Slashdot Mirror
President of RIAA Says Sony-BMG Did Nothing Wrong
Zellis writes "In a press conference held on Nov 18 Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property." According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?" It seems that the latest spin is to portray the Sony rootkit as no more of an issue than a software coding error that unintentionally creates a security hole. Will they get away with it among the non-technical public?" Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!
"President of RIAA Says Sony-BMG Did Nothing Wrong"
In other news, cows give milk.
Anyone interested in local radio coverage of this story, CJME.com is about to do a show on the Sony rootkit, you can listen live at 10:05AM CST, and again in the evening for a rebroadcast. Sorry, no podcast is made.
Saskboy's blog is good. 9 out of 10 dentists agree.
Well, I'm a sys-admin at a company with a few hundred desktops. AFAICT, there isn't any way to scan my whole network for the rootkit, and the only sure fire, safe way to remove it is to reimage the machines that have it. Thankfully, it does phone home, so we have started looking through firewall logs for anything trying to get to the phone-home website. Still, a major PITA.
I've seen 2 local bands forgo major label representation because of BAD contracts. Yet most big bands do sign bad deals.
I see a big reason for "major" labels, actually. I look at it as a co-op of bands that distribute the cost of production and marketing across hundreds of "talented" bands.
My problem is with the anti-freedom maneuvers of the labels. They corrupted radio rights, they helped destroy copyright, they subsidized the DMCA and they fostered anti-speech creations like Tipper's parental warning label and other bad ideas. I have no problem with stupid business tactics, it is when the law protects it that I'll call foul.
I put Snort sigs in place for the Sony traffic http://www.bleedingsnort.org/ and got hits from the following company
/*, multipart/*, ..Content-Type: .Content-Length: ...
I have loaded the Sony DRM sigs but have gotten hits from other products. I am wondering if this is a false alert or another company using this root kit for DRM
000 : 50 4F 53 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E POST http://www./
010 : 70 68 6F 74 6F 73 68 6F 77 2E 6E 65 74 2F 4D 50 photoshow.net/MP
020 : 53 4E 41 70 70 53 65 72 76 65 72 2F 73 65 72 76 SNAppServer/serv
030 : 69 63 65 73 2F 6C 6F 67 67 69 6E 67 20 48 54 54 ices/logging HTT
040 : 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 61 P/1.0..Accept: a
050 : 70 70 6C 69 63 61 74 69 6F 6E 2F 2A 2C 20 61 75 pplication/*, au
060 : 64 69 6F 2F 2A 2C 20 69 6D 61 67 65 2F 2A 2C 20 dio/*, image/*,
070 : 6D 65 73 73 61 67 65 2F 2A 2C 20 6D 6F 64 65 6C message/*, model
080 : 2F 2A 2C 20 6D 75 6C 74 69 70 61 72 74 2F 2A 2C
090 : 20 74 65 78 74 2F 2A 2C 20 76 69 64 65 6F 2F 2A text/*, video/*
0a0 : 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20
0b0 : 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 55 73 65 72 text/plain..User
0c0 : 2D 41 67 65 6E 74 3A 20 53 65 63 75 72 65 4E 65 -Agent: SecureNe
0d0 : 74 20 58 74 72 61 0D 0A 48 6F 73 74 3A 20 77 77 t Xtra..Host: ww
0e0 : 77 2E 70 68 6F 74 6F 73 68 6F 77 2E 6E 65 74 0D w.photoshow.net.
0f0 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A
100 : 20 31 36 33 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 163..Proxy-Conn
110 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali
120 : 76 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 ve..Pragma: no-c
130 : 61 63 68 65 0D 0A 0D 0A 3C 3F 78 6D 6C 20 76 65 ache..........
