Now that virus writers have started exploiting the rootkit built into Sony-BMG albums that utilize First4Internet's XCP DRM (as I warned they would last week), Sony has at last agreed to temporarily stop shipping CDs containing the defective software:

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use.

What few people realize is that Sony uses another copy protection program, SunnComm's MediaMax, on other discs in their catalog, and that this system presumably is not included in the moratorium. Though MediaMax doesn't resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware.

I originally wrote about MediaMax back in 2003. It was the first copy restricting technology that installed software in an attempt to block ripping and copying. SunnComm has continued to develop its anti-copying tools, and today MediaMax is distributed on albums from Sony-BMG and several smaller labels. Sony titles that use MediaMax include Grown and Sexy by Babyface and Z by My Morning Jacket. These discs aren't hard to spot; the back album covers usually contain a label that includes a sunncomm.com URL.

Like XCP, recent versions of MediaMax engage in spyware-style behavior. They install software without meaningful consent or notification, they include either no means of uninstalling the software or an uninstaller that claims to remove the entire program but doesn't, and they transmit information about user activities to SunnComm despite statements to the contrary in the end user license agreement and on SunnComm's web site. I'll describe each of these problems in detail below.

1. MediaMax installs without meaningful consent or notification

When a MediaMax-protected CD is inserted into a computer running Windows, the Windows Autorun feature launches a program from the CD called PlayDisc.exe. Like most installers, this program displays a license agreement, which you may accept or decline. But before the agreement appears, MediaMax installs around a dozen files that consume more than 12 MB on the hard disk. Most are copied to the folder c:\Program Files\Common Files\SunnComm Shared\, shown below:

These files remain installed even if you decline the agreement. One of them, a kernel-level driver with the cryptic name "sbcphid", is both installed and launched. This component is the heart of the copy protection system. When it is running, it attempts to block CD ripping and copying applications from reading the audio tracks on SunnComm-protected discs. MediaMax refrains from making one final change until after you accept the license—it doesn't set the driver to automatically run again every time Windows starts. Nevertheless, the code keeps running until the computer is restarted and remains on the hard disk indefinitely, even if the agreement is declined. [Update 11/28: In several common scenarios, MediaMax goes a step further and sets the driver to automatically run again every time Windows starts, even if the user has never agreed to the license.]

To see if SunnComm's driver is present on a Windows XP system, open the start menu and select Run. In the box that pops up, type

cmd /k sc query sbcphid

and click OK. If the response includes "STATE: 1 STOPPED", the driver is installed; if it includes "STATE: 4 RUNNING", the driver is installed and actively restricting access to music. Alternately, you can look for the driver's file, sbcphid.sys, which will be located in the c:\windows\system32\drivers\ folder if it is installed.

(Newer version of SunnComm's software can also block copying on Mac systems, as reported by MacInTouch. However, since Mac OS X does not automatically run software from CDs, Mac users will only be affected if they manually launch the installer.)

Is there any meaningful notice before the program is installed? On the contrary, the Sony license agreement (which happens to be identical to the agreement on XCP discs, despite significant differences between XCP and MediaMax) states that the software will not be installed until after you accept the terms:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.

Notice too that while the agreement partially describes the protection software, it fails to disclose important details about what the software does. Yes, the MediaMax driver tries to "protect the audio files embodied on the CD," but it also attempts to restrict access to any other CD that use SunnComm's technology. You only need to agree to installation on one album for the software to affect your ability to use many other titles.

2. MediaMax discs include either no uninstaller or an uninstaller that fails to remove major components of the software

None of the MediaMax albums I've seen from Sony-BMG include any option to uninstall the software. However, some titles from other labels do include an uninstall program. For instance, the album You Just Gotta Love Christmas by Peter Cetera (Viastar Records) adds MediaMax to the Windows Add/Remove Programs control panel, the standard interface for removing programs. If you elect to remove the software, it displays the following prompt:

Clicking "Yes" does cause parts of MediaMax to be deleted, including nearly all the files in the SunnComm shared folder. However, the protection driver remains installed and active despite the suggestion that "MediaMax and all of its components" would be removed. That means iTunes and other programs still cannot access music for any SunnComm-protected CD.

[Update: Apparently SunnComm was providing an uninstaller to users who persistently demanded one, but the uninstaller opened a severe security hole in users' systems.]

3. MediaMax transmits information about you to SunnComm without notification or consent

Sony and SunnComm seem to go out of their way to suggest that MediaMax doesn't collect information about you. From the EULA:

[T]he SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

SunnComm's customer care web page is equally explicit:

Is any personal information collected from my computer while using this CD?:
No information is ever collected about you or your computer without you consenting.

