Slashdot Mirror

Go get Rootkit Revealer (http://www.sysinternals.com/Utilities/RootkitReve aler.html). That's the one that was used to find this rootkit and the Sony one. The guy who writes it, Mark Russonivich, is quite good at this kind of thing. HE wrote the book, literally, on Windows (Windows Internals).

Yeah AV *is* an extra cost. You're right there. You shouldn't have to update them manually though. Any good corporate AV solution will have systems for managing and reporting on AV deployments.

WSUS is a free tool from Microsoft for managing the testing and deployment of hotfixes.

Log files (IMO, the number one annoyance with windows systems) can be managed with scripts by using scheduled tasks, as can other mundane tasks like defragmenting. For Windows 2000 and NT4 which don't come with command line defragmentors there are free tools avaialable that will do the job. Email reports can be sent via email by piping (c:\maintenance.cmd >> c:\daily_report.txt) the output of your scripts to a textfile and using freely available command-line mailer tools to send them.

Security and other logs can be dumped to a freely available database automatically using freely avaiable tools.

One very valid complaint is that Windows doesn't come with these tools by default. Once you get everything together though, life becomes much easier.

I won't argue with you that UNIX is easier. An OpenBSD/Postfix box I set up about two years ago has not required a security patch yet, and if not for power outages and physical moves, would have two years of uptime right about now.

Yeah AV *is* an extra cost. You're right there. You shouldn't have to update them manually though. Any good corporate AV solution will have systems for managing and reporting on AV deployments.

WSUS is a free tool from Microsoft for managing the testing and deployment of hotfixes.

Log files (IMO, the number one annoyance with windows systems) can be managed with scripts by using scheduled tasks, as can other mundane tasks like defragmenting. For Windows 2000 and NT4 which don't come with command line defragmentors there are free tools avaialable that will do the job. Email reports can be sent via email by piping (c:\maintenance.cmd >> c:\daily_report.txt) the output of your scripts to a textfile and using freely available command-line mailer tools to send them.

Security and other logs can be dumped to a freely available database automatically using freely avaiable tools.

One very valid complaint is that Windows doesn't come with these tools by default. Once you get everything together though, life becomes much easier.

I won't argue with you that UNIX is easier. An OpenBSD/Postfix box I set up about two years ago has not required a security patch yet, and if not for power outages and physical moves, would have two years of uptime right about now.

You missed some!

Network

putty for SSH (even commandline SCP which rules), wget for sucking down the web, opera if you don't like firefox, and some form of bittorrent client, like bitcomet.

Utilities

gvim, unxutils or in a pinch some downloads from the gnuwin32 tools, tools from SysInternals.

Multimedia

Don't forget Mediaplayer classic (MPC) which by happy coincedence is included in the k-lite mega codec pack (from codecpack.nl).

Security

grisoft AV, tools from SysInternals.

You missed some!

Network

putty for SSH (even commandline SCP which rules), wget for sucking down the web, opera if you don't like firefox, and some form of bittorrent client, like bitcomet.

Utilities

gvim, unxutils or in a pinch some downloads from the gnuwin32 tools, tools from SysInternals.

Multimedia

Don't forget Mediaplayer classic (MPC) which by happy coincedence is included in the k-lite mega codec pack (from codecpack.nl).

Security

grisoft AV, tools from SysInternals.

Here's another example of what I was talking about above: Circumventing Group Policy as a Limited User.

Note the end of the article: "It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team."

That's another example of Microsoft's mindset, in my opinion. It appears to me that Windows is deliberately weak. It's not an accident that Windows has low security.

Try this book out:

http://www.sysinternals.com/WindowsInternals.html? v=glance&s=books/systemsinternals

I read a good chunk of it and it gets down and dirty... and yes, you're right. It's not really stuff that is useful for an application developer.

http://www.sysinternals.com/utilities/rootkitrevea ler.html

Consider this:

      http://www.sysinternals.com/utilities/regmon.html

robert

I got tagged by a trojan using the same exploit on IRC.

I downloaded the wmf file to my desktop, but accidentally double clicked it when I was trying to submit it to trendmicro

I closed the connection with TCP View, but it took out explorer.exe with it.

