Web log archive.
A Dispatch


December 03, 2005

Beware of Sneaky Music CDs

One of the prime ways that crackers gain access to your PC is by disguising their Trojan loading software within some kind of supposed custom "media player" or "media viewer" that is required to access free stuff that won't play on widely available and trusted players (e.g., Windows Media Player or QuickTime). The unsuspecting user wants to see the funny e-card, hear the latest sound sensation, or see cute smileys, and glibly okays the license agreement prior to installing the player. After that, they're hosed. They'll probably be bombarded with adware or have their computer taken over by a bot-net commander somewhere on the far side of the planet.

As we have learned, however, it's not just no-name guys doing this stuff. Sony BMG loaded software on numerous music CDs in the hope of stopping illegal copying. It's a very sordid affair, and you should pursue the details excellently itemized in parts One, Two, Three, and Four of an ongoing story.

Among the horrors you'll learn is that even if you decline to install the software that comes on the CDs, it can install itself anyway. Although the software is not necessarily itself a Trojan, the way it was designed makes it easy for other Bad Guys to hide their garbage on your PC.

Let me share with you my policy on music CDs. I rip every CD that I buy so that I have the music as part of my iTunes library. My iTunes library is larger than the largest iPod (I'm holding onto my 30GB iPod until an 80GB or 100GB model comes around—but even that won't be big enough), so I manually select music from the main Library to transfer to my iPod. I have a decent audio setup in my office, but the CD player hasn't had much use in quite a while. Instead, I use an Airport Express to beam my iTunes output to my office stereo. I don't play any CDs on my computers directly, but I understand why many users might do that.

Even so, I can tell you this: If a new CD's labeling indicates any kind of personal computer requirements (e.g., operating system version, player type, etc.), I wouldn't place that CD anywhere near the disc tray/slot on my computers. This information is, to me, a giant red flag that the publisher may screw with my computer, with or without my knowledge and permission. Inserting the CD into the computer could be just as dangerous as opening an unexpected attachment in an unexpected email message.

I never had to look for this kind of information on the labeling before, but it is now a vital step to take before putting any CD (or DVD, I would assume) in a personal computer optical disc drive.

I applaud Amazon.com for advising customers of discs it has identified as bearing some kind of computer-centric copy protection. Right after the disc's title listing, they say in all caps: "[CONTENT/COPY-PROTECTED CD]". You can be sure that such a disc will never fall into my Amazon shopping cart.

I'm fortunate because the types of CDs I buy are not mainstream pop titles. The labels I buy for the most part tend to be small, independent ones, many of which are based outside of the U.S. There is less likelihood for the pirating of the music I listen to than the CDs that Sony tried to lock down. But that doesn't mean I shouldn't be just as vigilant about what the labels could try in the future. My taste for the non-mainstream also presents a potential problem for the way I buy music. For reasons of availability, I tend to buy the majority of my CDs from a dealer in the United Kingdom. I won't necessarily see the warnings that Amazon puts on its listings. I won't be able to know if the packaging lists PC requirements until the disc arrives at my door.

The question remains, then, would I try to find a way to get a pirated copy or mp3 tracks of a protected CD that I wanted? Maybe it's just me (sometimes I think it's only me), but my answer is "no." I like to own the music I listen to, whether I buy CDs or electronic versions through places such as the iTunes Music Store. I'm just not a free-download kinda guy unless the material is presented by its owner as such. Your mileage probably varies, and you think I am the squarest of squares. I'd rather send my silent protest message to both the label and the artist that I won't listen to their music if they're going to potentially screw with my computer.

Simple rules by which to live and to sleep soundly.

Posted on December 03, 2005 at 01:17 PM