Can't donate to charity?
Volunteer computer time
or Support SETI!
R&D Sponsorship Center
December 2005

Home Page
Feature Archive
A&I Column Archive
Production Tools
State Marketing Data
US Marketing Data
World Marketing
Service Directory
Quality Assurance
3D Printing

Subscribe to Advertising & Marketing Review!
Contact Ken Custer at 303-277-9840.

The Sony DRM Debacle

by Glen Emerson Morris
Popular Columns
The Cost of Creativity
When bright ideas cost too much.
Desktop Manufacturing
Hits the Home Market

Someday print any object you need.
Saving Motion, Time & Your Business
Motion time studies can save you money.
A Gold Mine of Data Goes Online
The Statistical Abstract is now online, 1300+ data tables in Excel format, free.
A Process for Quality
How a formal process can improve quality.
Recommended Columns
The Greening of Expectations
It's not a fad, it's critical to our survival.
The Learning Curve to Prosperity
Buckminster Fuller predicted the resource crunch now hitting us. He also gave us the tools to deal with it.

October 31, 2005, marked the beginning of what would arguably become the greatest public relations disaster Sony ever faced. On that date a computer security expert, Mark Russinovich of Sysinternals, posted on his company blog that he had found a major security problem with a digital rights management (DRM) software application Sony used on about two million CDs it shipped in 2005. (You can read his postings at

Sony's response was to deny there was a problem. Over the next two weeks, Russinovich made several other postings on his blog that carefully, step by step, proved Sony wrong on nearly every assertion they made about the safety, quality and function of their DRM software. The result was Sony not only appeared technically incompetent, but dishonest as well. Within a week CNN, NPR and the BBC picked up the story, and by the end of the second week, Sony was facing lawsuits, a boycott and their DRM was blacklisted by Computer Associates. Sony announced it would temporarily cease using their DRM application, but the bad news continued. Unfortunately, the fallout will likely affect advertisers as well.

Sony's original intentions were good, or at least legal. They had contracted with the British firm First 4 Internet to develop a DRM application, named XCP, that would be included on selected Sony CDs. These CDs required XCP to be installed on Windows computers in order for the CD to play. XCP was designed to limit the number of times the CD could be copied, and make it impossible to create MP3s of the CD at all.

Unfortunately, XCP does more than that, and a lot more than is mentioned in its end user license agreement. XCP installs itself as a rootkit on Windows systems, meaning it can control the operating system. One of the first things XCP does is to reprogram the OS to not list any file, directory, registry key or process that begins with the characters $sys$. Not surprisingly, $sys$ is the character string XCP software components began with. This cloaking quality makes detecting the components nearly impossible, even for experienced technicians.

Generally, rootkits are used by hackers to install and prevent removal of trojans and other malicious software. In fact, Russinovich was testing a security application named RootkitRevealer, designed to detect rootkits, when he found the problem. When asked about it by NPR, Sony's president of Global Digital Business, Thomas Hesse, said that "most people, I think, don't even know what a rootkit is, so why should they care about it?"

The reason people might care is simple. Hackers can easily use the rootkit $sys$ cloaking feature to infect computers with their viruses and trojans. XCP leaves the door wide open for major security breaches.

Russinovich found other troubling problems with XCP. The program was designed to run even in the "safe" mode on Windows systems, meaning if there was an interaction problem between it and other software on a system that caused a crash, booting the computer from its hard drive would be impossible. Unfortunately, crashes were possible. According to Russinovich, XCP was not written by someone with a good understanding of Windows.

XCP also continually checks the CD drive every 2 seconds to see if a protected CD is being played. This eats approximately 2% of CPU processing, and would shorten the life of the computer's hard drive. XCP also has a phone home feature that communicates with the Sony Website. Sony initially denied this, but Russinovich captured data being sent to Sony from his machine that included the CDs title and his machine's IP address.

Removal of the DRM application also turned out to be a problem. Sony provides no uninstall program for XCP, and XCP is programmed so that if someone were to find and remove XCP components, the computer's CD drive would be disabled in the process. At the time of this writing, Sony has released a patch to remove the $sys$ cloaking feature, but is still denying on their Website that XCP poses any security risk. The exact line is, "This component is not malicious and does not compromise security." Given that there are three known trojans that target this XCP feature, this statement is somewhere between false and a blatant lie.

As bad as XCP is for consumers, it's worse for businesses. To apply for a cloaking removal kit, which Sony seems to be discouraging, Sony is requiring that it be provided with information including the CD artist, title and location of purchase. The requester must also agree to receive e-mail promos about future Sony CD releases to get the cloaking removal kit. Under the circumstances, these are outrageous demands. A business IT department might have no idea about who installed the Sony DRM application, or what CD they were trying to play at the time. In addition, having to agree to accept e-mail that would further eat up a company's Internet bandwidth and disk space in order to make a company's computers secure sounds a lot like extortion.

Even worse, to get the patch you have to run an application that captures information about your system and sends it to Sony. The patch you are eventually e-mailed will only work on the computer you ran the application on, which will prevent quick and widespread deployment in a corporation.

Fortunately, several computer security products, including those form Computer Associates and Microsoft, have classified XCP as a trojan horse and have been programmed to remove it without causing any damage to the computer.

It will probably be argued in court that Sony's use of a rootkit based digital rights management system showed a callous disregard for the security of their customers' computer systems. This could cost them millions in damages. Unfortunately, the damage won't be limited to Sony.

About 40% of consumers on the Internet delete their browser cookies at least once a month, making it difficult for legitimate Internet advertising services to track what ads these consumers have seen on the Websites they visit. The Sony debacle can only make consumers less trustful of any software they get from businesses, including cookies, and that's bad for all advertisers on the Internet.
Glen Emerson Morris has worked as a technology consultant for Network Associates, Yahoo!, Ariba, WebMD, Inktomi, Adobe, Apple and Radius, and is the developer of the Advertising & Marketing Review Data CD.

Copyright 1994 - 2010 by Glen Emerson Morris All Rights Reserved

' keywords: Internet advertising, Internet marketing, business, advertising, Internet, marketing. For more advertising and marketing help, news, resources and information visit our Home Page.

Back to top

Economic Indicators
Census 2010
Census Bureau
Health   Labor
Commerce Dept.

It's Time to Let
A Robot
Make Your Sales Pitch!
Roy the Robot
Funded by Kickstarter