This is much worse than potential spyware, this exploit is silent and can easily be used to drop keyloggers, or in my case, it opened up a shell back to the guy i was chatting with.

(btw - I knew it was a trojan when i downloaded it)

The Nt* calls are the native interface (think unix syscalls). The Win32 subsystem is a translation layer and service provider between the native interface and applications. The POSIX and OS/2 subsystems work the same way; they do not speak to the Win32 subsystem.

Sysinternals has a nice description of how it works.

... Windows administrators should be aware that if a user, even one running with a limited account, can execute just one program of their choice that they also can circumvent many group policy settings, including ones aimed specifically at tightening security such as Software Restriction Policies and Internet Explorer Zones. ...

... It's also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team.

They were lazy. It can be run under a Limited account in XP. Here's how I did it:

Fire up the freeware app Regmon, and set the filters to ignore the standard things running in the background (windows services, anti-virus software, and firewall software - A good starting point is as follows: csrss.exe;explorer.exe;LSASS.EXE;Regmon.exe;WINLOG ON.EXE). Just look at the list of processes that are filling up the main window for the names to put in the filter. While you're still in that filter dialog, uncheck "Log successes."

Now, fire up the offending application and wait for it to give you an error. Go back to Regmon and look through the last few entries for one that has "FAILED" in the Result column. Open up regedit, find the key that returned the "FAILED" message and assign full permissions for the limited user account, or the Users group.

Sometimes, a program will need more permision for a directory or single file. For that, use Filemon. The process is very similiar to Regmon.

If that all sounds too tedious for you, you might want to try just changing permissions on the application's install folder (For example: C:\Program Files\Intuit) and HKLM key (For example: HKLM\Software\Intuit). (Although I can say for a fact that QuickBooks requires full permission on one or two keys outside of HKLM\Software\Intuit.)

This process works for every program I have tried running under a limited account.

They were lazy. It can be run under a Limited account in XP. Here's how I did it:

Fire up the freeware app Regmon, and set the filters to ignore the standard things running in the background (windows services, anti-virus software, and firewall software - A good starting point is as follows: csrss.exe;explorer.exe;LSASS.EXE;Regmon.exe;WINLOG ON.EXE). Just look at the list of processes that are filling up the main window for the names to put in the filter. While you're still in that filter dialog, uncheck "Log successes."

Now, fire up the offending application and wait for it to give you an error. Go back to Regmon and look through the last few entries for one that has "FAILED" in the Result column. Open up regedit, find the key that returned the "FAILED" message and assign full permissions for the limited user account, or the Users group.

Sometimes, a program will need more permision for a directory or single file. For that, use Filemon. The process is very similiar to Regmon.

If that all sounds too tedious for you, you might want to try just changing permissions on the application's install folder (For example: C:\Program Files\Intuit) and HKLM key (For example: HKLM\Software\Intuit). (Although I can say for a fact that QuickBooks requires full permission on one or two keys outside of HKLM\Software\Intuit.)

This process works for every program I have tried running under a limited account.

did you run tools like Filemon from Sysinternals http://sysinternals.com/ to see what was failing when running as a pleb? Too often the answer is to run everything as admin when all that is required is write access to some folder under "C:\PROGRA~1"

You can use NtCreateProcess to create processes that aren't Win32 clients, so have no GUI overhead. You can even use it to get a real copy on write fork (this is how SFU does it). The catch is that the new process can't use Win32 services: it can't link to kernel32, user32, gdi32, advapi32 or any other libraries that depend on them, since Win32 is required to use any of them. You have to use the functions that ntdll exports directly for IO, IPC, syncronization, etc. All the primitive functionality the kernel provides to user processes are there, but some things like sockets can be a pain, since you have to interface with TDI directly. Most of the standard Win32 programming doesn't apply for such a process.

Microsoft doesn't document the native API, so you have to find third party docs.
The Windows NT/2000 Native API Reference by Gary Nebbett (ISBN:1578701996) is an excelent reference.
Reactos is an open source clone of Windows NT, and it documents and implements almost all of the same internal functions.
Sysinternals also has a short native example program.
The books Inside Windows 2000 and Undocumented Windows NT are also quite useful.

