February 28, 2005
The Sony BMG DRM Debacle
Corynne McSherry, Staff Attorney

Overview: What was the problem?
In a nutshell: Sony BMG Music Entertainment included flawed "copy-protection" software in millions of music CDs sold to the public.
The DRM software had serious security holes:
- XCP installed a rootkit that hid its system files from the user
- MediaMax allowed a privilege escalation attack
The software also "phoned home," invading consumer privacy without disclosure.

Background: Who is Sony BMG?
Sony BMG is the world's second largest music company, responsible for about 25% of sales. Prominent labels include Arista Records, Columbia Records, Epic Records, RCA Records and RCA Victor Group.

Background: What Were They Thinking?
- Labels are concerned about unlimited CD copying
  - Seeking more rights than provided by law
- DRM is not designed to stop all "piracy"
  - Can't stop peer-to-peer/darknet distribution
  - Can't stop commercial operations
- Proponents call it a "speedbump" to "casual piracy," keeping "honest people honest"

Background: Your Legal Rights to Copy CDs
- Fair use to copy to a computer
- Fair use to copy to an MP3 player
- The Audio Home Recording Act allows non-commercial copies by consumers onto CD-Audio discs
- DRM provides tighter restrictions than copyright law

DRM Is Problematic By Nature
- Active protection* only works if the DRM software is running to interfere with reading the standard CD format
- The software must have greater rights than the user, or it is easy to defeat or remove
- But users do not want software that restricts their uses, and often try to remove or disable it
* Passive protection, which exploits differences in how computers and CD players read discs, is generally considered insufficient.

First4Internet's XCP
- 4.7 million discs made; 2.1 million shipped
- Written with intent to conceal itself from users (like a "rootkit")
  - Hides files from the user (anything whose name begins with "$sys$"), intercepts calls to the CD drive
- Extremely difficult to remove without damage
  - Improper removal can break the CD drive: the driver is registered as a filter on the CD-ROM device stack, so deleting it without unregistering it leaves the drive unusable
- Communicated listening habits to a sonymusic.com server

SunnComm's MediaMax
- 20 million discs total; about 5.7 million with MediaMax 5 (MM5)
- Installed some files (over 12 MB), including the DRM, even if the user clicked "I disagree"
- MM5 allowed privilege escalation attacks
  - Permissions on the SunnComm folder were open to "Everyone"
  - An attacker could set a booby-trap for the next CD play
- Communicated listening habits to a SunnComm server

Sony BMG's EULA
Both installs included a 3000-word End User License Agreement. Highlights:
- Lose rights to the digital copy if you lose the physical CD
- Lose rights upon bankruptcy
- Can't leave the country with the digital copy (i.e., the one on your MP3 player)
- Sony can use the software to "enforce its rights"
- Prohibits reverse engineering
- $5 limit on damages; must sue in New York

Privacy Concerns
- The software sends a unique identifier to an external web server that can be used to identify which CDs are being played
- Also provides standard web-browser information to the server
- Can be used to send content to the player software, customized by the songs
- Was not disclosed to users in the EULA or otherwise; the website FAQ contained denials

Sony DRM Spotting

What is Spyware?
The Anti-Spyware Coalition describes spyware as technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
1) material changes that affect a user's experience, privacy, or system security;
2) use of the user's system resources, including what programs are installed on the user's computer; and/or
3) collection, use, and distribution of a user's personal or other sensitive information.
Computer Associates defines spyware as "Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior."

Sony BMG's XCP Response
- Oct. 4: F-Secure informs Sony BMG privately
- Oct. 31: Mark Russinovich blogs about the rootkit
- Nov. 4: Sony BMG executive Thomas Hesse says, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
- Nov. 8: Sony BMG writes that XCP "is not malicious and does not compromise security."
- After multiple lawsuits are filed and intense public pressure (including an EFF open letter), Sony changes its tune

Sony BMG's MediaMax Response
- Nov. 14: EFF open letter pushes on MediaMax
- Nov. 30: EFF informs Sony BMG privately about the vulnerability found by iSEC Partners (EFF had requested an examination of the software)
- Dec. 6: Joint announcement; patch released
- Dec. 7: Security flaw found in the patch
- Dec. 8: New patch issued

The Law: Overview
Many class action lawsuits filed; the Texas AG files a civil action; other AGs (NY, MA, IL) and the FTC are investigating. Legal issues include:
- Anti-spyware laws
- Anti-hacking laws
- Unfair business practices laws
- False advertising laws

States Have Anti-Spyware Laws
E.g., California's Consumer Protection Against Computer Spyware Act:
- Prohibits preventing "an authorized user's reasonable efforts to block the installation of, or to disable, software, by presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds."
- "Authorized user" excludes persons that have "obtained authorization to use the computer solely through the use of an end user license agreement."

Federal Anti-Hacking Laws
Computer Fraud and Abuse Act:
- "intentionally access protected computers," and as a result of such conduct, cause damage;
- by means of such conduct further an intended fraud; or
- cause a threat to public health or safety, a medical computer, or the administration of justice

State Anti-Hacking Laws
California Penal Code 502:
- Forbids any person knowingly introducing "any computer contaminant into any computer, computer system, or computer network."
- Computer contaminant: "any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information."

Unfair Business Practices
Many states have laws against unfair business practices. California's forbids companies from engaging in unfair competition, defined as "any unlawful, unfair or fraudulent business act or practice...."
- Unlawful: any violation of law, federal or state, civil or criminal, can be the trigger
- Unfair: can include privacy violations
- Fraudulent: addresses misrepresentations

DMCA Issues
- The Digital Millennium Copyright Act generally prohibits circumventing copy protection systems
- Some speculated that security research into Sony BMG's DRM software could violate the DMCA
- In response to EFF's open letter, Sony BMG said it would not use the DMCA against "legitimate security researchers"
- Alex Halderman and Ed Felten sought an exemption, through the DMCA rulemaking process, that would allow DRM circumvention to investigate spyware and security holes

Why Such Problems With DRM?
As Prof. Ed Felten points out,* DRM is likely to act like spyware because both face similar problems:
- Installing software users do not want
- Stopping removal or disabling
Plus the inherent security risks of operating software at a high rights level.
*See

A Skeptic's View of DRM
- DRM is ineffective at stopping "piracy"
- Fair use must be preserved
- DRM must not impede innovation, competition and consumer choice
- DRM technology mandates are bad policy
- Anti-circumvention rules impede innovation and security research

What's the Big Deal?
Many software programs have bugs and security holes. Key differences here:
- Installed without user authorization or knowledge
- No notice of the "phone home" feature
- The XCP rootkit was a deliberate design decision
- Different expectations for CD-Audio

MediaMax Hack
Discovered by iSEC Partners (at EFF's request).
The SunnComm Shared directory uses an ACL that allows low-rights users (i.e., "Everyone" in Windows parlance) to overwrite its contents, including MMX.EXE, the MediaMax program itself. An attacker can overwrite MMX.EXE with code of her choice, and the next time a MediaMax disc is played, her code runs in the session of whoever inserted it, an administrator account on most home PCs of the period.
Attack vectors are limited only by the creativity of malware writers.
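The weak-ACL condition described above, as an added check that is not part of the presentation or of iSEC Partners' work: it takes ACLs in icacls notation (the text `icacls <path>` prints on Windows), works out what an unprivileged user can do to the directory and to the executable in it, and reports whether replacing that executable hands code execution to the privileged user who next plays a disc. The paths and ACL entries are constructed to mirror the configuration the slide describes, not copied from a real install; the "(DENY)" marker for deny entries and the simplified deny-wins evaluation are my assumptions and are noted in the comments.

```python
"""Audit a directory and the executable in it for the MediaMax condition: an
unprivileged user can replace a program that a privileged user will run.
ACLs are in icacls notation, e.g. "Everyone:(OI)(CI)(F)". icacls lists
inherited ACEs, marked "(I)", on every object, so no inheritance
propagation is done here."""
import re
from typing import Dict, List, Set, Tuple

# Groups every interactive local user belongs to; a grant to any of them is a
# grant to an unprivileged user.
LOW_PRIV = {"Everyone", "BUILTIN\\Users",
            "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}

# icacls simple rights expanded to the specific rights they bundle (icacls
# abbreviations: DE delete, WD write data/add file, AD append/add subdir,
# DC delete child, X execute/traverse, WDAC/WO write DAC/owner, etc.).
SIMPLE_RIGHTS = {
    "F": {"DE", "RC", "WDAC", "WO", "RD", "WD", "AD", "REA", "WEA", "X", "DC", "RA", "WA"},
    "M": {"DE", "RC", "RD", "WD", "AD", "REA", "WEA", "X", "RA", "WA"},
    "RX": {"RC", "RD", "REA", "X", "RA"},
    "R": {"RC", "RD", "REA", "RA"},
    "W": {"WD", "AD", "WEA", "WA"},
    "D": {"DE"},
}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_ace(ace: str) -> Tuple[str, bool, bool, Set[str]]:
    """'Everyone:(OI)(CI)(F)' -> (principal, is_deny, inherit_only, rights).
    Assumption: a deny ACE carries a "(DENY)" marker among its flags."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"not an icacls ACE: {ace!r}")
    flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
    rights: Set[str] = set()
    for flag in flags:
        if flag in INHERIT_FLAGS or flag == "DENY":
            continue
        for right in flag.split(","):  # "(RD,RA,X)" lists specific rights
            rights |= SIMPLE_RIGHTS.get(right.strip(), {right.strip()})
    return m.group("who"), "DENY" in flags, "IO" in flags, rights


def effective_low_priv_rights(aces: List[str]) -> Set[str]:
    """Rights an unprivileged user holds on the object itself. (IO) entries
    apply only to children. Simplification: a deny to any low-privilege group
    removes the right regardless of ACE order; Windows lets an explicit allow
    beat an inherited deny, so this may under-report access, never over-report."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in aces:
        who, is_deny, inherit_only, rights = parse_ace(ace)
        if who in LOW_PRIV and not inherit_only:
            (denied if is_deny else allowed).update(rights)
    return allowed - denied


def ways_to_replace(dir_aces: List[str], file_aces: List[str]) -> List[str]:
    """How an unprivileged user could substitute the file's contents."""
    dir_rights = effective_low_priv_rights(dir_aces)
    file_rights = effective_low_priv_rights(file_aces)
    ways = []
    if "WD" in file_rights:
        ways.append("overwrite in place (WD on the file)")
    # Deleting needs DE on the file or DC on the parent; recreating needs WD
    # (add file) on the parent.
    if ("DE" in file_rights or "DC" in dir_rights) and "WD" in dir_rights:
        ways.append("delete and recreate (DE on file or DC on parent, plus WD on parent)")
    return ways


def audit(acls: Dict[str, List[str]], executable: str,
          launched_privileged: bool) -> Dict[str, object]:
    """Flag an executable an unprivileged user can replace but a privileged user runs."""
    directory = executable.rsplit("\\", 1)[0]
    ways = ways_to_replace(acls[directory], acls[executable])
    return {"executable": executable, "ways": ways,
            "privilege_escalation": bool(ways) and launched_privileged}


SHARED = "C:\\Program Files\\Common Files\\SunnComm Shared"
MMX = SHARED + "\\MMX.EXE"

# Constructed sample mirroring the described configuration: the shared folder
# grants Everyone full control and MMX.EXE inherits that grant.
WEAK_ACLS = {
    SHARED: ["BUILTIN\\Administrators:(I)(OI)(CI)(F)",
             "NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)", "Everyone:(OI)(CI)(F)"],
    MMX: ["BUILTIN\\Administrators:(I)(F)", "NT AUTHORITY\\SYSTEM:(I)(F)",
          "Everyone:(I)(F)"],
}
# Constructed corrected shape: unprivileged users may read and execute only.
FIXED_ACLS = {
    SHARED: ["BUILTIN\\Administrators:(I)(OI)(CI)(F)",
             "NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)", "BUILTIN\\Users:(I)(OI)(CI)(RX)"],
    MMX: ["BUILTIN\\Administrators:(I)(F)", "NT AUTHORITY\\SYSTEM:(I)(F)",
          "BUILTIN\\Users:(I)(RX)"],
}

if __name__ == "__main__":
    # MMX.EXE autoruns in the session of whoever inserts the disc, an
    # administrator account on most home PCs of the period.
    for label, acls in (("weak", WEAK_ACLS), ("fixed", FIXED_ACLS)):
        print(label, audit(acls, MMX, launched_privileged=True))
```

The weak layout is flagged on two counts: MMX.EXE itself is writable, and the directory's delete-child plus add-file rights would let an attacker delete and recreate it even if the file's own ACL were tightened. The corrected layout gives Users read-and-execute only, which is what an installer should have written in the first place; a deny entry for a low-privilege group is also honoured, so a mitigation applied with a deny ACE shows up as closed. The check runs on real data by pasting the `icacls` output for the folder and the executable into the two lists.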

Why EFF Got Involved
- To protect people who purchased these defective discs and to prevent this from re-occurring
- A watchdog was needed to ensure the settlement was fair, reasonable and adequately addressed all the issues
- To bring our expertise in DRM issues to bear

The Settlement: EFF's Goals
- Close the spigot: stop production of more flawed CDs
- Get people non-DRM'd/non-EULA'd versions of their music
- Get this relief to people quickly
- Get people some free music, or a choice of some money for their trouble
- Ensure adequate notice of flaws and compensation
- Ensure independent security testing and pre-launch EULA review of any future DRM
- Ensure a quick, reliable process for handling future security problems, with independent experts and judicial enforcement

If you bought:    You are eligible for:
XCP               1. An identical CD that does not contain DRM
                  2. A clean MP3 version of the music on that CD
                  3. For every CD you return: a cash payment of $7.50, plus one free download from a list of approximately 200 album titles in the Sony BMG catalogue; OR three free downloads (same list)
MediaMax 5.0      1. A clean MP3 version of the music on that CD
                  2. One additional download
MediaMax 3.0      A clean MP3 version of the music on that CD

Settlement doesn't include:
- Damage to a computer or network resulting from interactions between XCP or MediaMax and the user's computer (e.g., damage to a hard drive)
- Damage related to reasonable efforts to remove XCP or MediaMax
- Copyright, trademark or other IP claims (e.g., GPL claims, which can only be brought by code rightholders)
Another option: opting out (by May 1).

EULA Provisions
- Replacement CDs/downloads won't have a EULA
- For old discs: Sony BMG agrees not to enforce the provisions forbidding fair use, resale of CDs, and full use of CDs if the user fails to install an update or goes bankrupt
- Future EULAs: independent EULA reviewer

What about the future?
If Sony uses DRM in the future, it must:
- Adequately disclose the DRM BEFORE sale
- Have the DRM independently tested for security flaws BEFORE release
- Ensure the DRM doesn't install without explicit permission
- Provide ready access to an uninstaller
- If a security flaw is found after release: notify, fix, disclose