Slashdot Mirror
Bad Day To Be Sony
Not only is Sony no longer selling the RootKit CDs, Arend writes "According to a USAToday article, Sony is to pull their controversial rootkit CDs from store shelves." A nice gesture, but a little late. bos writes "Sony's DRM rootkit has been found by Dan Kaminsky to have infected at least half a million networks, according to an article by Quinn Norton for Wired News. Dan has even put together some pretty pictures of the breadth of the infection." With so many people infected, it's unfortunate that wiredog writes "From The Washington Post comes the news that serious security flaws have been found in the software that Sony is distributing to users who want to remove the Sony rootkit. The article says: 'Because of the way the tool is configured ... it allows any Web page that the user subsequently visits to download, install and run any code that it likes.'" Oops. Even Microsoft is getting into the act. ares284 writes "Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows."
I'm not a "boycott!!!" kind of guy. When I was younger I used to be, but no one ever stuck to it. This "error in judgement" is definitely something that I am adding to my (really small) short list of company-groups I won't buy from. I already won't buy CDs without the "CD" logo. I won't buy Sony TVs or receivers for the last 4 years because of their terrible support policies. I won't buy anything from Menard's either. And now Sony music CDs are permanently out.
How do those who are active boycotters stick to it? Do you actively pursue telling others, or is it just a "one person, one dollar, one vote" kind of life lead?
I could care less if other people want to support Sony artists or Sony products. All mercantilistic (using government to acquire wealth) corporations are bad, but that doesn't mean that every business is bad. Sony has actually been one of the least mercantilistic corporation I've tracked over the years, but their releasing of items without proper quality control is what kills them time and again.
And I believe that is the problem with this rootkit. Sony didn't test it properly. If they had tested it properly and kept it within its own little world on a customer's PC, I don't think the fallout would have been so excessive. They didn't test the product, they relied on the customers to do so. Luckily for Sony, the customers weren't happy and were vocal about it.
That is the free market at work. People unhappy about a company or a product have much more of a voice with the web being so readily available. The more the Internet allows billions of citizens to align on different issues, the more we'll see that a free market "democracy" is better than a democracy built around the use of force.
Vote with your dollars.
To have Microsoft call you on your bad business practices...
:D
I'm sure they'll find some sort of way to cheer themselves up...
I'd like to thank the fine folks at Sony for helping me decide which next-generation gaming console to buy (hint: It doesn't begin with the letter "P" or end in a "3"). It's a sad state of affairs when Microsoft has to come to the rescue and un-fsck your security blunders.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
I'm all in favour of letting the average person know the truth behind what content distributors are willing to do to protect "their" property.
Let us hope that people find out about DRMs before they saturate the market any further.
Am I open minded towards open source, or closed minded towards closed source?
the virus writers have done something good for us!
Good karma sticks to me like velcro on a piece of plexiglass.
Move along, citizen.
The DRM WANTS to be free!
Do not confuse "Freedom of Choice" with "Free Will".
you should have tried $sys$fp. Then see if the moderators would have caught you. Oh well...
In the end it probably would have been cheaper and much less hassle to just let us download the damn mp3s.
Read the comments for this protected disc by Van Zant on the Sony label.
,br>OUCH.
Trolling is a art,
Looks like Sony crossed the threshold from nuisance to crime. While DOJ is almost certainly going to soft-pedal this, a savvy attorney general with political ambitions from a state unencumbered by Hollywood and the RIAA could probably ride this case into the governor's office....
"Paging Eliot Spitzer, Paging Eliot Spitzer, Mr. Spitzer white courtesy phone..."
What a strange bird is the pelican, his beak can hold more than his belly can.
The Brotherhood of NOD has taken over 75% of the United States!
So we have a vulnerability on machines that was pushed out intentionally by somebody. We know who that somebody is.
The question is, will they get punished for this by the authorities? The FBI and police seem to be happy to jail writers of virii or worms or those who spread vulnerabilities to unsuspecting systems. Why shouldn't the product manager responsible for this pay for his crime of making the nations computers even more insecure?
Considering the rootkit is installed without owners realistically being aware, doesn't that make it equivalent to a form of worm, virus, or other type of nasty?
I seriously believe that someone should be doing jail time for this. Such a punishment would make any other malfeasants think twice before thinking that they don't have to obey the law.
Go to http://cp.sonybmg.com/xcp/ or http://cp.sonybmg.com/xcp/english/form14.html
...since Sony says over 2 million disks containing the rootkit have been sold, that puts them under the gun for roughly U.S. $150 billion in damages :)
Where it asks for the Artists name type in some diatribe
Where it asks for the Album Title, type in more diatribe
Where it asks for Store Name, type in yet even more diatribe
Where it asks for email address try something that will cause them trouble such as uce@ftc.gov or some chronic antispammer advocate.
This will hopefully force Sony to make the "patch directly downloadable."
Perhaps the copyright owners could offer to settle: have Sony repay all of the people who have been extorted for money because of filesharing (double for damages), and promise to stop all such activities in the future. That would only run them about $100 million, so it would be quite a deal.
I suggest people consider boycotting _all_ RIAA member labels, not just Sony. They just happened to be the fools who fell for this particular version. It's not hte implementation that's anathema, it's the concept of DRM. When in doubt, consult RIAA Radar. Don't buy discs produced by RIAA members, it't that simple.
.nosig
I wonder how many people, and their positions in the company, were shipped off to Sony's Siberian department for this debacle. I also wonder if anyone Even though the programmers were told to do this by management, I'm sure they are getting in trouble for not being sneaky enough with the code.
Murphy's Paradox... the more you plan for success, the more avenues there are for failure.
I use a PDA Phone to browser /. and type everything into MS's PDA version of Notepad. Then I copy and paste it into /. so I don't lose my comment from one of the billion reasons I have in the past.