Yet like XCP, the MediaMax software "phones home" to SunnComm every time you play a protected CD. Using standard network monitoring tools, you can observe MediaMax connecting to the web server license.sunncomm2.com and sending the following request headers:

POST /perfectplacement/retrieveassets.asp?id=
   7F63A4FD-9FBD-486B-B473-D18CC92D05C0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: license.sunncomm2.com
Content-Length: 39
Connection: Keep-Alive
Cache-Control: no-cache


This shows that MediaMax opens a web page from a SunnComm server and sends a 32-character identifier (highlighted)—apparently a unique code that tells SunnComm what album you're listening to. The request also contains standard HTTP headers from which the company can learn what operating system you are running (in the above example, NT 5.1, a.k.a. Windows XP) and what version of Internet Explorer you use (here, IE 6).

SunnComm also gets to observe your computer's IP address, which is transmitted to every Internet server you connect to. You are assigned an IP address by your Internet service provider or system administrator. Many users are issued frequently changing "dynamic" IP addresses that make it difficult to track them individually, but others have fixed, "static" addresses. If you have a fixed address, SunnComm can piece together the messages from your computer to find out all the protected discs you listen to and how often you play them. In some cases, such as if you are a Princeton student, knowing the address is enough to let SunnComm track down your name, address, and phone number.

So why does MediaMax contact a SunnComm server in the first place? The server's response to the above request isn't very informative:

Microsoft VBScript runtime

error '800a000d'

Type mismatch: 'ubound'

/perfectplacement/retrieveassets.asp, line 26

Apparently a bug in the server software prevents it from returning any useful information. However, the name "Perfect Placement" in the URL provides a valuable clue about the server's purpose. A SunnComm web page describes "Perfect Placement" as a MediaMax feature that allows record labels to "[g]enerate revenue or added value through the placement of 3rd party dynamic, interactive ads that can be changed at any time by the content owner." Presumably the broken site is supposed to return a list of ads to display based on the disc ID.

Just because the server software is buggy doesn't mean it isn't collecting data. If SunnComm's web site is configured like most web servers, it logs the information described above for every request. We can't know for certain what, if anything, SunnComm does with the data, but that's why transmitting it at all raises privacy concerns.

…

To summarize, MediaMax software:

• Is installed onto the computer without meaningful notification or consent, and remains installed even if the license agreement is declined;
• Includes either no uninstall mechanism or an uninstaller that fails to completely remove the program like it claims;
• Sends information to SunnComm about the user's activities contrary to SunnComm and Sony statements and without any option to disable the transmissions.

Does MediaMax also create security problems as serious as the Sony rootkit's? Finding out for sure may be difficult, since the license agreement specifically prohibits disassembling the software. However, it certainly causes unnecessary risk. Playing a regular audio CD doesn't require you to install any new software, so it involves minimal danger. Playing First4Internet or SunnComm discs means not only installing new software but trusting that software with full control of your computer. After last week's revelations about the Sony rootkit, such trust does not seem well deserved.

Viewed together, the MediaMax and XCP copy protection schemes reveal a pattern of irresponsible behavior on the parts of Sony and its pals, SunnComm and First4Internet. Hopefully Sony's promised re-examination of its copy protection initiatives will involve a hard look at both technologies.

Here's a handy bag of tricks for people whose computers are (or might be) infected by the SonyBMG/First4Internet rootkit DRM. The instructions here draw heavily from research by Alex Halderman and Mark Russinovich.

This DRM system operates only on recent versions of Windows. If you're using MacOS or Linux, you have nothing to worry about from this particular DRM system. The instructions here apply to Windows XP.

How to tell whether the rootkit is on your computer: On the Start menu, choose Run. In the box that pops up, type this command:

cmd /k sc query $sys$aries

and hit the Enter key. If the response includes "STATE: 4 RUNNING", then your machine is infected with the rootkit. If the response includes "The specified service does not exist as an installed service", then your machine is not infected with the rootkit.

How to disable the rootkit: On the Start menu, choose Run. In the box that pops up, type this command:

cmd /k sc delete $sys$aries

and hit the Enter key. Then reboot your system, and the rootkit will be permanently disabled.

Note that this does not remove or disable the main anti-copying technologies. It only turns off the rootkit functionality that hides files, programs, and directory entries. The main DRM software is still present.

How to remove the DRM software entirely: Use the official uninstaller offered by the vendors. They'll make you jump through unnecessary hoops, and give them unnecessary information, before you can uninstall. Feel free to complain to the vendors about their refusal to offer a simple uninstaller for download.

It is possible to remove the DRM software by hand, but I recommend against it – if you mess up, you can render your machine unbootable.

Probably someone will create an unofficial but easy-to-use uninstaller, but I haven't seen one yet.

