Slashdot Mirror


President of RIAA Says Sony-BMG Did Nothing Wrong

Zellis writes "In a press conference held on Nov 18 Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property." According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?" It seems that the latest spin is to portray the Sony rootkit as no more of an issue than a software coding error that unintentionally creates a security hole. Will they get away with it among the non-technical public?" Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!

12 of 631 comments

  1. Unaware? by NexusTw1n · · Score: 4, Informative
    "the technology they used contained a security vulnerability of which they were unaware".
    I assume the next step is suing the software house that produced the DRM for them. Because they, at the very least, should have known they were implementing a standard root kit with all the risks that entails.

    Those of us involved with IT security know this attack vector all too well. If you want to really scan for viruses and trojans on a critical PC, you map the administrative shares C$ D$ etc to another PC, and run the virus scanner on that machine.

    That way you know for certain that you haven't been rooted, a kit can only hide from the PC it is hidden on, not another machine.

    I see rootkits all the time, the main entry is through backup software exploits rather than O/S holes. (Or autorunning CDs). You will regularly see script kiddies taking advantage of a root kit placed there by other hackers.

    So anyone who works in IT, especially someone who works in root kit creation, cannot claim that they were unaware of potential security problems.

    It was incredibly irresponsible and pleading ignorance is no excuse.
    --
    It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
  2. Re:Wrong illegal and unethical by multriha · · Score: 5, Informative

    The parts of the software are installed and activated before the EULA is even displayed to the user.

  3. Re:Wrong illegal and unethical by _LORAX_ · · Score: 4, Informative

    I can confirm that on at least one disk, "Chris Botti", the rootkit installed WITH NO EULA. That IS patently illegal in any handbook.

  4. FoxTrot tries to educate the Public by Jaxim · · Score: 5, Informative

    Did you all see today's FoxTrot? It appears that the existence of Sony's rootkit is becoming more and more mainstream.
    http://news.yahoo.com/news?tmpl=story&u=/uclickcomics/20051121/cx_ft_uc/ft20051121

  5. The state of Texas apparently disagrees by Zygote-IC- · · Score: 4, Informative

    Just got a press release in our newsroom that the Texas Attorney General Greg Abbott is suing Sony BMG.

    Full release can be found at http://www.oag.state.tx.us/oagnews/

    Don't mess with Texas.

  6. Re:Unaware? by whoever57 · · Score: 4, Informative

    "If you want to really scan for viruses and trojans on a critical PC, you map the administrative shares C$ D$ etc to another PC, and run the virus scanner on that machine."

    You surely can't think that, can you? If you are accessing the shares remotely, you need the kernel on the compromised machine to tell you what files exist. If the kernel doesn't list the files, do you think it will make them available over the share? The only way to be sure is to boot from CD or another, known good, hard disk.

    --
    The real "Libtards" are the Libertarians!
  7. Re:Cary Sherman speaks truth. by karmatic · · Score: 3, Informative

    The issue being that if you close it without saying yes, it still installs the rootkit anyway.

  8. DRM doomed? by mgessner · · Score: 4, Informative

    This article on Yahoo! says DRM is doomed. FTA: "The fact that so-called digital rights management might always be a doomed experiment became painfully clear with the fiasco that erupted after Sony BMG Music Entertainment added a technology known as XCP to more than 50 popular CDs."

    Let's hope. I always thought this was stupid. I bought the CD. The concept of fair use says I should be able to listen to it when, where and how I want. Fussing about people trading music just goes to show how badly the music industry knows it's wrong and that it's been screwing artists since the beginning. They're not treating their artists nor their customers well.

    --
    "Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
  9. No, no, no, you've got it all wrong! by RAMMS+EIN · · Score: 3, Informative

    ``It follows that RIAA does not consider the piracy of copyrighted material wrong... Well, I'm off to go copy a few CDs, with the cartel's blessing this time.''

    No, no, no, you've got it all wrong!

    It's not about breaching copyright.

    It's about who harms who. Small folk harming the large corporations? BAD! Large corporations harming the small folk? Standard practice!

    --
    Please correct me if I got my facts wrong.
  10. Re:No regedit required at all... by kawika · · Score: 4, Informative

    everphilski, have you actually checked that with the Sony CDs? Because it doesn't work.

    The settings on the AutoPlay tab are for "Autoplay V2" which determines the action based on the content of the CD (mp3 files, image files, etc.). The Sony CDs use "Autoplay V1" which only requires a file named Autorun.exe in the root of the drive. Even if you turn off all the features on the Autoplay tab, it will not disable Autoplay V1.

    There are several ways to disable the V1 variety, if you don't want to manually RegEdit just download TweakUI and you can turn it off that way. If you prefer the registry method, Google for DriveTypeAutoRun to disable them on a per-drive letter basis or services cdrom autorun to turn it off for all CD/DVD drives.

  11. Re:Unaware? by GIL_Dude · · Score: 3, Informative

    No, that isn't the case. Again, you are finding the user mode rootkits that way. They are only hiding from ntdll.dll (and hence Explorer.exe doesn't show them, cmd.exe doesn't show them). The redirector is running as system, so the user mode ones can't hide from that. This is why you can see them over remote mounted disks (C$, etc.).

    However, if you read up on the kernel mode ones (some of the talks Mark Russinovich has given, like at Tech Ed this year), you'll see that these touch the kernel itself and the redirector will not expose them (so C$, etc. won't work).
    It's just a matter of different architectures and different methods of "rooting" a machine.
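
The disagreement in comments 1, 6 and 11 comes down to which view of the disk you trust. As an added example, not part of any comment or of the original page: a cross-view comparison in Python that diffs a file listing taken through the suspect system against one taken from known-good media. The `hideme` marker, the sample file names and the simulated filter are constructed for illustration.

```python
import os
import tempfile

def list_tree(root):
    """Return the set of relative file paths found under root."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            found.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return found

def cross_view_diff(suspect_view, trusted_view):
    """Compare two listings of the same volume.

    hidden: in the trusted listing only (something filtered the suspect view).
    extra:  in the suspect listing only (usually churn between the two scans).
    """
    return {
        "hidden": sorted(trusted_view - suspect_view),
        "extra": sorted(suspect_view - trusted_view),
    }

def simulated_filtered_view(listing, marker):
    """Constructed stand-in for a listing taken where file enumeration is
    filtered: any path with `marker` in one of its components is dropped."""
    return {p for p in listing
            if not any(marker in part for part in p.split("/"))}

def demo():
    """Build a constructed volume, list it through both views, return the diff."""
    with tempfile.TemporaryDirectory() as vol:
        for rel in ("docs/report.txt", "drivers/disk.sys",
                    "drivers/hideme_filter.sys", "hideme_cache/data.bin"):
            path = os.path.join(vol, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample\n")
        trusted = list_tree(vol)  # stands in for a scan from known-good boot media
        suspect = simulated_filtered_view(trusted, "hideme")  # live-system view
        return cross_view_diff(suspect, trusted)

if __name__ == "__main__":
    for path in demo()["hidden"]:
        print("present on disk but missing from the suspect view:", path)
```

In practice the suspect listing would come from the running machine or its C$ share and the trusted one from a boot CD or another known-good disk, as comment 6 suggests. Per comment 11, a listing taken over a share only exposes user-mode hiding.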

  12. Texas has just filed suit... by artifex2004 · · Score: 3, Informative
    I submitted an article, but then edited it. In case the latter fails to see light of day:
    In the first enforcement of Texas' new spyware law, the Consumer Protection Against Computer Spyware Act of 2005, Attorney General Greg Abbott filed suit against Sony for having "surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems." The suit is seeking US$100,000 per violation. A PDF of the lawsuit is available here.