Slashdot Mirror
Bad Day To Be Sony
Not only is Sony no longer selling the RootKit CDs, Arend writes "According to a USAToday article, Sony is to pull their controversial rootkit CDs from store shelves." A nice gesture, but a little late. bos writes "Sony's DRM rootkit has been found by Dan Kaminsky to have infected at least half a million networks, according to an article by Quinn Norton for Wired News. Dan has even put together some pretty pictures of the breadth of the infection." With so many people infected, it's unfortunate that wiredog writes "From The Washington Post comes the news that serious security flaws have been found in the software that Sony is distributing to users who want to remove the Sony rootkit. The article says: 'Because of the way the tool is configured ... it allows any Web page that the user subsequently visits to download, install and run any code that it likes.'" Oops. Even Microsoft is getting into the act. ares284 writes "Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows."
Read the comments for this protected disc by Van Zant on the Sony label.
,br>OUCH.
Trolling is a art,
From Sony regarding the XCP CD received today in an email: Sony has already addressed the issue of the security concerns via the Service Pack 2 update on our website. According to the terms of the EULA that you agreed to when first installing our software, you agreed to obtain and install any recommended updates. All major security vendors have and Microsoft have announced that the installation of the SP2 update removes their concerns over the original technology used on our CDs. Sony BMG does not offer a refund/return program for this product.
I just found the website claiming to lead the charge http://www.boycottsony.us/ in the boycott.
I've been including information I think is important about the Sony case on my blog too since the story broke, but other sites have much more detail. I just try to break it down so the average joe knows what's going on if their brain turns off at acronyms like DRM.
Saskboy's blog is good. 9 out of 10 dentists agree.
Two years ago I stopped buying Belkin products after their routers started redirecting port 80 queries to their own adservers. Can't say that I miss 'em.
According to the feedback page for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect".
I would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.
Jennifer Granick, executive director of Stanford University's Center for Internet and Society, sees this as a question of how well written their EULA is, a topic of much conversation in the media lately.
But either way, she noted over IM, "if the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 usc 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony anytime soon.
"The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."
In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existance back to Sony, along with as yet unknown information about the compromised computers.
The Sony/XCP uninstall process requires you to fill out a web form that uses an ActiveX control. That control has several serious security issues including the ability to run arbitrary code and even a handy built-in reboot function. The ActiveX control gropes around your system and encrypts some information that is submitted in a hidden form field. Their privacy policy does not mention this.
Feel free to go over there and try it yourself. If you install the ActiveX you can remove it in Tools, Internet Options, Settings, View Objects, "CodeSupport Control". Here's what they send you:
From: contentprotectionhelp
Sent: Monday, November 14, 2005 04:22 AM
To: sony-bmg-sucks@invalid.com
Subject: Re: ContentProtectionHelp Email Form
Thank you for contacting Sony BMG Online.
Sony BMG and First 4 Internet have released a Service Pack 2a update that addresses recent concerns surrounding the cloaking technology component on SONY BMG content protected CDs which use XCP technology. These components are not malicious nor spyware however to alleviate any concerns that users may have about the program posing potential security vulnerabilities the update removes the cloaking component from their computers. Please visit the link below to install the SP2a update.
http://updates.xcp-aurora.com/
If you do not want to install the SP2a update and only wish to uninstall the DRM software, visit the form below using IE 5.0 (or higher) from the computer where the software is installed. After submission, you will be emailed a customized uninstall link within 1 business day (M-F).
http://cp.sonybmg.com/xcp/english/form9.html
Your "Case ID" is: 9999999.
TIP: The uninstall request form will require an ActiveX plug-in.
Also you may need to temporarily turn off any pop-up blocker
software on the PC.
Thank you for the opportunity to be of assistance.
The Sony BMG Online Support Team
FKSZ
This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.
- - - - -
So Sony is in real trouble. Watch this turn into a criminal case.
Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.
Refer to the following for details:
- List of Affected CDs
- EULA analysis
- Rootkit analysis
- Continued rootkit analysis
(From a Brendan Ribera, Amazon Post)Still, it's a great idea, and your perverted thoughts make me like you. :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It's widely published that legal actions have begun in California, New York, and Italy. The Italian situation is not just some class-action lawsuit. A complaint was filed with a criminal investigation unit last Friday.
i ty/story/0,10801,106064,00.html?source=NLT_PM&nid= 106064
"The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said in an e-mail interview.
Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said."
Sony has declined to comment.
From:
http://www.computerworld.com/securitytopics/secur
What you do with a computer does not constitute the whole of computing.
Harrass customer service. It is not as effective but if a lot of people start consuming customer service with calls, again this costs them a measureable amount of money and also makes the VP in charge of customer service very angry. You want angry people at the same level in the company as the ones who are putting in things like the rootkit.
I work for a company that writes software for call centers. Customer support calls cost an average of $3-$30 per call for a company. Lots of upset customers add up quickly.