How to get songs from these discs into iTunes, an iPod, or anywhere else you can legally put them: SonyBMG will send instructions on how to do this to anyone who asks. Note that their instructions direct you to agree to their End User License Agreement; be sure to read the agreement and think about whether you want to accept it.

To save you time, I'll quote their instructions here:

Place the CD into your computer and allow the supplied Sony BMG audio player on the CD to start. If our player software does not automatically start, open your Windows Explorer. Locate and select the drive letter for your CD drive. On the disc you will find either a file named LaunchCD.exe or Autorun.exe. Double-click this file to manually start the player.

Once the Sony BMG player application has been launched and the End User License Agreement has been accepted, click the "Copy Songs" icon/button and follow the instructions to copy the secured Windows Media Files (WMA) to your PC's hard drive.

TIP: Once the WMA files are on your hard drive, be sure to remove the original CD from your optical drive before proceeding. The original CD is designed to only allow playback using the Sony BMG audio player software included on the disc.

Once the WMA files are on your PC, open and listen to the songs with Windows Media Player 9.0 or higher (version 10 is recommended for XP) to verify that they imported correctly. Then use Windows Media Player to burn the songs as a standard Audio CD.

TIP: By default Windows Media Player may assume that you want to create a data CD rather than an audio CD. This just creates a data CD of the audio files in their secured WMA format rather than first converting them to standard Red Book Audio format. Before creating the CD be sure to verify "Audio CD" is selected.

Having followed these instructions, you will then have a copy of the CD that is unencumbered by copy protection. You can then proceed to make any lawful use of the music, including ripping it into iTunes and downloading it onto your iPod.

You read that correctly – SonyBMG, which is willing to surreptitiously install a rootkit on your computer in the name of retarding copying of their music, will send, to anyone who asks, detailed instructions for making an unprotected copy of that same music.

Mark Russinovich has yet another great post on the now-notorious SonyBMG/First4Internet CD "copy protection" software. His conclusion: "Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall."

Here's how the uninstall process works:

• The user somehow finds the obscure web page from which he can request the uninstaller.
• The user fills out and submits a form requesting the uninstaller. The form requests information that is not necessary to perform the uninstallation.
• The vendor sends the user an email asking them to install a patch, and then to visit another page if he still wants to uninstall the software.
• The user is directed to install and run yet more software – an ActiveX control – on his computer.
• The user has to fill out and submit yet another form, which asks unnecessarily for still more information.
• The vendor sends the user an email containing a cryptic web link.
• The user clicks on that web link. This will perform the uninstall, but only if the user is running on the same computer on which he performed the previous steps, and only if it is used within one week.

None of these steps is necessary. It would be perfectly feasible to provide for download a simple uninstaller that works on any computer that can run the original software. Indeed, it would have been easier for the vendor to do this.

In all the discussion of the SonyBMG software, I've been avoiding the S-word. But now it's clear that this software crosses the line. It's spyware.

Let's review the evidence:

• The software comes with a EULA which, at the very least, misleads users about what the software does.
• The software interferes with the efforts of ordinary users and programs, including virus checkers and other security software, to identify it.
• Without telling the user or obtaining consent, the software sends information to the vendor about the user's activities.
• No uninstaller is provided with the software, or even on the vendor's website, despite indications to the contrary in the EULA.
• The vendor has an uninstaller but refuses to make it available except to individual users who jump through a long series of hoops.
• The vendor makes misleading statements to the press about the software.

This is the kind of behavior we've come to expect from spyware vendors. Experience teaches that it's typical of small DRM companies too. But why isn't SonyBMG backing away from this? Doesn't SonyBMG aspire to at least a modest level of corporate citizenship?

There are three possibilities. Maybe SonyBMG is so out of touch that they don't even realize they are in the wrong. Or maybe SonyBMG realizes its mistake but has decided to stonewall in the hope that the press and the public will lose interest before the company has to admit error. Or maybe SonyBMG realizes that its customers have good reason to be angry, but the company thinks it is strategically necessary to defend its practices anyway. The last possibility is the most interesting; I may write about it tomorrow.

Outside the SonyBMG executive suite, a consensus has developed that this software is dangerous, and forces are mobilizing against it. Virus researchers are analyzing malware now in circulation that exploits the software's rootkit functionality. Class-action lawsuits have been filed in California and New York, and a government investigation seems likely in Italy. Computer Associates has labeled the software as spyware, and modified its PestPatrol spyware detector to look for the software. Organizations such as Rutgers University are even warning their people not to play SonyBMG CDs in their computers.