/.d by the mass onslaught of others when the article goes live. The $10 a month or whatever I pay is well worth the consideration I receive from other regulars here, and has been very helpful in composing my views and thoughts on certain subjects. Yeah, the signal to noise ratio gets worse and worse here every day, but /. has probably increased my online reading rate at least 300% over the years, so it balances itself out :)
I subscribe because it allows me to read the articles before they're
http://lwn.net/SubscriberLink/160023/27b2a2ec75f19 81b/
Why hasn't Sony been raided by the Feds, yet?
... break into their offices, confiscate every single piece of electronics and CD in the place, and never give them back, ever (or at least, not until years after you've replaced everything).
If this had been an individual, or small business, you know they would already be behind bars awaiting trial for violating some law or another... possibly even being brought up on some sort of national security-related charges.
( Someone in a secure/top secret/classified government network has probably stuck one of these CDs into their machine at some point.)
I want to know why the Feds aren't treating Sony like they would anyone else
I'm a music nut. I've tried the boycott thing with mixed results. But what has "worked" for me lately is buying CDs and vinyl second hand. Unfortunately, They may already have the money from the original purchase of the music, but if you buy second hand, someone gets money and you get a CD or record and the RIAA partners get nothing.
Why yes I am paranoid! Thanks for asking!
Now that I have already got GTA: Liberty City Stories for my PSP.
NOt to change your mind or anything, I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other.
So the same people who make decisions for the music products are not the same people who make decisions at the playstation divisions .
From what I hear, there is some pretty intense inside fighting going on between the people who make mop3 players, and the music division.
The Kruger Dunning explains most post on
What do you bet that spyware/rootkits on music CDs disappear for the next few years?
Sustainability and energy independence essay
What a shame that Scott Adams' "Weasel Awards" for 2005 have already been awarded. There's always 2006 I suppose, but this will probably have been long since done and dusted by then... unless it's still churning though legal systems in the US and elsewhere of course.
UNIX? They're not even circumcised! Savages!
From Sony regarding the XCP CD received today in an email: Sony has already addressed the issue of the security concerns via the Service Pack 2 update on our website. According to the terms of the EULA that you agreed to when first installing our software, you agreed to obtain and install any recommended updates. All major security vendors have and Microsoft have announced that the installation of the SP2 update removes their concerns over the original technology used on our CDs. Sony BMG does not offer a refund/return program for this product.
DRM is poised to intrude on our lives even more in the form of the HD-DVD/Blu-ray copy protection, Windows Vista, and the digital TV broadcast flag... isn't it about time Slashdot's least favorite acronym (besides SCO perhaps) got some bad mainstream press?
This Sony incident could help convince consumers and businesses alike that intrusive DRM is a bad idea.
I just found the website claiming to lead the charge http://www.boycottsony.us/ in the boycott.
I've been including information I think is important about the Sony case on my blog too since the story broke, but other sites have much more detail. I just try to break it down so the average joe knows what's going on if their brain turns off at acronyms like DRM.
Saskboy's blog is good. 9 out of 10 dentists agree.
... for a political maneuver where you first propose something so outrageous that it's sure to get shot down, and then withdraw the proposal and advance something only slightly less outrageous? Like, let's say Senator Boughtandpaidfor introduces a bill requiring the death penalty for anyone who cracks a copy-protected CD, and when that gets the desired uproar, he says, "Oh, okay, let's compromise and make it fifty years in prison instead" -- and that bill passes because it's more "reasonable."
Which makes me wonder what Sony's got coming next.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
You know you screwed something up when Microsoft comes in and calls it a threat to the security of windows.
"Everything worth innovating today will go to court tomorrow."
I'm not Marxist, in fact, as an AnCap I am the opposite of an Marxist.
I'm not young (31) and have been writing from a pro-market anarchism persepective for over 8 years.
Roads, bridges and schools can be much better built, maintained and managed by the free market of competition than by the force/coercion market created by government and the cronies of government.
Lincoln's War Between States was fought to create a mercantilistic country out of a free market country (not slavery as many people believe). Since the War, our country has slid into a really bad Warfare-Welfare State, focused on disposing the middle class workers of their income and giving it to the wealthy elite in control of the monopolistic use of force.
I study at last 40 hours a week the various documents that help me reinforce the views I hold dear to me. Slashdot is a great outlet for finding other people with similar beliefs who just don't know it, as well as getting a great peer review system that helps me find my mistakes. Even those on my "Foe" list give me some amazing insight into mistakes I make in my rants and recommendations.
If you're interested in why government is bad for roads, bridges and schools send me an e-mail.
this....
Disclaimer: In case those lawyers from Sony is not being work to death right now from all those demage lawsuit- I am joking.
Seriously - if some company hires a hitman to do illegal stuff they get in trouble. Why can Sony hack my network without any repercusions.
Sony really screwed the pooch on this one.
;)
They actually got the Department of Homeland Security to denounce them. I knew it had to be good for something
The great thing about all of this is that now that the Feds are aware of this evil DRM bullshit, they will start regulating it a little better. As it stands now, the DMCA basically give all the media companies "carte blanche" with regards to copy-protection schemes.
Joe Random, hacker, reading slashdot:
rootkit.. bad
microsoft.. good
hacker.. head explodes
I'm still trying to figure out what people mean by 'social skills' here.
That's a clear DMCA violation.
If DVD John gets in trouble for less, surely whomever at Microsoft decided to do this should suffer the same.
A bit of info about can be found here.
? /archives/52-Is-Sony-in-violation-of-the-LGPL-Part -II.html
http://www.the-interweb.com/serendipity/index.php
Yup, I thought I had finished reading the article, but I had gotten distracted and didn't read that far. My fault.
