Sony Music CD's Contain Mac DRM Software Too
brjndr writes "A MacInTouch poster has found that certain Sony CD's also contain a smaller extra partition for 'enhanced' content. Running one of the applications found within this partition installs kernel extensions containing DRM software by SunnComm. In Sony's defense you're told what is being installed within a EULA which pops up when the program is loaded. Thankfully we all read our EULAs completely."
[See my journal entry for my previous comments on this]
To summarise: it's impossible to protect against truly clueless users without severely inconveniencing everyone else, but Mac OS X at least lets you know something dodgy is going on (a request for administration rights, just to play a CD, say what ? No *other* CD's needed that!) I guess it helps to have gorms, though...
THM: It's a difference in attitude. It *does* make a difference.
Simon
Physicists get Hadrons!
I think the fact that it asks for your password on install should throw up *some* sort of red flag. And tosses in a rather easy way to get past the DRM.
a request for administration rights Oh, yeah I love to have to be root to play a CD...
According to the comments on the linked page, you have to type in your name/password after agreeing to the EULA. This is really non-standard and hopefully will set off alarms in people's heads when they wonder why they have to do that (OS X doesn't ask for your password often). But something tells me most users will just go ahead and give the app free rein anyway. Not that I blame them, you'd expect to be able to trust Sony, a freaking huge "legitimate" corporation for Pete's sake.
WARNING: If accidentally read, induce vomiting.
Business idea:
Customers buy DRM CDs and hand them over to you. You give them back a copy of the CD with the DRM removed, for the cost of the blank CD and a small service fee. Hold onto the original CD with customer records as evidence that the customer bought the CD and has the right to copy for personal use.
Not workable?
Jesus saved me from my past. He can save you as well.
Are Sony that determined to bury themselves?
Surely, they realise that it's only going to create a backlash against DRM if they continue this nonsense?
Man, actually buying online music is starting to look more and more like S&M. I can hardly wait 'till they come out with CDs that come with shackles that have to be worn while listening to the CD.
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
Why yes, I give my admin password out on request!
You would be amazed at what most users will do for music, porn, wallpapers, or screensavers.
Mac OS isn't immune to this kind of crapola - at least not for the average user.
Boy it seems like Sony is just running around pissing everybody off...
Well, I for one pledge to no longer purchase any Sony products. Nor will I buy online music from Sony, purchase any games, or watch any Sony movies until they stop being overbearing assholes with their stuff.
Who knows how evil the DRM is, once the install is made, but jeebus... talk about an issue of trust (just for the installer)!
Make sure everyone's vote counts: Verified Voting
Autorun is turned off by default on Macs, and there's never a good reason to turn it on. There's no way this could interfere with the usual insert/launch iTunes/click Rip method most people use.
This is a sign that Mac OS X has a large enough userbase for Sony to worry about Mac users stealing music.
A client of mine once got an email telling her that a virus had been installed on her system. She was to immediately locate a file (I think it was COMMAND.COM) and delete it, which would remove the hazard.
She forwarded it on to me (just in case I needed it, you see) and then sent me a second email because the person who sent her the message had trashed their system, and she thought I was about to do the same.
When it comes to stupidity among users, I will believe anything
http://michaelsmith.id.au
Fuck 'em. Really. In the ass. With a chili pepper.
In the past I've made a point of buying stuff I liked, either on CD or from an online retailer (iTunes).
Well, Sony just lost my business. And fuck them if they think I am going to subsidize this bullshit.
Goodbye Sony. Hello allofmp3.com.
If you walk the corridors of Sony Music right now all you can hear is the sound of a toilet flushing.
I'm not wrong. You haven't thought about it hard enough.
Windows is like decaf - it tastes like the real thing, but it won't get you through the day.
So, in effect, your computer is at less risk if you download Sony published music from peer to peer networks than if you try to play your Sony CD on your computer. Where's the value proposition?
The summary fails to mention that OS X has no autorun. There is no way it can install something behind your back like Windows does.
The war with islam is a war on the beast
The war on terror is a war for peace
It will not only bury Sony, but also the DMCA (which actually prohibits you from de-installing the DRM code or even detecting that it's there) and will possibly cripple the credibility of the RIAA, who have been the main driving-force for DRM and the DMCA.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
We may not all read our EULA's. However I have found the following software EULAlyzer really handy in highlighting important items in the EULA.
It's not a substitute for truly reading the whole EULA, however I find it good at helping me and my customers identify 'dodgy' software.
DSLIP Web Design and Content Management Australia.
Why not find the names of the individual programmers who coded these rootkits, and make sure they're unable to ever get a job ever again? It was perfectly reasonable to keep Communist sympathizers out of Hollywood and government when Senator McCarthy went on his crusade -- why not keep DRM sympathizers out of the programming industry? Treat them like shit, refuse to hire them anywhere, and make them unable to ever afford food and shelter ever again without humiliating welfare subsidies.
Of course, criminals will always hire criminals; a thief will always have a chance at getting hired by the Mafia, so I don't expect this will completely work. Computer companies that have overgrown beyond their event horizon of personal responsibility such as Sony and Microsoft will always be a haven for crooks and guttersnipes. But every responsible company still around should outright refuse to hire anyone who's ever knowingly developed anything related to DRM; conduct background checks on every potential employee's employment history and slam the door in the face of any DRM sympathizer looking for a job.
When can we expect Linux support? I'd like to think that Linux is big enough now to demand proper support from Sony, just like Windows and OSX.
Oh christ, you just reminded me of something-- a great recollection....
//e had some lame-ass program to "meet the machine", it had routines to deal with typists who cheated by using l's for ones and o's for zeros... if you did this, it went into this little diatribe about how "to a computer, a 0 and an o are very different things"
My original
Snort...
every day http://en.wikipedia.org/wiki/Special:Random
Ummm..."Ha ha, it doesn't affect us!" At least, none of us who don't type in the administrator password without understanding why we're doing it.
Ha ha, only serious. Seriously, this isn't an "any computer" issue. This is an issue with the only "modern" OS that has been specifically engineered to run arbitrary binaries with privileges without challenging the user. It isn't a matter of Mac OS X or Linux (or VMS or Solaris or SunOS or VM/CMS) being better, it's a matter of Windows being worse.
This isn't even a matter of Windows' original design, as Dave Cutler's original security model was solid and included a good separation of privileges away from the desktop user, drawing on the last half a century of computing experience. This is a matter of Microsoft Management specifically and intentionally deciding to screw you. They will say it was necessary to make a desktop OS usable by novices - Mac OS X does give the lie to such horseshit (and that is the only place Mac OS X specifically figures in this topic).
Yes, Sony deserves a lot of the blame. But Microsoft deserves just as much. You can start to "fight this stupidity" by not using Windows.
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
Because of OS X default security, even when running as the administrator, you still need to click to run the program, then type in your password. Deceptive, but not really secretive or automatic, thanks to the default Mac security.
;)
In Windows, you just insert the CD. Maybe into someone else's system when their back is turned. Windows OS trusts external content much more than the user sitting at the desk. "Do me", it says.
Unfortunately, people are still stupid enough to follow these ludicrous steps. Remember the teddy bear "virus" in Windows? Consisted only of an email, the instructions to delete a standard Windows exe file, and a directive to resend the email to all of your friends.
PS. Join us... you know you want to.
Everyone is entitled to his own opinions, but not his own facts.
Yeah, Sony definitely wants to support all the 30+ platforms out there.
/dev/null or something.
See, it's that sort of naivete that I'm talking about. If Sony put all their information through their Supercalculamotron 4000(TM) and somehow came to the conclusion that it would be in their own interests to invest millions upon millions on fundamentally flawed DRM methods using dubious moral standards, what makes you think that they won't suddenly wake up one morning and think, "Holy shit! Linux users are getting a free lunch! Let's fuck them over somehow! Get First4Internet on the phone, I'm sure they'll be able to come up with something!" If that happened, then the very best you could expect would be a putrid aborted foetus of a DRM clusterfuck. Heaven forbid that a company like First4Internet actually do the job right. Knowing their competency, they'd just manage to send your mp3s to
Obviously *nix is a much more difficult problem for them to deal with... but you're just asking for it by sitting around lazily thinking it could never happen to you.
I just renewed my living-room home-entertainment system for almost 5000 euros. The two finalists were an all-Sony set vs. Panasonic + Harman Kardon + Infinity. Guess which finalist got my money after reading up on the Sony DRM scheme... Yep, I'm a happy Panasonic+HK+Infinity owner. Added a One-for-All remote and the functionality is pretty much the same as using a complete set from the same vendor.
And this was definitely the last time I even consider Sony. Forget the new Playstation, if I have to choose from the two bad options M$ vs. Sony my money goes to M$ in this case.
As big a fan as I am of the Van Zant brothers, I just can't think of buying the album after all this. Luckily it was available without DRM somewhere else. It's a shame for the artists though, they didn't get their $0.50 or whatever they make per sold CD.
I know my 5000 doesn't bankrupt Sony but if more of us start voting with our wallets maybe they will realize they can't keep on shafting customers every chance they get.
It may sound paranoid, but once they start messing with the kernel, you really don't know what they're going to do...
The CB App. What's your 20?
"November 8, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers. Please note, Service Pack 2a is a maintenance release designed to reduce the file size of Service Pack 2. It includes all previous fixes found in Service Pack 1 and Service Pack 2."
http://cp.sonybmg.com/xcp/english/updates.html
HMM it does not compromise security? It installs a root kit, then it lets people hide a trojan on your computer. Who needs sony anyway, I have my game cube and X-box.
You can start to "fight this stupidity" by not using Windows.
See, that's the thing. It's easy to say those three words, "Don't use Windows." But it's just not that simple. Hell, it's not even practical. Perhaps it's a bad analogy but it would be like saying to people who are complaining about gas prices, "Don't drive cars that run on gas." It's not as simple as just flicking a fucking switch and bam, you're home free. A lot of people know a thing or two about internal combustion engines and like to tinker around under the hood, but who would know the first fucking thing about a hybrid engine or a hydrogen-powered engine? If you have a problem with your car, you take it to your local friendly mechanic; how far do you have to go to find a mechanic who knows how a hydrogen fuel cell works? Perhaps you need your car to drive to work; what if your workplace doesn't allow you to drive a hybrid car onto the grounds? I used to be a manager at a shipping port and the only vehicles that were allowed on the premises ran on diesel. If your car wasn't a diesel, you weren't allowed within a hundred yards of the port due to safety concerns (tanker refuelling and the transportation of dangerous chemicals were common).
Perhaps I may have gone overboard, but the purpose of the analogy was to demonstrate that there are a plethora of reasons why "not using Windows" just isn't a very likely option. A lot of people find it hard enough trying to understand that there are different browser options out there other than "the blue 'e'", let alone that they could replace their entire operating system. I've played around with a dozen flavors of Linux, UNIX, IRIX and all those others and I'd like to think I'm fairly competent in the field, but that doesn't mean I *like* having to dick around with the stuff. Most people don't look at computers the same way we do and I don't blame them for not wanting to be 'adventurous' when it comes to their PC. Unless you actually enjoy the tinkering, it can seem like a colossal waste of time.
And even if they did, trying to find a good quality source of support for insert-name-of-nix-platform-here is nowhere near as likely as Windows support. Sure, that nephew of the neighbor next door or your friend Bob's brother who's the assistant manager at Costco might not be the greatest person to turn to for Windows advice, but at least it's something tangible to lean on; not just a link to a FAQ from some obscure no-name blog.
Sometimes the environment dictates what OS to use. I've liaised with countless businesses that maintain a Windows-only environment for numerous justifiable reasons. Employees have to use company computers because connecting non-company PCs can cause a security issue, a compliancy issue, even a legal issue. Sometimes such a rule is enforced because management got stuck with the bill of having to hire contractors to provide support for additional platforms. Why pay someone else a premium rate just because you have a couple of cowboys who want to use their G4 Powerbooks at work? Fact is, a LOT of people spend a LOT of their time in front of computers which they DON'T own and therefore do not have the final say in how it is configured. They might be allowed to install iTunes or Winamp or maybe even their own choice of email client... but it's wishful thinking if you think that the operating system could be considered a variable.
Don't get me wrong, I agree with pretty much everything you say... but you had me until the final sentence. Sometimes it's just not that simple.
No, he forgot to mention how many people here think it's a piece of shit and refuse to buy it... while anxiously waiting for their torrent to complete.
Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
...and it runs much snappier!
Do not be alarmed. This is only a test.
What if that movie file is flawed?
The Windows OS only opens an autorun file too, which is linked to an executable; but the principles are just the same, only the practical side is much more exploitable in Windows with its flawed autorun system...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
Just look for the Compact Disc Digital Audio mark on the case, anything with that mark is a pure audio CD, it has to be otherwise Philips won't let them use that mark.
Granted, this will also include any mixed mode CDs with bonus video content, but what's to stop that data layer from trying to install DRM?
Music is everybody's possession.
It's only publishers who think that people own it.
Fuck Beta
~John Lenno
I spend most of my time on a Mac (at work) but have a PC at home. If I had the money for a new computer I'd buy a Mac, but every time I think of ditching my PC altogether I have to stop and think...
well, I won't be able to play most of the games I bought anymore...and there's an application or two that's Windows only that I need occasionally...
It pisses me off because I don't want to use Windows. I guess I could live without the old games, but there have been many times where I think, well, at least I can just open that in windows and re-save it.
The best situation I can see is that OS X and/or Linux gets enough market share so that it's common for certain businesses/people to have a PC for occasional compatibility purposes only, which will lead to Mac/Linux converters that will eliminate the need for a PC, so that 100% Mac/Linux shops will have to be a consideration at least.
If I may go on a tangent here...
I used to work at a pre-press company (my title was "Mac Operator" which I always thought would be a cool 80's rap name. I'd change it to "Mac O" in the 90's [a la P. Diddy], then to "MOpe" around 2003). Anyway, we had one WinNT machine we kept around for the clients who were too low-scale to realize that all print work was done on Macs.
Any Windows job was a guaranteed pain-in-the-ass, mostly for compatibility reasons, but also because WinNT was stupid about networking and printing issues. It always seemed stupid to me that, while we printed to million dollar imagesetters and had clients like the Dell computer catalog, we had to keep this red-headed stepchild to run a Windows version of Quark (or for the real low-rent clients who submitted Windows Pagemaker files).
I'm a video editor now, and I still get annoyed when someone wants a non-Quicktime movie file. Some of the blame surely lies with Apple who won't even let you import an MP3 into Final Cut Pro unless you convert it into a Quicktime file first, but for the most part Apple tries to be universal, whereas Microsoft's attitude is "Fuck everyone else. If you're not using .avis and Word .docs you can go screw yourself."
Thank god that blu-ray won out so we don't have to deal with even more forced-incompatibility issues. I just want shit to work. I'm not totally computer-illiterate (I know enough to install a new OS, or random expansion card, or hard drive. I've used Linux a bit on my personal computer), but when there's work to be done I don't want to have to use Google to search for the best way to convert a file or get a random piece of PC hardware to work on a Mac.
Well.. Let's see... I will NOT be buying the following:
1. Sony music CD's
2. Sony HD TV
3. Sony Playstation 3 and games
4. Sony Bluray DVD player
5. Sony Ericsson phones
6. Sony VAIO laptop
7. Sony DVD burner
8. Sony digital camera
9. Sony video recorder
The only way Sony will regain my trust is if they were to:
1. publicly admit that what they did was wrong
2. put a link on sony.com to a page explaining what exactly happened and provide software to uninstall the rootkit
3. recall all CD's on the shelf containing rootkit DRM
4. offer replacement CD's to all customers
No, no, no, no and no. If I have a CD that has some audio tracks and a data track on it, it is just a perfectly standards conforming multisession CD. I personally own many such discs with CD-DA logo printed on them (no DRM, just some videos etc.). If a data track on a disc happens to have a file called autorun.inf, that tells Windows to execute another file called InstallDRMRootkit.exe, it won't make the disc itself any way non-standard. CD standard does not dictate contents of a data track!
The myth that no copyprotected CDs are standards conforming comes from the older generation copy protections, which relied on deliberate redbook errors and unclosed data sessions instead of Windows' autorun.
Besides, many standard discs without DRM no longer have any CD-DA logos printed on them either.
“Wait for Hurd if you want something real” –Linus
Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia)
from the EFF
Perhaps this DRM is your punishment for listening to Ricky Martin and Celine Dion?
Well, I hate to break it to you then, but this does show how OS X is better. ;-) Note how a window popped up before the DRM was able to be installed, and required user input. That is the default under OS X, and it's such a simple thing that it baffles to no end why MS hasn't implemented it. It's basically "thou shalt not install ANYTHING without user approval in the form of their password".
That's not exactly stupidity. Maybe ignorance or just being uninformed is a better term to use. A LONG time back, my dad was trying to free up disk space on our DOS machine, which basically meant going through the drive deleting files we didn't use or that we didn't need, etc. It all went pretty good, until he looked in c:\ and saw command.com, thought "we never run THAT program!", and deleted it.
Do not read this sig!
Installers can install a lot of things without asking for a password. This is a *good* thing, otherwise you'd always have to enter your password to do anything, and hence it would lose all meaning. For example, an installer can add files to /Applications without a password, but if it wants to delete anything in /Applications, it needs the password to work. Of course most Mac apps install by drag-and-drop, but there you go.
A mate installs a Windows XP OEM version onto a PC. Activates it and everything is sweet. A few days later his PC is stolen. So he buys a new PC, because he still has the Windows XP CD, the manual, the license and all the little stickers, he goes to install it on the new PC. It won't activate. He rings Microsoft. They refuse to activate the software since it's been activated on another PC, and that violates the OEM license. They suggest he reports it to his insurance company as stolen and they can pay for a new license.
So they encourage him to commit insurance fraud as the software has not been stolen, because he has all the software and the licenses to run it.
In Soviet Russia the insensitive clod is YOU!
The problem with these EULAs is that they are so verbose that any important facts are lost and I believe that is the intention.
That is how these Spyware companies gain "permission" and certainly how Sony has gained "permission" to install anything they want. Most users aren't able to read a 5 page legal document squeezed into a tiny little box very effectively.
We need to write our Congressmen and Senators and tell them that EULAs should be simplified, even standardized. I'd even suggest that some sort of color coding be required to indicate the severity of changes to be made. Unlike Homeland Security's approach, I suggest three simple colors: GREEN, YELLOW, RED (You might recognize these colors from your local STOPLIGHT).
GREEN - This EULA just contains standard legal protections of the company for their software.
YELLOW - This application will install some components to run at the same permission level as the user.
RED - This application will install SYSTEM-LEVEL COMPONENTS.
This may not be perfect, but the 10-pages of legal mumbo-jumbo is hard for even the paranoid to go through. For example, I installed several updates to my Mac OS X system (10.4.3, Java, Quicktime, iTunes, Airport) and EACH ONE contained an EULA that was extremely long.
The current system is broken and, unfortunately, we need to change the law to fix it because I know that the large companies with their lawyers have no intention of fixing it.
This should work in most homes, where the parents are the only ones who know the master password. That way the kids can't so easily mess up the whole computer. ALL games even work just fine without the master password, once they are properly set up.
I realize that since you are in IT, you probably do some kind of drugs, but this statement seems over the top. Maybe you accidentally reversed it, because on the last informal survey I've done, it's often kids who need to keep their parents away from trying to "improve" anything.
Never confuse volume with power.
This kind of thing really illustrates Mac OS X's malware resiliency. There is no CD auto-run, so there is no way for these extensions to even be installed without the user manually double-clicking on this Start.app thing. From there, the user has to enter his administrator password, assuming he's an administrator on the machine. Only then will this DRM software get installed. So I don't expect this to cause too much trouble.
And even after that, it's not the gigantic pain in the ass to remove that the Windows stuff is. Removal is a simple matter of unloading the kernel extensions and deleting them with administrator privileges. For some reason, Windows seems to facilitate the development of software that installs silently and is utterly impossible to remove.
This is why it's not just the popularity factor that keeps OS X malware-free. It's a solid design based around the idea of minimal automation and least privileges needed. Even if OS X was twice as popular, any malware would still have the same hurdles to jump through.
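An audit for the situation the comment above describes, as an added example that is not part of the original thread: it filters `kextstat`-style output for loaded kernel extensions outside Apple's `com.apple.` namespace. The sample rows, the `com.example.*` and `org.example.*` bundle identifiers, and the function names are constructed placeholders, not the names of any real DRM component.

```shell
#!/bin/sh
# Added example: report loaded kernel extensions that are not Apple's.
# Input is the text printed by `kextstat` on Mac OS X; the columns are
# Index Refs Address Size Wired Name (Version) <Linked Against>.

# Constructed sample, not captured from a real machine. The *.example.*
# identifiers are placeholders for whatever a third-party installer added.
SAMPLE_KEXTSTAT='Index Refs Address    Size       Wired      Name (Version) <Linked Against>
    1    1 0x0        0x0        0x0        com.apple.kernel (8.3.0)
    2   12 0x0        0x0        0x0        com.apple.kpi.bsd (8.3.0)
   11   24 0x5cd000   0x11000    0x10000    com.apple.iokit.IOPCIFamily (1.7) <7 6 5 4>
   87    0 0x2e9f1000 0x4000     0x3000     com.example.drm.filter (1.0.2) <11 5 4 2>
   88    0 0x2ea10000 0x6000     0x5000     com.example.drm.cdwatch (1.0.2) <87 5 4 2>
   90    0 0x2eb00000 0x3000     0x2000     org.example.usbserial (2.2) <5 4 2>'

# third_party_kexts (hypothetical name): read kextstat text on stdin and
# print "bundle-id version" for every loaded kext whose identifier is not
# in the com.apple. namespace.
third_party_kexts() {
    awk '
        $1 !~ /^[0-9]+$/      { next }   # header or blank line
        NF < 7                { next }   # malformed row, no version column
        $6 ~ /^com\.apple\./  { next }   # shipped with the OS
        {
            ver = $7
            gsub(/[()]/, "", ver)        # "(1.0.2)" -> "1.0.2"
            print $6, ver
        }
    '
}

# count_third_party (hypothetical name): number of non-Apple kexts found
# in the kextstat text passed as the first argument.
count_third_party() {
    printf '%s\n' "$1" | third_party_kexts | wc -l | tr -d ' '
}

# On a Mac, audit the live system; elsewhere, run on the constructed sample.
if command -v kextstat >/dev/null 2>&1; then
    kextstat | third_party_kexts
else
    printf '%s\n' "$SAMPLE_KEXTSTAT" | third_party_kexts
fi
```

Anything this lists that you did not knowingly install is worth tracing back to its bundle under /System/Library/Extensions before deciding whether it belongs there.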
.. I'd call it professionalism.
I've never been so hungry that I would write code like that. If the ethical situation of a job makes you uncomfortable, leave it. That actually plays pretty well while interviewing for your next job. At least for any job you actually want.
Speaking as someone who has actually done quite a bit of engineering hiring, I can say that I do filter people by where they have chosen to work before. I learned that lesson by bitter experience. People joke about "resume stains", but let me tell you as a hiring manager that they are very real.