perhaps thousands of dollars.

"Though Sony BMG Music Entertainment faces a torrent of criticism and lawsuits stemming from copy-protection software on some of its CDs, the so-called rootkit controversy has not yet had much of an impact on sales, according to market trackers."


In you Dream Sony/RIAA! Parasites master of BS! There is no way!

This should and will have a substantial impact not only on Sony but also on music sale in general. I am sure this is not what Sony is telling their investors. Deu! I am expecting Sony to lose way more than the money they extorted to 3K people not only in the lawsuits but in the lost sale. After all there is a justice in this world. Do something wrong and it will hit you back hard like a boomerang.

Fox News has an article about how sad it is for Madonna that she tops the charts the same week Warner Music admits to payola because, gee whiz, radio stations didn't have to cash those checks the labels have been sending out for decades.

http://p2pnet.net/index.php?page=comment&story=7067&comment=24960


http://p2pnet.net/index.php?page=comment&story=7067&comment=24941

The Sony DRM episode

www.groklaw.net/staticpages/index.php?page=20051122010323323

Clickable link
http://www.groklaw.net/staticpages/index.php?page=20051122010323323

here's the big question that I haven't seen asked yet.

oral hatch, evrybody's favorite senator has been crusading for a few years to create stuff to blow peoples computers up. well, this fall short of blowing them up but still trashes them fairly effectively.

this is something he wanted and has publicly asked for. I wonder if it is possible to hold him accountable for his actions on this and give him his share of the blame.

before you laugh, remember this. charles manson never killed anyone and the state knew this when they prosecuted him but he is in prison for life after being convicted of murder.

Macs are sucseptable too!! I found this from the link at groklaw above at ithub.com:

"...the program [DRM installation, CnJ] seemingly quits. However, it actually installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext, in the OS X system files."

"These turn out to be part of a DRM codebase developed by SunnComm."

From what I've read so far, MacOS version prior to X are safe, but I didn't personally check myself.

A LA SADAM HUSSEIN PROPAGANDA FROM THE MAJORS PART II

Remember the minister of information in Bagdad claiming the routing of the US troop few hour only before the taking of the Bagdad International airport where he was speaking?

Well! Read this and don't laught to loud you are going to wake-up the Neighbors!

"Overnight, Get Right with the Man dropped to No. 1,392 on Amazon's music rankings. By Nov. 22 -- after the news made headlines and Sony was deep into damage control, pulling some 4.7 million copy-protected disks from the market -- Get Right with the Man was even further from Amazon's Top 40, plummeting to No. 25,802.

http://yahoo.businessweek.com/technology/content/nov2005/tc20051122_343542.htm"

There is currently 3 class-action lawsuits against Sony in progress in the US and more coming. The 3 currents lawsuits alone might cost Sony 3-40 Billions dollars. Is it enought to put Sony in Bankrupty? Sony has nothing to lose. They are probably dead anyway. I am sure the piece of shit in charge are preapring to piece out!

I am sure the others EMI, Videndi, Warner are pulling their rootkit stuff in the hurry right now! Wohahahahahaha The crisis!

I just checked Sony's main site. Lots of information about XCP, and how to check to see if a title is tainted or not. Nice statement on their front page about how they "regret" any "inconvenience" this may have caused, etc., etc. They regret getting caught, I bet.

One very crucial phrase is conspicuously absent anywhere on their site: "We're sorry". No apologies that I can see. (not that I expected to see one)

As if it wasn't before, it's now time to stop buying ALL Sony products. It's about time one of these scumbag corps got careless enough to get caught.

Consumer reports has an article out, with some good instructions for actions to take for fixes.

http://www.consumerreports.org/cro/electronics-computers/sonys-serious-cd-problem-1105.htm

captdunsel -- Sounds like inducement to commit a crime.

"From what I've read so far, MacOS versions prior to X are safe, but I didn't personally check myself." — Capt-n-Jack

I can vouch for that. I use Mac OS 9.2.2, and it's impervious.
(MacOS X uses kernals of Unix which is susceptible.)

Hey, great link Olde-Phart! Welcome to Boycott-Riaa!

http://www.boycott-riaa.com/article/18791

If you want to read the EFF's complaint vs Sony without having to open a .pdf file.