I was hoping that Dan had done some remote scanning. When I looked at the rootkit, I noticed that it registered a named pipe, which ought to be remotely reachable, and probably exploitable.
Download them from the net. It's much safer. ;)
"I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other."
They're associated well enough to have the name "SONY" branded on them. Good enough for me.
>I study at last(sic) 40 hours a week the various documents that help me reinforce the views I hold dear to me. ...
Am I the only one who saw that as a disturbing statement? You spend 40 hours a week, which amounts to having a second job (I'm assuming that you're employed based on your previous statements) reinforcing your own point of view. I've met religious fanatics who don't spend that much time reading their religious scripture. Literally, you claim to be spending more time with whatever literature supports your views than a fundie does with a bible.
First off, if you wanted an informed opinion, wouldn't reading the opposition make more sense? If I want to know the full story about something, I find info from both sides, I don't just take the side I agree with as automatically infallable. Second, why the need to "reinforce" those things you already beleive? Sounds a bit too much like brainwashing for me - certainly if someone else was shoving their point of view down your throat that's the word I would use.
Erotic is when you use a feather. Exotic is when you use the whole chicken.
About the only way DRM will be tamed (I think, in the long run, it will be eliminated completely, but that will take people completely rethinking intellectual "property" as a lega concept) is if it intereferes or damages an average person's system. That is perhaps the biggest "problem" with DRM - its many failure modes usually screw you out of your content - or in this case, screw up your system. And it's a great, wonderful problem, because all we need are a few more screw-ups like this, and average people will start to associate "DRM" with "Sucks/Breaks" and avoid it like the plauge.
Go Sony! Do it again!
They're yanking them from the shelves? Quick! Go get one so you can be harmed!*
(* "In a very real, and legally binding sense.")
Was not the software used by Sony written by a UK limited company? Is not the commissioning and construction of such software illegal under UK law? (Computer Misuse Act 1990)
threadeds blog
I'd prefer to see those responsible put behind bars, for at least two or three years. Every other virus writer, rootkit-using hacker, or other species of malicious computer-diseaser has gone to jail for the same crime -- there's no reason this should be treated any different.
Slashdot requires you to wait longer between hitting 'reply' and submitting a comment.
Let's look at this from the stockholder's point of view, as well as the customer's. If that type of conflict of interest exists between Sony's divisions, then that is telling me that management is *not* maximising shareholder value because the music division is harming the Playstation division by reducing the utility of the Playstation console.
That tells me that the only way to increase shareholder value is to break Sony into at least two companies: the entertainment division and the electronics division. Each division will then float on its own merits without impeding the other.
In a nutshell, we can add Sony's own *shareholders* to the list of people that are getting screwed by the management. My prediction? Look for a shareholder suit against the Board of Directors within 3 years to break Sony into two companies.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
These CDs have been out since mid-2004, according to Sony. Why hasn't this been noticed? Were they all bought off?
This is what really disturbs me. Not "What was Sony thinking?" -- businesses can be really stupid. Not "How could they do this?" -- businesses can be really evil. Shit happens. Get over it. Bad security happens, whatever.
However, I did have some trust (not much, but some) for the anti-malware establishment. I'm in infosec; I believe that even in the biggest and stupidest infosec company, there will be people with the hackerish instincts (i.e. lower-than-average sense of self-preservation) to blow the whistle. However, the failure of all the big anti-whatever companies to notice and/or do anything about this, with full year of lead time, demonstrates that they are incompetent at best, unethical at worst.
I don't care, personally; I use a Mac. It's not a security panacea but it's a pretty darn good line of defense. Professionally, however, I feel downright ill.
Kudos to F-Secure and Sysinternals. Where the hell were the rest of them?
What I say does not represent the views of my employers, my friends, my cats, or myself.
That sounds to me like more reason to boycott, not less - the impact is not compartmentalised, but spreads across their entire business. It also gives ammunition to those on the inside who are fighting against the shenanigans. Sony need to get the message that their actions don't just do damage to their CD sales business, they also create a serious dent in the Sony "brand" as a whole.
My next sig will be ready soon, but subscribers can beat the rush
I used to work at Sony back in the UK. The divisions are set up semi-autonomously, the thinking being that competition is good for innovation. Problem is, anything you think of that slightly invades the 'territory' of a more politically powerful division will be denied funding or just cancelled without explanation.
Bitter? Why yes I am, thank you for asking.
I worked project support for a great team of engineers who had some amazing ideas way ahead of their time. Can they use PS2 hardware? Write DVD related software? Other video related stuff? Nope. All because of inter-division competition. (I was intentionally vague on the those project descriptions) Then there's the snobby attitude towards software; once a project I worked on was forced to use a very expensive piece of hardware to do something they were already doing in software. Quelle Suprise, Sony couldn't sell the software and eventually the project was canned.
I really can't believe Sony has survived into the 21st century.
----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
But the RIAA told me that because of file sharing no one bought new CDs any more. Im confused! ;)
Dear aunt, let's set so double the killer delete select all
Blockquoth the AC:
Let's hope so. With a bit of luck, this case will demonstrate the idiocy of both draconian copy protection mechanisms and draconian anti-copying laws. If it becomes Sony vs. Microsoft, there will be a big, high profile case with both sides sending zillions of lawyers at each other and zillions of lobbyists at the government, ultimately with no winning option for either side since any outcome will hurt their corporate interests in the longer term even as it protects them in the short term. The government can't suck up to both parties forever, and public opinion is bound to sway against things like the DMCA, DRM, and so on the longer it goes on.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Why reserve jail for just script kiddies?
Luckily my tastes in music do not run parallel to the crap Sony pushes these days. I ran the rootkit remover and was pleased to see there was nothing to uninstall. But can I trust it? Hmm....
