President of RIAA Says Sony-BMG Did Nothing Wrong
Zellis writes "In a press conference held on Nov 18 Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property." According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?" It seems that the latest spin is to portray the Sony rootkit as no more of an issue than a software coding error that unintentionally creates a security hole. Will they get away with it among the non-technical public?" Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!
Those of us involved with IT security know this attack vector all too well. If you want to really scan for viruses and trojans on a critical PC, you map the administrative shares C$, D$, etc. to another PC, and run the virus scanner on that machine.
That way you know for certain that you haven't been rooted: a kit can only hide from the PC it is hidden on, not another machine.
I see rootkits all the time, the main entry is through backup software exploits rather than O/S holes. (Or autorunning CDs). You will regularly see script kiddies taking advantage of a root kit placed there by other hackers.
So anyone who works in IT, especially someone who works in root kit creation, cannot claim that they were unaware of potential security problems.
It was incredibly irresponsible and pleading ignorance is no excuse.
"How many burns are you allowed of a movie? None. How many of a videogame? None. You get the idea. Even the CDs with content protection allow consumers to burn 3 copies or so for personal use. The idea is not to inhibit personal use, but to allow personal use but discourage (not prevent, you can never prevent) copying well beyond personal use."
Actually, it was my understanding the Supreme Court put this issue to rest about 8 years ago. We are entitled to one (1) archival copy of our media. I'm not aware of this having changed in the last few years. I guess I shouldn't be surprised they are saying this. It's a different world they live in.
The parts of the software are installed and activated before the EULA is even displayed to the user.
The problem is, Windows by default has auto-run enabled upon CD insertion. Most people won't go through the hassle of turning this off (it's not even in a very obvious place to turn it off..)
Windows XP: Go to My Computer. Right click on your CD-ROM drive. Click Properties. Click the "AutoPlay" tab. Click "Prompt me each time to choose an action" or "Take no action". Done. How much easier or logical can it get?
-everphilski-
I can confirm that on at least one disk ("Chris Botti") the rootkit installed WITH NO EULA. That IS patently illegal in any handbook.
What I would like:
I would like to be able to go download a recording of , and would like at least 80% of the money I pay for it to go to the composer and the performers. They, after all, did the hard work.
I would like this recording to be available as a plain old 192kbps mp3 or 160kbps ogg, or a FLAC encode, at my choice.
Is that really so hard to ask?
No, but they do have auto-run on for everything, because turning it off requires editing the registry
FALSE
(Windows XP) Go to My Computer. Right click the CD-ROM drive, hit properties. Click the AutoPlay tab, and select "Take no action" or if you prefer "Prompt me each time to choose an action" to get a nice pop-up window asking what you want to do. No regedit required at all.
-everphilski-
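The two exchanges above argue about whether disabling AutoRun needs the registry or just the AutoPlay tab. The policy value administrators actually set for this is NoDriveTypeAutoRun under Policies\Explorer, a bitmask in which each set bit disables AutoRun for one drive type; the following Python decodes it and reports whether a CD-ROM insert would still trigger autorun.inf. This is an added example, not code from the page or from any poster: the bit table and the Windows XP default of 0x91 are from Microsoft's documentation of the value, the precedence rule (HKLM overrides HKCU) likewise, and the registry read is guarded so the decoding logic also runs off Windows.

```python
"""Decode the NoDriveTypeAutoRun policy and report whether AutoRun still fires
for CD-ROM drives. Added example for the AutoPlay exchange above; not from any
poster. Reading the registry only works on Windows; the decoding is pure."""
from typing import Dict, Optional

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"

# Bit -> drive type whose AutoRun is disabled when that bit is set.
DRIVE_BITS: Dict[int, str] = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}
CDROM = 0x20
XP_DEFAULT = 0x91   # value Windows XP assumes when the policy is absent: CD-ROM AutoRun stays on
DISABLE_ALL = 0xFF


def effective_mask(hklm: Optional[int], hkcu: Optional[int],
                   default: int = XP_DEFAULT) -> int:
    """Machine policy wins over user policy; with neither set, the OS default applies."""
    if hklm is not None:
        return hklm & 0xFF
    if hkcu is not None:
        return hkcu & 0xFF
    return default


def autorun_disabled_for(mask: int, drive_bit: int) -> bool:
    """True when the mask turns AutoRun off for the given drive type."""
    return bool(mask & drive_bit)


def report(mask: int) -> Dict[str, bool]:
    """Map every drive type to True when AutoRun is disabled for it."""
    return {name: autorun_disabled_for(mask, bit) for bit, name in DRIVE_BITS.items()}


def read_policy_value(hive_name: str) -> Optional[int]:
    """Read NoDriveTypeAutoRun from 'HKLM' or 'HKCU'; None if absent or not on Windows."""
    try:
        import winreg
    except ImportError:          # not Windows
        return None
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(hive, POLICY_KEY) as key:
            value, kind = winreg.QueryValueEx(key, POLICY_VALUE)
    except OSError:              # key or value missing
        return None
    return int(value) if kind == winreg.REG_DWORD else None


def cdrom_autorun_status() -> str:
    """One-line verdict for the machine this runs on (XP default assumed if unset)."""
    mask = effective_mask(read_policy_value("HKLM"), read_policy_value("HKCU"))
    state = "disabled" if autorun_disabled_for(mask, CDROM) else "ENABLED"
    return f"{POLICY_VALUE}=0x{mask:02X}: CD-ROM AutoRun {state}"


if __name__ == "__main__":
    print(cdrom_autorun_status())
    for value in (XP_DEFAULT, DISABLE_ALL):
        print(f"0x{value:02X} ->", report(value))
```

The AutoPlay tab and this policy are different controls: the tab chooses what Explorer does on insert for a content type, while the policy bit stops AutoRun processing for a whole drive class, which is the setting an administrator pushes by Group Policy to many machines at once.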
Did you all see today's FoxTrot? It appears that existence of Sony's rootkit is becoming more and more mainstream.
http://news.yahoo.com/news?tmpl=story&u=/uclickcomics/20051121/cx_ft_uc/ft20051121
Just got a press release in our newsroom that the Texas Attorney General Greg Abbott is suing Sony BMG.
Full release can be found at http://www.oag.state.tx.us/oagnews/
Don't mess with Texas.
Just to touch on the subject of the RIAA and the true theft that occurs...
If you do the research you will find out that a band's first contract (and sometimes their ONLY contract) is NOT designed to give them any say. Remember Hootie and the Blowfish? Their debut album (Cracked Rear View) grossed over 12 million copies. Do you know how many of those 12 million their label gave away to record clubs like BMG or Columbia House (you know, the buy 1 get 12 free deals)? 4 million. That is 4 million albums that they will NOT get paid for, and guess what else? It was written into their contract and they had NO say about it. This hasn't happened only to them, either. This type of clause is in 98% of new band contracts. The same thing goes for promotional discs sent to record stations. The bands pay for those (and everything else, including studio time, music videos, producer's fees, mixing fees, mastering fees) out of the advance they receive from the label, but they don't get paid for the promotional copies. They have to eat the cost, and hope they can make it up somewhere else, like touring or merchandising. Furthermore, remember that the band doesn't begin to make ANY money until every dime of their advance from the record label is paid back.
The ONLY way that you begin to have any say in your contract negotiations is if you have 2 or 3 really successful albums. Only then can you begin to negotiate your contracts. Do you think a band like Green Day was able to get a really great contract when they first signed up? NO, they didn't. However, after 10+ years and more than a few platinum albums, they now have negotiating power, but most labels aren't looking that far in to the future. As far as they are concerned, most artists have a shelf life of about 3-4 years and then they are old news (just look at Britney, Christina, and Creed if you want some examples).
Remember Record Labels are nothing more than banks. They will stand there with the money and the contract, waiting to see which of the new artists will wade through the river of crap and emerge from the crap with a pen, just waiting to sign. If you don't want to sign the contract, they aren't going to beg you because they know there are others that are willing to do it, if you don't.
"If you want to really scan for virus and trojans on a critical PC, you map the administrative shares C$ D$ etc to another PC, and run the virus scanner on that machine." You surely can't think that, can you? If you are accessing the shares remotely, you need the kernel on the compromised machine to tell you what files exist. If the kernel doesn't list the files, do you think it will make them available over the share? The only way to be sure is to boot from CD or another, known good, hard disk.
Uhh, this is a very, very ugly way to do things. You twist the semantics of the global namespace and potentially redirect all traffic to those domains to 127.0.0.1.
What if your users are developers running a local httpd?
If you want to block HTTP traffic, use an HTTP proxy. The proper way to implement ACLs is to return a code that indicates "denied", not return false information as if it were real. This only leads to headaches later, when no one thinks about this "solution" anymore and tries to debug a real problem.
In one way, this solution is slightly better than the stupid hosts-file-mangling you see everywhere because it's centralised. OTOH, it's just as stupid as that because it's like driving a screw with a hammer.
There is one case where fiddling in BIND is appropriate. This is cases like omniture.com. They smuggle data through DNS by requesting weird hostnames like [long encoded string].omniture.com. I saw this when browsing through ebay one day. In this case, you have to block on the DNS level, but not by falsifying the information.
I checked out which nameservers are authoritative for omniture.com. Then I checked which networks they belong to. Those networks I put in a blackhole clause in named.conf. So whenever I request something in omniture.com, at least I get a "server failed", which hints to me that BIND is involved, should I forget one day that I blocked them.
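The comment above describes two things: data being smuggled out through DNS as long encoded labels under omniture.com, and blocking it at the resolver by blackholing the authoritative servers' networks so the answer is SERVFAIL rather than a forged record. Before adding such a clause you want to know which names and which clients are involved, and the following Python is an added example (not the poster's code) that scans BIND-style query-log lines for that pattern: names under a given zone whose labels are long and high-entropy. The log line shape is the one BIND 9's querylog produces (assumed; the fields vary by version and newer releases prepend a client handle), the log lines and addresses are constructed, and the length and entropy thresholds are starting points to tune, not measured values.

```python
"""Flag DNS queries whose labels look like smuggled data (long, high-entropy
names under a zone) in BIND-style query-log lines. Added example for the
omniture.com comment; not the poster's code. Log format assumed, lines
constructed, thresholds are starting points."""
import math
import re
from collections import Counter
from typing import Dict, List

# Assumed BIND 9 querylog shape: client <addr>#<port>: query: <name> IN <type> ...
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4 for random hex, up to 6 for random base64, lower for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def payload_under(name: str, zone: str) -> str:
    """Labels of name below zone, concatenated; '' if name is not strictly under zone."""
    labels = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    if len(labels) <= len(z) or labels[-len(z):] != z:
        return ""
    return "".join(labels[:-len(z)])


def looks_smuggled(name: str, zone: str,
                   min_len: int = 30, min_entropy: float = 3.0) -> bool:
    """Long plus high-entropy: short hostnames and readable names fall below one or both."""
    blob = payload_under(name, zone)
    return len(blob) >= min_len and shannon_entropy(blob) >= min_entropy


def scan_log(lines: List[str], zone: str) -> List[Dict[str, str]]:
    """Return the queries under zone that match the smuggling heuristic."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and looks_smuggled(m["name"], zone):
            hits.append({"client": m["client"], "name": m["name"], "qtype": m["qtype"]})
    return hits


def clients_by_hits(hits: List[Dict[str, str]]) -> Counter:
    """Which internal clients are emitting the suspicious names."""
    return Counter(h["client"] for h in hits)


# Constructed sample: one ordinary lookup, one 40-character hex label under
# the zone, one long but readable name, and one encoded label under another zone.
SAMPLE_LOG = [
    "client 192.0.2.10#53001: query: www.omniture.com IN A +",
    "client 192.0.2.10#53002: query: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.omniture.com IN A +",
    "client 192.0.2.23#40215: query: metrics.eu-west.collector.omniture.com IN A +",
    "client 192.0.2.10#53003: query: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.www.ebay.com IN A +",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG, "omniture.com")
    for h in hits:
        print(h)
    print("clients:", dict(clients_by_hits(hits)))
```

Length alone is a poor discriminator (CDN and tracking hostnames are routinely long), which is why the heuristic requires both a long concatenated payload and entropy in the range of encoded data; once the hits confirm what the poster saw, the block belongs at the resolver as described, and the per-client counts tell you which browsers were loading the tracker.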
RICO requires extortion. The legal definition of extortion is:
The term "extortion" means the obtaining of property from another, with his consent, induced by wrongful use of actual or threatened force, violence, or fear, or under color of official right.
So any threatening of something fearful will do, as well as pretending to be an official (i.e. pretending to be a police officer or court official of some sort). I believe that in some of their early legal threats they crossed that line as well, from what I recall.
> From what I understand
not really all that much, as it turns out, huh?
You may not have heard, but a company called First 4 Internet actually developed and licensed this "DRM Solution" to Sony
http://www.eweek.com/article2/0,1895,1887181,00.a
Dan Kaminsky, an independent security researcher, discovered evidence that so-called "rootkit" style stealth programs developed by U.K. firm First 4 Internet Ltd. and used by Sony while conducting an audit of the DNS (Domain Name System) infrastructure.
This has been all over /. for the last couple weeks. Are you really that stupid to ignorantly post something contrary to what has been very public knowledge for some time now, or are you just a stupid troll?
The issue being that if you close it without saying yes, it still installs the rootkit anyway.
Then what you like is www.allofmp3.com + mail your favorite band $10 for each record you download (make sure you write a note telling them what you did and why).
After thinking for a while, my conclusion is that that is a fair way to back your artist. You may write them and tell them to give you a PayPal account to make them a deposit.
Why allofmp3 instead of p2p? Because on allofmp3 you can download the music in several codecs (mp3, ogg, flac, ape, mpc, wav, mp4, etc.).
1) They're being "responsible" because they're being "sued."
2) Regardless of the myriad cybercrimes under which SonyBMG is currently being sued, usually when companies install software that circumvents a customer's expected right to a freedom of choice, they get punished by the government under anti-trust law. See Microsoft.
There's nothing about this issue that's either legal, moral, or intelligent.
Tim from http://www.boycottsony.us/ was the guest on the radio program, and he did a fine job of convincing the radio host John Gormley how bad this DRM infection is. If all technical people were as gifted verbally as Tim is, then we'd see a lot fewer problems from companies trying to exploit consumer ignorance.
The rebroadcast is tonight CST at www.ckom.com
Saskboy's blog is good. 9 out of 10 dentists agree.
http://news.bbc.co.uk/1/hi/technology/4456970.stm
About 2 hours old now. And yup, it even touches on the rootkit's own copyright infringements.
Estimates the damage caused to SONY's bottom line in the tens of millions for this one incident, not counting the pending legal action taking place in Cali, NY, and now Texas.
They don't "develop" squat.
They might dish out illegal payola to radio stations to get airplay but that's about it. Most of the time, they don't even do that. More typically, the labels are just a bunch of loan sharks and cartel brokers.
Some acts have even managed to develop their own following as well as their own master recordings. A musician needs a label as much as a fish needs a bicycle.
This article on Yahoo! says DRM is doomed. FTA: "The fact that so-called digital rights management might always be a doomed experiment became painfully clear with the fiasco that erupted after Sony BMG Music Entertainment added a technology known as XCP to more than 50 popular CDs."
Let's hope. I always thought this was stupid. I bought the CD. The concept of fair use says I should be able to listen to it when, where and how I want. Fussing about people trading music just goes to show how badly the music industry knows it's wrong and that it's been screwing artists since the beginning. They're not treating their artists nor their customers well.
``It follows that RIAA does not consider the piracy of copyrighted material wrong... Well, I'm off to go copy a few CDs, with the cartel's blessing this time.''
No, no, no, you've got it all wrong!
It's not about breaching copyright.
It's about who harms who. Small folk harming the large corporations? BAD! Large corporations harming the small folk? Standard practice!
Please correct me if I got my facts wrong.
No, that isn't the case. Again, you are finding the user mode rootkits that way. They are only hiding from ntdll.dll (and hence Explorer.exe doesn't show them, cmd.exe doesn't show them). The redirector is running as system, so the user mode ones can't hide from that. This is why you can see them over remote mounted disks (C$, etc.).
However, if you read up on the kernel mode ones (some of the talks Mark Russinovich has given, like at TechEd this year), you'll see that these touch the kernel itself and the redirector will not expose them (so C$, etc. won't work).
It's just a matter of different architectures and different methods of "rooting" a machine.
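The three comments on this point (mapping C$ to scan from another machine, the reply that a kernel hook also controls what the redirector serves, and the user-mode versus kernel-mode distinction just above) describe one technique: a cross-view diff, where the same directory is listed from two vantage points and anything present in the trusted view but missing from the suspect one is flagged as hidden. The following Python is an added example, not code from the page or any poster. It models the three vantage points rather than hooking anything, and also diffs two saved listings the way you would after booting known-good media; the file names and listings are constructed, and the hide rule is a placeholder prefix (XCP's driver hid names beginning with "$sys$", which is why that string is used).

```python
"""Cross-view diff of directory listings taken from different vantage points.

Added example for the rootkit thread above; not from any poster. The hide
rule, file names and saved listings below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Set

# Placeholder hide rule for the simulated hook. XCP's driver hid names that
# began with "$sys$"; any other prefix would serve the simulation equally well.
HIDDEN_PREFIX = "$sys$"


def normalize(path: str) -> str:
    """Canonical form so that case and slash style do not produce false diffs."""
    return path.strip().replace("/", "\\").lower()


def parse_listing(text: str) -> Set[str]:
    """Parse a saved 'dir /a /s /b'-style listing (one full path per line)."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def cross_view_diff(trusted: Iterable[str], suspect: Iterable[str]) -> List[str]:
    """Paths the trusted view reports that the suspect view omits."""
    return sorted(set(map(normalize, trusted)) - set(map(normalize, suspect)))


def hooked_listing(real: Iterable[str]) -> List[str]:
    """What a filtering hook hands back: every entry except the ones it hides."""
    return [p for p in real
            if not normalize(p).rsplit("\\", 1)[-1].startswith(HIDDEN_PREFIX)]


def simulate_views(real: List[str], rootkit: str) -> Dict[str, List[str]]:
    """Listings from three vantage points for rootkit in {'none', 'usermode', 'kernel'}.

    local:   enumeration through the process's own ntdll (a user-mode kit hooks here)
    share:   enumeration served by the redirector on C$; only a kernel-mode kit,
             filtering below the redirector, can alter this
    offline: disk read after booting known-good media, where neither kit is loaded
    """
    if rootkit not in ("none", "usermode", "kernel"):
        raise ValueError(rootkit)
    local = hooked_listing(real) if rootkit != "none" else list(real)
    share = hooked_listing(real) if rootkit == "kernel" else list(real)
    offline = list(real)
    return {"local": local, "share": share, "offline": offline}


def detect(real: List[str], rootkit: str) -> Dict[str, List[str]]:
    """Run the two comparisons the thread argues about and return what each exposes."""
    v = simulate_views(real, rootkit)
    return {
        "share_vs_local": cross_view_diff(v["share"], v["local"]),
        "offline_vs_local": cross_view_diff(v["offline"], v["local"]),
    }


# Constructed sample data: one cloaked driver among ordinary files, plus a
# "live" listing saved on the infected box and an "offline" one from a boot CD.
SAMPLE_REAL = [
    r"C:\WINDOWS\system32\drivers\$sys$example.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\notepad.exe",
]
LIVE_LISTING = "\r\n".join([r"C:\WINDOWS\notepad.exe",
                            r"C:\WINDOWS\system32\drivers\ntfs.sys"])
OFFLINE_LISTING = "\n".join(SAMPLE_REAL)

if __name__ == "__main__":
    for kind in ("none", "usermode", "kernel"):
        print(kind, detect(SAMPLE_REAL, kind))
    print("saved listings:", cross_view_diff(parse_listing(OFFLINE_LISTING),
                                             parse_listing(LIVE_LISTING)))
```

Running it shows the outcome the thread converges on: with a user-mode kit the share view already exposes the cloaked file, with a kernel-mode kit the share view is as blind as the local one and only the offline listing reveals it, so the remote-share scan is a useful first check but the boot-from-known-good-media diff is the one that settles the question.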
EFF Files Class Action Lawsuit Against Sony BMG. Sony BMG is also facing at least six other class action lawsuits nationwide and an action by the Texas Attorney General.