Thanks for the welcome. I've read the site many times, but I figured it was time to chime in my $.02.

Now I gotta go sleuth my kids computer, to make sure that Sony CD he bought yesterday didjn't leave him an early Christmas present. It's not on their list, but if they lied about the DRM stuff, they'll lie about anything.

I sure as heck wouldn't rely on any "removal" software patches Sony provides.

"...but if they lied about the DRM stuff..."

Speaking of which, I just left a regional department store chain that still has the infected CDs on the shelf. I took one to the counter and explained that these were recalled last week. He politely let me know that they had not heard of this. Just to clear up Sony's intentions, he also told me the Sony rep was IN THE STORE TO CHECK THE INVETORY AND MADE NO MENTION. When I left, he was going to find him and inquire.

I am tempted to go to Wal-Mart and see what I find.

I encourage EVERYONE to go to your local stores where CD's are sold and see what YOU find.

Sony claimed they PULLED the infected CD's off the shelves with a "recall"....

but if what TotallyFrustrated and a few others I have heard from is true,

Sony LIED to us AGAIN!!!

I have called my local Best Buy, Cat's Records, Wal-Mart... (The local Wal-Mart Electronics dept. manager actually hung up on me when he found out what it was I was calling about...)

EACH of them said they "had not heard" about the supposed recall. I asked the clerk to go pull a copy of that Van Zant record off the shelf and describe the markings on it... in EACH case, it WAS an infected CD.

...I ask each of you to check out your local retailers and see if they have any of the infected discs still in stock... AND if they have even "heard" of the recall Sony claimed to have made.

I just talked to the manager of the Cat's Records in Knoxville who HAD heard of the furor over all this, but she said there has BEEN no recall to her chain of stores yet.

(She tried to ASSURE me that the Van-Zant disc didn't contain an actual "virus" but that it was just a form of "copy-protection" that limits playback/recording on computers...)

lol, at FIRST she thought I was just calling about/in regard to the disc itself.

I can't say for sure, but it SMELLED like she was "reading off a cue-card."

Folks, call/visit your local retailers and report back to us if the Sony XCP infected discs are still on the shelves or not.

Ok, I just talked with clerks at 2 Wal-marts and a Best-Buy up in Knoxville who each told me the XCP infected CD is still on the shelf and that they had not heard of any recall yet.

It's hard to find store managers in today (seems they are taking a Thanksgiving weekend...)

...maybe this is just a "regional" problem getting that crap off the shelves?

(I somehow doubt it!)

I sent a note to EFF. Fred von Lohmann responded and confirmed that they were still seeing them on the shelves as well....It appears Sony didn't want mess up the largest shopping day of the year by having these hard working clerks stop to pack up these defective discs.

Maybe this is how Sony plans on getting rid of these things...You know, make 'em go away by selling them all

I believe the XCP products are off the shelf at amazon.com. At least the new Neil Diamond CD was, the last time I looked. Kudos to them.

If Sony doesn't do due diligence on the recall, it will go against them in a lawsuit, I think. Bad faith.

As crappy as it's gonna be for the people who buy the CDs still on the shelves, maybe this will be a good thing.

More victims = bigger/more lawsuits.

Maybe Sony is arrogant enough to think they can still do whatever they want, but the feces is gonna hit the recirculator all over again when those CDs bought today for Christmas gifts end up installing XCP on all those brand new computers people might be getting for Christmas.

eh, I can dream.

"It appears Sony didn't want mess up the largest shopping day of the year by having these hard working clerks stop to pack up these defective discs. "

Like I was sayin' ......

Christmas is real close.
The "Announced" recall is to placate
Netizens, only. It is an experiment in
media control.

Dammit RAID !!
Your idea sounds really good
to pissed off people like me.
Whats the name of that Korn Album
again

When i first started out in business, my best advertising for the price was cardboard signs i made taped to the sides of my trucks. Lots exsposure no trouble with the law, basic info with a phone number. In this case basic info with the web page.