Last week the EFF released a report criticizing the RIAA's lawsuits against individuals accused of P2P infringement. Some commentators have criticized the EFF. Tim Lee at Tech Liberation Front summarizes their argument:

I’m ordinarily sympathetic to the EFF’s arguments, but in this case, I agree with Adam [Thierer]:

"OK Fred, then what exactly IS the answer to the P2P dilemma? Because you don’t favor individual lawsuits, you don’t favor P2P liability, or much of anything else. This is what infuriates me most about the Lessig-ites; they give lip service to the P2P problem but then lambaste each and every legal solution proposed. In my opinion, if you can’t even support the lawsuits against individual users, then you essentially don’t believe in ANY sort of copyright enforcement."

People who don’t like the RIAA’s litigous agenda need to come up with a workable alternative. Too many people on the anti-RIAA side like to criticize every attempt to enforce current copyright laws without suggesting alternative enforcement mechanisms, and without proposing an alternative legal regime. I’m not comfortable with simply shrugging at wide-spread piracy and telling the RIAA to lower their prices and stop whining.

Arguments about the lawsuits often get bogged down in confusion over exactly which argument the lawsuit opponents are making. There are three types of anti-lawsuit arguments.

A moral argument against lawsuits says that bringing the lawsuits is morally wrong.

A pragmatic argument against lawsuits says that bringing the lawsuits isn't the most clever strategy for a self-interested RIAA to follow.

An empirical argument against lawsuits says that the lawsuits are not reducing infringement.

You can believe any subset of these arguments (including the empty set) without logical inconsistency. For example, you can believe that filing lawsuits is wrong but that doing so will help the RIAA by reducing infringement. Or you can believe that the lawsuits are morally justified and will reduce infringement but still aren't the cleverest thing for the RIAA to do.

It goes without saying that each of the three arguments is either justified or not, so that some subset is correct to believe. My point is merely that no subset is logically inconsistent.

The EFF report combines threads of all three arguments. They argue at times that the lawsuits are unfair, beating up on defenseless grandmothers. They argue at times that the RIAA would be better off forgoing lawsuits. And they argue at times that the lawsuits are not reducing infringment. Although they don't make it crystal clear, my reading is that the EFF is making all three arguments.

The Thierer/Lee criticism – that lawsuit critics have an obligation to suggest an alternative course for the RIAA – applies only to pragmatic arguments. If you believe a pragmatic argument, then you must believe there is something more clever the RIAA can do; and you should tell us what that is. But if you're making a moral argument or an empirical argument, then you have no obligation to describe a better plan, because you're not asserting that there is a better plan.

This is a common fallacy in policy analysis: assuming that whenever there is a problem, the solution must be some kind of bold new action. Sometimes bold action is just what's needed. But sometimes bold action doesn't solve the problem. Sometimes it only causes new problems. Sometimes your problem has no solution and your best course is to suck it up and figure out how to live with the problem.

Breaking down the anti-lawsuit arguments this way tells us one more imporant thing about this debate: there aren't just two sides. There are at least eight logically consistent positions one could take – one for each subset of the three arguments – and I'm quite sure that more than two of those eight positions can be backed by plausible arguments.

If people are clearer about which arguments they are making, and which they aren't making, maybe we can make some progress in this debate.

SonyBMG and First4Internet, the companies caught installing rootkit-like software on the computers of people who bought certain CDs, have taken their first baby steps toward addressing the problem. But they still have a long way to go; and they might even have made the situation worse.

Yesterday, the companies released a software update that they say "removes the cloaking technology component that has been recently discussed in a number of articles". Reading that statement, and the press statements by company representitives, you might think that that's all the update does. It's not.

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they're not just taking away the rootkit-like function – they're almost certainly adding things to the system as well. And once again, they're not disclosing what they're doing.

No doubt they'll ask us to just trust them. I wouldn't. The companies still assert – falsely – that the original rootkit-like software "does not compromise security" and "[t]here should be no concern" about it. So I wouldn't put much faith in any claim that the new update is harmless. And the companies claim to have developed "new ways of cloaking files on a hard drive". So I wouldn't derive much comfort from carefully worded assertions that they have removed "the ... component .. that has been discussed".

The companies need to come clean with the public – their customers – about what they did in the first place, and what they are doing now. At the very least, they need to tell us what is in the software update they're now distributing.

Meanwhile, lawprof Eric Goldman asks whether the SonyBMG EULA adequately disclosed what the company was doing to users' computers. If not, the company may be legally liable for trespass to chattels, or may even have violated the Computer Fraud and Abuse Act. Goldman concludes that the disclosure may be adequate as a legal matter, though he doesn't assert that it's a good business practice.

While the legal question is beyond my expertise, it's awfully hard to see how, from a common-sense viewpoint, SonyBMG could be said to have disclosed that they might be installing rootkit-like software. Surely the user's consent to installing "a small proprietary software program ... intended to protect the audio files embodied on the CD" does not give SonyBMG free rein to do absolutely anything they like to the user's computer. Whether, as a legal matter, Sony exceeded their user-granted authorization to modify the user's computer would ultimately be for a court to decide.