$#!^ happens, but why does it always have to happen to me???
According to the feedback page for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect".
I would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.
That we can't hurt Sony by witholding our money so we shouldn't even try?
If you don't think a boycott is the way to go maybe suggesting something that you think will make a difference would be a good idea.
The race isn't always to the swift... but that's the way to bet!
Okay, I've fallen for your lines about downloading and not paying for mp3's "taking money away from artists", that downloading is illegal and immoral and God knows what else. Or maybe I've just gotten tired of trying to find a good copy of a song online. Or I might simply prefer to have a high-quality copy of my favorite album(s) so that, if for some reason my computer should crash, I can convert a new copy to MP3 and lose nothing but a little time.
...
For whatever reason, I buy one of your CD's, pay the $18 CAD or thereabouts for a new release. But this is the computer age, I don't even own a stereo, so I want to play the CD on my computer.
The first thing I notice is that the CD is DRM-ed to death so it's a pain in the ass to convert the songs to MP3 format; so much for listening to the music that I've bought on my iPod. (If I live in Canada, I may have also paid for this music twice, once through the purchase of the CD, and a second time through the levy on my iPod as "blank media".) Oh yeah, and for some reason, neither iTunes nor Winamp will play the CD.
The second thing I notice (because who really reads the EULA?) while researching how to crack the DRM, is that, among other things, if my house is burgled I will have to delete all the mp3's from this disc. (Because, you know, a burglar would spend all that time copying the MP3's from my hard drive instead of stealing the whole damn computer. And man, if I own a laptop, they're just going to leave it on the desk and take my crappy TV instead...) Also, if I don't update the software whenever it prompts me to, I will lose all access to the music that I have purchased. And I can't listen to the music on a work computer, nor can I re-sell the CD that I have just purchased. WTF?
But then my system crashes, and some virus I can't get rid of keeps me from accessing all the data on my hard drives that I haven't backed up in ages (of course). And how did this virus get on my system? Through a root kit that the Sony CD installed without even telling me it was doing so, thank you very much.
Alright, Sony, now you've shot yourself in the foot. You've basically persuaded millions of CD buyers out there (you know, the people who were actually paying for your product?) that it's easier, safer, and plain old less annoying to yoink MP3's from thier favorite website or file-sharing program.
Way to go.
(Idiots.)
Ah yes, broad generalization and stubborn ignorance, that'll solve the problem. Isn't that why they want DRM in the first place?
Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
I don't fully understand why Microsoft comes off looking okay here. Why is it so easy to "patch Windows APIs" and override kernel operations? Why is this common practice? From the original SysInternals.com article: "Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel's system service table"... Sony did it and didn't think it through - left some bugs, and generally made a lot of people angry and worried... but Microsoft is at the heart of the issue isn't it? Why is it so easy to patch these APIs? Isn't this all just a Microsoft security hole that allowed Sony to make another one?
The kinds of machines that are in these secure environments are locked down big time...most don't even have a CD-ROM attached to the machine. The networks are closed (no direct internet access) and the machines with CD-ROMs/RWs have their lasers aligned differently so as to not be able to be read on a standard drive...one of the benifits of purposefuly misaligning the laser that writes the disks to be read in these machines is that you can't just insert a standard CD... Yes, contrary to what the media would have you belive, the folks in secure/top-secret/classified government positions are not stupid...
All I can say is I am in the know with regard to such matters and you are so amazingly wrong it is unbelieveable. There may be EXTREMELY isolated cases of such Machiavellian security measures, but it has been my experience that music CDs are always making it into secured areas and being played on secure machines.
Did anyone look at some of the titles they chose to infect with this thing?
Bob Brookmeyer - Bob Brookmeyer & Friends
Horace Silver - Silver?s Blue
Dexter Gordon - Manhattan Symphonie
Ahmed Jamal - The Legendary Okeh and Epic Recordings
Bob Brookmeyer???? Was Sony afraid of the cadre of L33t h4xx0r d00dz pirating their catalog of elderly jazz trombonists?
Jennifer Granick, executive director of Stanford University's Center for Internet and Society, sees this as a question of how well written their EULA is, a topic of much conversation in the media lately.
But either way, she noted over IM, "if the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 usc 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony anytime soon.
"The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."
In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existance back to Sony, along with as yet unknown information about the compromised computers.
The Sony/XCP uninstall process requires you to fill out a web form that uses an ActiveX control. That control has several serious security issues including the ability to run arbitrary code and even a handy built-in reboot function. The ActiveX control gropes around your system and encrypts some information that is submitted in a hidden form field. Their privacy policy does not mention this.
Feel free to go over there and try it yourself. If you install the ActiveX you can remove it in Tools, Internet Options, Settings, View Objects, "CodeSupport Control". Here's what they send you:
From: contentprotectionhelp
Sent: Monday, November 14, 2005 04:22 AM
To: sony-bmg-sucks@invalid.com
Subject: Re: ContentProtectionHelp Email Form
Thank you for contacting Sony BMG Online.
Sony BMG and First 4 Internet have released a Service Pack 2a update that addresses recent concerns surrounding the cloaking technology component on SONY BMG content protected CDs which use XCP technology. These components are not malicious nor spyware however to alleviate any concerns that users may have about the program posing potential security vulnerabilities the update removes the cloaking component from their computers. Please visit the link below to install the SP2a update.
http://updates.xcp-aurora.com/
If you do not want to install the SP2a update and only wish to uninstall the DRM software, visit the form below using IE 5.0 (or higher) from the computer where the software is installed. After submission, you will be emailed a customized uninstall link within 1 business day (M-F).
http://cp.sonybmg.com/xcp/english/form9.html
Your "Case ID" is: 9999999.
TIP: The uninstall request form will require an ActiveX plug-in.
