funsec mailing list archives

Re: Sony to patch copy-protected,


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 03 Nov 2005 13:20:05 +1300

Rob Thompson wrote:

> Can you say "backpedal"?

Indeed!

I "enjoyed" the following:

   http://cp.sonybmg.com/xcp/english/updates.html

   SOFTWARE UPDATES/ PLUG-INS

   November 2, 2005 - This Service Pack removes the cloaking technology
   component that has been recently discussed in a number of articles
   published regarding the XCP Technology used on SONY BMG content
   protected CDs. This component is not malicious and does not
   compromise security. However to alleviate any concerns that users
   may have about the program posing potential security
   vulnerabilities, this update has been released to enable users to
   remove this component from their computers.

   http://updates.xcp-aurora.com/

...particularly "This component is not malicious and does not 
compromise security".

I guess the first claim is debatable, as it depends on your definition 
of "malicious" and this typically hinges on both subjective notions of 
"sufficiently bad" and the difficult/impossible to prove intentions of 
the designer/implementor/distributor/installer of the software.  I'm 
prepared to accept that First4Internet/Sony really had no overtly 
malicious intentions in the design and use of the "cloaking technology" 
in this software, however, I won't give them that they were not 
incompetent, and I certainly do not want incompetently designed and 
implemented software on my machine, _especially_ when it patches itself 
into device driver/filter chains at Ring 0 AND sets itself up as 
"necessary" so as to be run in Safe Mode...

> Sad part is the patch that they are pushing out via their website
> attempts to install itself via ActiveX.  As far as I know, doing it
> that way, doesn't that mean that they are taking away our ability to
> see what exactly they are doing to our machine when they "patch" it?

Yes, this is rather concerning...

> As there isn't an actual executable that can be taken apart and
> analyzed?

Well, you can always RE this process.  The installation package has to 
be downloaded from the web somewhere, which you can get from RE'ing 
their web pages or simply from sniffing the network traffic of a 
suitably prepared goat system.  You can then manually unpack, 
disassemble, etc the installation package and its contents, or you can 
simply "black box" it by preparing a suitable goat and then let it 
install the "remover", very carefully and thoroughly monitoring the 
before and after state (noting you have to do this in a 
transparent-to-rootkit tricks way) and, during the process also monitoring whatever 
real-time file system, registry, network, etc access you think may be 
relevant.

> Even worse than that, to get the removal tool, you have to apply for
> it with Sony.  And then they will decide if you can have it?  What's
> up with that?

In my limited tests of this kind of thing (haven't tried for the F4I 
"rootkit" yet though), Sony (and other music publishers) have been 
quite forthcoming with instructions on how to work around possible 
problems caused by their various DRM warez included on various forms of 
"copy protected" CDs.  They usually want to know a little information, 
such as what title and where you bought it -- just tell them Amazon and 
then it doesn't matter that you may not be in the US where (supposedly) 
most of these DRM/copy-protected discs have been released.

> Too little, too late.

Yep -- it was absolutely downright stupid of them to think that such 
actions would be acceptable, or to think that they may be able to plant 
such warez on people's machines without its presence being detected and 
the kind of uproar we're seeing not ensuing.

They may be big and they may be rich, but they're clearly farking 
stupid and worse, are too stupid to get _good_ advice before embarking 
on something that anyone with two functioning brain cells would rightly 
tell them would lead to big trouble.


Regards,

Nick FitzGerald
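The before/after and "transparent-to-rootkit" monitoring Nick describes above, as an added example (Python, not part of the original post and not any Sony/First4Internet tooling): it snapshots a constructed stand-in for the goat system's disk, diffs the pre- and post-install state, and compares a trusted (offline) view against the live view to surface entries a cloaking component filters out of directory listings. The installer, the dropped driver file and the hiding of `drivers/` are all simulated in-process.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map every file under root to (size, sha256) so two states can be diffed."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def diff_snapshots(before, after):
    """Added, removed and modified paths between pre-install and post-install snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return added, removed, modified

def cross_view_hidden(trusted, live):
    """Paths present in a trusted view (disk read outside the running OS) but missing
    from the live view: the fingerprint of a listing-filter cloaking driver."""
    return sorted(set(trusted) - set(live))

def demo():
    # Constructed goat system: a temp dir stands in for the test machine's disk.
    with tempfile.TemporaryDirectory() as goat:
        sys32 = Path(goat, "system32")
        sys32.mkdir()
        (sys32 / "config.ini").write_text("cloak=0\n")
        before = snapshot(goat)
        # Simulated installer run: drops a filter driver and rewrites the config.
        (sys32 / "drivers").mkdir()
        (sys32 / "drivers" / "filter.sys").write_bytes(b"MZ constructed driver image")
        (sys32 / "config.ini").write_text("cloak=1\n")
        trusted_after = snapshot(goat)  # taken via a path the cloaking code cannot filter
        # Constructed live view: the cloaking component hides everything under drivers/.
        live_after = {k: v for k, v in trusted_after.items()
                      if not k.startswith("system32/drivers/")}
        added, removed, modified = diff_snapshots(before, trusted_after)
        return {"added": added, "removed": removed, "modified": modified,
                "hidden": cross_view_hidden(trusted_after, live_after)}
```

On a real goat the trusted snapshot comes from booting clean media or mounting the disk image elsewhere; the live one from the booted, possibly cloaked system.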

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.