Bad Day To Be Sony
Not only is Sony no longer selling the RootKit CDs, Arend writes "According to a USAToday article, Sony is to pull their controversial rootkit CDs from store shelves." A nice gesture, but a little late. bos writes "Sony's DRM rootkit has been found by Dan Kaminsky to have infected at least half a million networks, according to an article by Quinn Norton for Wired News. Dan has even put together some pretty pictures of the breadth of the infection." With so many people infected, it's unfortunate that wiredog writes "From The Washington Post comes the news that serious security flaws have been found in the software that Sony is distributing to users who want to remove the Sony rootkit. The article says: 'Because of the way the tool is configured ... it allows any Web page that the user subsequently visits to download, install and run any code that it likes.'" Oops. Even Microsoft is getting into the act. ares284 writes "Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows."
sony should die fp
I'm sure they'll find some sort of way to cheer themselves up...
Read the comments for this protected disc by Van Zant on the Sony label.
OUCH.
Trolling is a art,
http://lwn.net/SubscriberLink/160023/27b2a2ec75f1981b/
From Sony regarding the XCP CD, received today in an email: Sony has already addressed the issue of the security concerns via the Service Pack 2 update on our website. According to the terms of the EULA that you agreed to when first installing our software, you agreed to obtain and install any recommended updates. All major security vendors and Microsoft have announced that the installation of the SP2 update removes their concerns over the original technology used on our CDs. Sony BMG does not offer a refund/return program for this product.
I just found the website claiming to lead the charge http://www.boycottsony.us/ in the boycott.
I've been including information I think is important about the Sony case on my blog too since the story broke, but other sites have much more detail. I just try to break it down so the average joe knows what's going on if their brain turns off at acronyms like DRM.
Saskboy's blog is good. 9 out of 10 dentists agree.
RTFA. DNS cache is what he said.
American Express charges more than most major credit cards and companies that live on thin margins often times will not accept American Express.
This is very prevalent at places like computer shows where they quote cash prices and charge a percentage extra to cover credit cards - American Express will almost always cost you more to use than a Visa or MasterCard in such a situation.
To me, not taking American Express is a way of saying "we're doing everything we can to keep our prices as low as possible and pass the savings along to you!"
Now, I'm sure that someone will point out that Wal-Mart accepts AmEx, but I'd be willing to bet you that someone from Wal-Mart went to AmEx and said "here's the deal - reduce your cost to us or you're out" - and I think we can all guess the outcome of that...
A computer once beat me at chess, but it was no match for me at kick boxing -- Emo Phillips
A bit of info about it can be found here:
http://www.the-interweb.com/serendipity/index.php?/archives/52-Is-Sony-in-violation-of-the-LGPL-Part-II.html
"Why hasn't Sony been raided by the Feds, yet?"
Two words: campaign contributions.
also
If you believe a Sony Music product has a manufacturing defect, please call our Quality Management Department at 800-255-7514 (856-722-8224 in New Jersey).
There is much cruelty in the universe, John.
Yeah, we seem to have the tour map.
Two years ago I stopped buying Belkin products after their routers started redirecting port 80 queries to their own adservers. Can't say that I miss 'em.
How do those who are active boycotters stick to it? Do you actively pursue telling others, or is it just a "one person, one dollar, one vote" kind of life lead?
Good question.
Work on the assumption that you are going it alone but don't be afraid to have an impact. When your friends ask your advice (and, like it or not, they will) tell them. Don't get evangelical--just point out how that company's policies can or might affect them. In Sony's case it is pretty easy: the best one can say about Sony is that they used to be great. Sony's big ticket items in particular are shoddy compared to what they used to be: I don't know anyone who has bought a Sony TV, stereo or computer in the last five years and been completely satisfied with it. They are also establishing a strong tradition of anti-customer business practices and technologies. Your friends aren't stupid, they can put the dots together and decide what a Sony TV is likely to mean in terms of being able to fully enjoy the next generation of media.
For media, it is a lot harder. Shady businesses with dodgy products don't hesitate to hide behind dozens of brands and Sony/BMG is no exception. The best bet for music is to just assume that all media companies are Sony unless you know otherwise.
Don't be afraid to use the influence you have. If you know lawyers, ask them about the legal ramifications. If you know record store owners, ask how it impacts them. Ditto for artists, politicians and systems architects. Don't tell them, let them tell you. What's more important than the immediate answer is to let them mull on the question.
Finally, don't be afraid to discuss this around the water cooler. Again, don't get evangelical, just express your amusement and disbelief at Sony's actions. You would be surprised what you learn.
According to the feedback page for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect".
It would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.
The war between the states is what the southerners like to call the civil war, as they viewed things with an emphasis on states' rights. Big government did not come in until the 20th century under Theodore Roosevelt. I do not even recall a national income tax before WWI. Lincoln was not a radical liberal like those in the south believed. It was only a justification for the separatists to declare independence. Most of the big government came during the depression, which was 70 years later.
My macroeconomics 101 class taught me that governmental services are public goods. Public goods need to be run by the government since the private sector won't produce a public good if the free rider dilemma hurts profits. Without the public sector we would have a market failure. How would these free enterprises deliver their goods without roads? What if all we had were toll roads? How would they hurt prices? How about lack of schools, since only the rich then could afford private schools? How efficient would your workers be if a third could not read? There is a reason why corporate offices are based in the US and not India or China even though outsourcing has started there. It's because Americans are more efficient because they are better educated. There is a vast difference in education between the poor and wealthy in China and India.
The macro economy is inherently unstable and classic economic theory as you hold it has been proven false time and time again. The market mechanism only magnifies the problem when a crisis hits the economy, and government intervention with interest rates and bank regulations, mixed with public goods that support business, stabilizes and helps the market. It's a fact.
Jennifer Granick, executive director of Stanford University's Center for Internet and Society, sees this as a question of how well written their EULA is, a topic of much conversation in the media lately.
But either way, she noted over IM, "if the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 usc 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony anytime soon.
"The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."
In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existence back to Sony, along with as yet unknown information about the compromised computers.
The Sony/XCP uninstall process requires you to fill out a web form that uses an ActiveX control. That control has several serious security issues including the ability to run arbitrary code and even a handy built-in reboot function. The ActiveX control gropes around your system and encrypts some information that is submitted in a hidden form field. Their privacy policy does not mention this.
Feel free to go over there and try it yourself. If you install the ActiveX you can remove it in Tools, Internet Options, Settings, View Objects, "CodeSupport Control". Here's what they send you:
From: contentprotectionhelp
Sent: Monday, November 14, 2005 04:22 AM
To: sony-bmg-sucks@invalid.com
Subject: Re: ContentProtectionHelp Email Form
Thank you for contacting Sony BMG Online.
Sony BMG and First 4 Internet have released a Service Pack 2a update that addresses recent concerns surrounding the cloaking technology component on SONY BMG content protected CDs which use XCP technology. These components are not malicious nor spyware; however, to alleviate any concerns that users may have about the program posing potential security vulnerabilities, the update removes the cloaking component from their computers. Please visit the link below to install the SP2a update.
http://updates.xcp-aurora.com/
If you do not want to install the SP2a update and only wish to uninstall the DRM software, visit the form below using IE 5.0 (or higher) from the computer where the software is installed. After submission, you will be emailed a customized uninstall link within 1 business day (M-F).
http://cp.sonybmg.com/xcp/english/form9.html
Your "Case ID" is: 9999999.
TIP: The uninstall request form will require an ActiveX plug-in.
Also you may need to temporarily turn off any pop-up blocker
software on the PC.
Thank you for the opportunity to be of assistance.
The Sony BMG Online Support Team
FKSZ
This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.
- - - - -
So Sony is in real trouble. Watch this turn into a criminal case.
A rootkit is any set (which could be one) of software that an attacker uses to attack your (or other) computer and cover his tracks so you don't notice and cannot uninstall.
This meets both definitions. It covers its tracks, and it allows Sony to prevent you from ripping the disk.
A rootkit might include software to attack other computers, but the rootkit itself is whatever is used on YOUR computer AFTER it is cracked.
It doesn't say that Microsoft will be circumventing the copy protection software. Just removing it from the PC. The CDs in question will still be copy protected.
Nice try.
While that's true, the whole copy protection mechanism can be bypassed by holding down the SHIFT key when inserting CD. That is a clear DMCA violation by Microsoft. Yes it's silly, I know.
You know, you're right...I don't know what got into me there...they would never do anything like that...
Always make sure your hardware is within standard civilian specs...wouldn't want to have problems reading that satellite data if you needed to run out to Wal-Mart and replace a drive would you?
Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.
Refer to the following for details:
- List of Affected CDs
- EULA analysis
- Rootkit analysis
- Continued rootkit analysis
(From a Brendan Ribera Amazon post) The Sony Mac malware, as far as I can tell, required the user to look at the CD in Finder, double-click Start.app, and provide the administrator username and password. This is too much like work, especially since all I do with audio CDs is open iTunes, ping Gracenote (-- am pathetic traitor, conceded), and rip the CD to mp3. I doubt many Mac users go looking for the data track of an audio CD so they can install random unexplained Start.apps.
I may be wrong in my characterization of the Mac version. I haven't seen it. But that's what the interwebs tell me.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Still, it's a great idea, and your perverted thoughts make me like you. :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's widely published that legal actions have begun in California, New York, and Italy. The Italian situation is not just some class-action lawsuit. A complaint was filed with a criminal investigation unit last Friday.
"The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said in an e-mail interview.
Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said."
Sony has declined to comment.
From:
http://www.computerworld.com/securitytopics/security/story/0,10801,106064,00.html?source=NLT_PM&nid=106064
What you do with a computer does not constitute the whole of computing.
I think the term is "Door in the Face" - as opposed to "Foot in the Door"
Interesting synopsis here: http://www.as.wvu.edu/~sbb/comm221/chapters/twostep.htm
Harass customer service. It is not as effective, but if a lot of people start consuming customer service with calls, again this costs them a measurable amount of money and also makes the VP in charge of customer service very angry. You want angry people at the same level in the company as the ones who are putting in things like the rootkit.
I work for a company that writes software for call centers. Customer support calls cost an average of $3-$30 per call for a company. Lots of upset customers add up quickly.
That would be the case for normal copyright infringement, which is a civil case. But doesn't the DMCA provide for criminal prosecution? In that case, the government could make a case against Microsoft for violating the DMCA by circumventing Sony's DRM system. It would be the US Government vs. Microsoft, not Sony vs. Microsoft.
If I assault you and put you in the hospital, the DA can still make a case against me, even if you don't want charges pressed. Of course, your refusal to participate weakens the DA's case.
I know I'm jumping in WAY late in this conversation, but if just a few people see this and respond, it'll do some good.
Go to the following sites and complain:
Department of Homeland Security - Select "Security Threats"
US Secret Service - They do computer fraud cases.
FBI
One now-odious trend that was started around 1995 was the "Enhanced CD", which was a multisession music CD with a primary redbook music session, and a data session that would be recognized as a CD-ROM when inserted into multisession-capable CD-ROM drives. I'm not that versed in how Enhanced CD tells the computer to recognize the data session, but I do know that the CD-ROM drive must be multisession capable (every drive after about 1996 is capable). When you inserted the CD into a Windows 95 computer, the data session would be loaded, and whatever was scripted in AUTORUN.INF would run. I'm inclined to believe that Microsoft had a hand in this by creating autorun, as that would not only make installing software easier, but would create the impression of a hands-free multimedia experience for all the luddites. Some Enhanced CDs contained things like music videos, movie cast interviews, and so on, but much more of this was devoted to promotional advertising.
One other way to have music and data on the same disc was to have a "mixed-mode CD", which would have track 1 as the data and tracks 2-99 as music. Many PC games from 1996 onward did this, as having the CD play presented less CPU overhead than WAV/MP3/MOD music, and sounded better and more consistent from system to system than MIDI. Of course, these CDs ended up having track 1 used for data, which would sound like either silence or noise when played on a regular CD player, depending on whether the CD player would screen out the data track as noise.
When the copy protection rush started to develop, music companies used the multisession hole combined with AUTORUN.INF in Windows to present "media players" that would obscure the music track and force the user to agree to a EULA and load some proprietary player to play less-than-CD-quality tracks with a monitored player that would phone home. When combined with a non-redbook CD-audio track that had spurious errors injected, this provided the "ultimate unrippable CD". Well, throw in Linux and Mac users either getting around the autorun hole or having their systems crash due to the protection, along with consumer outrage at not being able to play the "spurious error" CDs in any multi-speed CD player, along with this new debacle, and you have a big conundrum.
Apple's OS X already has an option to show all sessions on a CD as different CD icons when a disc is loaded. Microsoft still hasn't done anything like this for Windows, nor have they considered ditching the security vulnerability that is Autorun.
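The comment above describes the mechanism that made these discs work on Windows: a data session whose AUTORUN.INF tells the shell what to launch the moment the disc is inserted. The following is an added example (not code from this thread, from Sony, or from any of the vendors discussed) of a small auditor that parses an AUTORUN.INF, reports what would be launched, and interprets the NoDriveTypeAutoRun policy value that Windows uses to disable autorun per drive type (bit 1 << drive_type, with CD-ROM being drive type 5, so 0x20). The sample AUTORUN.INF in the block is constructed for illustration and is not the contents of any real disc.

```python
"""Audit an AUTORUN.INF from a CD data session and interpret the autorun policy.

Added example for this thread; the sample AUTORUN.INF below is constructed,
not taken from any real disc.
"""
import re

# NoDriveTypeAutoRun (HKLM or HKCU\Software\Microsoft\Windows\CurrentVersion\
# Policies\Explorer) is a bitmask: bit (1 << drive_type) set means autorun is
# disabled for that GetDriveType() value.
DRIVE_REMOVABLE = 1 << 2   # 0x04
DRIVE_FIXED     = 1 << 3   # 0x08
DRIVE_REMOTE    = 1 << 4   # 0x10
DRIVE_CDROM     = 1 << 5   # 0x20
ALL_DRIVES      = 0xFF     # the usual "disable everywhere" setting

LAUNCH_KEYS = ("open", "shellexecute")
EXE_SUFFIXES = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif")


def parse_autorun_inf(text):
    """Parse the INI-like AUTORUN.INF format into {section: {key: value}}.

    Section and key names are case-insensitive, lines starting with ';' are
    comments, and a later duplicate key overwrites an earlier one.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections):
    """Return the open=/shellexecute= commands the shell would run on insertion."""
    auto = sections.get("autorun", {})
    return {k: auto[k] for k in LAUNCH_KEYS if k in auto}


def first_token(cmd):
    """First token of a command line, honouring a double-quoted path."""
    m = re.match(r'"([^"]*)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def audit_autorun(text):
    """Findings a defender wants before letting a disc's data session run."""
    sections = parse_autorun_inf(text)
    auto = sections.get("autorun", {})
    targets = launch_targets(sections)
    findings = []
    for key, cmd in targets.items():
        exe = first_token(cmd)
        findings.append(f"{key}= launches {exe} on insertion")
        if exe.lower().endswith(EXE_SUFFIXES):
            findings.append(f"{key}= target is an executable file")
    if "label" in auto or "icon" in auto:
        findings.append("disc presents a custom label/icon, masking the data session")
    if "autorun" in sections and not targets:
        findings.append("[autorun] section present but launches nothing")
    return findings


def autorun_disabled_for(policy_value, drive_bit=DRIVE_CDROM):
    """True if the NoDriveTypeAutoRun value blocks autorun for the drive type."""
    return bool(policy_value & drive_bit)


# Constructed sample: a data session that launches a player and dresses the
# disc up with a plain "Audio CD" label.  Not the contents of any real disc.
SAMPLE_AUTORUN_INF = """\
; constructed sample for the auditor above
[AutoRun]
open=player\\setup.exe /autoplay
icon=disc.ico
label=Audio CD
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_AUTORUN_INF):
        print("-", finding)
    # 0x91 is the long-standing Windows default; it does not cover CD-ROM.
    print("default 0x91 blocks CD autorun:", autorun_disabled_for(0x91))
    print("0xFF blocks CD autorun:", autorun_disabled_for(ALL_DRIVES))
```

The two checks are deliberately separate: the parser tells you what a given disc would do, and the policy check tells you whether the machine would do it at all. A default policy value of 0x91 leaves CD-ROM autorun enabled, which is why the comment's point about the data session stands until the policy is changed to cover the CD-ROM bit.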
If I remember correctly, Macromedia was responsible for the whole "Enhanced CD" craze.
"Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer
Member of DMusic by any chance? If not, it's a great resource for non-RIAA music. And, there's a heated debate on the front page about this very rootkit.
I don't know if this site is serious, but they claim to have a list with more than 20 infected titles. Here's the link: http://www.idiotabroad.com/2005/11/cds-affected-by-the-sony-bmg-spyware/
Sony makes components for lots of companies; however, it is Nikon who uses Sony CCDs. Canon rolls their own for DSLRs.
Snowden and Manning are heroes.
Perhaps you should read some Adam Smith. He's widely regarded as the founding father of capitalist economic theory. He's a bit of a bugbear to socialists, but is often badly misrepresented. In fact he was insistent that regulation by government was vital if capitalist economics was to realise the maximum social good. He believed that capitalism is simply a means to an end, which is the welfare of the general population and the promotion of civil society. Much of the modern terminology we use in this area was 'invented' after his time, but the same ideas are there in his books.
You are raising a straw man. Yes, it's possible for capitalist theory to be taken too far, but in practice you won't find many people actually promoting such extreme forms of it. Well, outside the White House anyway.
Simon
Libertarianism, with a big "L", has more to do with the freedoms of individuals. When Libertarians talk about free markets, rarely are they talking about multinational corporations; they don't believe in them. You are right about all the other stuff.