190 : 3C 69 6E 73 74 61 6C 6C 49 64 3E 35 66 37 35 30 5f750
1a0 : 34 66 36 33 61 66 38 37 38 35 61 39 32 63 36 33 4f63af8785a92c63
1b0 : 63 62 64 38 30 61 38 66 63 63 66 3C 2F 69 6E 73 cbd80a8fccf
1d0 : 3C 2F 73 65 72 76 69 63 65 3E 0D 0D 0A
"Hey, I know we were found in your house in the middle of the night after breaking in a window, but we've cleaned up the mess and put in a new pane of glass. Aren't we responsible"?
Now, if only the non-technical people could see this....
What Sony did wasn't responsible, it was, in fact, a crime in many areas. Call and report it to your local police department.
On the civil side, you don't have to wait for the class action lawsuits against Sony BMG Music Entertainment and First 4 Internet to wind their way through the courts -- you can sue on your own in Small Claims Court. For a useful guide to get you started, visit SonySuit.com.
-- Mark Lyon http://www.marklyon.org
The thing that intrigues me is the RIAA has the nerve to support this action when Sony clearly suggested (not in a press release but in recalls) they made a mistake. This shows the RIAA does not care about their PR. It seems to me the RIAA views us as consumers who will buy their product at any cost, regardless of how they treat us. Like suggested before, they have a monopoly at hand. I'm hoping in the future that some of the consumers can conform to suggest reasonable methods of distribution and rights to combat the RIAA's evil actions. If not I think the RIAA will keep on pushing for complete control over digital distribution and rights.
A high-placed source at Sony BMG has emailed me with some interesting information about the ongoing rootkit DRM fiasco. My source says,
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
there's a problem with the way you buy your records. do you really think that more of the money goes to the artist? is the artist really running the webstore or is the record label? think about that one...
for your parent's argument about major labels having a place... big bands do sign bad contracts all the time. why? advertising. they know they can get somewhere. think about that one. the beatles had a terrible contract, but they made more money afterwards when they did their own thing with apple records. a lot of the bigger bands today make their money through other means, not record sales. record sales means popularity, nothing more, nothing less. the more popular they are, the more poeple go to their concerts (where almost all the revenue goes to to the band). so far, the record labels haven't been able to touch concert revenue (don't you think they would've loved a chunk of the change bands like phish and the grateful dead made from touring alone?). the big label gets them advertisements, that's all (although phish and the dead became popular through word of mouth, the label just got them new fans).
please me, have no regrets.
It's a good point, but I've never seen it happen. All rootkits I've seen are visible over a share.
Rootkits are revealed on the network via firewall logs, and I've always tracked them down via this method. I suppose there may be kits that I may not be seeing, but they don't appear to be phoning home.
Remember that you can hide a file from the API, but you can't hide from NTFS itself otherwise you risk getting overwritten.
It's entirely possible that administrative shares get their file list from the disk volume itself and translate the information when it arrives using the clean kernel rather than the potentially infected API on the remote machine.
I'd be interested to know if anyone knows for certain if this is the case?
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
Advertising is one reason for joining with a major label, but performances and word-of-mouth themselves are better advertisment; in fact, only recently have television commericals or billboards played an important role in advertising. Radio traditionally has been an artist's best medium for advertisment. Advertising, however, means nothing without distribution. Major labels distribute globally through retailers, which independent artists would have a difficult time emulating, unless they have achieved substantial success on the charts (Which is difficult, if not impossible, for indie artists due to the connections between radio--Viacom, Infinity, and Clearchannel--and the labels. Thus indie artists have to find different means of advertising as well). It's not some arcane industry secret that artists typically only make 8-15 points (cents per dollar) from album sales, and from that have to pay for studio time/musicians, managers, lawyers, tours, etc. The label handles manufacturing and distribution.
Interestingly, though, a growing number of artists, including myself, are choosing to survive as 'independent' as its profit margins are higher, and the artists themselves do not forfeit the copyrights to their songs to the labels. When you pirate music, the copyright you are breaching is not of the artist; the copyright for the recording typically is owned by their label.
More on this (and more) is discussed in a paper I wrote, available here.