Also you may need to temporarily turn off any pop-up blocker
software on the PC.
Thank you for the opportunity to be of assistance.
The Sony BMG Online Support Team
FKSZ
This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.
- - - - -
All I can say is I am in the know with regard to such matters and you are so amazingly wrong it is unbelieveable. There may be EXTREMELY isolated cases of such Machiavellian security measures, but it has been my experience that music CDs are always making it into secured areas and being played on secure machines.
This guy is NOT a troll. He is far more correct than the GP is.
The difference is that I don't have "pirate" stamped on my forehead. If Sony didn't want to milk its name recognition for every dime it's worth, they wouldn't have "SONY" written on everything they sell. Even if they didn't want to spin off their hardware division, they still could have followed Disney's example of "Touchstone," et al.
They want to make money on the Sony name, period. If there's going to be a consumer response, then the response should show the industry just what that "SONY" nameplate is worth.
Why, Microsoft is fighting this? Wow! Suddenly I find myself liking Microsoft much better than Sony! ... ... ...Say, what's this I hear about a major Microsoft product launch in a field dominated by Sony?
So Sony is in real trouble. Watch this turn into a criminal case.
I have kept up with this saga of the Sony "root kit" and I think that the Slashdot-esque communities are reacting a little harshly to Sony.
... right?
I think that once people started referring to the software as a root kit, it really crossed the line to some degree because even though technically it might have been, it was not exactly malicious in the way other root kits are. Once tech zealots got up in arms about this, news media covered it and adopted the same terminology. Of course all readers of this media are not tech junkies so they require definitions for terminology, and I think that reporters who themselves are not techies cannot do justice to the situation when defining technical things.
Maybe this bit of trickery was deliberate, and well, I bet it was... I mean, not only is using a misleading discourse awesome, but it is also a blast to describe how to exploit systems with this "rootkit" and then even code up a proof of concept worm and let it free! After all, this is 1984 style, which is just wrong, so the end justifies the means, right guys,
A rootkit is any set (which could be one) of software that an attacker uses to attack your (or other) computer and cover his tracks so you don't notice and cannot uninstall.
This meets both definitions. It covers it tracks, and it allows Sony to prevent you from ripping the disk.
A rootkit might include software to attack other computers, but the rootkit itself is whatever is used on YOUR computer AFTER it is cracked.
Sony didn't just screw the pooch, my friend.. this is more than that.. straight-up goatse!!
It's all very well for the biggies to hop on the 'We will remove it' bandwagon now, but why weren't they the ones to discover it in the first place?
Groklaw has a nice essay on this, which reveals that these guys ALREADY KNEW what Sony was doing 8 months ago and turned a blind eye.
In fact the maker of the rootkit (UK company) is on record as saying they consulted with Symantec to make sure that their rootkit would not be classified as a virus.
The moral? The current PC/entertainment/gaming/recording industry is a scratch-my-back oligopoly.
Go for FREE(as in dom) SOFTWARE while you still have a choice.
http://money.excite.com/jsp/qt/full.jsp?time=0&typ e=QT
This news story has really only begun to break onto mainstream media and just wait for it to hit the general public. I bet Sony cant wait to have regular Joe Schmoe think that when they buy a Sony CD, they are going to mess up and get a virus on their computer. And just before the Christmas season as well. Average consumers have no was to discern what the real problem was here, the concept of a "rootkit" would probably lead to potato or carrot issues, so they will just blanket Sony products with the "full of bad stuff" stigma. And then just wait for the sales #'s to come in after the Christmas season. This stock is going from bad to worse. Boycotts are fun, but when the guys who own $300 million in stock are getting screwed, then the fun really begins. Seppuku anyone?
I am and always will be a stereotype, because who in their right mind prefers mono?
Or are we simply waiting for their current management to fall on their sword when the post bad-will boycott sales figures arrive?
My hope is that this will force companies to actually tell you what they've been able to hide behind the scenes and lawyers up to now.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
You know, you're right...I don't know what got into me there...they would never do anything like that...
Always make sure your hardware is within standard civilian specs...wouldn't want to have problems reading that satellite data if you needed to run out to Wal-Mart and replace a drive would you?
I also agree boycotts will not work. A major reason? Because there's no way Sony can measure what you are not buying. If you can get enough people not buying something it might work, but as the poster said that task is really impossible when it comes to Sony as a company.
So what will work:
Litigation. That's a great start because it costs them money they can count (legal fees) instead of four people not buying some Sony product. It looks like this might end up costing them big.
Harrass customer service. It is not as effective but if a lot of people start consuming customer service with calls, again this costs them a measureable amount of money and also makes the VP in charge of customer service very angry. You want angry people at the same level in the company as the ones who are putting in things like the rootkit.
The main goal in all this should be to try and make a public example of Sony so that other companies do not do the same thing, and Sony themselves will not want to try again for quite some time.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Don't just wait for something like this to happen, make it so. I think the Sony rootkit debacle has produced enough media coverage to get support for some countermeasures. It's time to start putting through laws along the lines of:
- Ban proactive DRM measures on content media. Permit encryption of data but ban executables on media that are supposed to be plain content.
- DRM measures, either hardware or software, on general purpose playback systems (home computers, DVD players etc) may not hinder the playback of non-DRM content.
- Create a labelling scheme, either mandatory or otherwise, for digital content that clearly tells the customer if the product
1) Is encrypted or DRM'd
2) Contains executables
3) Requires registration
4) Requires an Internet connection
5) Requires payment beyond the purchase price
6) Calls home, and what it does
Comments welcome.
I'm sorry if I haven't offended anyone
acronyms like DRM
Digital Restrictions Managment.
for making it possible for Sony to do this in the first place.
How do these "CD"s play in a normal CD player, or do they?