SONY INSTALLS SPYWARE
ON YOUR COMPUTER
WWW.Boycott-Riaa.com

Simple, drive to the locale mall this time a year and thousands of people may get a education. We may need to assist sony in the removal of their product from the shelves.

peatrap - I like your appoach...I'm digging out the posterboard!

Looks like another source has spotted the no-recall recall.


http://www.chicagotribune.com/business/chi-0511240095nov24,1,7145430.story?coll=chi-business-hed

I hope Sony gets their upcomings.

I hope Sony gets their upcomings.

comeuppance

I like your idea peatrap!

RaidHHI, I admire your intent to teach 'em a lesson, but of course, I am very much AGAINST your call to share RIAA content.

We are "Boycott" Riaa, not "circulate" Riaa.
===========================

EFF Files Class Action Lawsuit Against Sony BMG

Company Should Repair Damage to Customers Caused by CD Software

San Francisco - The Electronic Frontier Foundation (EFF),
along with two leading national class action law firms, today
filed a lawsuit against Sony BMG, demanding that the company
repair the damage done by the First4Internet XCP and SunnComm
MediaMax software it included on over 24 million music CDs.

EFF is pleased that Sony BMG has taken steps in acknowledging
the security risks caused by the XCP CDs, including a recall
of the infected discs. However, these measures still fall
short of what the company needs to do to fix the problems
caused to customers by XCP, and Sony BMG has failed entirely
to respond to concerns about MediaMax, which affects over 20
million CDs -- ten times the number of CDs as the XCP
software.

Sony BMG is to be commended for its acknowledgment of the
serious security problems caused by its XCP software, but it
needs to go further to regain the public's trust," said
Corynne McSherry, EFF Staff Attorney. "It is unconscionable
for Sony BMG to refuse to respond to the privacy and other
problems created by the over 20 million CDs containing the
SunnComm software."

The suit, to be filed in Los Angeles County Superior court,
alleges that the XCP and SunnComm technologies have been
installed on the computers of millions of unsuspecting music
customers when they used their CDs on machines running the
Windows operating system. Researchers have shown that the XCP
technology was designed to have many of the qualities of a
"rootkit." It was written with the intent of concealing its
presence and operation from the owner of the computer, and
once installed, it degrades the performance of the machine,
opens new security vulnerabilities, and installs updates
through an Internet connection to Sony BMG's servers. The
nature of a rootkit makes it extremely difficult to remove,
often leaving reformatting the computer's hard drive as the
only solution. When Sony BMG offered a program to uninstall
the dangerous XCP software, researchers found that the
installer itself opened even more security vulnerabilities in
users' machines. Sony BMG has still refused to use its
marketing prowess to widely publicize its recall program to
reach the over 2 million XCP-infected customers, has failed
to compensate users whose computers were affected and has not
eliminated the outrageous terms found in its End User
Licensing Agreement (EULA).

The MediaMax software installed on over 20 million CDs has
different, but similarly troubling problems. It installs files
on the users' computers even if they click "no" on the EULA,
and it does not include a way to fully uninstall the program.
The software transmits data about users to SunnComm through an
Internet connection whenever purchasers listen to CDs,
allowing the company to track listening habits -- even though
the EULA states that the software will not be used to collect
personal information and SunnComm's website says "no
information is ever collected about you or your computer." If
users repeatedly requested an uninstaller for the MediaMax
software, they were eventually provided one, but they first
had to provide more personally identifying information. Worse,
security researchers recently determined that SunnComm's
uninstaller creates significant security risks for users, as
the XCP uninstaller did.

"Music fans shouldn't have to install potentially dangerous,
privacy intrusive software on their computers just to listen
to the music they've legitimately purchased," said EFF Legal
Director Cindy Cohn. "Regular CDs have a proven track record
-- no one has been exposed to viruses or spyware by playing a
regular audio CD on a computer. Why should legitimate
customers be guinea pigs for Sony BMG's experiments?"
"Consumers have a right to listen to the music they have
purchased in private, without record companies spying on their
listening habits with surreptitiously-installed programs,"
added EFF Staff Attorney Kurt Opsahl, "Between the privacy
invasions and computer security issues inherent in these
technologies, companies should consider whether the damage
done to consumer trust and their own public image is worth its
scant protection."

