Why DRM on music CDs always leads to spyware

Ed Felten is my idea of a great academic: he’s both a clever thinker and a brilliant explainer. As an example of what he can do, see this terrific account of how attempts to put DRM on music discs lead inexorably to the mess from which Sony BMG is now trying to extricate itself. Sample:

If the music is encoded on the disc in a format that any software program can read, the only way to stop programs from reading it is to install software on the user’s computer, and to have that software actively interfere with attempts to read the disc, for example by corrupting the data stream coming from the disc. We call this “active protection”.

For example, suppose the user wants to use iTunes to read the disc. But the DRM vendor wants to stop the user from doing this, because iTunes can be used to make copies of the disc. The active protection software will detect this and will interfere to ensure that iTunes gets a garbled copy of the music.

Here’s the key issue: Active protection only works if the DRM software is running on the user’s computer. But the user doesn’t want the software on his computer. The software provides no value to him at all. Its only effects are to stop him from doing things he wants to do (such as listening to the music with iTunes), and to expose him to possible security attacks if the software is buggy.

So if you’re designing a CD DRM system based on active protection, you face two main technical problems:

1. You have to get your software installed, even though the user doesn’t want it.
2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

This is just an excerpt. Read the full post for pleasure and enlightenment. Ed’s conclusion is: “Having set off down the road of CD copy protection, the music industry shouldn’t be surprised to have arrived at spyware. Because that’s where the road leads.”

Yes, siree.

The Sony DRM fiasco: one puzzle solved…

One big mystery about the Sony DRM fiasco is why the anti-virus companies were so slow to deal with the Sony rootkit. Now we know. The answer: they were afraid of

violating the Digital Millennium Copyright Act, according to security expert Dan Kaminsky. He says creating new software to remove DRM software is a violation of the DMCA, forcing antivirus companies to create patches that eliminate the software’s dangerous behavior, but do not remove it.

Have we made provision for Sony’s lawsuit, chaps?

The company that wrote the DRM software that has landed Sony BMG in the merde is based in Banbury, near Oxford. It’s called First 4 Internet Ltd and it has a three-page web site of staggering opacity. Apparently, its business involves developing “leading Content Management technology providing Digital Asset Management, Content Protection, DRM and Image Content Filtering solutions”.

Research at Companies House puts some interesting flesh on these bones. The company has “two core business areas” — Image Composition Analysis (ICA) and XCP (Extended Copy Protection). Its sales turnover in the year to end-2004 was £709,941, up from £191,382 for the previous year. Pre-tax loss was down to £489,309 (compared with £786,071 in 2003). So someone is providing serious funding for this little outfit.

The Director’s Report for the year ended 30 November 2004 makes interesting reading — especially the bit about XCP. Here’s what it says:

The final testing and customisation of XCP2 was completed for Sony BMG in January of this year and the first CD title “Susie Suh” was manufactured for commercial release in February. Since March there have been approximately 20 new album releases with XCP2 on over two million CDs in the US market place. The launch of XCP2 has been a major achievement for the company and I would like to thank all employees for the commitment and contribution of extra hours to help achieve this.

XCP2 was the first content protection technology with secure burning to be released in the US market in any volume and significantly ahead of our competitors. Independent consumer feedback conducted for Sony BMG on these CDs has been impressive with a positive reception from consumers [Eh?] as well as from the extensive press coverage that has accompanied this launch. [Eh?] The remaining hurdle is for the major record labels to negotiate with Apple Computers their agreement for the integration of content protected discs with iPod devices following which the adoption of content protection by all record labels will increase rapidly.

Hmmm… Time to rethink, chaps? Knowing Sony, they might even sue their plucky little UK supplier. Next year might not be a bumper year, after all. How about a change of name — Last 4 Internet, perhaps?

So how long has Sony known about the rootkit problem?

Curiouser and curiouser. According to Business Week, Sony were warned about the problem with their DRM system a full month before Mark Russinovich posted the news on his blog — and did nothing. Excerpt:

Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 — nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn’t understand the software it was introducing to people’s computers and was slow to react.

“If [Sony] had woken up and smelled the coffee when we told them there was a problem, they could have avoided this trouble,” says Mikko H. Hypponen, F-Secure’s director of antivirus research.

Eliot Spitzer wades in on Sony spyware case

From Business Week

BUYER, BEWARE.  [New York Attorney General] Spitzer’s office dispatched investigators who, disguised as customers, were able to purchase affected CDs in New York music retail outlets — and to do so more than a week after Sony BMG recalled the disks. The investigators bought CDs at stores including Wal-Mart, BestBuy, Sam Goody, Circuit City, FYE, and Virgin Megastore, according to a Nov. 23 statement from Spitzer’s office.

Sony BMG says it shipped nearly 5 million CDs containing the software, of which 2.1 million had been sold. The company says 52 individual titles are affected.

Spitzer’s office urged consumers not to buy the disks, and if they do buy them, not to play them in computers. The disks should be returned to the place of purchase for a refund, Spitzer advises.

MORE PRESSURE. 

“It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year,” Spitzer said in a written statement. “I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony.”

Attaboy!

Sony retreats, but doesn’t apologise

From Good Morning, Silicon Valley

WASHINGTON (AP) – Stung by continuing criticism, the world’s second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.

Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the “XCP” technology as a precautionary measure. “We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,” the company said in a statement.

The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the CD and prevents them from loading the CD’s songs onto Apple Computer’s popular iPod portable music players. Some other music players, which recognize Microsoft’s proprietary music format, would work.

Sony’s announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology’s ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.
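The last paragraph of that report makes two technical points worth seeing in code: the cloak hid files by name pattern, so anyone else could hide a file by adopting the same pattern, and the cloak was found by noticing that the operating system’s own directory listing disagreed with what was actually on disk. The following is an added example, not code from the page, from Sony BMG or from the XCP vendor. It simulates the hooked directory enumeration in user space rather than with a real driver, and the `hidden_` prefix is a stand-in chosen for the simulation (the page does not give the real pattern):

```python
"""Simulation: a name-based cloaking hook, a piggy-backing payload, and two
ways to detect the cloak (cross-view diff and a canary probe)."""
import os
import tempfile

# Stand-in for the protected name pattern. The page does not name the real
# one, so this value is an assumption made for the simulation only.
CLOAK_PREFIX = "hidden_"


def hooked_listdir(path, prefix=CLOAK_PREFIX):
    """Stand-in for a hooked directory-enumeration API.

    A cloaking driver sits between the caller and the filesystem and drops
    every entry whose name starts with the protected prefix. The files are
    still on disk and can still be opened by exact path; only the listing lies.
    """
    return sorted(n for n in os.listdir(path) if not n.startswith(prefix))


def raw_listdir(path):
    """Stand-in for reading the directory below the hook (for example by
    parsing the volume directly), which the cloak cannot filter."""
    return sorted(os.listdir(path))


def cross_view_diff(path):
    """Names present in the raw view but absent from the hooked view are cloaked."""
    return sorted(set(raw_listdir(path)) - set(hooked_listdir(path)))


def canary_probe(path, prefix=CLOAK_PREFIX):
    """Plant a harmless file carrying the suspect prefix and ask the (possibly
    hooked) API whether it can see it. A file we just created that is missing
    from the listing yet still reachable by path means enumeration is filtered.
    """
    name = prefix + "canary.txt"
    full = os.path.join(path, name)
    with open(full, "w") as f:
        f.write("canary\n")
    try:
        visible = name in hooked_listdir(path)
        reachable = os.path.exists(full)
        return {
            "visible_in_listing": visible,
            "reachable_by_path": reachable,
            "cloaked": reachable and not visible,
        }
    finally:
        os.remove(full)


def demo():
    """Constructed scenario: one benign file, the cloak's own driver file, and
    a third-party payload that simply adopted the protected prefix."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("readme.txt",
                  CLOAK_PREFIX + "drm_driver.sys",
                  CLOAK_PREFIX + "evil_payload.exe"):
            with open(os.path.join(d, n), "w") as f:
                f.write("x")
        return {
            "hooked_view": hooked_listdir(d),
            "raw_view": raw_listdir(d),
            "cloaked_names": cross_view_diff(d),
            "canary": canary_probe(d),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hooked view shows only `readme.txt`: the DRM driver and the payload that borrowed its prefix are hidden in exactly the same way, which is why a vendor’s cloak becomes a general-purpose hiding place. The cross-view diff recovers both names, and the canary probe confirms the filtering without needing to know in advance which files are on the machine.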

More… It turns out that Sony has plans for Mac users too. According to this post, Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style “root kit” on their computers via audio CDs:

I recently purchased Imogen Heap’s new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there’s a smaller extra partition for “enhanced” content. I was surprised to find a “Start.app” Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

Personally, I’m not a big fan of anyone installing kernel extensions on my Mac. In Sony’s defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.

So, as I was saying the other day, the best thing is just to shun anything emanating from Sony.

Sony’s new licence agreement

The Electronic Frontier Foundation has been reading the End User License Agreement that comes with Sony’s new copy-protected CDs (yep — the ones that install a security hole on your Windows machine).

Before detailing some of the implications of the License, the EFF provides some background:

When you buy a regular CD, you own it. You do not “license” it. You own it outright. You’re allowed to do anything with it you like, so long as you don’t violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the “first sale” doctrine), or make a copy for use on your iPod (thanks to “fair use”). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.

Now compare that with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:

If your house gets burgled, you have to delete all your music from your laptop when you get home. That’s because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

You can’t keep your music on any computers at work. The EULA only gives you the right to put copies on a “personal home computer system owned by you.”

If you move out of the country, you have to delete all your music. The EULA specifically forbids “export” outside the country where you reside.

You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

Sony-BMG can install and use backdoors in the copy protection software or media player to “enforce their rights” against you, at any time, without notice. And Sony-BMG disclaims any liability if this “self help” crashes your computer, exposes you to security risks, or any other harm.

The EULA says Sony-BMG will never be liable to you for more than $5.00. That’s right, no matter what happens, you can’t even get back what you paid for the CD.

If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

You have no right to transfer the music on your computer, even along with the original CD.

Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.

Simple suggestion: just give Sony products a miss from now on. Any company that behaves like this deserves to go bust.