Slashdot Mirror
Sony Music CD's Contain Mac DRM Software Too
brjndr writes "A MacInTouch poster has found that certain Sony CD's also contain a smaller extra partition for 'enhanced' content. Running one of the applications found within this partition installs kernel extensions containing DRM software by SunnComm. In Sony's defense you're told what is being installed within a EULA which pops up when the program is loaded. Thankfully we all read our EULAs completely."
[See my journal entry for my previous comments on this]
To summarise: it's impossible to protect against truly clueless users without severely inconveniencing everyone else, but Mac OS X at least lets you know something dodgy is going on (a request for administration rights, just to play a CD, say what ? No *other* CD's needed that!) I guess it helps to have gorms, though...
THM: It's a difference in attitude. It *does* make a difference.
Simon
Physicists get Hadrons!
I think the fact that it asks for your password on install should throw up *some* sort of red flag. And tosses in a rather easy way to get past the DRM.
According to the comments on the linked page, you have to type in your name/password after agreeing to the EULA. This is really non-standard and hopefully will set off alarms in people's heads when they wonder why they have to do that (OS X doesn't ask for your password often). But something tells me most users will just go ahead and give the app free reign anyway. Not that I blame them, you'd expect to be able to trust Sony, a freaking huge "legitimate" corporation for Pete's sake.
WARNING: If accidentally read, induce vomiting.
are sony that determined to bury themselves?
Surely, they realise that its only going to create a backlash against DRM if they continue this nonsense?
Man, actually buying online music is starting to look more and more like S&M. I can hardly wait 'till they come out with CDs that come with shackles that have to be worn while listening to the CD.
I'm sorry. The number you have reached is imaginary. Please rotate your phone 90 degrees and try again.
Why yes, I give my admin password out on request!
You would be amazed at what most users will do for music, porn, wallpapers, or screensavers.
Mac OS isn't immune to this kind of crapola - at least not for the average user.
Boy it seems like sony is just running around pissing everybody off...
Well, I for one pledge to no longer purchase any sony products. Nor will I buy online music from sony, purchase any games, or watch any sony movies until they stop being overbearing assholes with their stuff.
Who knows how evil the DRM is, once the install is made, but jeebus... talk about an issue of trust (just for the installer)!
Make sure everyone's vote counts: Verified Voting
Autorun is turned off by default on Macs, and there's never a good reason to turn it on. There's no way this could interfere with the usual insert/launch iTunes/click Rip method most people use.
This is a sign that Mac OS X has a large enough userbase for Sony to worry about Mac users stealing music.
A client of mine once got an email instructing telling her that a virus had been installed on her system. She was to immediately locate a file (I think it was COMMAND.COM) and delete it, which would remove the hazard.
She forwarded it on to me (just in case I needed it, you see) and then sent me a second email because the person who sent her the message had trashed their system, and she thought I was about to do same.
When it comes to stupidity among users, I will believe anything
http://michaelsmith.id.au
Reasonable, yes, but legally workable not really, at least according to Sony. The sony eula says you must destroy any and all fair use copies of the music you possess, if you are no longer in possession of the actual cd. What a concept, your car gets robbed, you get cds stolen and then SONY makes you delete any copies you may have. I'd love to see it in court.
So, in effect, your computer is at less risk if you download Sony published music from peer to peer networks than if you try to play your Sony CD on your computer. Where's the value proposition?
Joe user: What's this I see? I have to enter my password to play a music CD? Oh no biggy, its just a music CD. What harm could it do?
That is my concern. The average user sees it comes from Sony, a "trustable" company, and doesn't give it a second thought. A very lethal combothe summary fails to mention that OSX has no autorun. There is no way it can install something behind your back like windows does.
The war with islam is a war on the beast
The war on terror is a war for peace
It will not only bury Sony, but also the DMCA (which actually prohibits you from de-installing the DRM code or even detecting that it's there) and will possibly cripple the credibility of the RIAA, who have been the main driving-force for DRM and the DMCA.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
We may not all read our EULA's. However I have found the following software EULAlyzer really handy in highlighting important items in the EULA.
Its not a substitute for truelly reading the whole EULA, however I find it good at helping me and my customers identify 'dodgy' software.
DSLIP Web Design and Content Management Australia.
Why not find the names of the individual programmers who coded these rootkits, and make sure they're unable to ever get a job ever again? It was perfectly reasonable to keep Communist sympathizers out of Hollywood and government when Senator McCarthy went on his crusade -- why not keep DRM sympathizers out of the programming industry? Treat them like shit, refuse to hire them anywhere, and make them unable to ever afford food and shelter ever again without humiliating welfare subsidies.
Of course, criminals will always hire criminals; a thief will always have a chance at getting hired by the Mafia, so I don't expect this will completely work. Computer companies that have overgrown beyond their event horizon of personal responsibility such as Sony and Microsoft will always be a haven for crooks and guttersnipes. But every responsible company still around should outright refuse to hire anyone who's ever knowingly developed anything related to DRM; conduct background checks on every potential employee's employment history and slam the door in the face of any DRM sympathizer looking for a job.