An easier way might be to just write SFU apps. SFU processes aren't Win32 clients (SFU is its own subsystem) and it provides a UNIXy programming environemnt.

1. In Windows 2000 / 2003 you would probably be better off using Terminal Services in Admin mode or Remote Desktop in 2003

2. You can use PSTools http://www.sysinternals.com/Utilities/PsTools.html to remotely exicute command line apps on almost any Windows NT/2K/2003 OS.

CreateProcess is not a syscall; it's a Win32 function exported by a Win32 client library, kernel32.dll. The internal API handled by the kernel is the native API. All of the syscalls start with Nt* and are exported by ntdll. The related syscall is NtCreateProcess, a function that creates a process object, loads ntdll.dll, maps an image section (for the program binary) and nothing else. It does not have a STARTUPINFO parameter.

CreateProcess from Win32 does call NtCreateProcess, but it also does a lot of other things, like create a startup thread and report the new process to the Win32 subsystem server (csrss), where the GUI parameters are used. The GUI is a core part of Win32, but Win32 is not a core part of the kernel. Almost all Windows software depends on Win32 (and so the GUI), but the kernel is happy to without win32: see the recovery console or first stage setup program. Full kernel, no Win32.

Before NT4, the Win32 subsystem was implemented entirely in user mode (mainly winsrv.dll hosted by csrss.exe for the server, kernel32.dll, user32.dll, gdi32.dll, advapi32.dll for client libraries used in programs that depend on Win32). Since NT4, much of winsrv's code got moved into kernel mode in win32k.sys. The kernel mode part of Win32 is all contained in win32k.sys; it's not part of the kernel, it just runs in kernel mode.

Bruce Eckel has some great books here. I use them as reference for OO stuff. There is also Windows Internals, great book, for windoze code monkeys.

they withdrew the draconian DRM encumbered CDs almost as quickly as they could

I seriously doubt that Sony's behavior has changed in any significant way. Here is what Mark Russinovich had to say on November 30, 2005: Premature Victory Declaration?

Though the rest of the system is mainly undocumented. Read stuff from the guy who found the rootkit and be amazed at all the well hiden functions Mark found.

The $sys$ stuff is just one arbitrary string that a rootkit could express itself through. To be thorough, download and run the free RootKitRevealer (front info page here). This is the software made by the very guy (Russonovich) who blew the whistle on Sony, having discovered their rootkit while testing his software.

The $sys$ stuff is just one arbitrary string that a rootkit could express itself through. To be thorough, download and run the free RootKitRevealer (front info page here). This is the software made by the very guy (Russonovich) who blew the whistle on Sony, having discovered their rootkit while testing his software.

Really? So having a blog automatically makes you ignorant? Because it seems to me that a member of this imaginary Tech World Elite could take up blogging without suddenly becoming ignorant. Perhaps you can explain this amazing logical leap of yours to me. Oh, and better explain it to Mark Russinovich, too.

Dumbass.

And of course surf the web with Firefox or Opera.

1) He was told to; this does not mean he did it.
2) He may not have done a proper full (MBR) reformat
3) He may have backed up the infection vector with his "important" files, on other infected media.
4) If the infection vector was via email, he might have redownloaded and reopened the message from a POP/IMAP server that retained a copy.

It is also theoretically possible to make something that will survive anything short of degaussing or reformatting after taking apart the hard drive. Modern hard drives often include flashable firmware, a simple (roughly 486 grade) processor, and as much as 16MB of RAM. This is potentially powerful enough for a custom microkernel on the drive itself, able to meddle with the boot process and rootkit the OS as it loads into the machine's RAM. To implement something like this, a Black Hat would need to know the exact model drive and its firmware release, probably know the same on the motherboard as well, be able to work at (likely proprietary) machine language level for that model hard drive control board, and there would be nil room for error. On the bright side for the black hat, if done with the skill I'd expect from someone able to do the work at all, the only signs of infection would be a modest decrease in the hard drive performance, a few sectors marked as "bad", and the odd bit of (potentially intermittent and encrypted) network traffic.

