[Clips] Sony BMG's DRM provider does not rule out future use of stealth
R. A. Hettinga
rah at shipwright.com
Wed Nov 9 10:50:57 EST 2005
--- begin forwarded text
Delivered-To: clips at philodox.com
Date: Wed, 9 Nov 2005 10:50:05 -0500
To: Philodox Clips List <clips at philodox.com>
From: "R. A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Sony BMG's DRM provider does not rule out future use of stealth
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com
<http://www.tgdaily.com/2005/11/04/f4i_says_sony_bmg_xcp_is_not_rootkit/print.html>
Tom's Guide Daily
Sony BMG's DRM provider does not rule out future use of stealth
By Scott M. Fulton, III
Published Friday 4th November 2005 22:27 GMT
Oxfordshire (UK) - The CEO of the company which provides digital rights
management tools and software to global music publisher Sony BMG, and which
developed the XCP system that was the subject of controversy this week,
told TG Daily in an exclusive interview that, despite what some security
software engineers, news sources, and bloggers have suggested, XCP is not,
and was never designed to be, a rootkit.
"We believe there are some comments that have been misunderstood in the
media," said Matthew Gilliat-Smith, chief executive officer of First 4
Internet, the manufacturers of XCP. "Our view is that this is a 'storm in a
teacup,' as we say over here in the UK ... I want to confirm that this is
not malware. It's not spyware. There's nothing other than pure content
protection, which is benign."
As we reported yesterday
(http://www.tgdaily.com/2005/11/03/sony_bmg_xcp_is_it_a_rootkit/), security
software engineer Mark Russinovich discovered, through the use of a program
he wrote called RootkitRevealer, that drivers deposited on his system from
a Sony BMG audio CD he purchased were using stealth techniques to hide
their appearance not only from the user, but also from portions of the
Windows operating system. These drivers had been installed in such a way
that they were run perpetually, loaded automatically - even in safe mode -
and were referenced in the Windows System Registry using a method that
could not be deleted without extensive reworking of the Registry, to enable
the operating system to recognize the CD-ROM drive again. In his
investigation, he identified these drivers as part of the XCP copy
protection system.
Russinovich's story, posted to his company's Web site
(http://www.sysinternals.com/Blog/), was widely read and generated enormous
response from bloggers, some of whom believed either that Russinovich was
suggesting, or that his evidence had substantiated, that XCP constituted a
rootkit. Under the more technical definition of that term, it would have to
open up an unmonitored Internet connection with a remote host, probably
with the intention of delivering a malicious payload in a very undetectable
manner. No such allegations were made of such behavior by Russinovich, yet
the characterization hung in the air.
"There's areas of misinformation which I'd be very happy to set straight,"
Gilliat-Smith told us. "The first is [the allegation that XCP is some form
of] rootkit technology, in the form that would be used to spread malware.
What it is, it's using cloaking techniques that are similar to a rootkit,
for the purpose of making speed bumps on the content protection, to make it
more difficult to circumvent the protection."
Gilliat-Smith said his software does not open up any connection between the
stealth driver and its host. "Ours does not do that," he said. "All we're
doing is using a hook and a redirect, so when you look for a file, it is
hidden. It is very widely used...since way back in 1994, by many shareware
companies and anti-virus companies."
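The cloaking described above (drivers hidden from the user and from parts of Windows, and a "hook and redirect" that makes a file disappear from a directory listing) is what a cross-view detector looks for: it asks for the same listing through the normal API and through an independent lower-level path, and reports whatever the API view omitted. The check depends only on the hiding behaviour, not on any network activity. The following is an added Python illustration of that general approach; it is not RootkitRevealer's code and nothing in it comes from First 4 Internet or Sony BMG. The in-memory volume, the simulated hook, the `$cloak$` prefix and every file name are constructed placeholders.

```python
"""Cross-view detection of API-level file hiding (added illustration).

A rootkit-style 'hook and redirect' on a directory-listing API drops
matching entries before the caller sees them.  A cross-view detector
obtains the same listing through an independent lower-level path and
reports the difference.  Both views are simulated with constructed data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List

# Constructed placeholder prefix recognised by the simulated cloaking hook.
HIDDEN_PREFIX = "$cloak$"

Listing = Callable[[str], List[str]]


@dataclass
class SimulatedVolume:
    """Toy file system: the raw on-disk directory table (constructed)."""
    entries: Dict[str, List[str]] = field(default_factory=dict)

    def raw_listing(self, directory: str) -> List[str]:
        """Low-level view: read the directory table directly, bypassing any hook."""
        return sorted(self.entries.get(directory, []))


def install_hiding_hook(raw: Listing, prefix: str) -> Listing:
    """Simulate a 'hook and redirect': wrap the listing call and filter out
    names carrying the prefix, so callers of the hooked API never see them."""
    def hooked_listing(directory: str) -> List[str]:
        return [name for name in raw(directory) if not name.startswith(prefix)]
    return hooked_listing


def cross_view_diff(api_view: Listing, raw_view: Listing,
                    directories: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per directory, entries present in the raw view but missing from
    the API view.  A non-empty result means something between the API and the
    disk is suppressing entries; a clean system yields an empty dict."""
    findings: Dict[str, List[str]] = {}
    for directory in directories:
        hidden = sorted(set(raw_view(directory)) - set(api_view(directory)))
        if hidden:
            findings[directory] = hidden
    return findings


def build_demo_volume() -> SimulatedVolume:
    """Constructed sample data: two directories, one containing cloaked files."""
    return SimulatedVolume(entries={
        r"C:\Windows\system32": ["kernel32.dll", "user32.dll",
                                 f"{HIDDEN_PREFIX}filter.sys",
                                 f"{HIDDEN_PREFIX}lib.dll"],
        r"C:\Program Files\Player": ["player.exe", "readme.txt"],
    })


def run_demo() -> Dict[str, List[str]]:
    """Install the simulated hook, then run the cross-view comparison."""
    vol = build_demo_volume()
    hooked = install_hiding_hook(vol.raw_listing, HIDDEN_PREFIX)
    # Through the hooked API the cloaked names are simply absent...
    assert all(not n.startswith(HIDDEN_PREFIX)
               for n in hooked(r"C:\Windows\system32"))
    # ...but comparing against the raw table exposes them.
    return cross_view_diff(hooked, vol.raw_listing, vol.entries.keys())


if __name__ == "__main__":
    for directory, names in run_demo().items():
        print(f"{directory}: hidden from API view -> {names}")
```

The same `cross_view_diff` works unchanged for any pair of name-listing views, so a registry variant only needs the two enumeration callables swapped in; the detector never has to know how the hook is implemented, only that two supposedly equivalent views disagree.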
A paper describing what appears to be the "hook and redirect" method to
which Gilliat-Smith refers, published by the online hacker magazine
Phrack.org, defines rootkit as "a program designed to control the behavior
of a given machine. This is often used to hide the illegitimate presence of
a backdoor and other such tools. It acts by denying the listing of certain
elements when requested by the user, affecting thereby the confidence that
the machine has not been compromised." By "backdoor," the paper can be
presumed to mean a method by which a remote party can take control of the
system undetected. Gilliat-Smith denies any such methods are, or have ever
been, used by XCP.
Furthermore, Gilliat-Smith stated, the version of XCP which utilized this
"hook and redirect" method to hide the presence of the persistent driver
is no longer being used in new audio CDs. At the time these concerns arose,
he said, "we had already created the new version of the software, which
provides a range of additional features for the consumer. We have moved
away from the cloaking technology that gives rise to these concerns."
First 4 Internet (F4i) has made available to Sony BMG a removal tool, which
users can download from Sony BMG's Web site
(http://cp.sonybmg.com/xcp/english/updates.html), that removes the XCP
driver from users' systems and cleans up the mess left in the Registry. In
addition, F4i's Gilliat-Smith told TG Daily, the company has offered
anti-virus companies tools with which they can bypass the "hook and
redirect" API method, and scan files in XCP's stealth directory. One of the
anti-virus companies to which F4i has been talking, he said, has been
F-Secure, which recently claimed that malicious users could conceivably
craft methods that take advantage of XCP having opened up, in effect, a
"stealth channel" to the operating system, enabling them to fill in the
gaps and make XCP into a true rootkit. No material evidence of these claims
has been presented, though last Tuesday, F-Secure officially listed the XCP
DRM software (http://www.f-secure.com/v-descs/xcp_drm.shtml) as a virus. No
method of propagation or payload distribution was reported.
Gilliat-Smith cited F-Secure's development of a rootkit removal tool,
called Blacklight, "so it seems that they have a vested interest in the
subject," he said. F-Secure officials have informed XCP of its opinions and
stand on F4i's software, he added. But the potential for leveraging XCP as
the backdoor for a real rootkit, as well as any vulnerabilities alleged by
Russinovich, he said, should all be treated as theoretical, adding,
"Vulnerabilities can occur in any software application that a user puts on
his computer."
The balancing act: Protection vs. fair use
"Independent consumer surveys [about] the CDs that have been released have
shown very positive consumer reactions to the way the CDs work in their
computer, and the ability to make backup copies," stated First 4 Internet's
Gilliat-Smith. "So we're always reviewing the ways forward...and we will
recommend and suggest different ways of putting in these speed bumps, but
we will not be using the same methodologies that have been written about in
[Russinovich's] article."
Ross Rubin, director of industry analysis for NPD Techworld, has been
following the XCP DRM story with us. "It's a difficult challenge to balance
the convenience of listening to music with the desire to protect
intellectual property," he told TG Daily. "I think, at this point, it's
very difficult to try to go back in time and turn CDs into a secure
mechanism, because there's just such a tremendous installed base of
compatible products, and consumers are used to listening to CDs on their
computers and ripping them." The ultimate solution, Rubin believes, is to
work toward focusing upon preventing the undesired behavior, rather than
preventing a large class of behaviors, most of which are not necessarily
illegal or even unethical.
But what's a company like F4i to do? If it uses completely benign copy
protection methods, even novice users can easily smooth out its "speed
bumps"; if it uses stealth in any form (especially now), it opens itself up
to ridicule. "It's kind of a no-win situation," responded Rubin. "It's very
hard to find the medium that's not going to punish the legitimate users of
your product, but which is going to discourage those who would abuse fair
usage privileges. I think up until now, most of the criticism has been
around the protection schemes being too easy to circumvent. Now, perhaps,
the pendulum has swung the other way."
Responses we received to yesterday's article about the Russinovich story
included a comment that XCP may be undesirable from a consumer's
perspective not because it's malware, but because it wastes processor space
and that it monitors customers' CD-ROM listening habits. Gilliat-Smith
denied both claims: "I sense what's happening is, people are making
assumptions without having run the discs themselves. There is no suggestion
that there is any monitoring of what's going on at all...It has not been
reported to me that excessive CPU usage is being made here. There is the
cloaking technology that had been used up until now, to 'hook and redirect'
to disguise the files; [that] might be using minimal CPU usage, but there's
certainly no [indication] that it's been making an onerous usage of it."
In an update to his original article (http://www.sysinternals.com/Blog/)
posted today, Sysinternals' Mark Russinovich elevated his language. Not
only does he now refer to XCP directly as a rootkit, he adds that since
XCP's built-in media player software (with which limited backup copies can
be produced) does establish a connection with a remote server, the DRM
software as a whole truly does "phone home," in essence fulfilling the
extra requirement necessary to qualify for the hackers' definition of a
rootkit. Further, he cites the fact that the end-user license agreement
(EULA) shipped with the Sony BMG audio CD does not make mention of this
capability. For proof, Russinovich reproduces the entire language of the
EULA on a Web page unto itself, highlighting the portion which references
the XCP software package directly. In very rudimentary boilerplate
language, it states, "The SOFTWARE is intended to protect the audio files
embodied on the CD," and will reside on the user's system until removed or
deleted. However, it states, the software will not collect personal
information of any form.
In his update, Russinovich characterized Sony BMG's EULA with these words:
"An end user is not only installing software when they agree to the EULA,
they are losing control of part of the computer, which has both reliability
and security implications."
The EULA, states F4i's Gilliat-Smith, is a matter for Sony BMG to determine
for its customers. However, based on his understanding of it, "The EULA is
very clear, and it's a very straightforward process. It clearly states that
content protection technologies can be loaded. If the user doesn't agree to
accept, then the CD does not load, and the program does not load.
"This is not malware, not spyware," Gilliat-Smith reiterated. "No one has
suggested that it is. What they're saying is that rootkit technology -
which this is not, in its entirety - is something that potentially could be
used to masquerade behind, and I confirmed that the XCP technology no
longer uses the cloaking technologies that this article suggested could
potentially pose a threat."
But Gilliat-Smith would not go so far as to say current or future versions
of XCP would refrain from using stealth techniques going forward - just the
"hook and redirect" method discovered by Russinovich. "Going forward in the
future, we will obviously take forward any concerns, and we will make sure
that the consumer is foremost in our minds in terms of how we do it," he
told us. "Because it's a balance between protection and keeping the
consumer foremost in our minds...We very quickly alleviated anybody's
concerns, and are moving forward, and continuing to perform the task that
badly needs to be done."
NPD's Ross Rubin sees the same balancing act, but perceives a different
solution: "It comes down to the balance argument: Do you really need to be
operating that far down in the OS to discourage casual piracy? I don't
think you do. The users who are determined to crack the codes are really
going to focus time and energy on those kinds of efforts anyway. I wouldn't
agree that it's necessary to dig that deep."
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips
--- end forwarded text
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com