Both the XCP and MediaMax CDs include outrageous,
anti-consumer terms in their "clickwrap" EULAs. For example,
if purchasers declare personal bankruptcy, the EULA requires
them to delete any digital copies on their computers or
portable music players. The same is true if a customer's house
gets burglarized and his CDs stolen, since the EULA allows
purchasers to keep copies only so long as they retain physical
possession of the original CD. EFF is demanding that Sony BMG
remove these unconscionable terms from its EULAs.

The law firms of Green Welling, LLP, and Lerach, Coughlin,
Stoia, Geller, Rudman and Robbins, LLP, joined EFF in the
case. Sony BMG is also facing at least six other class action
lawsuits nationwide and an action by the Texas Attorney
General. EFF looks forward to representing the voice of
digital music fans in the resolution of these disputes between
Sony BMG and consumers.

For more on the Sony BMG litigation, see:
http://www.eff.org/IP/DRM/Sony-BMG/

EFF's open letter to Sony:
http://www.eff.org/IP/DRM/Sony-BMG/?f=open-letter-2005-11-14.html

DRM boycotts hurt Sony's music sales - musicians frustrated

It's easy to get upset when we are following the news and learn of dirty tricks played by big companies. Sometimes we are even motivated to write comments or warnings to the companies responsible or make angry statements online. Often, people will even pledge to boycott these companies and their products, in order to show they are displeased.

www.cdfreaks.com/news/12738

------------------------------------------------

Customer dissatisfaction

"Ultimately, the experience of consumers is our primary concern, and our goal is to help bring our artists' music to as broad an audience as possible," the company says in a statement. "Going forward, we will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music."

Hey, throw in not threatening your customers' computers and you've got a plan.

www.newsday.com/news/columnists/ny-gamboa4524624nov27,0,4893453.column?coll=ny-entertainment-columnists

------------------------------------------------

Sony BMG's copy-protected CD hell: the fallout

For more than three weeks, the PR disaster and consumer horror story known as the Sony BMG Rootkit scandal has torn across the web.

The tale has thrown up loads of questions - what's a Rootkit? Should we give a toss about Digital Rights Management? What other software's being installed without our consent? Why are the copy-protected CDs in question still being sold? - so we've compiled a Stuff guide to the sordid affair.

www.stuffmag.co.uk/hotstuffarticle.asp?de_id=855

------------------------------------------------

Copy-Protected CDs Turning Music Fans Off Record Buying

It's backwards thinking. It's protectionism," said Terri McBride, president of Vancouver-based Nettwerk, whose roster includes the Be Good Tanyas. "The average consumer who's not tech-savvy is going to buy the CD, thinking that they can load it onto their iPod ... They're going to be royally pissed off."

www.technewsworld.com/story/47497.html

(Sorry) Did it again
Here's the clickable links

http://www.cdfreaks.com/news/12738

http://www.newsday.com/news/columnists/ny-gamboa4524 624nov27,0,4893453.column?coll=ny-entertainme nt-columnists

http://www.stuffmag.co.uk/hotstuffarticle.asp?de_id= 855

http://www.technewsworld.com/story/47497.html

http://www.newsday.com/news/columnists/ny-gamboa4524624nov27,0,4893453.column?coll=ny-entertainment-columnists

http://www.stuffmag.co.uk/hotstuffarticle.asp?de_id=855

Hmmm...Wonder where Neilson got their data? From this, it appears they didn't ask the public. They must have used the "ever reliable" label (shipped) numbers to conclude that the fiasco had no impact on sales.

Another cartoon from UserFriendly

Keep hitting the back button for more!

RaidHHI, I just realized you provided an actual direct link to that infringing Korn file you were talking about. I deleted your post and reposted your text below without that link.

Folks, please do NOT give direct links to RIAA tunes in our forums!
----------------------------------
RaidHHI
Date: November 25, 2005 @ 8:50 PM
You know, I got to thinking. What could possibly be more entertaining for the consumers to show the big labels that the newest DRM was a very very unwise move?

Then it came to me, Torrents! My next thought, what possible album would the big labels really dislike if it was leaked today? Say, a few weeks before they can sell it.... Awe... Shucks, hence this experiment.

