
Public Service Announcement: Do NOT Buy Sony-BMG Discs

If you see the image below on a disc you are considering purchasing, think again: you might be in for a very unpleasant surprise.

If you enjoy listening to your music on a computer, be very, very careful about putting a Sony-BMG title in your computer, and if it has the image above, take it back to the store where you bought it and scowl a lot. In an attempt to thwart piracy, Sony-BMG have decided to punish people who actually buy the discs by installing potentially malicious code onto your computer. Here is how CNET explains it:

You buy a CD. You put the CD into your PC in order to enjoy your music. Sony grabs this opportunity to sneak into your house like a virus and set up camp, and it leaves the backdoor open so that Sony or any other enterprising intruder can follow and have the run of the place. If you try to kick Sony out, it trashes the place.

They have been including this malware on certain discs for 8 months and, due to the firestorm of negative publicity, have announced that they won’t include this type of malicious code on new discs. But since it is impossible to tell which discs have the malware, you might want to just avoid discs from Sony-BMG altogether.

This is classic ass-backwards thinking. We want to stop people from stealing music by punishing anyone who does buy a legitimate copy. In fact I think it is a basic tenet of business not to punish customers.

Also, if you want to uninstall the virus-like program that Sony-BMG stealthily installs on your computer, you have to fill out a form on the Sony-BMG website and give them your email address. Furthermore, Sony-BMG’s privacy policy makes it very clear that they can then add your name to the company’s marketing lists. After submitting the form, you will receive an email assigning you a case ID and directing you to another page on the record company’s web site, where you have to submit an uninstall request a second time.

You then get a 3.5mb “patch” that includes God-only-knows-what. According to experts, Sony’s uncloaking patch puts users’ systems at risk of a blue-screen crash and the associated chance of data loss.

Some users have experienced the complete loss of their DVD/CDROM drives. Overall, the gall of Sony-BMG to install such insidious code onto the machines of people who bought the CD is incredible. And record companies wonder why they have such PR problems?

**********************

If you don’t mind living dangerously and somehow feel compelled to buy an album from Sony-BMG, here is a list of artists on whose discs the EFF has found malicious software (be forewarned, it may not be complete):

    Trey Anastasio, Shine (Columbia)
    Celine Dion, On ne Change Pas (Epic)
    Neil Diamond, 12 Songs (Columbia)
    Our Lady Peace, Healthy in Paranoid Times (Columbia)
    Chris Botti, To Love Again (Columbia)
    Van Zant, Get Right with the Man (Columbia)
    Switchfoot, Nothing is Sound (Columbia)
    The Coral, The Invisible Invasion (Columbia)
    Acceptance, Phantoms (Columbia)
    Susie Suh, Susie Suh (Epic)
    Amerie, Touch (Columbia)
    Life of Agony, Broken Valley (Epic)
    Horace Silver Quintet, Silver’s Blue (Epic Legacy)
    Gerry Mulligan, Jeru (Columbia Legacy)
    Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
    The Bad Plus, Suspicious Activity (Columbia)
    The Dead 60s, The Dead 60s (Epic)
    Dion, The Essential Dion (Columbia Legacy)
    Natasha Bedingfield, Unwritten (Epic)
    Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

**********************

Remember: BMG stands for “Big Mean Germans!”

**********************

Updates: Computer Associates has classified the Sony rootkit and its patch as spyware, and will begin removing it. Sony also faces at least two lawsuits over the malicious software the company distributes on its music CDs. At least one library district is banning Sony BMG discs. Enterprising virus writers have already started using the Sony spyware to infect computers.

*****************************

Update: More Sony Malware (from Freedom to Tinker)

MediaMax software:

* Is installed onto the computer without meaningful notification or consent, and remains installed even if the license agreement is declined;
* Includes either no uninstall mechanism or an uninstaller that fails to completely remove the program like it claims;
* Sends information to SunnComm about the user’s activities contrary to SunnComm and Sony statements and without any option to disable the transmissions.

Does MediaMax also create security problems as serious as the Sony rootkit’s? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software. However, it certainly causes unnecessary risk. Playing a regular audio CD doesn’t require you to install any new software, so it involves minimal danger. Playing First4Internet or SunnComm discs means not only installing new software but trusting that software with full control of your computer. After last week’s revelations about the Sony rootkit, such trust does not seem well deserved.

h/t: Boing Boing

*****************************

Is this the last act of Sony-BMG’s Andrew Lack? Independent Sources thinks he’s toast but we shall see.

Update: It turns out that the Sony malware violates copyright. Hypocritical or ironic? From DiWinter Information Services:

The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.
This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.

Sony complied with none of these demands, but delivered just an executable program.

Update, November 13: CNet reports that Microsoft is going to classify the Sony tools as spyware and its security tools will be updated to remove it.



3 Responses to “Public Service Announcement: Do NOT Buy Sony-BMG Discs”

  1. Spyware Informer Says:

    The Sony DRM from Hell: Am I Infected Too?!

    Yep folks, Sony pulled off a Microsoft by installing illegal Trojan horse-based digital restrictions management (DRM) technology that installs itself as a rootkit on Windows PCs onto people’s computers. Users who buy, say… a CD from Amazon might b…

  2. problematik.net Says:

    The end for Sony’s DRM spyware

    Because of the DRM software XCP used on audio CDs, which antivirus software developers have classified as malware owing to its questionable way of working, Sony BMG has by now even received a warning from the head of the US…

  3. Tom Ciarlone Says:

    Class Action Law Firm Investigating Sony CDs:
    My law firm is investigating the situation surrounding “rootkits” on Sony-label CDs. In connection with our investigation, we are interested in learning more about the experiences consumers have had with those CDs. I can be contacted at (212) 239-4340 or, by e-mail, at tciarlone@lawssb.com.