To Whom It May Concern,

I just wanted to write in and voice my extreme displeasure with the tactics your company has resorted to in regards to copy protection. Your efforts to limit the legal usage of legitimately purchased cds does absolutely nothing to hinder illegal use. Instead, it merely serves to make it difficult or impossible for those of us legally buying the albums to create back-ups, upload them to our MP3 players or, sometimes, even to listen to them on our computers or in our automobiles. Couple this with the automatic installation of hidden software onto the hard drives of our computers, and it adds up to you taking a giant piss in the face of those who shell out the hard earned money that makes your company profitable.

In response to your increasingly disrespectful attitude towards your customers, I've made the following personal decision. Until you take steps to eliminate copy protection or, at a bare minimum, come up with a model that ceases to limit fair use by your legitimate customers, I will no longer be purchasing albums on a Sony label. The following paragraph is a list of artists whose future releases this will affect. Keep in mind, these are all artists I have purchased albums from in the past and whose future albums I would most likely be purchasing, if not for your alienation of the law-abiding consumers of your products.

Fiona Apple, Aqualung, The Ataris, Audioslave, Cake, Harry Connick, Jr., Howie Day, Bob Dylan, Ben Folds, Franz Ferdinand, Hope of the States, Modest Mouse, Our Lady Peace, Pearl Jam, Bruce Springsteen, Tenacious D, Travis, The Zutons.

Please do not misinterpret this as me threatening to acquire these artists' future releases illegally, as that is most certainly not the case. Rather, I will simply do without them. As much as I enjoy some of these musicians, there is enough good music in the world that I can get by without hearing their future albums, especially if it decreases the profits of a company who shamelessly abuses its customers.

Additionally, I'd like to mention other Sony artists who have albums I have legally purchased in the past. While for one reason or another it's unlikely I'd be purchasing future releases from them, this list gives a little more perspective on my support of your company over the years.

AC/DC, Aerosmith, Alice in Chains, The Allman Brothers Band, Black Sabbath, Blue Oyster Cult, Boston, Jeff Buckley, Johnny Cash, The Clash, Neil Diamond, The Doobie Brothers, Duran Duran, Fuel, Marvin Gaye, Billy Joel, Live, Lo Fidelity Allstars, Mad Season, Bob Marley & The Wailers, Johnny Mathis, John Mellencamp, Van Morrison, Willie Nelson, Oasis, Roy Orbison, Ozzy Osbourne, Pink Floyd, Rage Against the Machine, Carlos Santana, Simon & Garfunkle, Frank Sinatra, Soul Asylum, Switchfoot, Toto, Uncle Tupelo, Steve Winwood, Pete Yorn

Over the next several weeks, I'll be emailing each of the bands in the first list, informing them of my decision and encouraging them to do what they can to stop you from abusing your customers' rights and to refrain from resigning to your label when their contracts are up for renewal.

I will also be emailing or mailing letters to your parent and sister Sony companies. While I only plan on a total boycott of music, I will also avoid purchasing other Sony products if possible. This is coming from someone who owns a Sony digital camera, television, dvd player, surround sound system, portable stereo and god knows how many dvds.

I know that in the large scheme of things, I'm just one customer and that you could probably not care less about the loss of my business. It is my hope, though, that true music fans all over the country are reaching the same decision I have and that there are enough of us to cause you to be little more concerned about treating your customers with respect in the future.

Feel free to write me back if you like, but at this point the only thing that will cause me to change my mind will be a change in your public actions.

Sincerely,
Jim May

Viruses Exploit Sony CD Copy-Protection

By MATTHEW FORDAHL, AP Technology Writer

SAN JOSE, Calif. - A controversial copy-protection program that automatically installs when some Sony BMG audio CDs are played on personal computers is now being exploited by malicious software that takes advantage of the antipiracy technology's ability to hide files.
ADVERTISEMENT

The Trojan horse programs — three have so far been identified by antivirus companies — are named so as to trigger the cloaking feature of Sony's XCP2 antipiracy technology. By piggybacking on that function, the malicious programs can enter undetected, security experts said Thursday.

"This could be the advanced guard," said Graham Cluley, senior technology consultant at the security firm Sophos. "We wouldn't be surprised at all if we saw more malware that exploits what Sony has introduced."

The copy protection program is included on about 20 popular music titles, including releases by Van Zant and The Bad Plus, and disclosure of its existence has raised the ire of many in the computing community, who consider it to constitute spyware.

Sony BMG Music Entertainment and the company that developed the software, First 4 Internet, have claimed that the technology poses no security threat. Still, Sony posted a patch last week that uncloaks files hidden by the software.

On Thursday, Sony released a statement "deeply regretting any disruption that this may have caused." It also said it was working with Symantec and other firms to ensure any content-protection technology "continues to be safe."

Neither Sony spokesman John McKay nor First 4 Internet CEO Mathew Gilliat-Smith returned messages seeking additional comment.

Windows expert Mark Russinovich discovered the hidden copy-protection technology on Oct. 31 and posted his findings on his Web log. He noted that the license agreement that pops up said a small program would be installed, but it did not specify it would be hidden.

Manual attempts to remove the software can disable the PC's CD drive. Sony offers an uninstallation program, but consumers must request it by filling out two forms on the Internet.