Goldman says, with some justification, that today's EULAs expose a "crisis" in contract law by attenuating, almost beyond recognition, the notion of consent to a contract. Part of the problem is the well-known fact that hardly anybody reads EULAs. But another part of the problem is that EULAs don't give even the most diligent users a clear idea of what they are consenting to.

SonyBMG and First4Internet are in the doghouse now, having been caught installing rootkit-like software on the computers of SonyBMG music customers, thereby exposing the customers to security risk. The question now is whether the companies will face up to their mistake and try to remedy it.

First4Internet seems to be trying to dodge the issue. For example, here's part of a news.com story by John Borland:

The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.

In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company's CEO.

"I think this is slightly old news," Gilliat-Smith said. "For the eight months that these CDs have been out, we haven't had any comments about malware (malicious software) at all."

The claim that the software is not a risk is simply false, as Alex explained yesterday. And if the company is indeed working on new ways to hide the contents of your computer from you, that just shows that they haven't learned their lesson. The problem is not that they used a particular rootkit method. The problem is that they used rootkit methods at all. Switching to a new rootkit method will, if anything, make the problem worse.

The claim that there haven't been any complaints about the software is also false. The reviews on Amazon have plenty of complaints, and there was a discussion of these problems at CastleCops. And, of course, Mark Russinovich has complained.

The claim that this is old news is just bizarre. First4Internet is offering this system to record companies – today. SonyBMG is selling CDs containing this software – today. And this software is sitting on many users' computers with no uninstaller – today.

If the First4Internet wants to stop spinning and address the problem, and if SonyBMG wants to start recovering consumer trust, I would suggest the following steps.

(1) Admit that there is a problem. The companies can admit that the software uses rootkit-like methods and may expose some consumers to increased security risk.

(2) Modify product packaging, company websites, and EULA language to disclose what the software actually does. Thus far there hasn't been adequate notification. For example, the current EULA says this:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Clearly a rootkit neither protects the audio files nor facilitates use of the content. This is not the only misleading aspect of the description. For example, this does not convey to users that they will be unable to make lawful uses of the music such as downloading it to an iPod, or that there is no way to uninstall the software (indeed, it strongly implies the opposite), or that attempting to remove the software may make the computer's CD drive inaccessible.

(3) Release a patch or uninstaller that lets any consumer easily remove or disable the rootkit-like functions of the software. Having caused security problems for their users, the least the companies can do is to help users protect themselves.

(4) Make clear that the companies support, and give permission for, research into the security implications of their products. Saying "trust us" won't cut it anymore. Having betrayed that trust once, the companies should publicly welcome the Mark Russinoviches of the world to keep studying their software and publishing what they find. If you act like you have something to hide – and you have had something to hide in the past – the public will be smart enough to conclude that you're probably still hiding something. This is especially true if you announce that you are trying to find new ways to do the thing that you were just caught doing!

Finally, let me just point out two things. First, we don't know yet whether the First4Internet/SonyBMG software causes even more security or privacy problems for users. Given what we've seen so far, I wouldn't be at all surprised if there are more problems lurking.

Second, this general issue applies not only to F4I and SonyBMG's technology. Any attempt to copy-protect CDs will face similar problems, because this kind of copy-protection software has a lot in common with standard malware. Most notably, both types of software try to maintain themselves on a user's computer against the user's will – something that cannot be done without eroding the user's control over the computer and thereby inhibiting security.

If you're using a recent version of Windows, you can protect yourself against this type of software, and some other security risks, by disabling autorun.

Yesterday, Sysinternals's Mark Russinovich posted an excellent analysis of a CD copy protection system called XCP2. This scheme, created by British-based First4Internet, has been deployed on many Sony/BMG albums released in the last six months. Like the SunnComm MediaMax system that I wrote about in 2003, XCP2 uses an "active" software-based approach in an attempt to stifle ripping and copying. The first time an XCP2-protected CD is inserted into a Windows system, the Windows Autorun feature launches an installer, which copies a small piece of software onto the computer. From then on, if the user attempts to copy or rip a protected CD, the software replaces the music with static.

This kind of copy protection has several weaknesses. For instance, users can prevent the active protection software from being installed by disabling autorun or by holding the shift key (which temporarily suspends autorun) while inserting protected discs. Or they can remove the software once it's been installed, as was easily accomplished with the earlier SunnComm technology. Now, it seems, the latest innovations in CD copy protection involve making the protection software harder to uninstall.