I'd bet on numbers 1-4, though. A hard drive native rootkit is at least one full level beyond what Sysinternals called "a level of sophistication not seen in rootkits to date" on their RootkitRevealer page. Probably more than one. As far as I know, not even a lab example of such has been reported developed, and it doesn't sound like this guy is high enough on the NSA's SPECIAL Christmas card list to be likely to encounter one of their toys. But I like keeping the tin-foil hat crowd awake at night. =)

may be in vain but, I don't think the article provided any proof that the software recorded mouse and keyboard input... it calls home but to do what? may be I'm getting used to Mark Russinovich'ish (http://www.sysinternals.com/blog/2005/10/sony-roo tkits-and-digital-rights.html) scrutiny style?

Wrong, the win32 function TerminateProcess is the equivalent. Selecting end process in task manager does this, but task manager only lets you terminate processes you own. If you are an admin process explorer will let you terminate any process. The only reason this won't kill a process is if the process is waiting on a kernel call to return, I beleive linux does the same thing in these circumstances.

Some more info here: http://www.sysinternals.com/blog/2005/08/unkillabl e-processes.html

You can change the location of the cache dir by setting the browser.cache.disk.parent_directory preference in about:config.

I've used a modification of the createprofile.vbs script from FFDeploy to set this up as new profiles are created from a login script.

I actually ended up creating my own msi files using a combination of regmon and filemon from Sysinternals to map it out, and Advanced Installer (the free version) to build the package. I ended up with a package that I can push out that includes flash and shockwave as well as a default profile with adblock included. I then use my version of the createprofile.vbs script in the users' login script to create an initial profile using the default one.

It takes a bit of effort to get right, but it's well worth it if you have a number of machines to push this out to. The bummer is that I only just got around to putting 1.0.7 out, and now 1.5 is out. Oh well.

...and a bit more risk.

Generally, running as a Power User is unnecessary. Occasionally, you'll find applications that appear to need this, but it's usually fixable by adjusting rights on specific files/directories/registry keys. Sysinternals' RegMon and FileMon are good tools for identifying where apps are bumping up against security. Occasionally you might have to tweak the local security policy but that's all.

You really should be running with LEAST privilege; a Power User can still (for example) walk all over the Program Files directory, and the ability to modify system time can cause havoc and renders any auditing suspect.

You've always got "Run as..." and the tips at Aaron Margolis's blog if you need to temporarily elevate your privs. I haven't had any lasting issues with running at mere User level, and my machine is as secure as a Windoze box gets.

Also, AutoRuns from http://www.sysinternals.com/Utilities/Autoruns.htm l is very useful for this kind of thing.

defragment your hard drive. Of course, you can't defrag the registry. So use sysinternal's PageDefrag utility which can. Over time, the registry accumulates a lot of stuff, and defragging it can help quite a bit.

using 1-2 percent system cycles is system slowdown even if it's not noticable. "I closed the player and expected $sys$DRMServer's CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent" from http://www.sysinternals.com/blog/2005/10/sony-root kits-and-digital-rights.html

...that is, that they have a product with a high degree of price inelasticity of demand (although record execs don't hvae the sophisticated vocabulary). The problem is they don't realize the cross elasticity of substitute products.

OK, so assume that RIAA member company Three Initial Recording (TIR) have a lock-in recording contract with the hottest band around, the Hong Kong Cavaliers. TIR makes a fistful of buckaroos from every one of HKC CDs they sell. But music from iTunes is a really close substitute, if not a superior replacement; changes in prices of one will affect the sales of the other pretty easily. Raising prices so as not to undercut sales makes sense to TIR.

The problem is, there are other substitutable choices besides CD and iTunes. TIR considers DRM-Rootkitted music disks: consumers don't like those much, but most are easily confused sheep, so the substitutibility is fairly good until ingenious folk at Sysinternals notice. Maybe they try it, maybe not.

There's live concert performances... but that's not a good substitute for most working stiffs who want to listen to the band at any given time of day, and the HKC can only do so many concerts; TIR can live with that.

There's music from other bands; although some folk feel there is no alternative to the HKC's unique sound, others are just as happy listening to Electric Mayhem, who are signed with another RIAA member. Well, it's within the cartel. But the band Disaster Area tends to have a wide overlap in the fan base, and they've not only working with an independent studio, they took pot shots with a sniper rifle at the last TIR contract rep who tried to persuade them to join up. Hmm...

