Sony’s Rootkit Woes

Posted: November 11, 2005 at 11:40 pm

For the most part, I’ve stayed away from this subject because it’s really complicated; much more so than the casual user or music listener really cares about. But it is important and it’s something everyone should have at least heard about. I wanted to have a better idea of what has really been going on before I tried to write about it. Most of the pages linked here are pretty technical in nature, but even if you gloss over the tech speak you can still get the gist. If I’ve misrepresented anything here, please let me know so I can correct it.

Starting some time ago, Sony BMG began shipping CDs with new DRM software called XCP from First 4 Internet. The discs require you to install a special media player to listen on your computer, but there’s something more happening behind the scenes. This went generally unnoticed for quite some time, then F-Secure identified the software and finally Mark Russinovich made the problem well known. He ran a scan with RootkitRevealer, a Sysinternals tool he co-wrote, and discovered evidence of a rootkit on his machine.

Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden.

This was a serious discovery, so naturally he started investigating. What he found was pretty scary. He linked a hidden process to the media player installed by a CD from Sony/BMG.

I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software.

If I read that correctly, every two seconds it walks every running process and queries each one’s executable eight times. What purpose could that possibly serve?

But wait, there’s more. Mark wanted to remove the software from his computer. Sony claimed it was possible, and yet it was nowhere to be found in the Add/Remove Programs list, there was nothing about it on the Sony site (this is no longer the case), no help to be found at all. He took matters into his own hands and found that the software loads even in Safe Mode, meaning if something went wrong, you’d have a hell of a time fixing it. He was able to get the hidden files off his computer, only to find that his CD drive had been disabled: the driver had registered itself as a filter on the CD-ROM device stack, and deleting its files without also removing that registration left the drive unusable until he cleaned up the Registry by hand.

In the following few days, things have only gotten worse. Mark has made many more interesting discoveries and catalogued it all for us: Dangers and Phoning Home, First 4 Internet Responds, and his Uninstall Experience. I’d include more details here, but he’s already done a great job of that.

I’ve put together a summary of the information I’ve gathered from Mark and other articles on this issue.

  • The EULA does not disclose the software’s use of cloaking and implies that it can be easily uninstalled (it cannot). It hides itself by loading a kernel-mode driver that patches the Windows system call table, without your permission. Sony denies the software poses a security threat.
  • This rootkit hides the DRM files, and it will just as happily hide anything else whose name begins with “$sys$”, whether that is a file, directory, process, or Registry key (think trojans, worms, and viruses). Sounds like a hacker’s dream come true.
  • The hidden software scans the executables of every running process every two seconds, querying each one eight times per scan. No one seems to know why.
  • If you delete the hidden driver files by hand without deregistering the CD-ROM filter driver, your CD drive stops working.
  • Sony recently announced to the press that they were making an uninstall tool available, though they made no attempt to ensure their users knew about it. It is virtually hidden in the FAQ section of their website.
  • Sony’s “patch” can lead to system crashes and data loss because of the way it removes the cloak: it unhooks the kernel and unloads the driver on a running system, which can crash the machine if anything is still executing through those hooks.
  • The rootkit has already been used to get around the World of Warcraft anti-cheat software and now new viruses are taking advantage of it.
  • The Sony CD player establishes a connection to Sony’s site and tells them each time you listen to your protected CD. This behavior could be used to record the ID of a CD and the IP address of the person who played it, though there is no evidence of this. However, simply by logging standard server activity this information would likely be collected. Sony says they don’t use it.
  • Uninstalling the software is a chore in itself with several hurdles to jump through. You have to tell them twice that you want to uninstall. Don’t forget the majority of users wouldn’t know they’d installed the software in the first place.
  • The CDs are trouble for more than just Windows users; they affect Macs, too, though that software comes from a different vendor, SunnComm.
  • This move by Sony likely breaks laws in many countries around the world. Sony claims the CDs have only shipped in the US, though this has already proven to be false.
  • A class action lawsuit against Sony has been filed in the state of California. Expect more to follow.
  • For now, Sony has halted production of CDs carrying XCP, but it has said nothing about dropping copy protection from future discs.
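The way a RootkitRevealer-style scan catches this kind of cloak is a cross-view diff: compare what the Windows API reports with a listing taken below the hooked layer, and anything present in the raw view but missing from the API view is being hidden. What follows is an added example to illustrate that, not code from this post, from Sysinternals, or from Sony or First 4 Internet. It emulates the “$sys$” prefix filter the driver applies against a real temporary directory, and it also includes the quick check people used at the time: create a file whose name starts with “$sys$” and see whether an ordinary listing still shows it. The directory contents and file names are constructed for the example, and the emulated hook stands in for the real driver.

```python
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # names the XCP driver hides, per Russinovich's analysis


def raw_listing(path):
    """The trusted view: what is actually on disk.

    RootkitRevealer reads the file system's on-disk structures itself; on a
    clean machine os.listdir is an adequate stand-in for that low-level view."""
    return sorted(os.listdir(path))


def hooked_listing(path):
    """Emulates what a $sys$-cloaking kernel hook would return to the Windows
    API: every entry whose name starts with the prefix is dropped.
    This is an emulation for the example, not the real driver."""
    return [n for n in raw_listing(path) if not n.startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Cross-view detection: anything present below the API but absent from
    it is being hidden from user-mode software."""
    return sorted(set(raw_view) - set(api_view))


def probe_cloak(path):
    """Quick field check: drop a file with a $sys$ name and see whether an
    ordinary listing still shows it. Returns True if it is hidden, False if
    visible. The probe file name is made up for this example."""
    probe = os.path.join(path, CLOAK_PREFIX + "probe.tmp")
    with open(probe, "w") as f:
        f.write("cloak probe\n")
    try:
        return os.path.basename(probe) not in os.listdir(path)
    finally:
        os.remove(probe)


def demo():
    """Build a constructed directory resembling an infected machine and run
    both checks. Returns (hidden_names, probe_result)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample: two ordinary files plus two $sys$ names, the
        # second standing in for a third party piggybacking on the cloak.
        for name in ("readme.txt", "player.exe",
                     "$sys$DRMServer.exe", "$sys$cheat.dll"):
            with open(os.path.join(d, name), "w") as f:
                f.write(name + "\n")
        hidden = cross_view_diff(hooked_listing(d), raw_listing(d))
        probe = probe_cloak(d)
    return hidden, probe


if __name__ == "__main__":
    hidden, probe = demo()
    print("Cloaked entries:", hidden)
    print("Probe hidden on this machine:", probe)
```

On a clean machine the probe file stays visible and `probe_cloak` returns False; on a machine running the XCP driver it would return True, which is exactly why cheat authors could hide their files just by renaming them. The emulated hook here filters at the same layer as `os.listdir`, so the diff only works because the raw view is taken separately; a real cross-view scanner has to read the disk and Registry structures directly rather than trust any API the rootkit may have hooked.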

Needless to say, this has people really upset, for obvious reasons. I think it’s safe to say this takes the idiocy of DRM to a whole new level of “I can’t believe this.” I guess Sony figured that the only way to make DRM work was to hide it from the user. Maybe someday they’ll learn that you really can’t hide much from the public at all; there’s always a way around (a fundamental reason why DRM will never work). The worst part is that this software opens up a whole new issue with privacy and protection. The fact that Sony denies there is a problem is unforgivable. Their stories change each time new information is revealed, which really leads me to believe they never thought anyone would figure out what they were doing. I’m not one to quickly start screaming about boycotts, but I will seriously think twice before I purchase another Sony product.



#$%@ CBS

Posted: November 6, 2005 at 3:33 pm

So I’m working on categorizing old posts while I watch the Chiefs game. The Raiders had just come back to take the lead late in the 4th quarter. They’re kicking off to Dante Hall with 1:45 left in the game, and suddenly CBS cuts to the beginning of the damn Packers’ game already in progress! With that little time left in a close game would it really have killed them to let me see if the Chiefs could pull out the win? No, I didn’t think so.

Update: The Chiefs drove down the field and Larry Johnson scored a touchdown from one yard out before time expired.



Goodbye Blogger

Posted: November 3, 2005 at 10:27 pm

I went to post tonight and Blogger was choking hard. For hours, it wouldn’t post anything, but instead threw up some unhelpful error (001 java.net.UnknownHostException - what the hell is that?). In the meantime I managed to screw up my template and left things looking crappy until I was able to hack together a fix. I don’t even know if this post will show up anytime soon. Anyway, it’s been a long time coming, and this was just the push I needed to end our 19 month relationship.

Blogger, you made it incredibly easy to get on the web, and I thank you for that. You’ve come a long way with new features, usability, and decent reliability. But it’s time to move on. Don’t take this personally, I’ve just found a better blog system.

I will very soon be switching over to WordPress, most likely before the end of the weekend. More on that later.

Edit: It’s now 7:45 the next morning and Blogger is finally allowing me to post again. I’ve also discovered that Blogger now has the ability to moderate comments, but I don’t get spam comments (yet) anyway, so I don’t think it’s enough to save this thing.



Thou Shalt Not Blog…

Posted: October 26, 2005 at 2:14 pm

Read:

Students can be suspended for a lot of odd reasons these days — wearing “objectionable” T-shirts, cross-dressing for prom, planning elaborate senior pranks — but a principal at a Catholic high school in Sparta, New Jersey, has added another offense to the list: having a blog.

Ok, stop. I don’t care if this is a private school or not, this is absolutely ludicrous. Who is this guy to say that none of the students at his school can express themselves through a website? I can understand if they want to limit comments made about the school or its staff, and it would be perfectly appropriate to hand out school punishments for violations in that regard. But to say that you can’t even have a blog because of the possibility of exposure to the bad people of the world…give me a break. That’s like saying you should never go outside because there’s a possibility you’ll get a cold that leads to fatal pneumonia. No one can live their whole life inside a box.

What really gets me is that this is an issue for parents, not the school principal. It’s the parents’ responsibility to make sure they know what information their child is putting out on the web, and to teach them what is appropriate and what is not. The school can certainly teach guidelines (and they should), but for a kid to face suspension simply because he writes his thoughts online is shameful. A school trying to instill values into its students for home life is one thing, but actually trying to regulate home life is something altogether different and completely unacceptable.

read more | digg story



Twenty

Posted: October 11, 2005 at 5:12 pm

I’d heard that there could be more than a few versions of Microsoft Vista, but really hope this isn’t true because it’s just ridiculous. I can’t possibly see the point, unless they want to alienate every single Windows user who wants to upgrade because they won’t know if they should get Starter, Basic, Pro, Premium, or Ultimate. What a joke.

read more | digg story



Australia, What?

Posted: October 8, 2005 at 9:39 am

This video is just sad. I can’t believe how stupid people are. “I see a country labeled on a map, therefore I will disengage my brain and believe it must be true.”

read more | digg story



Why Did Apple Kill the iPod Mini in Its Prime?

Posted: September 27, 2005 at 12:04 pm

I think this guy has an excellent point.

No one was suggesting they wanted a flash-based player over a hard drive one, and no one was complaining about the iPod mini being too wide or too heavy. In comparison to the iPod mini, the iPod nano made the battery even harder to get at, lowered its battery life, removed the “remote connector,” ditched FireWire support, weakened the device making it much more fragile, and features a scrollwheel inconsistent with the rest of the iPod lineup.

The nano is cool and all but I don’t really understand why they chose to completely replace the mini instead of just adding to the line or why someone who owned a mini would run out and replace it with a nano. I also like the mention of Motorola CEO Ed Zander’s supposed joke about his feelings for the nano.

read more | digg story



Labels Hit Back at Apple…They Want Shares of iPod Sales!

Posted: September 26, 2005 at 7:50 am

Apple and the major record labels have been cruising towards a confrontation over iTunes Music Store pricing for months now, but this is just ridiculous.

read more | digg story



What a Joke

Posted: September 20, 2005 at 6:32 pm

I’m sorry, Epic. You really dropped the ball today.

Let me back up a bit…One of the things I think is pretty cool about Epic is that the company really values the relationship they have with customers. One of the ways they reach out is by holding a week long conference called the Users’ Group Meeting every September. They set a theme every year and it’s a chance to mingle with customers and learn what others are doing with the software, etc. To be honest, I’ve been kinda looking forward to going to some of the sessions to hear a little bit about other parts of the company and what customers really think. Don’t get me wrong, I’m glad Epic cares so much about their customers, but today they totally forgot about their employees.

There is only one session that every employee is required to go to: the general session. Since Epic has been growing so fast over the last few years (current population is over 2100, up from 1600 when I interviewed in February) it would require a very large venue to house all of the employees and even more customers. So they decided to split us up: the customers in the convention center, the employees in the Orpheum Theater. Keep in mind we are still required to dress up even though we won’t see any customers for the only session we’re required to go to.

So some people on my team and I decided to carpool. We get downtown, find a place to park, and walk into the Orpheum right at 8 o’clock when the session is supposed to start. The first thing I notice is that it’s a little warm inside. I immediately took off my suit jacket, knowing I would be miserable if I didn’t. We proceed up to the balcony, knowing we will be able to better see the screen where they will be projecting the feed from the convention center. They’ve got a video on one side of the giant screen and a powerpoint presentation on the other. Not a bad setup. Or so I thought.

Each year a video is made to match the theme. This year: Mystery in the Midwest. I’m sure the video was pretty good, but I can’t really tell you for sure. As soon as the presentation started, a nasty speaker buzz started from the only speakers projecting the audio feed from the convention center. The volume wasn’t bad, but the voices were so garbled I caught about every fifth word. I thought maybe they were having issues and would fix them, but I was wrong. As the movie ended and the first speaker started, the feedback got worse. They made an adjustment and the sound stopped crackling during high volume, but everything was still garbled.

So here we go. Roughly 2000 Epic employees sitting in the dark in their nicest suits and dresses in an 85 degree theater for four hours watching a video feed from the nice (cool) comfy convention center that we can’t even hear well enough to understand. The video, the CEO, the Vice President, the keynote speaker from Princeton…I’m sure it was all great. I think I caught one joke in four hours, meanwhile I’m sitting there sweating through my dress clothes. Absolutely fan-frickin’-tastic.

I went to two sessions in the afternoon after enjoying (sort of) a free box lunch. They weren’t too bad, but I still can’t believe they didn’t test their setup ahead of time. That ranks right up there with a tech company that relies on Microsoft Outlook for absolutely everything having to go without access for 2 days while they install patches, updates, and make server changes.



Alone

Posted: June 25, 2005 at 7:57 pm

So I just sat down to start cutting my fingernails. I know, I haven’t posted in weeks and the first thing I come back with is fingernails. Well, deal with it. There’s at least a reason for it.

One month ago while messing with the plugs for lights on a U-Haul tow dolly, I bent my thumbnail back. It hurt like hell, and there was really no reason for me to have done it. Why should you care? Well you probably won’t even after I explain it (I’m not sure I’ve even got any readers anymore), but here I go anyway.

One month ago is about the last time I knew what I was doing. I’ve been in Madison for almost a month and I’m still completely lost. Sure I’ve got this job, and I’ve got this great girl with me. But I have almost no clue where I am or where I’m going. To make things more fun, on this particular night I happen to be sitting alone in an empty apartment after angering said wonderful girl for something very stupid. So here I sit, listening to depressing music wondering where she’s gone and why, after three weeks, I still have no clue what my job is. Why I’m even here.

The girl has been telling me since we got here how lonely she is and if it weren’t for my job I would be in the same boat. I don’t think I’m really that far off though. Sure I have something to do during the day but I have yet to meet anyone I would consider a friend.

That night I bent my thumbnail back is now probably one of the last memories I’ll have of Manhattan and how my life used to be. This would have to be the first time since graduation that I really wish I was back there, or home, or pretty much anywhere but here. My parents are mad at me, the girl is mad at me, we have no friends here. Isn’t life grand.

Currently Playing: Flickerstick - Coke