I have located the new Korn album, I don't normally even fool with true 0day material, but I am making an exception. I'm going to see how many netizens will participate with the uhm, tons that already are. If you don't like Korn, you can delete it after you download/seed it awhile.

An excellent torrent client I can recommend after extensive testing, would be utorrent. You can find it at www.utorrent.com

For safety in this experiment, I do recommend you use peerguardion2 or protowall with the newest ip updates.

Now that the safety concerns are out of the way, join me in some civil disobedience. Burn copies of this DRM FREE! audio cd and give it to all your friends/family that likes Korn. Birthday coming up? Makes a nice early gift

http://www.jimcromwell.com/landfill/sonybmgwee.jpg

"RaidHHI, I just realized you provided an actual direct link to that infringing Korn file you were talking about. I deleted your post and reposted your text below without that link."

RaidHHI IS AN RIAA AGENT!

This site is really starting to bug the music industry parasites big time! This site is really scoring! They want this site to dissappear. Now how to do this?


You know they are bad but most of you do not know how bad. This is an example of the level of corruption of these pieces of shits! Trying now to plant evidences!

Good try but you missed RIAA! Now my turn!

I have said before that RaidHHI is a RIAA agent. He is obviously trying to get this site busted!

But congratulation independent! Seriously! You defeated this RaidHHI crap!

I suggest you delete is logging and block all the IP addresses he is using. Also identify these IP addresses using whois to see if you can get some info about this parasite. And post it on this forum! Meanwhile I suggest we all ignore his posting!

Now RaidHHI I did what you told us to do and I am sharing the file on Limewire, edonkey, Kazza, and Bit torrent My user name is MajorThreat! Bust me if you dare!

Oh! and I forgot this suggestion:

If you can, add into the server firewall a "peerguardian" blocking list to help keep the crap out of this forum!

"RaidHHI IS AN RIAA AGENT!"

No MajorTreat, he is NOT.

Raid may have some very profound differences of oppinion with us, but he HATES the RIAA too.

...Don't call RaidHHI and like-minded folks "evil" simply because they are "wrong" (in our opinion.)

There are DOZENS of "sides" of this story we are all embroiled in.

...but,

I will NOT allow any direct links to RIAA downloads in our forums...

even if legal, sanctioned, authorized, "pirated", or whatever...

NO RIAA!

(MajorTreat, you and RaidHHI can "fight" about it in the "Off Topic" thread if you want... but do NOT do it here!)

""RaidHHI IS AN RIAA AGENT!"

No MajorTreat, he is NOT."

======

(At least, I hope to goodness he isn't. That would really SUCK if it turned out that one of our most thought provoking participants was actually a "planted agent"...)

RaidHHI has consistently been "sorta" on "our side" with things... but has an advocate of "breaking the law" in regards to p2p and stuff.

NOT our view... BUT and HOWEVER, even though I/most of us do not CONDONE RaidHHI's opinions, I will NOT thwart him (nor ANYBODY) in lawful expression of FREE SPEECH! (Even if I/we agree with it or not!)

(But I WILL delete direct links to RIAA material, RUDE attacks upon other participants, THREATS to others, ETC.)

I am under leflaw's orders in some regards.

I try to be open and fair to everybody here, but there ARE some rules. If you can not play by those rules, hit the road.

Has you all read about the roots of SonyBMG's Rootkit? Take a look at this archived e-mail

This person was fishing for information to create the DRM for an mp3 players, but in retrospect, seems to have been used for much broader purposes.

Sorry about the messed up grammer in the first sentence.

sony has gotten back the cds the target stores in the san franando valley (SoCal). i pointed out to my boss that sony has recalled these 50 or 52 cds and printed him out the list. at which point he said "great, now go find all of them" so i spent a whole day in the back room pulling 1000 cds and getting the m packed to go back to sony. then i called the other 4 targets nearby and told them to do the same.

Good deal WaterBoy100, you saved a bunch of new computer owners from a lot of problems, icing on the cake, you gave sony the shaft, HOME RUN

Sony caught in it's tangled web, Sony was warned, Sony moved forward anyway, Rats are jumping ship, Sony joins the ranks of the Pirates the only thing that could be better, Cary Sherman
could choke to death on a chicken bone.

http://www.theregister.com/2005/11/30/sony_drm_spitzer/

I applaud you waterboy100. Now, you should send a bill to Sony for having had to do their job for them.

