UPDATE 21 NOV - Sony's DRM disaster: A chronology of events

Posted by Humphrey Cheung

Westlake Village (CVA) - Sony is one of protagonists in various initiatives that aim to establish a narrowly spun net of digital rights managements technologies. Traditionally, the company has not been very motivated to talk about its ideas to protect its digital content from piracy. What can happen when the industry has its way and the consumer is locked out of the discussion about new technologies has been revealed at the end of October, when we learned that Sony used stealth software, secretly installed on consumer computers, to achieve its goals.

Here is TG Daily's recap of the events that pushed Sony in one of the firm's worst PR disasters and led to a recall of audio CDs that carry the stealth software.

Mid-2004: Sony starts selling XCP protected CDs. Music CDs from popular artists such as Celine Dion, Louis Armstrong and Frank Sinatra are sold with XCP protection. In total, Sony says 52 titles had the protection. It would take more than a year before computer security experts detect the XCP software. Link to list of XCP protected Sony titles

October 31: Mark Russinovich finds something strange. Russinovich, Co-author of Windows Internals (Microsoft Press) and developer of several Windows utilities tools on the Sysinternals.com website, finds evidence of what he thinks is rootkit on his system. While running Rootkit Revealer, he discovered a hidden directory, application and several cloaked drivers. Russinovich traced the software back to a Sony music CD he bought, "Get Right With Man" by Van Zant. He also finds that the DRM software, called XCP, is made by First 4 Internet Ltd., a company based in England. Over the next few days, major newspapers and websites report on the news. Sony, Rootkits and Digital Rights Management Gone Too Far

November 3: Is Sony's DRM XCP really a rootkit? While several websites are reporting that the XCP is rootkit, some virus companies are calling it spyware or a virus. Fulton, one our news editors, took a skeptical look at the news with his article entitled, Analysis: Sony BMG copy protection may be stealthy, but is it a "rootkit?".

November 4: XCP developer First 4 Internet says XCP "is not malware." TG Daily editor Fulton interviews Matthew Gilliat-Smith, chief executive officer of First 4 Internet to get his side of the story. Gilliat-Smith admits that XCP does have some rootkit-like characteristics, saying, "it's using cloaking techniques that are similar to a rootkit," but believes the negative media coverage is undeserved. "I want to confirm that this is not malware. It's not spyware," says Gilliat-Smith. Read the full story: Sony BMG's DRM provider does not rule out future use of stealth

Nov 9: David Strom: Sony BMG's music sounds off-key: Strom, Editor-In-Chief for TGPublishing, laments that it's tough enough to keep viruses and spyware away from your PC, without having to worry about Sony's DRM software. " When I buy a CD (and I do buy them from time to time), I don't want anything extra coming along for the ride," says Strom. Read his column here:David Strom: Sony BMG's music sounds off-key

Nov 10: Sony sued and Sophos finds two Trojans that take advantage of XCP. A busy day develops for Sony as a class-action lawsuit is filed in Southern California and Sophos, a well-known anti-virus vendor, discovers two Trojan programs that piggyback on the XCP software: Sony BMG sued: Class action plaintiffs allege company used rootkit as DRM and Sophos discovers two Trojans hiding behind Sony BMG DRM

Nov 15: Security expert Dan Kaminsky says Sony infection is widespread. Kaminsky, a noted expert in DNS and frequent speaker at computer security conventions, told TG Daily that he believes that millions of machines could potentially be infected with XCP. He traced DNS lookups caused by XCP and plotted them on a world map. Sony malware infections in the millions - security expert

Nov 16: Sony changes XCP's uninstaller and claims DNS propagation estimates are "flawed." John McKay, Sony BMG's spokesperson, responds to reports that the uninstaller is unsecure and can open computers up to further attack. "We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer," says McKay. McKay also disputes Kaminsky's claims and believe them to be, " significantly exaggerated." Sony BMG to revise XCP uninstaller procedure, claims DNS propagation estimates "flawed"

Nov 16: Sony recalls XCP-endowed CDs. Sony agrees to stop selling XCP-protected CDs and has instructed retailers to pull the CDs from store shelves. Sony BMG issues recall order for XCP-endowed CDs

Nov 18: Developers find evidence of open-source codecs in XCP. As if Sony BMG didn't have enough problems to contend, now there are fresh allegations that the media player component of XCP may have included portions of open source codec software. If XCP was entitled to use that software, it's not displaying the licenses to prove it. Sony BMG issues recall order for XCP-endowed CDs

Nov 21: Texas Attorney General's Office and Electronic Frontier Foundation both file suit against Sony BMG. Texas became the first state to sue Sony BMG. Texas Attorney General Greg Abbott said, "SONY has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers." He is seeking up to $100,000 for each violation of the state's Consumer Protection Against Computer Spyware Act of 2005. Texas Attorney General's Office Press Release

The Electronic Frontier Foundation filed a class action lawsuit demanding that Sony BMG fix the damage caused by the DRM software. EFF Press Release