When can we expect Linux support? I'd like to think that Linux is big enough now to demand proper support from Sony, just like Windows and OSX.
Oh christ, you just reminded me of something-- a great recollection....
//e had some lame-ass program to "meet the machine", it had routines to deal with typists who cheated by using l's for ones s and o's for zeros... if you did this, it went into this little diatrabe about how "to a computer, a 0 and an o are very different things"
My original
Snort...
every day http://en.wikipedia.org/wiki/Special:Random
Ummm..."Ha ha, it doesn't affect us!" At least, none of us who don't type in the administrator password without understanding why we're doing it.
Ha ha, only serious. Seriously, this isn't an "any computer" issue. This is an issue with the only "modern" OS that have been specifically engineered to run arbitrary binaries with privileges without challenging the user. It's isn't a matter of Mac OS X or Linux (or VMS or Solaris or SunOS or VM/CMS) being better, it's a matter of Windows being worse .
This isn't even a matter of Windows' original design, as Dave Cutler's original security model was solid and included a good separation of privileges away from the desktop user, drawing on the last half a century of computing experience. This is a matter of Microsoft Management specifically and intentionally deciding to screw you. They will say it was necessary to make a desktop OS usable by novices - Mac OS X does give the lie to such horseshit (and that is the only place Mac OS X specifically figures in this topic).
Yes, Sony deserves a lot of the blame. But Microsoft deserves just as much. You can start to "fight this stupidity" by not using Windows.
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
Because of OS X default security, even when running as the administrator, you still need to click to run the program, then type in your password. Deceptive, but not really secretive or automatic, thanks to the default Mac security.
;)
In Windows, you just insert the CD. Maybe into someone else's system when their back is turned. Windows OS trusts external content much more than the user sitting at the desk. "Do me", it says.
Unfortunately, people are still stupid enough to follow these ludicrous steps. Remember the teddy bear "virus" in Windows? Consisted only of an email, the instructions to delete a standard Windows exe file, and a directive to resend the email to all of your friends.
PS. Join us... you know you want to.
Everyone is entitled to his own opinions, but not his own facts.
Yeah, Sony definitely wants to support all the 30+ platforms outthere.
/dev/null or something.
See, it's that sort of naivete that I'm talking about. If Sony put all their information through their Supercalculamotron 4000(TM) and somehow came to the conclusion that it would be in their own interests to invest millions upon millions on fundamentally flawed DRM methods using dubious moral standards, what makes you think that they won't suddenly wake up one morning and think, "Holy shit! Linux users are getting a free lunch! Let's fuck them over somehow! Get First4Internet on the phone, I'm sure they'll be able to come up with something!" If that happened, then the very best you could expect would be a putrid aborted foetus of a DRM clusterfuck. Heaven forbid that a company like First4Internet actually do the job right. Knowing their competency, they'd just manage to send your mp3s to
Obviously *nix is a much more difficult problem for them to deal with... but you're just asking for it by sitting around lazily thinking it could never happen to you.
I just renewed my living-room home-entertainment system for almost 5000 euros. The two finalists were a all Sony set vs. Panasonic + Harman Kardon + Infinity. Guess which finalist got my money after reading up on the Sony DRM scheme... Yep, I'm a happy Panasonic+HK+Infinty owner. Added a One-for-All remote and the functionality is pretty much the same as using a complete set from the same vendor.
And this was definitely the last time I even consider Sony. Forget the new Playstation, if I have to choose from the two bad options M$ vs. Sony my money goes to M$ in this case.
As big a fan as I am of the Van Zant brothers, I just can't think of buying the album after all this. Luckily it was available without DRM somewhere else. It's a shame for the artists though, they didn't get thei $0.50 or whatever they make per sold CD.
I know my 5000 doesn't bankrupt Sony but if more of us start voting with our wallets maybe they will realize they can't keep on shafting customers every chance they get.
It may sound paranoid, but once they start messing with the kernel, you really don't know what they're going to do...
The CB App. What's your 20?
"November 8, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers. Please note, Service Pack 2a is a maintenance release designed to reduce the file size of Service Pack 2. It includes all previous fixes found in Service Pack 1 and Service Pack 2."
http://cp.sonybmg.com/xcp/english/updates.htmlHMM it does not compromise security? It installs a root kit, then it lets people hide a trojan on your computer. Who needs sony anyway, I have my game cube and X-box.
Citibank (I think) has a credit card mask generator. You can generate a credit card number for use online and then you tell the credit card company the spending and number of transations limits. You get a safe, one time use credit card number.
http://brandonbloom.name
What if that movie file is flawed?
The Windows OS only opens a autorun file too; which is linked to a executable; but the principles are just the same, only the practical side is much more exploitable in Windows with its flawed autorun system...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I spend most of my time on a Mac (at work) but have a PC at home. If I had the money for a new computer I'd buy a Mac, but everytime I think of ditching my PC altogether I have to stop and think...
well, I won't be able to play most of the games I bought anymore...and there's an application or two that's Windows only that I need occasionally...