I was pissed off at first when my SysAdmin disabled autorun on my new XP box, but now I am enlightened.
If you disagree with me on social issues, then it's pretty clear that you are a narrow-minded bigot.
...and I don't trust Sony anymore...that's for sure.
/me doesn't.
Now...with all the DRM crap etc about...why should I buy music from a big retailer such as Sony/BMG? I mean, OTHER than to support the artist(s).
I want my money to support the artist's music I buy...but not like this. I don't want to support Sony or any other recording industry giant's "protective" measures.
This is the digital age...we are all equals here. Meaning, it's relatively easy (at least in recent history) to DUPLICATE those zeros and ones on a CD (or DVD for that matter). Yet Microsoft befuddles the issue with DRM, and Sony causes worldwide loss of faith with a rootkit.
Trust?
I'm not advocating piracy...I'm just saying it's far EASIER (and now...safer) to find and play that MP3 than any of the "legit" *cough cough* alternatives.
I truly would like to see a less corporate model, in which the artist gets paid more fairly, and where artist and fan have a better relationship.
or blah, blah, blah.
It's been over ten years since i've been in that business, but i'd be seriously surprised if there were locally mountable devices, or even ports (USB, etc) on TS machines. We had no floppy drives and removable hard drives in our Secret machines, plus they were all tempest hardened, plus in lockable cabinets (those who know, know what i mean). We only had a few areas where we could even work on TS docs, much less create them from scratch. Having a CD drive (even read only) seems like something a security officer would have jumped on as a "duh" very early on in any project. If you needed a CD it would be mounted as a share to a server in the "vault" and you would be granted access to it for the time you needed it. No personal electrical devices were allowed in any way, shape, or form so no radios, CD players, etc.
I suppose if a contractor was lax this could all take place, someone could use the document blender to make margaritas, but in my experience there was no way to just pop in some disk or attach a device. I mean we didn't even have printers! They were locked up in the vault also and you had to sign for the number of pages you printed! This was just a SECRET rated facility (o.k., Secret with SAR, I'll give you that much). So be realistic. I could take CDs in all day long but they were only good as drink coasters.
It's an even worse day to be Sony, in the UK. Today's newspapers have headlines like "Sony accused of Internet rip-off" and "End to online bargains as Sony forces prices higher".
, 00.html
According to The Times, "the practice of charging different prices to Internet retailers and high street stockists -- known as dual pricing -- was started by Sony and has been followed by other manufacturers." Here's the article:
http://www.timesonline.co.uk/article/0,,2-1872549
In order to circumvent piracy, they try to be sneaky and put this rootkit garbage on people's PC's whenever they PAY for the CD. Now they just got in a bigger mess and the result is that if you wanted to the "right" thing and buy a CD, you're at bigger risk if you wanted to download it. Hilarious.
I wonder if the backlash will be enough for all artists to do what the Flecktones did:
"Frustrated when he bought a copy-protected Dave Matthews release and couldn't copy it to his Apple iPod, Fleck insisted that Sony not release his new album with such restrictions"
.. paranoid crackpot leftover from the days of Amiga.
People infected with a rootkit should be re-imbursed from Sony Music for the cost of the removal service, provided by whom ever the person chooses to use to remove the kit.
Rootkits are designed to avoid detection, and only an idiot would trust a company destributing rootkits to provide them with software to remove the rootkit. For all I know, they just changed the cloaking mechanism, and left the machine vulnerable to attacks, still running the rootkit.
Shouldn't Sony pay the cost of having machines backed up, wiping and formating of the drives, re-install of the OS, re-install of the software, re-configure the software, and reimbursement for the time and productivity lost in the process.
Right now the whole thing is being treated like a childish goof up and a big oops. Sony has installed rootkits, on personal machines and corporate equipment, and they should be paying for the equipment to be restored as deemed necessary by the owner. Simply giving a link to a download that claims to remove the rootkit is entirely insufficient.
I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other.
Irrelevant.
Not that the people working in the other divisions, who didn't make such stupid decisions, deserve to be punished, but the way to stop companies from doing crap like this is to hit them where it will hurt the top-level decisionmakers: their stock price. To do that, you have to damage their profits, and the best way to do *that* is to decrease their revenues by not buying their stuff. If Sony's stock takes a 20% drop as a result of some decisions by the entertainment division, the C-level execs will take action, and if they don't then the board of directors will, and if *they* don't, the stockholders will. If it gets nasty enough, no one in Sony will ever again dare to do something that has even the remotest possibility of bringing that sort of shitstorm down on their heads.
Not that I believe a lot of "boycott Sony" shouting and posturing on slashdot will really affect their revenues noticeably, much less their stock price. But still, the theory is sound, even if follow-through is insufficiently widespread to make any difference.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
You laugh, but I call a recent article on Tom's Hardware into witness. The reason that the graphics card companies (nVidia, ATI) go so intensely after that performance crown is that the people who care deeply about it tend to be influencers -- I think the article claimed something like those graphics card companies can be assured of 20 mainstream target purchases due to the influence of one high-end customer.
Point being, people here care, and deeply, about the stuff Sony has been up to, and in many of these markets, *we* are the influencers.
If your company gets bad press on Slashdot, and you do technology, that's not just bad, that's very very bad, because for every post and every reader, there may well be 20 or more people who are going to stop doing business with you. And if you get repeated bad articles, over and over again, well, golly. This is only worse when there is a choice in the market, and for almost everything Sony makes, somebody else makes something like it.
In Soviet Russia, us are belong to all your base.
If the CD is a valid music CD and will play in a standard player,
Why is the operating system trying to run a program from the CD?
You should be able to set the OS to treat music CD's as music CD's and ignore any other content.
This is all due to MS advanced features messing the user over. Pressure should also be placed on Microsoft to treat music CDs as music CDs.