"What they did was not intentionally malicious," Cluley said. "If anything, it was slightly inept."

The copy-protection software, which Sony says is a necessary "speed bump" to limit how many times a CD is copied, only works on Windows-based PCs. Users of
Macintosh and
Linux computers are not restricted.

The viruses also only target Windows-based machines.

The infection opens up a backdoor, which could be used to steal personal information, launch attacks on other computers and send spam, antivirus companies said.

Sony also is facing legal headaches. On Nov. 1, Alexander Guevara filed suit in Los Angeles County Superior Court seeking class action staus. He claims Sony's actions constituted fraud, false advertising, trespass and violated state and federal laws barring malware and computer tampering.

His attorney, Alan Himmelfarb, did not immediately return calls seeking comment.

The Electronic Frontier Foundation, an online civil liberty group, said it is hearing from people who have run into problems with the copy protection software. It is considering filing its own lawsuit, said EFF staff attorney Jason Schultz.

"You can't uninstall it, you can't find it, and it's vastly more invasive in terms of privacy and personal property than any other (digital rights management) program to date," he said.

Sony to Suspend Making Antipiracy CDs By TED BRIDIS, Associated Press Writer
2 hours, 29 minutes ago


WASHINGTON - Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.


Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the "XCP" technology as a precautionary measure. "We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.

The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the CD and prevents them from loading the CD's songs onto Apple Computer's popular iPod portable music players. Some other music players, which recognize Microsoft's proprietary music format, would work.

Sony's announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology's ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.

A senior Homeland Security official cautioned entertainment companies against discouraging piracy in ways that also make computers vulnerable. Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by name in his remarks Thursday but described industry efforts to install hidden files on consumers' computers.

"It's very important to remember that it's your intellectual property, it's not your computer," Baker said at a trade conference on piracy. "And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Sony's program is included on about 20 popular music titles, including releases by Van Zant and The Bad Plus.

"This is a step they should have taken immediately," said Mark Russinovich, chief software architect at Winternals Software who discovered the hidden copy-protection technology Oct. 31 and posted his findings on his Web log. He said Sony did not admit any wrongdoing, nor did it promise not to use similar techniques in the future.

Security researchers have described Sony's technology as "spyware," saying it is difficult to remove, transmits without warning details about what music is playing, and that Sony's notice to consumers about the technology was inadequate. Sony executives have rejected the description of their technology as spyware.

Some leading antivirus companies updated their protective software this week to detect Sony's antipiracy program, disable it and prevent it from reinstalling.

After Russinovich criticized Sony, it made available a software patch that removed the technology's ability to avoid detection. It also made more broadly available its instructions on how to remove the software permanently. Customers who remove the software are unable to listen to the music CD on their computer.

When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things.

Sony Yanks Copy-Protected CDs Robert McMillan, IDG News Service
Wed Nov 16,11:00 AM ET

After two weeks of relentless criticism over its XCP copy protection software, Sony BMG Music Entertainment is pulling CDs that contain the software from store shelves. The company is also planning to offer customers a way to exchange CDs that contain the flawed copy-protection software.


"We share the concerns of consumers regarding discs with the XCP software, and we are instituting a program that will allow customers to exchange any CD with XCP software for the same CD without copy protection," Sony said in a statement posted on Tuesday.

'Sneaky' Software

XCP, which stands for Extended Copy Protection, is Windows software designed to limit the number of copies a PC user can make of a CD, but it uses controversial cloaking techniques to hide itself on the computer. Critics had warned that these techniques could gum up a computer's performance or possibly even be used by attackers to attack the machine.


Late last week, the first examples of malicious software that exploited the XCP cloaking mechanism began surfacing, prompting Sony to temporarily cease production of XCP-enabled CDs.


Sony had originally defended its use of XCP, and had downplayed the security and privacy risks associated with the software. With Tuesday's recall, however, the company finally appeared to acknowledge the seriousness of the matter. "We deeply regret any inconvenience this may cause our customers," Sony's statement said.


Still, Sony has some important questions to answer, according to the computer expert who first discovered the problems with XCP.


The biggest problem Sony now faces is helping customers who have installed the nearly undetectable software to remove it from their machines, said Mark Russinovich, chief software architect with Winternals Software LP, who originally identified the potential problem. Users who want to take XCP off their computers had been forced to send an e-mail to Sony and then download an ActiveX control that exposes them to further security risks, he said.

Mop-Up Still Needed

Sony on Tuesday suspended use of this uninstall process and promised to provide a "simplified and secure procedure" for uninstalling XCP. But the company provided no details on what this new procedure might be, or on how customers might exchange their XCP CDs. It also failed to address concerns about a second type of copy-protection software, called MediaMax, that ships with Sony CDs. Computer experts have said that this software suffers from many of the same problems as XCP.


Russinovich had some advice for Sony on how to simplify things. First off, the company should drop the dangerous ActiveX software, he said. Secondly, they should release a secure uninstaller that is easier to obtain. "They should just say, 'If you want the uninstaller, here it is: Click this link to execute it,'" he said. "I've seen no valid reason to have the uninstall process be what it is."


XCP is included in about 20 Sony titles including CDs by Van Zant, Sony has said. Security researcher Dan Kaminsky has estimated that at least 500,000 computers have installed the software.