And really, any form of entertainment might be a substitute; cheap, safe, designer hallucinogens might leave everyone just sitting around giggling at their fingers, but the War on Drugs makes most people stay away. Movies are another alternative, but the MPAA has enough overlap and common interest that they're not likely to be a deliberate threat. Books... well, nobody reads those any more. Video games are a growing problem, but they look to be gelling into a cartel pretty soon.

But that leaves the big one: there's pirate copies of the music, in all of their many forms. Recorded live in concert while in the audience. Sketchy dealers on NY sidewalks selling counterfeit CDs. Music ripped to MP3/Ogg/FOO format and traveling over the internet by FTP, HTTP, NNTP, KaZaa, BitTorrent, and the six surviving Gopher sites. Yes, it's illegal... but cheaper, all the way down to free. The extra costs are only to the pirate's self respect (which there's less to lose of each time they give in) and if they get caught. And almost EVERYBODY is doing it.

Some flexibility in pricing might help both Apple and the RIAA, especially if they put more of the long tail up on iTunes (which would probably be the best way to grow revenue), with opportunities for having sales, and making a litte more on the megahits. (Yeah, bands with gold albums probably ought to be going for $1.25 IMHO). But my back-of-the-hand guess is that if the average price (weighted by number of sales) of iTunes song starts rising, there will be more "sales" really lost to piracy, as opposed to the RIAA claimed losses. And with those short-term real losses come longer term erosion to the foundation social mores (EG: piracy=theft=bad) that the music industry is reliant on. And that is something TIR and the other RIAA members aren't factoring in on their economics.

• F-Secure - Nov 1st, 2005
• Symantec - November 8, 2005: Renamed to SecurityRisk.First4DRM from SecurityRisk.Aries November 11, 2005: Added link to removal tool.
• Computer Associates - listed, unknown date.
• Kapersky - Nov 2, 2005

It's interesting how some of the vendors are listing information about the rootkit, but see uninterested in adding a signature, claiming that it's not really a virus (which is true) because it doesn't self-replicate. That's fine, I guess, because if they started detecting rootkits, they'd have a lot more work to do, but I think it's kind of shortsighted of them to think that people won't get angry that they paid for a $40/year subscription for a product that doesn't detect when their system gets totally rooted.

(I'm always tempted to spell it r00tk1t, but I'm trying to act more mature these days...)

"but they haven't done any of the things a reputable company should be doing: Offering complete replacement discs (without foistware), coupons/credit for further Sony products ("Don't boycott our brand, please"), and promise not to abuse their actual customers again."

Actually, it appears that they *do* plan to offer replacement discs. I tried to post this to the main page (a fairly significant development, IMHO), but alas it was rejected. In other news, Mark Russinovich is declaring victory as a result.

I'm not saying that makes everything okay... I'm just saying that they're not being *total* jerks about this (just *partial* jerks). I expect we'll see more of a response out of Sony once that large bureaucratic ball eventually does get rolling. In an organization the size of Sony, I'd bet it has quite a lot of intertia.

And no, I won't be buying any more Sony CDs... or probably anything else - just on principle.

http://www.sysinternals.com/blog/sony-eula.htm/

Article 6. LIMITATION OF LIABILITY....

FIVE US DOLLARS (US $5.00)

12 million in actual damages + punitive damages sounds about right to me.

If you're doing windows cloning, you may want to look into this free NewSid Utility from sysinternals.

Agree.

Same thing happens with software documentation:

Analysis, Requirements specifications document.
Design: Design Specification document [with or without UML, DTDs, etc].
Quality control/assurance: (Quality testing metrics documents).

Nobody (at least not programmers) likes to spend their time doing that, which results in a lot of good Open Source projects (just look at sf.net) that have only the source code available. So, when/if someone wants to start helping (be it a programmer or a non programmer) they must dive into the source code, reverse engineer it and (to their better understanding) see how is the program working.

When developing a propietary software for anyone, documentation is the one most important thing, and often the one that programmers hate to do. That is why System designers are better paid than programmers.

