I previously wrote about the Sony music CD DRM that was screwing up people’s computers. Now it turns out that the Sony DRM is calling home, according to Sysinternals. From the post:
- Despite a chorus of criticism over Sony not delivering an uninstaller with their DRM software, Sony refuses to admit blame and to make an uninstaller readily available.
- The download text [of the patch] claims that the rootkit does not pose any “potential security vulnerabilities”; however, it’s obvious that any software that cloaks files, directories and Registry keys beginning with a certain string of characters is a clear security risk. Sony’s uncloaking patch puts users’ systems at risk of a blue-screen crash and the associated chance of data loss.
- The EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There’s no way to ensure that you have up-to-date security patches for software you don’t know you have and there’s no way to remove, update or even identify hidden software that’s crashing your computer.
- I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user’s comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD’s ID. I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way.