Perhaps a configuration to easily switch between
1. Play Music
2. Access any Autorun features
3. Offer option of 1 or 2
It's widely published that legal actions have begun in California, New York, and Italy. The Italian situation is not just some class-action lawsuit. A complaint was filed with a criminal investigation unit last Friday.
i ty/story/0,10801,106064,00.html?source=NLT_PM&nid= 106064
"The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said in an e-mail interview.
Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said."
Sony has declined to comment.
From:
http://www.computerworld.com/securitytopics/secur
What you do with a computer does not constitute the whole of computing.
I have noticed one aspect from all of this Sony/BMG rootkit fallout that seems to have gone unnoticed; but which I believe is a positive thing:
Up until now the RIAA trade group has been the front-man for all of the label cartels' untenable activities -- it's never been BMG, Geffen, Warner Brothers, Universal, EMI, et al, suing 12 year old girls and old ladies--noo, it's the RIAA.
Up until now whenever the consuming masses are outraged, all they have to derive their seering hatred towards is a large anonymous trade association which exists purely to absorb all of that yucky malevolent P.R.
Finally the pressure is being put on a specific corporate entity who happens to also be an RIAA member, and they will feel the wrath directly. It couldn't happen to a better company (well... okay, perhaps EMI; Bronfman is a real chode smacker).
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
1. MS pays the Sony DRM people to include gaping security holes.
2. MS makes sure the story on the holes breaks.
3. MS has their cronies post "boycott PS3" on Amazon, Slashdot, blogs, etc.
4. People decide to buy the XBox 360 instead of waiting for the PS3.
</ConspiracyTheory>
"Ah yes. An AMERICAN."
Somebody from Texas does something you don't like. Abroad, everything from Texas or New York or even Saipan is only labelled "made in the USA." Additionally, federal taxes collected from businesses in New York still benefit those folks in Texas.
Now, would you like to go even further out of your way in the course of your boycott to make sure that you only penalize those businesses from Texas, or do you want to make sure that everybody in the US, regardless of what state they're in, is penalized for allowing Texas to do what it does and helping them to do it?
Just because there are times when you should ask whether the scalpel or the chainsaw is the best tool to use doesn't mean the chainsaw is always the wrong choice.
I've had a Vaio for years and loved it. I may be a rare breed in this regard. Because of my experiance with this computer, I've bought a lot of other Sony products. No more. They lost me. The next laptop I get will not be a Sony, the same goes for cameras, music, etc. Man, it seemed like they were just beginnnig to get their act together...then this.
Last I checked the PS3 is going to ship with Blu-Ray which is filled with its own DRM restrictions, so essentially his "broad generalization" is fairly accurate IMO.
No sig for you!!
So isn't Microsoft violating the law by removing the Sony copy protection software, even though it's buggy and poses a security threat? Even though their intentions are good?
Should it be a violation of law to circumvent such copy protection schemes, even though they are harmful to the user?
It's still copy protection software, and they're still removing it.
Of course I don't think Sony would take Microsoft to court over this since they put themselves in such a bad position -- it would make them look twice as bad.
I think we finally found the missing link:
1. Sell a CD with copy protection / spyware or virus in one program
2. Antivirus will remove the program, circumventing the copyright measure and therefore breaking the law
3. Sue the antivirus maker for the huge loss of billions of dollars (per second) and the awful personal damages from such a terrible disaster.
4. PROFIT!!!
As a programmer, I have felt for quite some time that we need to have a "Programmers Guild" similar to the guilds of Medieval times. In the guilds of yore, the professionals of a craft actively monitored the products of other craftsmen and would punish/train/certify those who performed the craft badly. It has always bothered me that the most inept programmers continue to find work in our industry. Sadly, the only people in the industry who seem capable of evaluating a programmer's ability is other good programmers. The people responsible for this crappy code should simply not be allowed to work as programmers ever again. Instead these people will have a resume that proudly proclaims, "Worked to create high quality software with millions of users for Sony," and the managers they interview with will be quite impressed and put them in charge of more programming projects. For the sake of our craft, we desperately need to create a software programmers' guild.
So if I first hit you with a hammer - and then *stop*, I'm nice?
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
However, with the advent of internet-based human networking (IM, blogs, etc.), this is starting to change. You still can't get the old airplay and venues, but it is now affordable to distribute your music over the internet, using word of mouth to increase demand. Similarly, you might not be able to book the good venues, but with blogs etc., people can find the alternative venues that don't get ad-time in newspapers, on the radio, or on TV.
So in summary, artists often are victims, but with the new technologies of the last 10 years, more and more artists are able to emancipate themselves and survive.
3 words
HD-DVD vs. Blue-Ray
Why else would Microsoft violate copyright law when they're already in Anti-trust hot water? Because it makes them look like friggen Angels when compared to Sony. With people boycotting sony product, and two different data formats pending, HD-DVD, from the company that doesn't put a rootkit on your PC is going to be a much more appealing bet.
Shots: A Populist Parable
I know I'm jumping in WAY late in this conversation, but if just a few people see this and respond, it'll do some good.
Go to the following sites and complain:
Department of Homeland Security - Select "Security Threats"
US Secret Service - They do computer fraud cases.
FBI
I'm sure there are people who post on Slashdot who really have worked in facilities doing classified work. Hell the guy who sits across from me at work was cleard TS/SCI when he was in teh Ariforce years ago, and one of our student employees actually has active secret clearence for his internship.
However, for every person on here who legitmately knwos what they are talking about, you have someone who's just making shit up. They want to appear "in the know" and believe they really know how it is, because they heard a story somewhere or something like that. However in the retelling, they pretend like it was them, because of course it makes them seem to be more knowledgable on the topic.