What Russinovich discovered is that XCP2 borrows techniques from malicious software to accomplish this. When XCP2 installs its anti-copying program, it also installs a second component which serves to hide the existence of the software. Normally, programs and data aren't supposed to be invisible, particularly to system administrators; they may be superficially hidden, but administrators need to be able to see what is installed and running in order to keep the computer secure. What kind of software would want to hide from system administrators? Viruses, spyware, and rootkits (malicious programs that surreptitiously hand over control of the computer to a remote intruder). Rootkits in particular are known for their stealthiness, and they sometimes go to great lengths to conceal their presence, as Russinovich explains:

Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel's system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that's exported for use by Windows applications has a pointer in a table that's indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API.

Sure enough, XCP2 adopts the latter technique to conceal its presence.

Russinovich is right to be outraged that XCP2 employs the same techniques against him that a malicious rootkit would. This makes maintaining a secure system more difficult by blurring the line between legitimate and illegitimate software. Some users have described how the software has made their anti-virus programs "go nuts," caused their system to crash, and cost them hours of aggravation as they puzzled over what appeared to be evidence of a compromised system.

But things are even worse than Russinovich states. According to his writeup, the XCP driver is indiscriminant about what it conceals:

I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

Once the driver is installed, there's no security mechanism in place to ensure that only the XCP2 software can use it. That means any application can make itself virtually invisible to standard Windows administration tools just by renaming its files so that they begin with the string "$sys$". In some circumstances, real malicious software could leverage this functionality to conceal its own existence.

To understand how, you need to know that user accounts on Windows can be assigned different levels of control over the operation of the system. For example, some users are granted "administrator" or "root" level access—full control of the system—while others may be given more limited authority that allows them to perform every day tasks but prevent them from damaging other users' files or impairing the operation of the computer. One task that administrators can perform that unprivileged users cannot is install software that uses the cloaking techniques that XCP2 and many rootkits employ. (Indeed, XCP2 is unable to install unless the user running it has administrator privileges.)

It's a good security practice to give users as little permission as they need to do their jobs—we call this the "Principle of Least Privilege" in the security trade—because, among other reasons, it restricts the activities of malicious software. If every user on a system has administrator access, any malicious programs that become installed can put up their own cloaking mechanisms using the same techniques that XCP2 uses. However, consider what happens when there are multiple accounts on the system, some with Administrator access and some with more limited control. Such a setup is fairly common today, even on family computers. If the administrator uses a CD that installs XCP2, the XCP2 cloaking driver will be available to applications installed by any user on the system. Later, if one of the unprivileged users installs some malware, it can use the XCP2 driver to hide itself from the user and the Administrator, even though it wouldn't have permission to perform such cloaking on its own.

This kind of security bug is called a "privilege escalation vulnerability." Whenever such a vulnerability is discovered in Windows, Microsoft quickly rolls out a patch. If Sony and First4Internet have any regard for their customers' security, they must immediately issue a fix for this serious problem.

Copy protection vendors admit that their software is merely a "speedbump" to copyright infringement, so why do they resort to such dangerous and disreputable means to make their systems only marginally more difficult to bypass? One of the recording industry's favorite arguments why users should avoid P2P file sharing is that it can expose them to spyware and viruses. Thanks to First4Internet's ill-conceived copy protection, the same can now be said of purchasing legitimate CDs.

In case you haven't already disabled Autorun, now might be a good time.

No sooner do I start writing about net neutrality than Ed Whitacre, the CEO of baby bell company SBC, energizes the debate with a juicy interview:

Q: How concerned are you about Internet upstarts like Google, MSN, Vonage, and others?

A: How do you think they're going to get to customers? Through a broadband pipe. Cable companies have them. We have them. Now what they would like to do is use my pipes free, but I ain't going to let them do that because we have spent this capital and we have to have a return on it. So there's going to have to be some mechanism for these people who use these pipes to pay for the portion they're using. Why should they be allowed to use my pipes?

The Internet can't be free in that sense, because we and the cable companies have made an investment and for a Google or Yahoo or Vonage or anybody to expect to use these pipes [for] free is nuts!

This is a pretty dumb thing for him to say, for several reasons. First, it shows amazing disrespect for his home broadband customers, who are paying $40 or so every month to use SBC's pipes. If I were an SBC broadband customer, I'd be dying to ask Mr. Whitacre exactly what my monthly payment is buying, if it isn't buying access to Google, Yahoo, Vonage, and any other $%&^* Internet service I want to use. Didn't SBC's advertising say I was buying access to the Internet?

Second, if somebody is going to pay somebody in this situation, it's not clear who should be doing the paying. There is some set of customers who want to use SBC broadband service to access Google. Why should Google pay SBC for this? Why shouldn't SBC pay Google instead?

Sure, SBC would like its customers to have free access to Google, Yahoo, and Vonage. But as Mr. Whitacre would put it, the Internet can't be free in that sense, because Google, Yahoo, and Vonage have made an investment and for SBC or anybody to expect to use those services for free is nuts!