(I'm serious! Send 'em a bill for your time and effort!)

Ah,, Sorry independent.. My bad. lol

MajorTreat, I'm not an RIAA spy; I don't think the riaa would be very happy with my group right now; We're on isohunt now for christs sake. Grow up, little boy. heh.

If however your paranoid and you feel I shouldn't post here, I'll be happy to provide the IPs I post with, and happily have my account deleted. I grow tired of the accusations anyway.

Good Day!

If you/your group have a website you want to link to RaidHHI, that's fine. From your own site you can link to whatever you feel like (of course!) I just won't deliberately allow anyone to link directly to RIAA files on our servers.

Rember this:[Senator Hatch] said damaging someone's computer "may be the only way you can teach somebody about copyrights."

The senator acknowledged Congress would have to enact an exemption for copyright owners from liability for damaging computers. He endorsed technology that would twice warn a computer user about illegal online behavior, "then destroy their computer."

"If we can find some way to do this without destroying their machines, we'd be interested in hearing about that," Hatch said. "If that's the only way, then I'm all for destroying their machines. If you have a few hundred thousand of those, I think people would realize" the seriousness of their actions, he said.

"There's no excuse for anyone violating copyright laws," Hatch said

On line complaint form for the State of Texas lawsuite
https://www.oag.state.tx.us/consumer/complain.shtml

Thanks for the find peatrap!

waterboy that is great you r saving a lot of computers.

""There's no excuse for anyone violating copyright laws," Hatch said"

Shows his level of intelligence... or lack thereof. He doesn't even understand copyright laws. There's no excuse for speeding either, is there? Yet we don't authorize our police officers to take sledge hammers to our cars when we are caught speeding, do we? No one would accept that. Yet, Hatch would have it happen to you on your PC. Moron.

Info on califoria law suite
http://www.tgdaily.com/2005/11/10/sony_bmg_sued_in_la/

Could win $75,000.00 just by signing up,
Where else but in America.

"Matthew Gilliat-Smith, the CEO of First 4 Internet which produces XCP copy protection, for whom Sony BMG is a major client, defended his software by arguing it is not a rootkit because it does not gather information from the unsuspecting user's computer, and transmit that information over an unmonitored Internet connection back to a stealth host."

Still making up their own definitions, I see.

A rootkit is simply a means to hide activity from the rightful owner of a system. In itself, it doesn't really do anytihng beyond that. As far as phoning home is concerned, where did that half-million hits to Sony's web site found in DNS caches all around the workd come from?

This rootkit was bad made worse because of the lousy code. The software it cloaked was the spyware. This is the standard for rootkit activity. Place malicous code on a computer and hide it. Like it or not, they are hooked simply because their program was a package deal and that package had a primary purpose that was malicous.

Sony's goose is cooked, the only question is , how well done!

XCP version of Van Zant's Get Right With the Man...still on Walmart shelves as of last night. It certainly doesn't take them this long to put new release CDs on the shelf...why does it take them so long to pull them off? Sony's probably instructing retailers not to remove CDs until replacements come in...or they're just not bothering to tell them anything until they send out the new ones.

Come to think of it, has anyone even seen a non-XCP version of these CDs on any shelves yet?

The Van Zant CD comes in two versions: one in a standard case that shows "cp. sonybmg. com/xcp" on the back; and one that is sold as a dual disc.

I was in FYE this evening and they still have XCP titles, although I did not look all over the store. They have restocked the Neil Diamond album with the non-XCP version. The Van Zant disc appears no longer to be in stock in this store, probably due to sales.

I did speak to the associate who did show the print out I had with me to her manager. He did not know anything about the recall, nor did he seem interested in looking into the matter further. He said I could fax the information and my concerns to their corporate office. Why should I have to do their jobs?

I found some contact info on their site. I also looked them on doing a Whois, and their HQ is located in Albany, NY. Any ideas?

[url=http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm

George, I used the link you provided to start Thread #3.

This thread now archived!