I've had lots of people tell me how things work in regards to secret data, however most of the people doing the telling, I know for a fact have never worked in such a facility. So what they are saying may be based entirely on fiction.
As always, take what you hear on Slashdot with a grain of salt.
New sig:
--
Days since my last Sony purchase: 602
This type of tactic that was used with this virus ware is nothing new for Sony. It wasn't a simple mistake or an accident or simple bad judgment. Sony has a long history of this type of strong arm tactics in almost every branch of the company. Another example in particular is the SOE entertainment branch that runs Everquest and Everquest 2. Throughout the game of Everquest Sony placed spyware on machines in a form that captured user specifics about their computers, connections, and names, credit card information and other personal data. When confronted about this collection of information on the Everquest players they quickly turned tail and ran into the legal jungle of vague response and said it was needed to properly manage the game environment and accounts. This of course was complete garbage. It was a campaign to collect, sell and profit from this data. To this day that data collection continues according to the very EULA they force you to agree too in order to play any of the games they now operate. Not only did Sony collect data and lie about its purpose but they also actively engaged tactics to force players into huge fees to simply be able to allow the players to be able to sell the very software they had already purchased. This is just one of more then 20 easy to find examples of Sony's business model that exploits abuses and damages the public's security, welfare and privacy.
Karma: a simple way of silencing those with unpopular views regardless how correct or just that view might be.
You are correct. It is not a rootkit. But not for the reason you stated. If it makes you feel any better, icydog and bluGill didn't get it right, either. The term is from Unix, and I'm a Unix/Linux security guy, so I'm going to stay in that context: what rootkit really means.
/. post about this, someone recommended double-quoting rootkit. He or she was dead-on.
Say you've just rooted a system. In order, you want to 1) hide your presence, and 2) make sure you have a way back in if 1) fails.
To hide your presence, you do things like clean log files, and install Trojaned versions of various system tools, such as the 'ps' process lister and the 'ls' file lister. Maybe you don't stop with Trojans. Maybe you load kernel modules, and hook system calls. That isn't a requirement for a rootkit, though. It's a technique. Nor is it a requirement to include a replication mechanism, which would tend to give you away. This isn't a worm, it's a means of hiding yourself and maintaining access.
What you do on the system is then up to you. Maybe you're attempting to compromise other systems, but that's not a requirement, either. Maybe you only wanted this machine because it has huge disk capacity or something. Maybe you don't want it for anything at the moment, and are just checking it's resources and their usage patterns, to determine how you might best employ it in future, without revealing yourself.
Specific attack tools, etc., are not part of the definition, though you definitely have a means of hiding them. Or pretty much anything else. You have a way back in if the original security vulnerability is patched.
You are now the worst nightmare of many sysadmins of business and government installations (hosts + network). Many of these guys would actually much rather you did launch a worm or something. Then you're findable.
It gets much deeper than this (it's a career in itself)--but the two requirements are those above. Sony's DRM software didn't provide a way back in. It was a screwup of epic proportions, and the first piece of mallware (Backdoor.IRC.Synd.A) known to be leveraging it was found in a spam message on the 9th.
But that's an IRC backdoor, meaning the system will most likely become part of a Botnet. Again, easier to find. And, again, that remote access component is not part of Sony's DRM screwup.
I one or another
What you do with a computer does not constitute the whole of computing.
Have they publicly acknowledged they did wrong?
Have they fired the executive who approved this idiocy?
Sony will need to do this if they ever want my business, my family's business, or my employer's business again. And this includes EVERYTHING SONY.
Why should a corporation who does this to their customers, have customers?
While everyone is whining (rightly so) about what Sony has done, why is there not obvious and loud whining about what Microsoft has done? How come by simply inserting a disk into a CDROM drive, Windows will read the disk and automatically execute code as a privileged user? The Sony DRM stuff is evil and hooks into and hides at the kernel level. It is more evil that kernel level drivers are automatically installed by Windows by the mere insertion of media with no user interaction or confirmation. There is no excuse for this.
I'm all for MS removing the rootkit, but doesn't Sony now have grounds to go after anyone that makes a tool to remove this under the DMCA? I suppose they could waive rights to it or such... I'm kind of hoping they do so that DMCA proponents can watch in horror as the worst of all possibilities come to fruition. Perhaps we can then look at getting rid of that legislative piece of trash.
Please leave the DRM on the Ricky Martin and Celine Dion CDs. If you could make the DRM stronger so that they can't be played on ANY device, that would be even better.
Sincerely,
Everyone
Sony has a habit of wanting to control everything. Betamax, Memory Sticks (manufactured exclusively by and for Sony), UMD, blue ray, the PSP, even the new PS3 will have the ability to control all of your media on the machine. The only thing they have learned over the years is that for new technologies to catch on, you do need the support of the other big dogs. What Sony recently learned is that they are going too far in their attempts to "control" their consumers.
I don't know if this site is serious, but they claim to have a list with more than 20 infected title. Here the link : http://www.idiotabroad.com/2005/11/cds-affected-by -the-sony-bmg-spyware/
Why shoudln't the same rules applied to black hat hackers who compromise and exploit the security of systems be applied towards sony executives? They should really make an example out of these guys so that other corporations and even spyware makers won't attempt anything like this EVER AGAIN.
http://www.awwsheezy.com
I worked in a county office as a sysadmin, and while I didn't have detailed schematics for stealth bombers, I handled payroll/personnel data for jail guards, judges, prosecutors... I brought in my own music CD player even though I could have polayed them my machines CD-Rom, because I believed in keeping personal things out of government equipment. Now, thinking of other departments... Bus Schedules, you could phone in an listen to recorded bus schedules, something that messes with audio could hose that. The county hospital, people have died from bugs in radiology software, as well as patient records. Court records, crime Victim/witness information. Computer controlled sewage equipment...