My point is not that SBC should necessarily pay, but that there is no rule of nature saying that one layer of the protocol stack should pay another layer. If SBC gets paid by Google, it's because SBC faces less competition and hence has more market power. As Susan Crawford observes, Mr. Whitacre speaks with "the voice of someone who doesn't think he has any competitors."

At this point, economists will object that it's sometimes efficient to let ISPs levy these kinds of charges, and so requiring net neutrality from SBC may lead to an inefficient outcome. I appreciate this point, and will be writing more about it in the future.

For now, though, notice that Mr. Whitacre isn't speaking the language of efficiency. He wants to extract payments because he can. There's a whiff here of the CEO-tournament syndrome that infected the media world in the 1990s, as documented in Ken Auletta's "mogul" stories. Can Mr. Whitacre make the CEOs of Google, Yahoo, and Vonage genuflect to him? Is he really the man with the biggest ... market power? If there are to be side payments, will they reflect business calculation, or just ego?

It's one thing to argue that a policy can lead to efficient results. It's another thing entirely to show that itwill lead to efficient results, in the hands of real human beings.

Adam Thierer has an interesting post about network neutrality over at Tech Liberation Front. He is reacting to a recent Wall Street Journal story about how some home broadband service providers (BSPs) are starting to modify their networks to block or frustrate network applications they don't like.

Why would a BSP discriminate against an application's traffic? The standard scenario that people worry about is that a BSP hinders traffic from Vonage or some other VoIP application, because the BSP wants to sell phone service to the customer and VoIP competes with that phone service. One can cook up a hypothetical like this whenever a BSP wants to sell an application-level service. The standard response to this worry is to suggest "net neutrality" regulation, which would require BSPs to carry all traffic on an equal footing, regardless of which application or protocol is used. There is a complicated literature about the economics of net neutrality; for now, suffice it to say that net neutrality regulation can help or hurt, depending on the precise circumstances.

Thierer opposes net neutrality regulation. He seems especially worried that neutrality might require BSPs to treat all customers the same, regardless of how much network traffic they generate. If a few customers use lots of bandwidth this will leave less for everybody else, or alternatively will require the BSP to upgrade the network and pass on the cost neutrally to all users. It's better, he argues, to let BSPs price differentially based on bandwidth usage.

It's hard to argue with that proposition. I don't think any reasonable net neutrality advocate would object to a BSP discriminating or pricing based solely on bandwidth usage. They would of course object if a BSP blocked a particular app and rationalized that act with vague excuses about saving bandwidth; but a real bandwidth limit ought to be uncontroversial.

(Technically, customers already have bandwidth limits, in the sense that a given class of service limits the maximum instantaneous bandwidth that a customer can use. What we're talking about here are limits that are defined over a longer period, such as a day or a week.)

It's already the case that some customers use much more bandwidth than others. Thierer quotes a claim that fewer than 10% of Time-Warner customers use more than 75% of bandwidth; and another BSP makes an even stronger claim. This isn't a surprise – this kind of business is often subject to an 80/20 rule (80% of the resources used by 20% of the customers) or even a 90/10 rule.

But will ISPs actually apply bandwidth limits? Here's Thierer:

This raises the most interesting issue in this entire debate: Why is it that BSPs are not currently attempting to meter broadband usage and price it to account for demand and "excessive" usage by some users? In my opinion, this would be the most efficient and least meddlesome way of dealing with this problem. Per-minute or per-bit pricing schemes could help conserve pipe space, avoid congestion, recover costs and enable BSPs to plow the savings into new capacity / innovation. Despite this, no BSP seems willing to engage in any sort of metering of the pipe. Why is that?

I think there are two reasons that BSPs have so far been unwilling to price discriminate. Frist broadband operators are probably concerned that such a move would bring about unwanted regulatory attention. Second, and more importantly, cable and telco firms are keenly aware of the fact that the web-surfing public has come to view "all you can eat" buffet-style, flat-rate pricing as a virtual inalienable right. Internet guru Andrew Odlyzko, has correctly argued that "People react extremely negatively to price distrimination. They also dislike the bother of fine-grained pricing, and are willing to pay extra for simple prices, especially flat-rate ones."

So if BSPs aren't willing to bandwidth-discriminate now, and doing so would anger customers, why would we expect them to start discriminating in the future? It's not enough to point to a 90/10 rule of bandwidth usage. If, as seems likely, a 90/10 rule has been operating for a while now, and BSPs have not responded with differential pricing, then it's not clear why anything would change in the future. Perhaps there is data showing that the customer-to-customer imbalance is getting worse; but I haven't seen it.

Ultimately, BSPs' general refusal to bandwidth-discriminate would seem to contradict claims that bandwidth discrimination is necessary. Still, even net neutrality advocates ought to support BSPs' freedom to bandwidth-discriminate.

