Beware of Sony BMG CDs
What you need to know
“Purchasers of the XCP discs are eligible for $7.50 cash and one free album download — or no cash and three free downloads — from a list of 200 albums from online services expected to include Apple's iTunes Music Store, Napster and Sony Connect.
Consumers with CDs using the MediaMax software — including titles by Keys, Maroon 5 and Babyface -get either a replacement CD download or a replacement CD download and a free CD download, depending on which CD title was purchased.”
This will likely require the
approval of a judge, and there are other outstanding lawsuits. No word whether the settlement would apply to
The list of the roughly 5.7 million MediaMax CDs, as it is being provided (i.e. it may be incomplete):
This includes Alicia Keys, Avril Lavigne, Britney Spears, Dido, Foo Fighters, Maroon 5, OutKast, Pink, Santana, Sarah McLachlan, Tears for Fears, Velvet Revolver, Whitney Houston and “Soundtrack” and “Various Artists”
According to the Sunncomm website Amici Forever’s “Defined” has MediaMax, but is not labelled to tell one about this.
The uninstall for MediaMax is at:
I have not tried this out – however stories late December 7th and on December 8th indicate there may be a security problem with it – see links below.
Media reports have about 2 million CDs affected by the Sony BMG XCP copy protection. Artists include Celine Dion, Neil Diamond, Patty Loveless, Rosanne Cash, George Jones, and Cyndi Lauper.
The Sony site for XCP information as they are willing to provide it is:
This includes details for an exchange program that seems to work only for US and Canadian addresses.
Click on the options they show at the top (Home, Uninstall Requests etc.) for information.
Canadian information is at:
There is no refund process from Sony BMG, and there is no exchange program for Sony BMG MediaMax CDs at this time.
I have tried out the Sony XCP uninstall finally made available December 5th. At first it seemed to work okay based on 48 hours of testing, except for leaving registry settings at HKLM/SYSTEM/ENUM/ROOT. However subsequent experience indicates that the Registry might have been altered at some point so as to not accept CDs that were burned – in two cases the registry setting, until corrected, prevented data backups on CD from being accessing in Windows Explorer.
In the Fall of 2005, I purchased
the Sony BMG Switchfoot “Nothing is Sound” CD from
Future Shop (
- Install a secret service that would hide all files, services, and registry settings on the computer beginning with $sys$, even for files etc. that were not from Sony BMG, regardless of whether or not I was using the CD or using its content;
- Communicate with Sony via the Internet;
- Install the Sony BMG XCP software without any method of removing it, and if one found the files and removed them, one would not be able to use the CD drive of the personal computer.
As of November 15, 2005 Sony BMG Canada could not provide me with an uninstall utility, could not provide me with details on how to uninstall it myself, has not offered a return & refund for the CD, and has not returned phone calls on this matter, nor has replied to an email that asked for help after removing their files stopped the CD-ROM drive from working.
As of November 21st, the promised uninstall software still is not available, as noted below.
If you know of methods of resolving this, or if you know of consumer and/or legal avenues to force Sony BMG Canada to resolve this, please contact me at firstname.lastname@example.org
Sony’s long list (can you trust this company? –> they said about 20, and it turns out to be 52):
THIS LIST DOES NOT INCLUDE SONY BMG CDs WITH THEIR OTHER COPY PROTECT SOFTWARE (not XCP), including:
My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album
According to the following link, this “SunnComm” MediaMax software may install software on your PC even before you agree to anything:
Back to XCP, Sony still cannot provide uninstall software for XCP.
When Sony is able to provide an XCP uninstall this link should be updated by them:
Right now it says: “We currently are working on a new tool to uninstall First4Internet XCP software … We encourage you to return to this site over the next few days. Thank you for your patience and understanding”
Turning off the Secret Service – Song XCP ‘Rootkit’ Cloaking
For how to turn off the secret service (but still leave the software installed that cannot be removed without not being able to use one’s CD drive) click on:
To see if you have the software and secret service installed:
1) Run “net stop $sys$aries”
2) Search your c: drive for files that begin with $sys$
Various Links for Updates and Reactions
Each quote is from the link directly above it.
Meanwhile, Carlos Santana's camp has issued numerous apologies to fans on his website. The most heartfelt apology was by his wife Deborah Santana writing, "We are pressing our record company to provide us with CDs that do not contain any copy protection to replace the ones you have purchased and we are trying to get facts and answers for every one of you. We have never been in a position where our music has caused harm -- we feel extremely sad and angry that we have caused our fans distress with what we intended would bring you joy."
Digital rights groups warned the music maker about
vulnerabilities its MediaMax copy protection system
created on users PCs. The same groups
have now found that a patch Sony produced to close these holes is itself insecure and leaves users open to a separate attack.
The MediaMax system has been used on more than 5.7
million CDS spread across 50 titles sold in the
But the Electronic Frontier Foundation filed a lawsuit
against the company's use of both XCP and MediaMax,
saying that the SunnComm program was also flawed. The
EFF cited research by J. Alex Halderman, one of
Edward Felten's students at
Windows allows for different levels of access to a computer. The copy-protection software installs a file folder in the computer that could allow a guest user to gain unauthorized access to the computer.
"It's a privileged escalation attack," said Kurt Opsahl, an EFF staff attorney. "On Windows you can have users with different privileges, and because of security weakness in the permissions of a folder, it allows a low-ranked user to act as a high-ranked user."
Researchers at ISEC Partners, working with the Electronic Frontier Foundation (which has since filed a class-action lawsuit against Sony), found that the SunnComm software also contained a worrying security hole.
"Making digital files not copyable is like making water not wet," says Bruce Schneier, chief technology officer at security consulting firm Counterpane Internet Security. "You can't do it. DRM is a desperate attempt to cling to their old business model. They have to figure out how to make money in the new world."
Now, the Sony BMG debacle has drawn the scrutiny of New York Attorney General Eliot Spitzer. … "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," Spitzer said in a written statement. "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."
If music is among your gift-giving ideas this holiday, beware of the danger still lurking on some store shelves.
Compact discs containing software that some have called spyware still can be found at Chicago-area record stores, despite a recall and lawsuits filed by several states against record label Sony BMG.
"The message sent by the
After more than five years of trying, the recording industry has not yet demonstrated a workable DRM scheme for music CDs," Gartner concluded in a newly published research note.
The use of a piece of tape will defeat any future DRM system on audio CDs designed to be played on a stand-alone CD player, the analyst said.
"Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott said.
An understanding of how the company's hidden software works is important to understanding what all the hubbub is about — and to protecting yourself.
"I could understand Sony's reticence if we were talking about a big-ticket item, like a computer," says crisis management expert Robin Cohn, the author of The PR Crisis Bible. "But a $15 CD? That's nothing. Sony should have been able to handle this in two days. Instead, the story just kept on going and going."
The fact that nobody at Sony stopped this from happening suggests to me they may not have had someone on the team tasked with asking the kinds of privacy and security questions that would have raised red flags. When there's nobody to see the warning signs and no one empowered to pull the cord on the emergency brake, it becomes a lot harder to keep the train from running off the edge of the cliff.
After the whole Sony BMG fiasco originally broke, lots of smart people were saying it could be the death knell for DRM technologies. I was not so convinced of that at the time, but as each passing day brings more revelations about how poorly designed these products are, I am beginning to come around to that opinion myself.
ISS has deemed the copyright protection software bundled with certain Sony BMG music CDs as malware. This software actively attempts to hide its presence from users and does not offer uninstall functionality. The software also provides a cloaking mechanism that is being used by different Trojans to hide their presence. The software presents security implications as it allows privilege escalation.
Consumers who used computers to listen to Sony BMG music CDs containing flawed software were still exposed to potentially crippling security breaches yesterday, experts said, as the company continued to try to fix the problem.
Hackers are exploiting flaws in the software Sony is using to remove its controversial copy protection system.
The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can't be removed; trying to get rid of it damages Windows.
More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday.
It's unclear how much Sony BMG knew of the technicalities involved in the DRM system, however it's obvious that they knew the main features - taking over the consumer system.
I congratulate everyone that voiced their concern over the trend Sony’s software portended and I encourage you to continue to fight for a long-lasting resolution on the issue of software installation and disclosure.
It's always hard to tell how things are actually being decided at high levels within major companies like Sony and Microsoft, but to an outside observer, right now it looks like Sony is a company which is waging a battle with itself. The outcome of this battle will have a major impact on the future not only of the videogames industry, but of the digital media industry as a whole - and may determine the survival, or otherwise, of a firm which has led the market for consumer electronics for decades.
The Bottom Line - Opinion
Sony is a company that just doesn’t get it anymore. In other words, you can’t trust Sony to get it right. Apple, Dell, Microsoft, Samsung and many others are carving up the markets that Sony once dominated. Clearly Sony is no longer the quality option, so as a consumer and/or investor one should carefully consider your dependency on this company.