Saturday, November 12, 2005

Sony's XCP escapades

I may have to get rid of the Google Desktop, because it's dangerously more interesting than updating outlines. Here's a developing story in the world of Digital Rights Management.

It appears that Sony created a system to keep people from pirating audio CDs. The system is called XCP. If you want to play an audio CD protected by XCP in your computer's CD drive, you have to install the XCP software, which limits your ability to copy the disk. And apparently does some other things that are a bit nastier.

One of the authors of the Sysinternals blog conducted an analysis of the software. To make a long story short, when you install this stuff, it hides files and directories that have names beginning with the letters "$sys$". It also takes steps derived from hacker tricks to make sure you can't find it or easily remove it and periodically sends information back to Sony. The steps it takes create some security vulnerabilities: anyone else who can hack into your system can hide files simply by giving them names beginning with "$sys$". Apparently at least one virus and one trojan horse already take advantage of this vulnerability.

On November 11th, Sony suspended distribution of the XCP software and offered a way to remove the software to those who had installed it. According to Sysinternals, the removal system is cumbersome at best. Now Microsoft has jumped into the dispute, saying they're going to treat XCP as spyware and add its signature to the weekly update for their spyware blocker because of its effect on the security, reliability, and performance of Windows systems where the software's been installed. Also, on November 1st a San Franscisco attorney filed a class action suit against Sony over XCP.

No comments: