What's on that music CD, anyway?

Door opened for hackers
The new problems, according to computer security experts, were severe.   First 4's flawed program opened the door to hackers by re-writing part of the Windows operating system, hiding from view every file that began with the characters $sys$.  The strategy troubled anti-virus firms, which said it could prevent their programs from finding some computer viruses. First 4’s Gilliat-Smith said he doubted the severity of the vulnerability, but still agreed to publish a fix that removed the rudimentary cloaking technology. Concerned consumers can download the patch from Sony or get it from their antivirus providers, he said.

“This is a tempest in a teacup,” Gilliat-Smith said. “It’s not designed to be sneaky. It’s meant to be a bar that makes it a little more difficult to circumvent.”

Ero Carrera, a virus researcher at F-secure Corp., disagreed.  Consumers around the world now have the First 4 Internet program on their PCs. Many still might not realize it; and even those that do are unlikely to download and install the patch – consumers often don’t install patches from software makers. 

The release of computer viruses using the $sys$ cloaking trick have blunted Gilliat-Smith's argument a bit, though there is no indication that any of those programs have infected multiple consumers' computers.

Give me my hard drive back
Still, Sam Curry, vice president of  eTrust security management at Computer Associates Inc., says people are tired of seeing their PCs loaded up with unwanted and unexpected software – adware, spyware, Trojan horses.

“It’s time to say enough is enough. You invest $2,000 in a computer, you have the right to decide what’s on it,” he said.  The music industry has piracy problems, but shouldn't “try to resolve those issues with ill-conceived attempts to control the users’ computers.”

Or, as Goldman puts it: “The outrage reflects frustration with software vendors deciding what's on your computer. People are beginning to say, ‘Stop it. Give me my hard drive back.’ ”

Bill Rosenblatt, editor of the newsletter DRM Watch and author of Digital Rights Management, says music CDs were never designed to stop 21^st Century pirates, and now is not the time to start. "My opinion is that the record label people who use this technology are being told that it works and that it will solve their piracy problems whereas in fact neither is the case. It doesn't work well and it doesn't solve piracy problems.”

Jacobs insists SunnComm technology does work, and says the firm rarely gets complaints. The complaints that do arrive are almost all focused on the fact that MediaMax software doesn’t allow songs to be transferred to Apple iPods.  That, he says, is more than a quirky problem, but the firm is close to settling compatibility issues with Apple.

Still, Jacobs worked hard to distance his product from First 4 Internet's; SunnComm's MediMax clearly tells consumers what it's doing, he said, and it opens up none of the security holes left behind by First 4.

Testing it on the public
But there are other problems with copy-protected CDs; Halderman said. To play them on a PC, the user must have administrative rights on that computer, so the necessary software can be installed.   That means some employees can’t listen to their CDs while at work.  That’s a restriction few consumers imagine when they purchase music. 

On the other hand, a simple Google search will tell a would-be pirate how to defeat the copy-protection technology, Halderman said, creating the scenario copy protection critics fear: honest consumers are hassled while criminals continue unobstructed.

“There’s no really good way of testing this stuff,” Rosenblatt said.  “In effect, they are testing it on the public.”

But while the kinks are being worked out, Sony and First 4 have had little success putting last week’s controversy behind them. Discussion and criticism continue on Russinovich’s blog, and each day brings word of new computer viruses and lawyers attacking the program. Russinovich said the patch designed to fix First 4’s software tends to crash computers.  Computer Associate's Curry took exception to Sony BMG's requirements for uninstall.  Users can’t do it alone -- they must go to Sony’s Web site and fill out a form.  There, they have to supply a name, e-mail address, and the place they purchased the CD.

“Why is it that they are asking for (this information).  This policy wasn't stipulated up front,” he said.  It's not about digital rights management, he said, but rather “This is really about their paying customers and rights they have.”

By announcing it would suspend use of First 4 for now, Sony has taken one more step towards appeasing critics. It's not clear that they will be satisfied. After all, there's still the matter of patching all those computers which already have the cloaking software installed.

But one things seems certain after last week's dust-up: More arguing over both music and rights is sure to follow.

MORE FROM SECURITY

Security Section Front

T-Mobile sued over 'mandatory' text fees Web site design flaws make banking riskier Facebook redesign to weed out toxic spam The end of human customer service? EU warns against buying ring tones online Engineer accused of network tampering Man gets prison time for spamming AOL FCC chief says Comcast violated Internet rules Lawmakers to probe 'adware' practices Red Tape: Thwarting thieves with ... magic? Security Section Front   Add Security headlines to your news reader: