boston.com Business your connection to The Boston Globe

New security flaw vexes Sony BMG piracy battle

Expert says patch makes problem worse

Sony BMG Music Entertainment has acknowledged a new security problem affecting nearly 6 million of its CDs, and a Princeton University computer expert said yesterday that a patch the company designed to fix the problem may only make things worse.

The new security problem is the latest embarrassment for Sony BMG, which last month recalled millions of CDs that contained a different antipiracy program that also was plagued with technical flaws.

Computer security experts say that Sony BMG's problems show the near-impossibility of writing software that will prevent consumers from making illicit copies of recorded music and sharing them over the Internet without posing risks to consumers' computer security.

''I think there are problems with compact disc copy protection that can't be resolved," said Edward Felten, professor of computer science and public affairs at Princeton. One security expert, Alex Stamos of Information Security Partners LLC in San Francisco, recommended that consumers should not play Sony BMG music CDs in their computers until further notice.

The problems for the company began last month, when computer programmer Matt Russinovich found that Sony BMG was shipping many of its music discs with a program called XCP. The program has no effect on standard CD players. But it installs itself on computers running Microsoft Corp.'s Windows operating system when a CD owner tries to play the disc on the computer.

XCP was designed to limit the number of times a user could copy the tunes on the disc, and to ensure that these copies could not be played on other computers. But the software also concealed itself on users' computers and was extremely difficult to remove. In addition, XCP secretly sent information about users' listening habits over the Internet to Sony BMG.

Russinovich published his discovery on the Internet, spawning an international outcry from computer users, and a spate of class-action lawsuits. In response, Sony agreed to withdraw about 4.7 million affected discs from stores, and set up an exchange program for consumers who had purchased about 2.1 million of the discs. Sony BMG kept on using a different anticopying program called MediaMax, produced by SunnComm Inc. of Phoenix.

But the Electronic Frontier Foundation filed a lawsuit against the company's use of both XCP and MediaMax, saying that the SunnComm program was also flawed. The EFF cited research by J. Alex Halderman, one of Edward Felten's students at Princeton. Halderman said MediaMax sends information about users over the Internet without their permission. He also claimed that MediaMax installs itself even if the user clicks a button that's supposed to stop installation.

The EFF hired Information Security Partners to analyze MediaMax. In the process, the security company found a new problem with the software -- a vulnerability that could allow unauthorized users to take full control of the computer's operations.

Even though this new problem was unrelated to EFF's lawsuit, the group notified Sony BMG and SunnComm, which quickly moved to issue a patch that would solve the problem. The problem affected 27 Sony BMG titles, including Alicia Keys' ''Unplugged," and Cassidy's ''I'm A Hustla." The patch was posted Tuesday on Sony BMG's website.

But yesterday, Halderman struck again. He said that Sony BMG's patch was also flawed and could actually cause the security problem it was supposed to block. Thomas Hesse, president of Sony BMG's global digital business unit, said that his company's experts were working to verify Halderman's claim, and would issue a modified patch if necessary.

Hesse said the company is rethinking its antipiracy policies.

''We need to reevaluate where we go with CD content protection overall," said Hesse. ''I think we have definitely learned many lessons from this episode." But Hesse refused to speculate on whether Sony BMG would abandon efforts to put antipiracy software on its music CDs.

Beyond being a public relations nightmare for Sony BMG, these episodes have underscored how difficult it is for the recording industry to halt rampant piracy of recorded music. Other major music companies are working on their own solutions. EMI Group, which produces discs by such acts as the Rolling Stones, Lenny Kravitz, and Snoop Dogg, uses software from Macrovision Inc. of Santa Clara, Calif., to block piracy.

But two other major labels, Warner Music and Universal Music, have so far refrained from using similar software. A spokesman for Universal, Peter LoFrumento, said his firm is open to the idea. But Universal won't use any antipiracy products that make it harder for customers to enjoy music.

''It can't in any way hurt the user experience," LoFrumento said.

Alex Stamos said that making reliable antipiracy software is tough because such programs are designed to interfere with the normal operation of other software on computers.

''That will never be reliable," said Stamos, ''and it will be very, very difficult to make secure."

Hiawatha Bray can be reached at bray@globe.com.