Alert readers have surely noticed by this point that I haven't said whether I support net neutrality regulation. The reason is pretty simple: I haven't made up my mind yet. Both sides make plausible arguments, and the right answer seems to depend on what assumptions we make about the markets and technology of the near future. I'll probably be talking myself through the issue in occasional blog posts here over the next few weeks. Maybe, with your help, I'll figure it out.

One of the advantages of teaching in a good university is the opportunity to hear smart students talk to each other about complicated topics. This semester I'm teaching a graduate seminar in technology and privacy, to a group of about ten computer science and electrical engineering students. On Monday the class discussed the future of RFID technology.

The standard scenario for RFID involves affixing a small RFID "tag" to a consumer product, such as an item of clothing sold at WalMart. (I'm using WalMart as a handy example here; anyone can use RFID.) Each tag has a unique ID number. An RFID "reader" can use radio signals to determine the ID numbers of any tags that are nearby. WalMart might use an RFID reader to take an inventory of which items are in their store, or which items are in the shopping cart of a customer. This has obvious advantages in streamlining inventory control, which helps WalMart operate more efficiently and sell products at lower prices.

This sounds fine so far, but there is a well-known problem with this scheme. When a customer buys the item and takes it home, the RFID tag is still there, so people may be able to track the customer or learn what he is carrying in his backpack, by scanning him and his possessions for RFID tags. This scares many people.

The risk of post-sale misuse of RFID tags can be mitigated by having WalMart deactivate or "kill" the tags when the customer buys the tag-containing item. This could be done by sending a special radio code to the tag. On receiving the kill code, the tag would stop operating. (Any practical kill feature would allow a special scanner to detect that a dead tag was present, but not to learn the dead tag's ID number.)

Killing tags is a fine idea, but perhaps the consumer wants to use the tag for his own purposes. It would be cool if my laundry hamper knew which clothes were in it and could warn me of an impending clean-sock crisis, or if my fridge knew whether it contained any milk and how long that milk had been present. These things are possible if my clothing and food containers have working RFID tags.

One way to get what we want is to have smarter tags that use cryptography to avoid leaking information to outsiders. A smart tag would know the cryptographic key of its owner, and would only respond to requests properly signed by that key; and it would reveal its ID number in such a way that only its owner could understand it. At the checkout stand, WalMart would transfer cryptographic ownership of a tag to the buyer, rather than killing the tag. Any good cryptographer can figure out how to make this work.

The problem at present is that garden-variety RFID tags can't do fancy crypto. Tags don't have their own power source but get their power parasitically from an electromagnetic "carrier wave" broadcast by the reader. This means that the tag has a very limited power budget and very limited time – not nearly enough of either to do serious crypto. Some people argue that the RFID privacy problem is an artifact of these limitations of today's RFID tags.

If so, that's good news, because Moore's Law is increasing the amount of computing we can do with a fixed power or time budget. If Moore's Law applies to RFID circuits – and it seems that it should – then the time will come in a few years when dirt-cheap RFID tags can do fancy crypto, and therefore can be more privacy-friendly than they are today. The price difference between simple tags and smart tags will be driven toward zero by Moore's Law, so there won't be a cost justification for using simpler but less privacy-friendly tags.

But here's the interesting question: when nicer RFID tags become possible, will people switch over to using them, or will they keep using today's readable-by-everybody tags? If there's no real cost difference, there are only two reasons we might not switch. The first is that we are somehow locked in by backward compatibility, so that any switch to a new technology incurs costs that nobody wants to be the first to pay. The second is a kind of social inertia, in which people are so accustomed to accepting the privacy risks of dumber RFID technologies that they don't insist on improvement. Either of these scenarios could develop, and if they do, we may be locked out from a better technology for quite a while.

Our best hope, perhaps, is that WalMart can benefit from a stronger technology. Current systems are subject to various uses that WalMart may not like. For example, a competitor might use RFID to learn how many of each product WalMart is stocking, or to learn where WalMart customers live. Or a malicious customer might try to kill or impersonate a WalMart tag. Smarter RFID tags can prevent these attacks. Perhaps that will be enough to get WalMart to switch.

Looking further into the future, the privacy implications of small, communicating devices will only get more serious. The seminar read a paper on "smart dust", a more futuristic technology involving tiny, computationally sophisticated motes that might some day be scattered across an area, then picked up by passersby, as any dust mote might be. This is a really scary technology, if it's used for evil.

Today, inventory control and remote tracking come in a single technology called RFID. Tomorrow, they can be separated, so that we can have the benefits of inventory control (for businesses and individuals) without having to subject ourselves to tracking. Tracking will be more possible than ever before, but at least we won't have to accept tracking as a side-effect of shopping.