It pisses me off because I don't want to use Windows. I guess I could live without the old games, but there have been many times where I think, well, at least I can just open that in windows and re-save it.
The best situation I can see is that OS X and/or Linux gets enough market share so that it's common for certain businesses/people to have a PC for occasional compatibility purposes only, which will lead to Mac/Linux converters that will eliminate the need for a PC, so that 100% Mac/Linux shops will have to be a consideration at least.
If I may go on a tangent here...
I used to work at a pre-press company (my title was "Mac Operator" which I always thought would be a cool 80's rap name. I'd change it to "Mac O" in the 90's [a la P. Diddy], then to "MOpe" around 2003). Anyway, we had one WinNT machine we kept around for the clients who were too low-scale to realize that all print work was done on Macs.
Any Windows job was a guaranteed pain-in-the-ass, mostly for compatibility reasons, but also because WinNT was stupid about networking and printing issues. It always seemed stupid to me that, while we printed to million dollar imagesetters and had clients like the Dell computer catalog, we had to keep this red-deaded stepchiled to run a Windows version of Quark (or for the real low-rent clients who submitted Windows Pagemaker files).
I'm a video editor now, and I still get annoyed when someone wants a non-Quicktime movie file. Some of the blame surely lies with Apple who won't even let you import an MP3 into Final Cut Pro unless you convert it into a Quicktime file first, but for the most part Apple tries to be universal, whereas Microsoft's attitude is "Fuck everyone else. If you're not using .avis and Word .docs you can go screw yourself."
Thank god that blu-ray won out so we don't have do deal with even more forced-incompatibility issues. I just want shit to work. I'm not totally computer-illiterate (I know enough to install a new OS, or random expansion card, or hard drive. I've used Linux a bit on my personal computer), but when there's work to be done I don't want to have to use Google to search for the best way to convert a file or get a random piece of PC hardware to work on a Mac.
Well.. Let see... I will NOT be buying the following:
1. Sony music CD's
2. Sony HD TV
3. Sony Playstation 3 and games
4. Sony Bluray DVD player
5. Sony Ericson phones
6. Sony VAIO laptop
7. Sony DVD burner
8. Sony digital camera
9. Sony video recorder
The only way Sony will regain my trust is if they were to:
1. publically admit that what they did was wrong
2. put a link on sony.com to a page explaining what exactly happened and provide software to uninstall the rootkit
3. recall all CD's on the shelf containing rootkit DRM
4. offer replacement CD's to all customers
Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia)
from the eff
Perhaps this DRM is your punishment for listening to Ricky Martin and Celine Dion?
A mate installs a Windows XP OEM version onto a PC. Activates it and everything is sweet. A few days later his pc is stolen. So he buys a new PC, because he still has the Windows XP CD, the manual, the license and all the little stickers, he goes to install it on the new PC. It wont activate. He rings Microsoft. They refuse to activate the software since its been activated on another pc, and that violates the OEM license. They suggest he reports it to his insurance company as stolen and they can pay for a new license.
So they encourage him to commit insurance fraud as the software has not been stolen, because he has all the software and the licenses to run it.
In Soviet Russia the insensitive clod is YOU!
The problem with these EULAs are that they are so verbose that any important facts are lost and I believe that is the intention.
That is how these Spyware companies gain "permission" and certainly how Sony has gained "permission" to install anything they want. Most users aren't able to read a 5 page legal document squeezed into a tiny little box very effectively.
We need to write our Congressmen and Senators and tell them that EULAs should be simplified, even standardized. I'd even suggest that some sort of color coding be required to indicate the severity of changes to be made. Unlike Homeland Security's approach, I suggest three simple colors: GREEN, YELLOW, RED (You might recognize these colors from your local STOPLIGHT).
GREEN - This EULA just contains standard legal protections of the company for their software.
YELLOW - This application will install some components to run at the same permission level as the user.
RED - This application will install SYSTEM-LEVEL COMPONENTS.
This may not be perfect, but the 10-pages of legal mumbo-jumbo is hard for even the paranoid to go through. For example, I installed several updates to my Mac OS X system (10.4.3, Java, Quicktime, iTunes, Airport) and EACH ONE contained an EULA that was extremely long.
The current system is broken and, unfortunately, we need to change the law to fix it because I know that the large companies with their lawyers have no intention of fixing it.
This kind of thing really illustrates Mac OS X's malware resiliency. There is no CD auto-run, so there is no way for these extensions to even be installed without the user manually double-clicking on this Start.app thing. From there, the user has to enter his administrator password, assuming he's an administrator on the machine. Only then will this DRM software get installed. So I don't expect this to cause too much trouble.
And even after that, it's not the gigantic pain in the ass to remove that the Windows stuff is. Removal is a simple matter of unloading the kernel extensions and deleting them with administrator privileges. For some reason, Windows seems to facilitate the development of software that installs silently and is utterly impossible to remove.
This is why it's not just the popularity factor that keeps OS X malware-free. It's a solid design based around the idea of minimal automation and least privileges needed. Even if OS X was twice as popular, any malware would still have the same hurdles to jump through.