In open-source world, nobody cares about documenting [and mantaining the domcumentation] of their software. My personal experience is with VirtualDimension multi-desktop software. I wanted to enhance the program with some ideas I had, but I hated that the only place to understand how it worket was the CVS repository C++ files. Although I know C++ (and I am good at it if-u-ask-me) it is the "logic" of the program what I wanted to find and, well, my time is worth more than what I needed to understand the inners of the program.

The same happened with jabref. I would like to contribute to those projects with programming, but bah, at the end, all of them are just a mess.

Returning to the accessibility issue. The only way accessibility could be handled is by creating a base framework (from the GTK, or QT or JSwing or any other GUI toolkits) that provides accessiblity features to the interfaces. This means that the application developers will not need to worry (too much) about accessibility because the "text control" will contain the features by default*(and this is the "most-most-important-issue"*. And, the programmer will just have to addere to a set of minimum accessibility rules (like using system defined colors and fonts [something, the great Mark's sysinternals process explorer doesn't do for example, as after I changed my font DPI to 144, the process list font is not changed and I also use background color as Black and font as white, but it is not adopted by this program)).

* Talking on this "default state" of the features, it is the same story with accessibility as with security. For an example, I know that Java has some interfaces wich allow for accesibility properties (although I have not used them). It also has some classes for secure comunication. But these are not the DEFAULT classes which everyone uses.

Iff Java had implemented security and accessibility in the common controls/classes used by everyone, of course it would be more work for the developers but it would help them to LEARN to implement those features.

New sig:
--
Days since my last Sony purchase: 602

Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:

1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

8. You have no right to transfer the music on your computer, even along with the original CD.

9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

Refer to the following for details:

• List of Affected CDs
• EULA analysis
• Rootkit analysis
• Continued rootkit analysis

Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:

1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

8. You have no right to transfer the music on your computer, even along with the original CD.

9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

Refer to the following for details:

• List of Affected CDs
• EULA analysis
• Rootkit analysis
• Continued rootkit analysis

This has turned into quite a piece of work on their behalf.

This has turned into quite a piece of work on their behalf.

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," Sony BMG added.
I really can't believe this clown is saying that. Did they ever have a security goal in mind??? Does this statement mean that they continue to do business as usual???

I went back to their FAQs, and found a few interesting lines:

- You must log on to your computer with Administrator rights or Power User rights to fully use the disc.
So I must be an admin just to listen to Ricky Martin??? Gimme a break.

- To date, Apple has not been willing to cooperate with our protection vendors to make ripping to iTunes and to the iPod a simple experience.
And hopefully it'll stay that way for a long, long, long time...

- the protection components are never installed without the consumer first accepting the End User License Agreement.
But nowhere in the EULA it is mentioned what the user is in fact installing.

- If at some point you wish to remove the software from your machine simply contact customer service through this link. You will, though, be unable to use the disc on your computer once you uninstall the components.
Now this is another issue. Sony is marketing their discs as CDs, but their are not campatible with standard CD players??? They can't slap the CD logo anywhere they want and get away with it. They have to follow the standards, or call their DRM discs something else and anounce in big bold letters that such disc may not be playable in all devices.

After I RTA, I was inspired to install and run RootKitRevealer http://www.sysinternals.com/Utilities/RootkitRevea ler.html. I didn't find any Sony malware, but I did find the IBIS Websearch Toolbar rootkit for that other malware vector, Internet Explorer.

Now how to get rid ot it . . ?

Oh, wow, that sucked retry :)

This is the link you get from sony after jumping through a lot of hurdles:

http://www.xcp-aurora.com/support/sonybmg/process. aspx?opt=1&id=XYAUfasSFoSdasfDoFPPEWFFEoibnaZPQlSf FgKGSGGIA

See:

http://www.sysinternals.com/blog/2005/11/sony-you- dont-reeeeaaaally-want-to_09.html

Enjoy

This is the link you get from sony after jumping through a lot of hurdles:

http://www.xcp-aurora.com/support/sonybmg/process. aspx?opt=1&id=XYAUfasSFoSdasfDoFPPEWFFEoibnaZPQlSf FgKGSGGIA [xcp-aurora.com]

See:

http://www.sysinternals.com/blog/2005/11/sony-you- dont-reeeeaaaally-want-to_09.html [sysinternals.com]

Enjoy