Slashdot Mirror
Sony Rootkit Phones Home
strider44 writes "Mark from Sysinternals has digged a little deeper into the Sony DRM and discovered it Phones Home with an ID for the CD being listened to. XCP Support claims that "The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities." Also on this topic, Matt Nikki in the comments section discovered that the DRM can be bypassed simply by renaming your favourite ripping program with "$sys$" at the start of the filename and ripping the CD using this file, which is now undetectable even by the Sony DRM. You can use the Sony rootkit itself to bypass their own DRM!" Update: 11/07 14:21 GMT by H : Attentive reader Matteo G.P. Flora also notes that an Italian lawyer has filed suit against Sony on behalf of the Italian equivalent of the EFF. Translation availabe through the hive mind. Update: 11/07 15:18 GMT by H : It does appear that in fact Sony does see through the $sys$ - see Muzzy's comment for more details.
"No information is ever fed back or collected about the consumer or their activities."
Other then your IP address, date and time it's connected to the net, the CD you're listening to, how often you listen to it...
Most ony customers care little for this Sony solution. My 12 year old sister doesn't seem to care one bit. Sony has the "right" to provide this feature as you're not being forced to buy it.
You're responsible for checking out a product before buying it. I won't buy any music ROM disc that doesn't have the "CD" certification logo, unless it is from an indie band. I still rip eve y CD from a CD player with an optical out into my PC. Safety first.
You obviously never read the original article. Sony didn't advertise in any way shape or form that this was on the CD, so even you wouldn't have been able to "check out" the product before buying it!
Of course, this presumes that the product and the producer don't take active steps to deceive the consumer, and presumes a technically-sophisticated consumer capable of analyzing the technology involved. Your idealistic scenario kind of falls flat when it runs into the real world.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
These copy protection schemes are NEVER goign to work as long as the content is still available to play on regular cd players. Even if it's not, it will be hacked as long as some hacker thinks it might be an amusing way to spend an afternoon.
why are sony SO unbeleivably stupid as to think otherwise. They must be wasting hundreds of thousands of pounds on this utterly useless rubbish, that even the least technical of people can bypass.
These things are so childish no hacker would even bother with them, as stated this one even defeats itself!
It only takes one breach to distribute a copy, why piss off thousands of genuine paying clients?
The mind boggles, the only people winning are the copy protection companies living happy lives doing nothing but ripping Sony off.
aren't they supposed to do maketing studdies on things before release?
maybe employ a 16 year old to independantly test the schemes for them rather than taking the word of the people selling them this rubbish
(I'd have said 10 year old but it wouldn't be legal)
revenue lost to purchasing clients who will have to return product as it wont run. $X,0000
revenue lost to potential clients who will be scared off buying in the first place. $Y,0000
estimated reputation damage to company. priceless.
estimate of no. of pirated copies prevented. ZERO.
So you can use their own rootkit to bypass their own DRM. And exactly what level of control do you even have at the point where you are screwing with a rootkit to rip CD's on your own computer?
I hope Microsoft is paying attention here, because this could set an EXTREMELY bad trend here. Why do we have these "certified" drivers? Because a lot of them were crap. Now we have software injecting stuff directly into the OS. I can't say this is going to help MS in the security and stability department.
If it installs this rootkit through autorun when you put the CD into your Windows machine, how is this any different from a worm? Just because it isn't spread through the internet doesn't change the fact that it is a virus.
Sig: I stole this sig.
What's the goal here? To stop the people who buy CDs and rip copies for a few friends... by driving everybody to rely on safer online distribution exclusively?
Ah, but you didn't say illegal, you said wrong. The equation of the two is perhaps the greatest threat to liberty in the modern world.
Real Daleks don't climb stairs - they level the building.
If you care about this, then don't buy Sony games, music or movies. If you don't care about DRM and spyware issues then by all means go out and buy more product from them.
Is sending a clear message that you will not tolerate corporate abuses worth going a few months without shelling out $18 for a CD that has two decent tracks on it?
Accept nothing less - the public firing of the VP who oversaw the department that gave the green light to this - or no purchase of any Sony game, music or movie.
Personally I don't think enough people value unhacked systems enough to make the sacrifice. My prediction is that Sony will essentially get away with it, may have their insurance company pay a few settlement checks, and make a better attempt next time around. Or simply write enough checks to MS to ensure that the DRM is included in the Colonel (weak joke about a police state... sorry). And write enough checks to Motorola and Intel to make sure that DRM is included at the chip level. And write enough checks to US Senators to make sure that the law will back them up next time.
Again, the only recourse is to refuse to buy Sony products until a VP is fired. Nothing else will work.
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Isn't it a problem if you can't read the EULA before buying the product? And since you unpacked the CD you are actually stuck with it.
This is totally insecure, but very convenient.
The way I heard it, it sounded like it was copying itself from the CD to the machine without the users consent. I assumed this would be called a virus as it is replicating itself. Maybe trend micro's quiz didn't educate me very well
After finding more information about it, it sounds as if it blocks programs from accessing the CD drive that are in sony's list.
Step 1: Rename your Windows Server App to ITUNES3.EXE
Step 2: Put all the config files for that server app on a CD
Step 3: Insert Sony music CD into secondary drive
Step 4: The DRM that installed itself without your consent crashed your mission critical server. Sony is liable!
Step 5: ???
Step 6: Profit!
Sig: I stole this sig.
Lets stop pretending that retailers allow you to return CDs.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
Btw, Since distracting CD-ROM functionality by randomizing the signal a little seems to be "OK", you can expect the record companies to target P2P apps with future DRM systems. If it's OK to screw your system and ripping software, it's going to be ok to screw your p2p if they think you're sharing their stuff. This kind of malware along with DRM is a slippery slope, and you'll never know where it ends if you tolerate it even a little.
-- Matti Nikki
Now, I didn't buy that CD (or any others in the last five or six years) but if I had, I'd like to see where the terms and conditions of the contract that I SIGNED AND AGREED to are. If they are available for viewing BEFORE I make the purchase AND they explicitly indicate everything that Sony is allowed to do to my computer if I choose to put it in my computer, then you have a point. If not, then it is nothing more than a con, equivalent to me mailing you a letter that you open to see "the act of opening this letter means you agree to give me all your worldly assets, and none of your debts". If you feel Sony isn't WRONG, then you'd better fork over everything you own when you get that letter, because it's the same thing. Now, if I posted "the act of opening this letter means you agree to give me all your worldly assets, and none of your debts" and you open it, well, that's fair game because you had the option, and if you weren't a dumbass, you wouldn't open it. That's the difference. Sony is not providing OUTSIDE of the purchase the terms and conditions that you are claiming binds the purchasor, and Sony is NOT refunding your money if you disagree with what you find inside.