1 The Sony CD DRM Debacle
A case study of digital rights management

2 Overview
DRM goals
XCP
MediaMax
Defeating the copy protection
Software Engineering Code of Ethics and the principles that were broken
Lawsuit

3 Goals of DRM
The primary goal of a CD DRM system is to protect and enable the business models of the record label and the DRM vendor.
Lessons from the Sony CD DRM Episode (pg 2)

4 Record Label Goals
Overall purpose is to increase profit:
  Increase sales
  Limit disc-to-disc copying
  Limit local copying
  Get software onto users' computers
  Sell advertising
  Gather and sell information about users
Lessons from the Sony CD DRM Episode (pg 2, 3)

5 DRM Vendor Goals
Maximize the price of the DRM software by creating value for the record label
Survive
  Smaller companies need to take more risk
Maximize the installed base
  Need to get the major record labels on board
  Become THE DRM used; beat out other vendors
Lessons from the Sony CD DRM Episode (pg 3)

6 CD DRM Systems
Must play on ordinary CD players
Limited readability by computers
Must prevent copying on a computer without permission
The DRM software must give access to the music
The DRM software must be installed somehow
  Autorun on Windows computers
  Must be intentionally run by the user on a Mac
The DRM software must recognize DRM discs
Lessons from the Sony CD DRM Episode (pg 4)

7 XCP
Relies on the Autorun feature of Windows
  Commands in autorun.inf on the CD are executed
  Autorun is commonly used to display splash screens and start program installers
  Mac OS does not use Autorun; the user must run the installer manually
XCP-protected discs contain two sessions
  Music session
  DRM content session
Lessons from the Sony CD DRM Episode (pg 5)

8 Two Session Disc

9 XCP (continued)
There is an unprotected window between disc insertion and installation of the protection software
The user is required to agree to an End User License Agreement (EULA)
  The software is then installed
  The CD can now be played
  If the user declines, the CD is immediately ejected
Lessons from the Sony CD DRM Episode (pg 6, 7)

10 XCP (continued)
Temporary protection is auto-loaded on CD insertion; it is not installed
  Uses a blacklist of applications known for burning/ripping
  Displays a window listing any blacklisted applications that are running
  Will not continue until the blacklisted applications are closed
Lessons from the Sony CD DRM Episode (pg 7)

11 XCP (continued)
Lessons from the Sony CD DRM Episode (pg 6)

12 MediaMax
Also uses Autorun
Also uses multi-session discs
Temporary protection is more invasive
  Immediately installs the protection software
  Temporarily activates the protection software
  This happens even if the EULA is declined
Lessons from the Sony CD DRM Episode (pg 5, 7)

13 Defeating the Copy Protection
Mark the data session on the disc with a marker
Hold down the Shift key while inserting the disc
Disable Autorun
Use an alternative operating system
  Linux
  Mac
Lessons from the Sony CD DRM Episode (pg 5)

14 Marking the CD

15 Hold down the Shift key while inserting the disc

16 Disabling Autorun
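Autorun is the delivery mechanism described on slides 7 and 9, and slide 16 covers switching it off. The following is an added example, not material from the slides or from the Halderman/Felten paper: it reads an autorun.inf the way Windows reads its [autorun] section, reports which directives would launch code on insertion, and checks a NoDriveTypeAutoRun policy value to see whether CD-ROM Autorun is actually blocked. The autorun.inf text and the file names in it are constructed for illustration and are not XCP's real files.

```python
"""Inspect an autorun.inf and the Autorun policy before Windows acts on a disc.

Added example; the sample .inf content below is constructed, not taken from XCP.
"""
import configparser

# [autorun] directives that cause something to be launched when the disc is inserted.
EXEC_KEYS = ("open", "shellexecute")

# NoDriveTypeAutoRun is a bitmask: bit n disables Autorun for Win32 drive type n.
# DRIVE_CDROM is type 5, so bit 5 (0x20) governs audio/data CDs. 0xFF disables all types.
DRIVE_CDROM_BIT = 1 << 5
DISABLE_ALL = 0xFF


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}; {} if there is none.

    Windows treats section and key names case-insensitively, so we do too.
    Only '=' is a delimiter: values such as 'D:\\go.exe' must not split at ':'.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_directives(text):
    """List the (key, command) pairs that Autorun would execute on insertion."""
    directives = parse_autorun(text)
    return [(k, directives[k]) for k in EXEC_KEYS if directives.get(k)]


def cdrom_autorun_blocked(no_drive_type_autorun):
    """True if the policy value has the CD-ROM bit set, i.e. Autorun is off for CDs."""
    return bool(no_drive_type_autorun & DRIVE_CDROM_BIT)


def what_would_run(text, no_drive_type_autorun):
    """Combine both checks: with CD-ROM Autorun blocked, nothing runs whatever the .inf says."""
    if cdrom_autorun_blocked(no_drive_type_autorun):
        return []
    return launch_directives(text)


# Constructed sample: a data session whose autorun.inf starts an installer on insertion.
# The file names are hypothetical placeholders, not XCP's actual file names.
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    "open=contents\\go.exe\n"
    "icon=contents\\disc.ico\n"
    "label=Protected Audio CD\n"
)

if __name__ == "__main__":
    print("launches:", launch_directives(SAMPLE_AUTORUN_INF))
    print("with policy 0xFF:", what_would_run(SAMPLE_AUTORUN_INF, DISABLE_ALL))
```

The policy value the second check models lives at HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (a per-user copy under HKCU also exists); setting it to 0xFF is the "disable Autorun" step of slide 16, while the Shift-key trick of slide 15 suppresses Autorun for a single insertion only.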

17 Alternative Operating Systems

18 XCP Rootkit
XCP is detected as a rootkit
It hides itself from detection
  Files
  Network access
  Processes
  Registry keys
The cloaking is available to any other program, not just XCP, so it potentially lets malicious code operate on the system undetected
Lessons from the Sony CD DRM Episode (pg 18, 19)

19 XCP Detection as rootkit

20 XCP Vulnerabilities
Installed and ran invisibly
  Not detected by the antivirus software of the time
  Hides itself and its processes
Hides anything whose name starts with $sys$
  Any malicious code can hide itself by using the $sys$ prefix
  Exploited by at least two malicious programs
Can also crash the system at random when system files are updated
Lessons from the Sony CD DRM Episode (pg 19)
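The point of slide 20 is that the cloaking is name-based: anything beginning with $sys$ disappears from the views that ordinary tools use. The standard way to catch that is a cross-view check, comparing what the (possibly hooked) API reports with a trusted low-level view, plus the simple probe of creating a file with the suspect prefix and seeing whether it is still listed. The block below is an added example in Python, not code from the slides or the paper. Because no rootkit is installed here, the hooked API view is simulated by a function that drops $sys$ names, standing in for what the XCP driver did; the trusted view is the plain OS listing. All file names are constructed.

```python
"""Cross-view detection of prefix-based cloaking, modelled on the XCP behaviour above.

Added example. cloaked_listdir() SIMULATES a hooked directory-listing API (it
drops every name starting with $sys$); nothing here installs or removes a driver.
"""
import os
import shutil
import tempfile

HIDDEN_PREFIX = "$sys$"  # the prefix XCP's cloaking keyed on


def cloaked_listdir(path):
    """Simulated high-level view: what a hooked enumeration API would return.

    Stand-in for the XCP driver's filter. Case-insensitive matching is an
    assumption of this simulation, not a documented property of XCP.
    """
    return [n for n in os.listdir(path) if not n.lower().startswith(HIDDEN_PREFIX)]


def raw_listdir(path):
    """Trusted low-level view. A real scanner would read the file system structures
    directly; here the unhooked OS listing plays that role."""
    return os.listdir(path)


def cross_view_diff(path, api_view=cloaked_listdir, trusted_view=raw_listdir):
    """Entries present in the trusted view but missing from the API view.

    Any non-empty result means something is being hidden from ordinary tools.
    """
    return sorted(set(trusted_view(path)) - set(api_view(path)))


def probe_for_prefix_cloak(path, prefix=HIDDEN_PREFIX, api_view=cloaked_listdir):
    """Create a file with the suspect prefix and ask the API view whether it exists.

    Returns True if the file vanished from the API view (cloaking active).
    The probe file is always removed afterwards.
    """
    probe = os.path.join(path, prefix + "probe.txt")
    with open(probe, "w") as f:
        f.write("cloak probe\n")
    try:
        return os.path.basename(probe) not in api_view(path)
    finally:
        os.remove(probe)


def demo():
    """Build a throwaway directory with one $sys$-named file and run both checks.

    Returns a dict so callers can assert on the outcome rather than read printed text.
    """
    workdir = tempfile.mkdtemp(prefix="xcp-crossview-")
    try:
        # Constructed sample names; "$sys$hidden.dll" is hypothetical, not an XCP file.
        for name in ("readme.txt", "$sys$hidden.dll"):
            with open(os.path.join(workdir, name), "w") as f:
                f.write("sample\n")
        return {
            "hidden": cross_view_diff(workdir),
            "probe_hidden_by_hook": probe_for_prefix_cloak(workdir),
            # With no hook in place the probe must stay visible.
            "probe_hidden_without_hook": probe_for_prefix_cloak(workdir, api_view=raw_listdir),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The same diff logic applies to processes and registry keys, which slide 18 lists as cloaked as well: enumerate each through the normal API and through an independent path, and treat any entry that appears in only one view as suspect. The slide's other warning follows directly from the probe: anything, including malware, that names itself with the prefix inherits the cloak.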

21 MediaMax Vulnerabilities
Automatically installs on CD insertion
Installed files have permissions that let any user modify them
  Malicious code can therefore be planted easily
  The next time a MediaMax-protected CD is inserted, the planted code is executed
Lessons from the Sony CD DRM Episode (pg 17, 19)

22 Vulnerabilities (continued)
MediaMax requires Power User privileges to run
  The attacker's planted code therefore runs with those privileges and gains complete control
MediaMax aggressively updates the installed code with each protected CD
The patch meant to fix the permission problem itself executed the planted attack code
Lessons from the Sony CD DRM Episode (pg 17, 19)

23 Spyware-like Activities
Reports user activities to the label/vendor
  The vendors said it did not; in fact it does
Retrieves images or ads to display from the web
Logs the user's information
  IP address
  Date and time
  Identity of the album
Lessons from the Sony CD DRM Episode (pg 14)

24 Software Engineering Code of Ethics (ACM/IEEE-CS Joint, shortened version)
Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:

25 Software Engineering Code of Ethics (continued)
1. PUBLIC - Software engineers shall act consistently with the public interest.
2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer and consistent with the public interest.
3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.

26 Software Engineering Code of Ethics (continued)
5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

27 Ethical Issues
Installs without user permission
Users are left vulnerable to malware
  Even after uninstalling, the user remains vulnerable
Spyware tactics are used
Prevents fair use
Damages the reputation of software manufacturers
Sony refused to admit wrongdoing

28 Class Action against Sony
Requests from the Electronic Frontier Foundation (EFF):
  Stop production of CDs with the flawed DRM
  Get people non-DRM'd versions of the music
  Do this quickly
  Give people free music or money in the case of XCP
  Ensure independent security testing before the launch of any new DRM
  Agree to a quick response by Sony BMG to future security flaws in its DRM

29 Settlement
Sony agreed to the EFF's requests
Never admitted wrongdoing
No reparations for crashed systems
At present no criminal cases
Sony is still open to future lawsuits, but the EFF's case is over

30 Sources
Lessons from the Sony CD DRM Episode, J. Alex Halderman and Edward W. Felten, Center for Information Technology Policy, Department of Computer Science, Princeton University. Extended version, February 14,