Sony Music CDs Contain Mac DRM Software Too
brjndr writes "A MacInTouch poster has found that certain Sony CDs also contain a smaller extra partition for 'enhanced' content. Running one of the applications found within this partition installs kernel extensions containing DRM software by SunnComm. In Sony's defense you're told what is being installed within a EULA which pops up when the program is loaded. Thankfully we all read our EULAs completely."
I think the fact that it asks for your password on install should throw up *some* sort of red flag. And tosses in a rather easy way to get past the DRM.
After a short while, typing in your password becomes as much of an unconscious activity as pressing "OK" on a dialog box. I think we need blinking lights, horns, mandatory timers, and permission from your sysadmin before you can do anything stupid.
According to the comments on the linked page, you have to type in your name/password after agreeing to the EULA. This is really non-standard and hopefully will set off alarms in people's heads when they wonder why they have to do that (OS X doesn't ask for your password often). But something tells me most users will just go ahead and give the app free rein anyway. Not that I blame them, you'd expect to be able to trust Sony, a freaking huge "legitimate" corporation for Pete's sake.
WARNING: If accidentally read, induce vomiting.
Are Sony that determined to bury themselves?
Surely, they realise that it's only going to create a backlash against DRM if they continue this nonsense?
Why yes, I give my admin password out on request!
You would be amazed at what most users will do for music, porn, wallpapers, or screensavers.
Mac OS isn't immune to this kind of crapola - at least not for the average user.
Boy it seems like Sony is just running around pissing everybody off...
Well, I for one pledge to no longer purchase any Sony products. Nor will I buy online music from Sony, purchase any games, or watch any Sony movies until they stop being overbearing assholes with their stuff.
Maybe there ought to be a question when you set up your mac - "rate yourself on a scale of 1-10 on how good you are with computers, and we'll adjust the system alerts accordingly"...
I'm not *so* sure about the after-a-while thing though - I'm struggling to remember any time I had to type in the sysadmin password when I wasn't installing software. If I equate that action with installing stuff, and all I've done is put a CD in to play the damn thing, I'd be pretty curious as to why... Maybe that's just cynical old me, though...
Simon
Physicists get Hadrons!
Who knows how evil the DRM is, once the install is made, but jeebus... talk about an issue of trust (just for the installer)!
Make sure everyone's vote counts: Verified Voting
So, in effect, your computer is at less risk if you download Sony published music from peer to peer networks than if you try to play your Sony CD on your computer. Where's the value proposition?
Joe user: What's this I see? I have to enter my password to play a music CD? Oh no biggy, it's just a music CD. What harm could it do?
That is my concern. The average user sees it comes from Sony, a "trustable" company, and doesn't give it a second thought. A very lethal combo
It will not only bury Sony, but also the DMCA (which actually prohibits you from de-installing the DRM code or even detecting that it's there) and will possibly cripple the credibility of the RIAA, who have been the main driving-force for DRM and the DMCA.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Maybe there ought to be a question when you set up your mac - "rate yourself on a scale of 1-10 on how good you are with computers, and we'll adjust the system alerts accordingly"...
...
You'd have to make it more of a quiz. After all, there's a lot of people that think they know everything but who really don't have a clue (Go to your local computer shop if you don't believe me). It could be pretty funny:
(1) what does RAM stand for?
(2) what is 0xF?
I'm struggling to remember any time I had to type in the sysadmin password when I wasn't installing software.
That's the problem. Clueless mac user is probably expecting to be installing software about then. The CD told them they need a player to see the dancing pigs, for example.
The full details would have to always be readily available, if behind a "Scary Computer Words" button. If novices have a problem, they should be able to give all the information to a sysadmin or tech support, even if they don't understand it.
Goodbye Sony. Hello allofmp3.com.
Ah, yes... Giving credit card numbers to (essentially) unknown foreign agencies that claim to be completely legal. I'm curious if there's a middle ground in there. Perhaps VISA gift cards? Set spending limit, so if they steal your number, they only get your $25 music money? Would that work?
Now that this sort of thing is coming to the Mac, I'll start to think about it more seriously... Given the lax attitude some of us Mac fanatics take to antivirus, one rootkit and one trojan could destroy Apple forever.
Yeah, Sony definitely wants to support all the 30+ platforms out there.
/dev/null or something.
See, it's that sort of naivete that I'm talking about. If Sony put all their information through their Supercalculamotron 4000(TM) and somehow came to the conclusion that it would be in their own interests to invest millions upon millions on fundamentally flawed DRM methods using dubious moral standards, what makes you think that they won't suddenly wake up one morning and think, "Holy shit! Linux users are getting a free lunch! Let's fuck them over somehow! Get First4Internet on the phone, I'm sure they'll be able to come up with something!" If that happened, then the very best you could expect would be a putrid aborted foetus of a DRM clusterfuck. Heaven forbid that a company like First4Internet actually do the job right. Knowing their competency, they'd just manage to send your mp3s to
Obviously *nix is a much more difficult problem for them to deal with... but you're just asking for it by sitting around lazily thinking it could never happen to you.
"rate yourself on a scale of 1-10 on how good you are with computers, and we'll adjust the system alerts accordingly"...
Think what a hell customer support would become: every time something happens the system may respond to the user in 10 different ways.
And if a user logs into another mac (at Internet café, library, university etc..), she will have to know if it's configured for dummies or super-geeks or whatever. I may even add that as she gets used to her mac she will want to try to step to the next level, but the user has to learn again how the system behaves.
And so on.
It has been proposed more than once, but I doubt it will be ever implemented, as it is a usability nightmare.
You can start to "fight this stupidity" by not using Windows.
See, that's the thing. It's easy to say those three words, "Don't use Windows." But it's just not that simple. Hell, it's not even practical. Perhaps it's a bad analogy but it would be like saying to people who are complaining about gas prices, "Don't drive cars that run on gas." It's not as simple as just flicking a fucking switch and bam, you're home free. A lot of people know a thing or two about internal combustion engines and like to tinker around under the hood, but who would know the first fucking thing about a hybrid engine or a hydrogen-powered engine? If you have a problem with your car, you take it to your local friendly mechanic; how far do you have to go to find a mechanic who knows how a hydrogen fuel cell works? Perhaps you need your car to drive to work; what if your workplace doesn't allow you to drive a hybrid car onto the grounds? I used to be a manager at a shipping port and the only vehicles that were allowed on the premises ran on diesel. If your car wasn't a diesel, you weren't allowed within a hundred yards of the port due to safety concerns (tanker refuelling and the transportation of dangerous chemicals were common).
Perhaps I may have gone overboard, but the purpose of the analogy was to demonstrate that there are a plethora of reasons why "not using Windows" just isn't a very likely option. A lot of people find it hard enough trying to understand that there are different browser options out there other than "the blue 'e'", let alone that they could replace their entire operating system. I've played around with a dozen flavors of Linux, UNIX, IRIX and all those others and I'd like to think I'm fairly competent in the field, but that doesn't mean I *like* having to dick around with the stuff. Most people don't look at computers the same way we do and I don't blame them for not wanting to be 'adventurous' when it comes to their PC. Unless you actually enjoy the tinkering, it can seem like a colossal waste of time.
And even if they did, trying to find a good quality source of support for insert-name-of-nix-platform-here is nowhere near as likely as Windows support. Sure, that nephew of the neighbor next door or your friend Bob's brother who's the assistant manager at Costco might not be the greatest person to turn to for Windows advice, but at least it's something tangible to lean on; not just a link to a FAQ from some obscure no-name blog.
Sometimes the environment dictates what OS to use. I've liaised with countless businesses that maintain a Windows-only environment for numerous justifiable reasons. Employees have to use company computers because connecting non-company PCs can cause a security issue, a compliance issue, even a legal issue. Sometimes such a rule is enforced because management got stuck with the bill of having to hire contractors to provide support for additional platforms. Why pay someone else a premium rate just because you have a couple of cowboys who want to use their G4 Powerbooks at work? Fact is, a LOT of people spend a LOT of their time in front of computers which they DON'T own and therefore do not have the final say in how it is configured. They might be allowed to install iTunes or Winamp or maybe even their own choice of email client... but it's wishful thinking if you think that the operating system could be considered a variable.
Don't get me wrong, I agree with pretty much everything you say... but you had me until the final sentence. Sometimes it's just not that simple.
That's the problem. Clueless mac user is probably expecting to be installing software about then. The CD told them they need a player to see the dancing pigs, for example.
You don't need to authenticate to install applications on Mac OS X. Installing applications - like Microsoft Office - involves just dragging the application (or the folder it's in) from the CD into the Applications folder on your hard disk. Even things like Real One Player and Windows Media Player work this way.
When you do actually get a dialog, Mac OS X also tells you what permissions are being requested on the password dialog (e.g. full admin access, or just permission to modify a specific system setting, etc) as well as which application is requesting the permission. In reality, most of the time people see a dialog in Mac OS X which requires authentication, it's because of an interaction with the OS itself (such as changing a system setting) that the user has just performed.
If a user sees an Application (including plugins) requesting this sort of permission that should really ring alarm bells. Only things like new drivers (e.g. for that new camera you just bought) should be asking for things like that.
It's fair to say there is room for some improvement in the dialog in that it should better reflect this (perhaps raising a more severe looking alert when it's anything other than the OS or bundled Application requesting any sort of privileged access, which explains something along the lines of the previous sentence).
On the subject, it could do with some means of forgery protection (things like an embedded image in the window have been suggested) so that you can better trust it's an authentic authentication dialog. If you're paranoid.
Technically Windows allows for roughly this sort of behaviour too (that is, you should never need admin permissions to install a regular application) but the large number of badly written installers - combined with the lack of a K.I.S.S. approach in the OS - seem to have conspired to make admin level access mandatory for even the most mundane tasks.
I bet if vendors (and I include both Apple and Microsoft in that) implemented privilege dialogs that were scary and intimidating enough to users (perhaps with a default action of 'deny') 3rd party application developers wouldn't ask for them unless they really needed those permissions.
In all fairness, Windows requires admin rights for this sort of installation as well. It's just that there's an awful lot of "legitimate" software that needs admin rights as well.
If every fifth app required you to type in your admin password when you started it, the security measure would quickly lose its effectiveness.
What if that movie file is flawed?
The Windows OS only opens an autorun file too; which is linked to an executable; but the principles are just the same, only the practical side is much more exploitable in Windows with its flawed autorun system...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
So: let me get this straight, you modded the grand parent down. Then you posted a comment. Which automatically removes the moderation.
Are you feeling OK today? Would you like someone else to help you to moderate?
(Not me, of course, as by posting I prevent myself from moderating...)
--- My dad's political betting
I'm amazed at moves like this from Sony, because as this DRM chaos goes on, it's actually EASIER to download music illegally than to buy it on CD. Sony are just alienating their paying customers and pushing them to piracy. Idiots.
Jezza, this is not intended to be a personal slam on you. It's more of a general comment.
This is very true - very little Windows software can cope like this, now Windows Vista (aka Longhorn) will work like this by default, so I expect LOTS of software to fail for this reason alone. Hopefully once everything gets updated for Vista we can run our XP boxes in this mode too (which will be much better).
Hope seems to spring eternal in the MS windows world. I've been hearing people say essentially the same thing since NT3.5. It hasn't happened yet, and unfortunately I don't believe it's going to happen with "vista" either. I just want to know how long people are going to fall for this "the next version will fix everything" line we constantly hear from microsoft apologists.
I have nothing but Linux running in my household (1 desktop and 3 laptops). Sometimes my wife is annoyed that she can't do something right out of the box that windows lets you do, but Linux does not. This is especially true of permissions issues. What she doesn't realize is that many times, what she'd wanted to do wouldn't have been possible for a user under windows either, but since she's never not been administrator on windows, she doesn't realize it.
My point is, it is going to be really hard for windows users to change their ways from having administrative rights (and all the horrible pitfalls that entails), to just being a user even if more of the software actually supports user mode correctly.
This is an ex-parrot!
And the reason why it's not going to happen is games. Any game that is available today will simply not run in user mode, be it XP or Vista, simply because their copy-protection schemes require access to some files and registers that a regular user should never have access to. When people get Vista and realize their games don't work, and they either go to forums or call tech support, they will be told that they need to run the game in admin mode. To avoid switching all the time, users will then always use the admin mode, and there goes all the security through the window...
After 3 days without programming, life becomes meaningless
- The Tao of Programming
This should work in most homes, where the parents are the only ones who know the master password. That way the kids can't so easily mess up the whole computer. ALL games even work just fine without the master password, once they are properly set up.
I realize that since you are in IT, you probably do some kind of drugs, but this statement seems over the top. Maybe you accidentally reversed it, because on the last informal survey I've done, it's often kids who need to keep their parents away from trying to "improve" anything.
Never confuse volume with power.
.. I'd call it professionalism.
I've never been so hungry that I would write code like that. If the ethical situation of a job makes you uncomfortable, leave it. That actually plays pretty well while interviewing for your next job. At least for any job you actually want.
Speaking as someone who has actually done quite a bit of engineering hiring, I can say that I do filter people by where they have chosen to work before. I learned that lesson by bitter experience. People joke about "resume stains", but let me tell you as a hiring manager that they are very real.
All of the applications in /Applications are writable by group admin. That's a huge security problem.
/Library and a lot of stuff underneath it is writable by group admin. That's Internet plug-ins, printers, trusted certificates, help files, scripts, some frameworks, stuff in Application Support - a lot of stuff points things at executables, or has scripting capabilities, or is otherwise assumed to be trusted.
Much of the stuff in /Developer is writable by admin. That means something could do a sneak attack, so anything you build and distribute is a virus vector.
There is absolutely no reason to run as an administrator, except to do installations (you can do installations as a non-administrator, but ownership of installed files seems to be cleaner if you always do it from one login, and then the same principle applies - if you do it using your normal login, then some things will be owned by you which means they are vulnerable).
With user switching enabled, there's even less reason to run as an administrator, since you can easily switch back and forth. Even for sudo, all you need to do in a terminal window is su to your admin login first, then you can sudo to your heart's content.
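A way to check the claim in the comment above on your own machine, as an added example that is not part of the original thread: it lists what group `admin` can write under the three directories the comment names and says whether the current login is in that group. The function names are hypothetical; the group name and paths are taken from the comment.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# the group name and the three paths are the ones the comment mentions.

# audit_group_writable GROUP DIR...
# Print every file or directory under each DIR that belongs to GROUP and
# has the group-write bit set, i.e. anything a member of GROUP can modify
# without being asked for a password.
audit_group_writable() {
    grp=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue          # path absent on this system
        # -perm -020 = group-write bit set; symlink modes are meaningless
        find "$dir" -group "$grp" -perm -020 ! -type l -print 2>/dev/null
    done
}

# count_group_writable GROUP DIR... -> number of matching entries
count_group_writable() {
    audit_group_writable "$@" | wc -l | tr -d ' '
}

# is_member USER GROUP -> exit status 0 if USER belongs to GROUP
is_member() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -Fqx "$2"
}

# report [GROUP] -> per-directory summary for the current login
report() {
    g=${1:-admin}
    user=$(id -un 2>/dev/null || echo unknown)
    if is_member "$user" "$g"; then
        echo "$user is in group $g; processes run as $user can modify:"
    else
        echo "$user is not in group $g; not writable through that group:"
    fi
    for d in /Applications /Library /Developer; do
        n=$(count_group_writable "$g" "$d")
        echo "  $d: $n entries owned and writable by group $g"
    done
}

report "$@"
```

Run it once from the everyday login and once from the admin login to compare the two summaries.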