President of RIAA Says Sony-BMG Did Nothing Wrong
Zellis writes "In a press conference held on Nov 18 Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property." According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?" It seems that the latest spin is to portray the Sony rootkit as no more of an issue than a software coding error that unintentionally creates a security hole. Will they get away with it among the non-technical public?" Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!
Sherman would be correct -- in a free market. Fortunately for us, those who rely on helping create freedom-reducing laws eventually find themselves violating their own creations.
The real dilemma for content creators was their inability to collude together on a newer standard to replace CD, and now it is too late. Wouldn't you be mad if your cartel couldn't react in time to new situations?
The simple fact that any audible signal can be recorded is important, yet the record companies still seem blind that they have a viable MP3 market because most consumers (with jobs) would rather pay $1 (with Jobs) than spend 20 minutes finding a song illegally or even bothering to rip their own CDs. I have more than a few friends who've rebought albums from iTunes that they own on CD. $10, to them, is worth the time.
Does the RIAA need to continue the "piracy is wrong" campaign? Yes! But that should be the limit. Let honest people know they're not reimbursing others for the content they pirate, and I believe you'll see people continue to pay. I believe people are generally good and moral (99% of the time even a thief acts in a good way).
Do record labels need copy protection and lawsuits? Not against consumers, not even the guy seeding a torrent to hundreds of others. They need to re-evaluate their market and see that people will pay and more people are becoming more technologically inclined so even at a lower price they can see bigger profits.
Nonetheless I don't think we need to worry about the RIAA or rootkits or whatever much longer. The new generation (10-16) of kids recording today are already using the next distribution system (PureVolume and MySpace). I know of a few young bands already making decent money selling very professional CDs by promoting their music online for free.
I'm starting to filter the RIAA news (at least mentally) since it isn't news to me. They had a great run of 70 years, and just like gaslamp lighters, their time has come.
RIP A CD, R.I.P. R.I.A.A.
The comparison is apt and honest. I can't count how many times regular application software has done this to me. For example, the time I put Outkast's Speakerbox CD into my drive, and I found a buggy version of Firefox had installed and masqueraded as a system DLL. Or the time I was listening to William 0rbit's Strange Cargo, all the while the CD was secretly installing an unpatched IIS server and updating the kernel to keep the install from showing. Boy, that sucks every time. :(
Clearly the analogy is apt, and we need a more progressive, less bigoted view: Just because it's a shrouded rootkit doesn't mean it's a security hazard.
Satan says Hitler did nothing wrong!
I wonder if Cary would be saying that if the RIAA was named in several lawsuits and was facing the bad press Sony is currently getting?
The most surprising thing to me about this whole affair is that there are companies selling rootkits. Which makes me wonder -- who else is buying them? Who knew this was a legal commercial enterprise? Can we get a list of their other customers?
I'm sure they'd love the DMCA to include permission for them to place rootkits with impunity. Because we all know that DRM is FAR more important than protecting all the data on my hard drive. I'm sure he's perfectly willing to put his money where his mouth is and run the Sony rootkit on his personal and business computers...
Never mind that their software contained copyrighted code
"President of RIAA Says Sony-BMG Did Nothing Wrong"
In other news, cows give milk.
Anyone interested in local radio coverage of this story, CJME.com is about to do a show on the Sony rootkit, you can listen live at 10:05AM CST, and again in the evening for a rebroadcast. Sorry, no podcast is made.
Saskboy's blog is good. 9 out of 10 dentists agree.
Sony may not have done anything patently illegal. The EULA does inform the end user that they are making modifications to their system. However, this fact is (reportedly) buried in the EULA and there is not any install notification. The fact the program goes so far to hide itself that it reprograms part of the Windows core system (and does not implement proper checking, which can lead to deliberate crashing) is definitely unethical.
There is nothing wrong with being gay. It's getting caught where the trouble lies.
Actually, I'm only surprised it took the RIAA so long to stand in line with Sony on this publicly.
See my blog for my free opinions.
It's true, he never did his own laundry.
He who knows best knows how little he knows. - Thomas Jefferson
This post 0wn3d by sOny - Greets go out to Mitsubishi, Toyota... thanks to Toshiba for t3h maths. Secret message to Cary of RIAA: LOL can't believe u said it, now I owe you $5
This is awfully interesting... From TFA
University of Southern Mississippi, The Student Printz: History seems to show that anything done to stop files sharing will only create new methods and technologies to get around their controls. In light of that, should the middlemen (RIAA, et al) be thinking about ways to bring consumers what they want -- which they'll mostly end up getting in any case -- instead of futilely struggling to keep their finger in the dike, which ultimately only causes further public unhappiness with them?
Cary Sherman: History also shows that no matter what is done to stop bank robberies or shoplifting, some people will always find a way around those techniques. Does that mean we should simply give up and allow people to take what they should be paying for? Record companies ARE trying to give consumers what they want. Think of how music was available just a couple of years ago and how it's available now. You can buy an individual track, at any time of the day or night, and get it instantly on line. You can subscribe to services with a million-and-a-half tunes to choose from that you can listen to whenever you want, for an all-you-can-eat monthly fee.
Hrmmm. Did he ever stop to think that if "Record companies ARE trying to give consumers what they want," then the ratio of illegal music downloads to bank robberies might be a little more consistent with what he is implying? Companies need to realize that copy protection isn't a trade-off. It's a limitation. And it's a limitation that most people don't want to bother with.
Losers whine about their best, Winners go home to fuck the prom queen
I agree with simple copy protection meant to keep Joe User from just sending files over the web but it's impossible to stop him from lending his CD to a buddy to be ripped. This will never hurt the pirates as they'll just find a way around it and continue what they do. The RIAA is hurting the legit users more than pirates who could care less.
"Nothing unusual" != "nothing wrong". Sherman's response that Sony's crimes against its customers aren't unusual makes it worse. He defends the crimes by saying they're standard practice. He should get frogmarched to prison after a RICO case shows he conspires with the media cartel to commit these crimes, and to cover for them.
--
make install -not war
If Sony clearly indicated that they were installing a rootkit on the users' systems, then I think indeed they did nothing wrong. It's their product, after all, so if they want to include a rootkit, that's fine. The only reason I say they need to indicate the presence of the rootkit is that it is the kind of software that you would normally expect not to be included (in good faith).
However, I doubt that Sony would have clearly indicated the presence of the rootkit. How do you even begin to clearly indicate the presence of something that most people don't even understand? I haven't been following the case, though, so I can't say anything more about it.
Please correct me if I got my facts wrong.
"RIAA, you're doing a heck of a job!"
We've sold off industry, education and science. Looks like our business leaders are now selling their soul. Sure they've done bad things in the past, but their actions are now so blatant. They don't even try to hide what they do any more; they just "pee on our legs and tell us that it's raining".
At what point can we say that business has gone too far? When PR boys start trying to convince us that it's ok for them to install stuff to spy on us? I'm waiting for the brain implants and mandatory goggles to "protect their intellectual privacy rights".
Yuck.
What are you eating? isItVeg?.
Well, I'm a sys-admin at a company with a few hundred desktops. AFAICT, there isn't any way to scan my whole network for the rootkit, and the only sure fire, safe way to remove it is to reimage the machines that have it. Thankfully, it does phone home, so we have started looking through firewall logs for anything trying to get to the phone-home website. Still, a major PITA.
I truly, deeply, and sincerely hope all his personal computer systems are rooted by all the DRM flavors out there simultaneously. Then he can live with what he claims is not a problem at all for the rest of us.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
There is a difference between a software bug that allows an attacker to take over your computer and deliberately installing a backdoor to allow anyone who knows how to take over your computer.
These are the same guys that believe that lobbying to create laws to protect intellectual property (DMCA) is a good thing.
One can hardly expect them to consider the technology arena as holy and untouchable.
Basically they only care about the bottom line - they'll do whatever it takes as long as they don't lose money by doing it.
Those of us involved with IT security know this attack vector all too well. If you want to really scan for viruses and trojans on a critical PC, you map the administrative shares C$ D$ etc. to another PC, and run the virus scanner on that machine.
That way you know for certain that you haven't been rooted, a kit can only hide from the PC it is hidden on, not another machine.
I see rootkits all the time, the main entry is through backup software exploits rather than O/S holes. (Or autorunning CDs). You will regularly see script kiddies taking advantage of a root kit placed there by other hackers.
So anyone who works in IT, especially someone who works in root kit creation, cannot claim that they were unaware of potential security problems.
It was incredibly irresponsible and pleading ignorance is no excuse.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
It took a California lawsuit, the EFF, and a week of bad press on Slashdot for them to pull this.. :)
This is "responsible"?
I tend to agree with a lot of other posters on here that if it were an individual they would be in jail right now.....
How the heck is it responsible?
I really like the part where Sherman says the record industry is really a lot more giving when it comes to allowing the copying of data...
The responsible thing would have never put the rootkit on the disks to begin with.......
Piracy is bad, but so is getting rooted...
Where is the middle ground? Id like to find it and sit there.
Jeez.....
"How many burns are you allowed of a movie? None. How many of a videogame? None. You get the idea. Even the CDs with content protection allow consumers to burn 3 copies or so for personal use. The idea is not to inhibit personal use, but to allow personal use but discourage (not prevent, you can never prevent) copying well beyond personal use."
Actually it was my understanding the Supreme Court put this issue to rest about 8 years ago. We are entitled to one (1) archival copy of our media. I'm not aware of this having changed in the last few years. I guess I shouldn't be surprised they are saying this. It's a different world they live in.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
How can DRM be set back when it's never got off the ground in the first place? As far as I am aware there is yet to be a single form of DRM that has even come close to forcing the use of recording of the output signal(s) in order to make a copy of a digital media file. Even Gartner is apparently now saying that DRM is a waste of time and predicting that the studios will abandon the idea in favour of enforced DRM controls in the hardware. Personally, I doubt that is going to work out any better given the totally ineffective DVD region coding scheme, but there does seem to be a sharp increase in lobbying going on, so maybe Gartner is on the right track.
UNIX? They're not even circumcised! Savages!
Birds with similar plumage are rumored to travel in like groups.
Arguably, Sherman is right
No, he and the others want to pretend that Fair Use doesn't exist. I pray for the day when they all get smacked royally for violating our rights.
Given that:
1) The Sony rootkit contains pirated open source code, and
2) The RIAA finds nothing wrong about the Sony rootkit
It follows that RIAA does not consider the piracy of copyrighted material wrong... Well, I'm off to go copy a few CDs, with the cartel's blessing this time.
The problem is, Windows by default has auto-run enabled upon CD insertion. Most people won't go through the hassle of turning this off (it's not even in a very obvious place to turn it off..)
Windows XP: Go to My Computer. Right click on your CD-ROM drive. Click Properties. Click the "AutoPlay" tab. Click "Prompt me each time to choose an action" or "Take no action". Done. How much easier or logical can it get?
-everphilski-
"how many times that software applications created the same problem?"
How many times have software applications that were installed on my machine without my knowledge created the same problem? How many times have software applications that were impossible to uninstall from my system created the same problem?
The only instance I can think of are other root kits and spyware, and I do my best to keep my system free of those criminal pieces of software as well.
The problem with Sony BMG's software is not the defect, it's the underhanded way it is delivered to a computer to begin with. Sony BMG has no right to install software on my computer without my knowledge. When inserting a music CD into my computer, there is no expectation that software will be installed. Sony's software SHOULD pop up a big "I'm about to install this software on your machine" dialog, with a big "OK" and "CANCEL" button, like other commercial software from respectable companies.
What? "Well, come on judge. She was playing a CD...she was obviously looking to have a rootkit installed on her system."
What kind of elitist nonsense is this? Lots of people auto-play CDs. I autoplay CDs despite the fact I have ripped them, and know my way around the box. (Obviously I have to be more careful, now.)
Yes, ultimately the victims of these DRM-schemes are going to be the average schmucks, but that doesn't mean that being at the average level of sophistication means that you're so dumb that you brought it on yourself.
The opinion above is fiction. Any similarity to real opinions, including facts and logic, is purely coincidental.
We appreciate you as a customer, and want to do anything to make your shopping experience the very best!
However, because of a recent wave of shoplifting, everyone buying a product will have to shoot themselves in the foot with this here shotgun.
Thank you for your patience!
ps. If you shoplift, we'll prosecute your 14yo daughter, and fine her $250.000. Thank you!
Blog -
Sure, most of the schemes do not affect ripping on my platform (Linux), but I am unwilling to support a distribution method that unfairly restricts basic fair use. So whenever I see a CD that I would like to purchase but it's copy protected, I make sure to give it a 1-star review on Amazon stating the reasons why I won't purchase it. It's quite simple: if enough people refuse to buy copy protected content and make it publicly known, the industry will be forced to release real CDs.
No, but they do have auto-run on for everything, because turning it off requires editing the registry
FALSE
(Windows XP) Go to My Computer. Right click the CD-ROM drive, hit properties. Click the AutoPlay tab, and select "Take no action" or if you prefer "Prompt me each time to choose an action" to get a nice pop-up window asking what you want to do. No regedit required at all.
-everphilski-
Otherwise, you risk getting yourself in these situations. Just ask Microsoft.
I called up the Microsoft support line to ask. They told me they've never had any problems with faulty software or security vulnerabilities and that I should contact my hardware manufacturer.
Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
Just what is being sold here? Music, with a 3,000 word EULA -- or software? I think what has been created is an entirely new category of product.
And I, for one, feel this new product is being sold under deceptive marketing practices that have it masquerading as a product it's not. It pretends to be a regular music CD, with only fine print informing you otherwise. This deserves full investigation by all regulatory authorities with appropriate punishments doled out. In addition, these CDs should be sold in an entirely different section of any store from regular music discs.
"Hey, I know we were found in your house in the middle of the night after breaking in a window, but we've cleaned up the mess and put in a new pane of glass. Aren't we responsible"?
Now, if only the non-technical people could see this....
"And for generations, students have spent their hard-earned dollars on the music they love in the local college record store. How many of those stores are left now? Makes you realize just what the impact of illegal downloading can be, and why we've taken the actions we have."
First of all, hard-earned is questionable. I know plenty of college students who never worked before or during college, so maybe he should quantify the statement by adding 'parents' hard-earned money. Also, it would be about one generation that has even dealt with this issue, not 'generations' as if file-sharing was something people did back in the Bronze Age.
Second of all, I highly doubt these college 'record' stores closed because of illegal filesharing; more likely they closed due to big-box retailers offering CDs at highly-discounted rates, thereby making money by overall volume of sales, not individual purchases.
Third of all, it doesn't make me realize anything, except that the music industry are hypocrites for having settled a lawsuit for price-fixing/gouging in 2002 and then claiming they are losing money now. Was that price-gouged projected earnings, or actual earnings they are losing? This only leads me to believe that the music recording industry is a very greed-driven industry and they probably don't really care about the low-volume 'college record stores' anyway.
Read more here: http://www.usatoday.com/life/music/news/2002-09-30-cd-settlement_x.htm
Sony has been saying they did nothing wrong all along so it's not a surprise to hear the RIAA chime in. So others do it too, does that mean a burglar should get off because others have broken into your home? Protect their content, they are entitled to that, but not at the expense of our data.
This is another of the RIAA's great stabs at PR by pouring gasoline on a fire.
Makes you wonder if any of their people went to business school.
*coughbullshitcough*
Unauthorized installation of software.
Deliberate introduction of software that creates security vulnerabilities.
Unauthorized alterations to system function (namely, disabling the CD drive) if the DRM software is removed.
Is it any wonder that their CDs are now banned from most workplace computers, have been criticized as 'a threat to Homeland Security' by the DHS, and are facing multiple class action lawsuits?
I'd say Sherman has his head up his ass if he considers this the result of Sony "not doing anything wrong".
Patrolling ftw
What Sony did wasn't responsible, it was, in fact, a crime in many areas. Call and report it to your local police department.
On the civil side, you don't have to wait for the class action lawsuits against Sony BMG Music Entertainment and First 4 Internet to wind their way through the courts -- you can sue on your own in Small Claims Court. For a useful guide to get you started, visit SonySuit.com.
-- Mark Lyon http://www.marklyon.org
By attempting to take over computers with their rootkit, the anti-American, Fascist Sony leadership has committed electronic terrorism against the United States! Therefore, all members of their organization (Al-RIAA) should go directly to Guantanamo Bay, do not pass court, do not collect any more royalties!
(Okay, so I'm only half-serious -- but hey! It could happen, given that we've done it to others for less!)
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
It has already been reported that the anti-virus companies helped create the rootkit. The anti-virus companies were paid to protect their customers from these things. Can you ever trust them again? Is it worth paying them an annual fee when all they are doing is keeping out people that do not pay them off? MS may become the biggest loser as governments realize the Windows OS has this bigger-than-Everest hole in it. As they wake up they may realize they need another solution, and FAST! Governments deal in billions of dollars; surely they have the expertise to review the code of FOSS to determine if there are back doors. So when you are protecting the keys to the kingdom, who do you choose?
Gizmos Gadgets For Ninjas
I was thinking about this the other day: we need a DJ P2P network, where radio can play and rate any music on it. Music should have a tag pointing to the band's website where CDs / merchandise can be sold, directly benefiting the band.
Cost of entry for a new band would be minimal, just upload your song(s) and convince a DJ to check it out and rate it. Which isn't that hard, most of them are pretty sick of hearing the same old crap 15 times a day. This already happens with tapes but tapes aren't easy to distribute, whereas with this, distribution is automatic (as long as the DJ liked it and others check out the particular DJ's new song list).
I am not in anyway affiliated with Max Cannon
No, no, no -- what they were unaware of was that people would be able to detect the rootkit!
zone "spammers.com" in { type master; file "devnull.master"; };
zone "phishers.net" in { type master; file "devnull.master"; };
Then create a zonefile "devnull.master" with records like this:
* IN A 127.0.0.1
@ IN MX 5 127.0.0.1
and none of your users will see any web traffic or be able to "unsubscribe" from them ever again...
I hope your company sends Sony an invoice for all of the time you spend fixing this problem at your standard charge-out rate (not your salary rate).
I am TheRaven on Soylent News
Yeah! See how easy it is when you're given the step-by-step procedure? I don't know what's wrong with these people.
However I'd like to see the RIAA's feedback on the (at least alleged) LGPL violation by Sony in this. Would the RIAA (MPAA, BSA, etc.) encourage companies to practice what they preach? As posted previously on Slashdot there was a potential LGPL violation. My suspicion would be that the RIAA takes a "no comment" stance, hehehe....
...in bed
The thing that intrigues me is the RIAA has the nerve to support this action when Sony clearly suggested (not in a press release but in recalls) they made a mistake. This shows the RIAA does not care about their PR. It seems to me the RIAA views us as consumers who will buy their product at any cost, regardless of how they treat us. Like suggested before, they have a monopoly at hand. I'm hoping in the future that some of the consumers can conform to suggest reasonable methods of distribution and rights to combat the RIAA's evil actions. If not I think the RIAA will keep on pushing for complete control over digital distribution and rights.
"According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem?"."
The difference is that an application gives the end user some benefit. This one limits the end user's ability to control their own computer. Also, an application can only make your system vulnerable while it is running. This root kit gets installed as a service, I believe, so it is running all the time.
Finally, an application can be uninstalled.
Nope, Sony screwed up and we are mad as hell. I am not going to buy any CDs from Sony for a while, and if I feel the need to I will rip them on my Linux box first and make new clean CDs ASAP.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
In other news, Satan says murder is fun!
What the PC world needs is a CD driver that comes up and says:
Multi-session disc inserted.
2 sessions detected.
Select session to use (cr for newest): __
Did you all see today's FoxTrot? It appears that the existence of Sony's rootkit is becoming more and more mainstream.
http://news.yahoo.com/news?tmpl=story&u=/uclickcomics/20051121/cx_ft_uc/ft20051121
No, what Sony has done is much worse than copyright infringement; it's very nearly terrorism!
The thing that's REALLY bad is that the software installs on your system (disabled) even if you DON'T say "yes" to the EULA.
I'm really hoping that lawsuits brought up with this stuff brings the whole "I can put anything I want into an EULA and it's binding" mantra we hear from certain software and content providers.
I completely agree.
FEMA was slower when an idiot was in charge, so we should be glad it's slightly less inept now that a bumbling moron is in charge!
To pass this off as a bug "of which they were unaware" is horribly inaccurate.
The software hides itself -- by design, not as a bug.
The software makes itself difficult to remove -- by design, not as a bug.
The software places itself in fundamental system areas, like accessing the CD, compromising those areas -- by design, not as a bug.
No, the problem isn't a bug. The problem is a company thinking they have the right to get into places on my system that they have no business being, and then hiding to make it difficult to clean.
A common component of all anti-spyware legislation and attempts that I'm aware of is that everything has to include a reasonable and effective uninstall procedure, that clears out the software. Sony didn't have this -- again by design.
Furthermore, the "vulnerability" in this program that SONY was "unaware of" is not a typical software bug that developers might be reasonably unaware of. This software is specifically designed to hide any file starting with the $sys$ prefix! The idea that the creators of this software are "unaware" of something they specifically designed this program to do is almost as insane as the fallacy above.
What's worse, the uninstaller is designed to break security too! If you are putting a remotely accessible ActiveX control on a machine, which has a function called "ExecuteCode," you're allowing any web page to "ExecuteCode" on that machine. This isn't a vulnerability, it's a bad design, and the design is so obviously bad that it is impossible to be sympathetic.
If you are savvy enough about computers to be designing DRM software in the first place then obviously you would know that these things are problems!
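The administrative-share scan described a few comments up (map C$ from a clean PC and scan from there, because a kit can only hide from the machine it sits on) and the $sys$ filter rule described in this comment combine into a cross-view check: list the disk locally, list it again through the share, and anything present only in the remote view has been hidden. The following is an added example, not code from the thread or from any vendor tool; the host name "suspect", the sample paths and the two $sys$ file names are constructed for the demonstration.

```python
r"""Cross-view rootkit detection, following the administrative-share scan and
the $sys$ filter rule described in the thread.

A rootkit that filters directory listings can only filter the view on the
machine it runs on.  Walking the same disk from a clean machine through the
administrative share (\\host\C$) gives the unfiltered view, so any entry
present remotely but absent locally has been hidden.  Names starting with
$sys$ (the filter rule quoted in the thread) are an independent second signal.

Added example, not code from the thread or from any vendor tool.  Host names,
paths and the two $sys$ file names below are constructed for the demonstration.
"""
import ntpath
import re

HIDDEN_PREFIX = "$sys$"  # compared against lower-cased path components
_SHARE_RE = re.compile(r"^\\\\([^\\]+)\\([A-Za-z])\$(\\.*)?$")


def share_path(local, host):
    r"""C:\Windows\foo.sys -> \\host\C$\Windows\foo.sys (administrative share)."""
    drive, rest = ntpath.splitdrive(local)
    if len(drive) != 2 or drive[1] != ":":
        raise ValueError("not a drive-letter path: %r" % local)
    return "\\\\" + host + "\\" + drive[0].upper() + "$" + rest


def local_path(share):
    r"""\\host\C$\Windows\foo.sys -> C:\Windows\foo.sys (inverse of share_path)."""
    m = _SHARE_RE.match(share)
    if not m:
        raise ValueError("not an administrative-share path: %r" % share)
    _host, letter, rest = m.groups()
    return letter.upper() + ":" + (rest or "")


def _norm(path):
    # NTFS is case-insensitive; compare normalised, lower-cased paths.
    return ntpath.normpath(path).lower()


def matches_filter_rule(path):
    """True if any component of the path starts with the $sys$ prefix."""
    return any(p.startswith(HIDDEN_PREFIX) for p in _norm(path).split("\\"))


def cross_view_diff(local_listing, remote_listing):
    """Return (hidden, only_local), both as sorted local-form paths.

    hidden     : in the share view, not the local view -> filtered on the host
    only_local : in the local view, not the share view -> noise (file changed
                 between the two walks, or the remote walk was cut short)
    """
    local = {_norm(p): p for p in local_listing}
    remote = {}
    for p in remote_listing:
        lp = local_path(p)
        remote[_norm(lp)] = lp
    hidden = sorted(remote[k] for k in remote.keys() - local.keys())
    only_local = sorted(local[k] for k in local.keys() - remote.keys())
    return hidden, only_local


def report(local_listing, remote_listing):
    """List (path, reason) findings; cross-view hits first, name-rule hits after."""
    hidden, _ = cross_view_diff(local_listing, remote_listing)
    findings = []
    for p in hidden:
        reason = "present via admin share, absent from local listing"
        if matches_filter_rule(p):
            reason += "; name matches $sys$ filter rule"
        findings.append((p, reason))
    # A $sys$ name that *is* visible locally still deserves a look: the filter
    # driver may simply not be running at the moment of the scan.
    for p in local_listing:
        if matches_filter_rule(p):
            findings.append((p, "visible locally but name matches $sys$ filter rule"))
    return findings


# Constructed sample: LOCAL_VIEW is what a scanner on the suspect host sees;
# REMOTE_VIEW is the same tree walked from a clean machine via \\suspect\C$.
LOCAL_VIEW = [
    r"C:\Windows\system32\ntoskrnl.exe",
    r"C:\Windows\system32\drivers\disk.sys",
    r"C:\Program Files\Player\player.exe",
]
REMOTE_VIEW = [
    r"\\suspect\C$\Windows\system32\ntoskrnl.exe",
    r"\\suspect\C$\Windows\system32\drivers\disk.sys",
    r"\\suspect\C$\Windows\system32\drivers\$sys$example.sys",
    r"\\suspect\C$\Program Files\Player\player.exe",
    r"\\suspect\C$\Windows\system32\$sys$filter\config.dat",
]

if __name__ == "__main__":
    for path, reason in report(LOCAL_VIEW, REMOTE_VIEW):
        print("%-52s %s" % (path, reason))
```

In practice the two listings come from a recursive directory walk run on the suspect host and from a second walk of \\suspect\C$ on a clean machine; the comparison itself is what this block shows.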
Causal fallacy.
It's not like he doesn't know it, but why bother building proper arguments when you can get away with absolute b*llshit and still be quoted as a respectable source? I couldn't finish reading the whole article, and to compare file-sharers to bank robbers and shoplifters was just insulting.
Cary Sherman: Obviously, anyone who has stopped downloading (or uploading) illegally will not get sued.
Thank you, Cary Sherman, for your infinite compassion towards us petty thieves, we are not worthy of such.
A high-placed source at Sony BMG has emailed me with some interesting information about the ongoing rootkit DRM fiasco. My source says,
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
He's right. But those applications are usually called 'viruses,' 'trojans,' or 'worms,' and their authors face jail time when they're caught.
Never shake hands with a man you meet in a fertility clinic.
Maybe it's just a coincidence, but I just blogged earlier this morning that they should be compensating users financially for the trouble they have caused. And/or face some criminal liability.
Seems like the only way to rid yourself of their blunder is to wipe and reinstall windows. IMHO users should be compensated for that.
There's absolutely no way that Sony didn't realize the risks associated with using a rootkit. It's been covered here before (among many other places, typically regarding spyware). So we can safely say they knew what risk existed.
They were just hoping everyone was too dumb to realize what they were doing.
Am I biased or just looking to attack Sony? No, definitely not. I didn't get this garbage, heck, I'm not even a real music fan, so the whole thing is a null as far as I'm concerned. To be honest, I like Sony hardware. So I'm not an anti-Sony jerk taking advantage.
I just know I hate reformatting my computer because windows got screwed up, and I know what I'm doing and can do it quickly. There's quite a few people out there with this garbage installed on their computer... and some don't even realize what's going on.
Come on Sony... open up your wallets and compensate them for your blunder. You knew what you were doing was wrong. You did it anyway. Now compensate. If it were up to me, your execs would be in jail for a year or two for hacking, since that's effectively what you did.
I really don't want Sony to get off free here. Just think about what the next one is going to try and get away with. Just wait until version 2.0 includes a keylogger to ensure you don't transcribe the lyrics.
Come on Feds... don't back down.
So as long as Sony apologised then everything is ok? So when we catch the next hacker that installs a rootkit, we can let them go secure in the knowledge that they have apologised!
"How much easier or logical can it get?"
Those steps are neither easy nor logical. You're giving wayyyyyyyyyyy too much credit to the average computer user. Most people will not even make the assumption that they have a choice in disabling any of that stuff. It scares the hell out of me to see the amazement of friends and co-workers when I show them how to do things that the average Slashdot reader takes for granted as easy.
The easiest and most logical thing that can be done is NOTHING WHATSOEVER. Most people seem to forget that "do nothing" should always be the first option. If you're putting a music CD in your CDROM drive to listen to music, you'll know that you need to launch your music player.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
However, that is not really the issue which Sony is attempting to defend. Sony is attempting to defend an action which essentially transfers ownership of _your_ computer to itself. And it is that which prompted the legal slap, and rightly so, for what it's worth.
The fact that Sony seems to be unable to learn that lesson is another issue, and apparently one's only recourse seems to be to boycott their recordings. In my case, that seems incredibly easy to do, since I own a vanishingly small number of them.
Just got a press release in our newsroom that the Texas Attorney General Greg Abbott is suing Sony BMG.
Full release can be found at http://www.oag.state.tx.us/oagnews/
Don't mess with Texas.
Just to touch on the subject of the RIAA and the true theft that occurs...
If you do the research you will find out that a band's first contract (and sometimes their ONLY contract) is NOT designed to give them any say. Remember Hootie and the Blowfish? Their debut album (Cracked Rear View) grossed over 12 million copies. Do you know how many of those 12 million their label gave away to record clubs like BMG or Columbia House (you know, the buy 1 get 12 free deals)? 4 million. That is 4 million albums that they will NOT get paid for, and guess what else? It was written into their contract and they had NO say about it. This hasn't happened to them only, either. This type of clause is in 98% of new band contracts. The same thing goes for promotional discs sent to record stations. The bands pay for those (and everything else, including studio time, music videos, producer's fees, mixing fees, mastering fees) out of the advance they receive from the label, but they don't get paid for the promotional copies. They have to eat the cost, and hope they can make it up somewhere else, like touring or merchandising. Furthermore, remember that the band doesn't begin to make ANY money until every dime of their advance from the record label is paid back.
The ONLY way that you begin to have any say in your contract negotiations is if you have 2 or 3 really successful albums. Only then can you begin to negotiate your contracts. Do you think a band like Green Day was able to get a really great contract when they first signed up? NO, they didn't. However, after 10+ years and more than a few platinum albums, they now have negotiating power, but most labels aren't looking that far into the future. As far as they are concerned, most artists have a shelf life of about 3-4 years and then they are old news (just look at Britney, Christina, and Creed if you want some examples).
Remember, record labels are nothing more than banks. They will stand there with the money and the contract, waiting to see which of the new artists will wade through the river of crap and emerge from the crap with a pen, just waiting to sign. If you don't want to sign the contract, they aren't going to beg you because they know there are others that are willing to do it, if you don't.
I have nothing clever to put here...
If you want to really scan for viruses and trojans on a critical PC, you map the administrative shares C$, D$, etc. to another PC, and run the virus scanner on that machine. You surely can't think that, can you? If you are accessing the shares remotely, you need the kernel on the compromised machine to tell you what files exist. If the kernel doesn't list the files, do you think it will make them available over the share? The only way to be sure is to boot from CD or another, known good, hard disk.
The real "Libtards" are the Libertarians!
Hey, FBI, there's still time.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Uhh, this is a very, very ugly way to do things. You twist the semantics of the global namespace and potentially redirect all traffic to those domains to 127.0.0.1.
What if your users are developers running a local httpd?
If you want to block HTTP traffic, use an HTTP proxy. The proper way to implement ACLs is to return a code that indicates "denied", not return false information as if it were real. This only leads to headaches later, when no one thinks about this "solution" anymore and tries to debug a real problem.
In one way, this solution is slightly better than the stupid hosts-file-mangling you see everywhere because it's centralised. OTOH, it's just as stupid as that because it's like driving a screw with a hammer.
There is one case where fiddling in BIND is appropriate. This is cases like omniture.com. They smuggle data through DNS by requesting weird hostnames like [long encoded string].omniture.com. I saw this when browsing through ebay one day. In this case, you have to block on the DNS level, but not by falsifying the information.
I checked out which nameservers are authoritative for omniture.com. Then I checked which networks they belong to. Those networks I put in a blackhole clause in named.conf. So whenever I request something in omniture.com, at least I get a "server failed" which points me to BIND, should I forget one day that I blocked them.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
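The comment above describes recognising data smuggled through DNS by the shape of the query names (very long, encoded-looking labels under one domain) and then deciding per domain whether to blackhole its nameservers. Below is an added example of that first, detection step, written for this page and not taken from the poster or from BIND: it scores each qname in a handful of constructed BIND 9 query-log lines by longest-label length and character entropy and groups the hits by domain. The log lines, the thresholds (32 characters, 3.5 bits per character) and the "last two labels" notion of a registered domain are all assumptions; the actual blackhole clause in named.conf is left to the operator, as in the comment.

```python
import math
import re
from collections import Counter, defaultdict

# Matches the qname and qtype in a BIND 9 query-log line of the form
#   client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.1)
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")

# Constructed sample log lines, not captured traffic. The long labels imitate
# data encoded into the hostname the way the comment above describes.
SAMPLE_LOG = """\
18-Nov-2005 10:21:03.117 client 192.0.2.10#51234: query: www.example.com IN A + (192.0.2.1)
18-Nov-2005 10:21:03.402 client 192.0.2.10#51235: query: mail.example.com IN MX + (192.0.2.1)
18-Nov-2005 10:21:04.010 client 192.0.2.10#51236: query: AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAhIiMk.omniture.com IN A + (192.0.2.1)
18-Nov-2005 10:21:04.391 client 192.0.2.10#51237: query: 3a7f9e2b4c1d8e6f0a5b7c9d2e4f6a8b1c3d5e7f91a2.t.omniture.com IN A + (192.0.2.1)
18-Nov-2005 10:21:05.778 client 192.0.2.11#40012: query: images.example.net IN A + (192.0.2.1)
"""

# Assumed thresholds; tune them against your own resolver's normal traffic.
MAX_LABEL = 32       # any single label this long is flagged outright
MIN_ENTROPY = 3.5    # bits per character of the longest label
ENTROPY_MIN_LEN = 20 # entropy is only meaningful on labels at least this long


def shannon_entropy(text):
    """Bits of entropy per character; base64/hex payloads score high,
    ordinary hostnames like 'www' or 'images' score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for .com; a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower()


def score_qname(qname):
    """Length and entropy of the longest label in the query name."""
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    return {
        "qname": qname,
        "longest_label": len(longest),
        "entropy": shannon_entropy(longest),
    }


def is_suspicious(score):
    """A label that is simply too long, or long-ish and random-looking."""
    return (score["longest_label"] >= MAX_LABEL
            or (score["longest_label"] >= ENTROPY_MIN_LEN
                and score["entropy"] >= MIN_ENTROPY))


def suspicious_domains(log_text):
    """Return {registered_domain: [qnames]} for queries that look like
    data smuggled into the hostname."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        score = score_qname(m.group(1))
        if is_suspicious(score):
            hits[registered_domain(score["qname"])].append(score["qname"])
    return dict(hits)


if __name__ == "__main__":
    for domain, names in suspicious_domains(SAMPLE_LOG).items():
        print("%s: %d suspicious queries" % (domain, len(names)))
        for name in names:
            print("   ", name)
```

Run against a real query log the output is a candidate list, not a verdict: CDNs and some anti-spam services also use long generated labels, so check who the domain is before blackholing its nameservers, and, as the comment says, blackhole rather than answer with fake data so that the failure is visible later.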
Well, I don't really think that the ILoveYou virus was at all serious because I WASN'T INFECTED. I wonder what the RIAA would say if their computers were breached because of the rootkit. Just imagine the irony of downloading songs directly from the RIAA because they were infected with a rootkit virus... Sweet...
"I see undead people" Warcraft III - Necromancer
..for someone to bring a lawsuit against Sony under the DMCA for circumventing Windows security or something. Surely the DMCA is ambiguously worded enough to allow for this? :)
I suppose the problem is going to be that all cartels fall in time, and in every case the role played by the market is going to be open to debate.
Anyway, I'm curious as to whether you cite any examples.
Don't let THEM immanentize the Eschaton!
First let's take a look at the claim that Sony was merely trying to add a layer of protection to their IP by using XCP and weren't aware of the potential security flaws.
For starters, if they just wanted to encrypt their data or have a program running in the background that prevented the user from opening a certain application, this is all possible with XCP. In fact, the only reason to use XCP is to bypass the built-in security measures that your computer should have immutably enabled and functioning. That is, they wanted their DRM software to be in a position of ultimate control over your computer. Ordinary security features prevented this, so they install XCP to hijack your computer, to bypass security - and not only that, but they provide that control to any program that prefixes its name with $sys$. That is, XCP is a security flaw by its very nature and it was licensed with just this functionality in mind. There is no other reason to use it, but to circumvent security measures.
Now I'd like to address the seemingly prevalent belief that people are up in arms against this software primarily because it may allow a virus or other undesirable program unfettered access to you system.
People are used to security flaws within windows. They happen all the time and MS releases patches. They are not well loved for it, but for the most part, people continue to use windows and tolerate the seemingly ubiquitous lack of security. Why then, would they make an exception for Sony's case? I believe the answer lies not in the DRM itself, but in Sony's arrogant and anti-consumer attitude that they're right to control their "property" usurps the consumer's right to control the functionality of his or her computer.
One statement that whoever-it-was in this interview made in defense of Sony was that DVDs have been DRMed forever. You can't rip them to disk, you can't copy them, you can't even play them in non-licensed players. CDs, on the other hand, (as manufactured by Sony) are designed not to prevent you from playing them, or copying them, or presumably using them as you see fit, but rather to prevent you from copying in excess and giving too much of Sony's IP away without their consent. The problem with this logic is that for one thing, nobody is giving the movie companies kudos for locking down their DVDs. That I can't legally rip my copy of Spaceballs to my iPod video isn't a fact that gains MGM much love. And secondly, CDs were never designed to be crippled in the first place. When I buy a CD, I expect it to behave like a CD. Sony wants to change the way CDs behave - and the only notice they give you about it is an enigmatic little "CP" icon and the words "content protected". Content protection sounds good to me - does that mean that my CDs will scratch less, or that if I lose the CD, the content will continue to be made available to me, because I paid for the content? I thought not.
Lastly, I'd like to take issue with the notion that the Sony fiasco has set DRM back for years. I don't think it has. In the official release, Sony has only recalled the discs with XCP and has all but promised that future CDs will be released with some form of DRM. As long as the methodology doesn't usurp the functionality of the computer or provide in any egregious way a security risk, Sony will continue to distribute crippled CDs. That is, after all, the reason for the fiasco in the first place. It wasn't the DRM that got them in hot water, it was the way they went about achieving it. There are still many CDs out there with the "CP" logo that Sony hasn't recalled. Santana's newest CD comes to mind.
This is the way that the future is going to go. DRM has more than a foot in the door, it nearly has a whole leg. The Sony fiasco must serve as a wake-up-call for us, or we risk losing the public domain forever. (DRM + DMCA = unlimited copyright terms) We mu
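The post above makes the point that XCP cloaks anything whose name begins with $sys$, and that this is exactly what makes it a rootkit rather than a copy-protection scheme. The canary test below is an added example written for this page, not XCP's own code or the poster's: it drops a $sys$-prefixed file next to a control file with a neutral name and compares how the ordinary file API reports the two. On a clean machine both are listed and openable; a name-based cloak typically drops the canary from directory listings while leaving it openable by exact path, which is the tell. The prefix is the one the post names; everything else (file names, the "suspicious" rule, the walk helper) is an assumption made for the example. On a machine that is actually infected, the second helper's walk is itself filtered by the rootkit, so only run it from rescue media or a clean host that reads the disk, as the thread's discussion of administrative shares also concludes.

```python
import os
import tempfile

# XCP hid any file or directory whose name began with this prefix from the
# normal Windows file APIs (the behaviour the post above describes). The probe
# is a generic canary check built for this example, not XCP's own code.
HIDDEN_PREFIX = "$sys$"


def _visible(directory, name):
    """Two views of one name: present in a directory listing, and openable by
    exact path. A cloak that filters listings by name usually breaks the first
    and not the second."""
    listed = name in os.listdir(directory)
    try:
        os.stat(os.path.join(directory, name))
        openable = True
    except FileNotFoundError:
        openable = False
    return listed, openable


def sys_prefix_probe(directory):
    """Create a $sys$ canary and a neutral control file in `directory` and
    compare how the file API reports them. `suspicious` is True only when the
    control is reported normally but the canary is not, so a read-only or
    broken directory does not produce a false alarm."""
    tag = "xcp_probe_%d" % os.getpid()
    canary = HIDDEN_PREFIX + tag + ".txt"   # hypothetical canary name
    control = tag + ".txt"                  # same name without the prefix
    for name in (canary, control):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("canary\n")
    try:
        canary_listed, canary_open = _visible(directory, canary)
        control_listed, control_open = _visible(directory, control)
    finally:
        for name in (canary, control):
            try:
                os.remove(os.path.join(directory, name))
            except FileNotFoundError:
                pass  # a cloak can make the file unreachable; report, don't crash
    return {
        "canary": canary,
        "canary_listed": canary_listed,
        "canary_openable": canary_open,
        "control_listed": control_listed,
        "control_openable": control_open,
        "suspicious": control_listed and control_open and not canary_listed,
    }


def find_prefixed_names(root):
    """Walk `root` and return every path carrying the prefix. Meaningful only
    from a trusted environment (boot CD, or a clean host reading the disk):
    on the infected machine this walk goes through the filter being tested."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith(HIDDEN_PREFIX):
                found.append(os.path.join(dirpath, name))
    return sorted(found)


def run_demo():
    """Run both checks in a scratch directory with one planted $sys$ name.
    Returns (probe_result, planted_paths_found)."""
    with tempfile.TemporaryDirectory() as tmp:
        probe = sys_prefix_probe(tmp)
        planted = os.path.join(tmp, HIDDEN_PREFIX + "planted.dat")
        with open(planted, "w") as fh:
            fh.write("x")
        return probe, find_prefixed_names(tmp)


if __name__ == "__main__":
    result, paths = run_demo()
    print("suspicious:", result["suspicious"])
    print("prefixed names found:", paths)
```

A `suspicious` result is evidence of name-based cloaking by something, not proof that it is XCP in particular; follow it up with an offline listing of the disk and by checking for the driver the vendor's own uninstaller removes.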
It's a good point, but I've never seen it happen. All rootkits I've seen are visible over a share.
Rootkits are revealed on the network via firewall logs, and I've always tracked them down via this method. I suppose there may be kits that I may not be seeing, but they don't appear to be phoning home.
Remember that you can hide a file from the API, but you can't hide from NTFS itself otherwise you risk getting overwritten.
It's entirely possible that administrative shares get their file list from the disk volume itself and translate the information when it arrives using the clean kernel rather than the potentially infected API on the remote machine.
I'd be interested to know if anyone knows for certain if this is the case?
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
Sherman is wrong. There's an enormous difference between a security hole in DRM software and standard software: normally, any software I install on my machine is running with my permission and knowledge, performing a function that I chose and doing it for my benefit. Sony were trying to get their code onto end users' computers without those users understanding exactly what it was doing, and naturally the software functioned entirely for the benefit of Sony and not the users.
Richard Stallman clearly explained the problem and explained all the issues that Sherman doesn't want us to think about in an essay called Can you trust your computer?. If Stallman had the marketing clout of the RIAA's members and vice versa, I suspect we wouldn't be in this situation today.
Tim from http://www.boycottsony.us/ was the guest on the radio program, and he did a fine job of convincing the radio host John Gormley how bad this DRM infection is. If all technical people were as gifted verbally as Tim is, then we'd see a lot fewer problems from companies trying to exploit consumer ignorance.
The rebroadcast is tonight CST at www.ckom.com
Saskboy's blog is good. 9 out of 10 dentists agree.
However, because of a recent wave of shoplifting, everyone buying a product will have to have their bags checked.
They already do this, and it's equally illegal.
http://news.bbc.co.uk/1/hi/technology/4456970.stm
About 2 hours old now. And yup, it even touches on the rootkit's own copyright infringements.
Estimates the damage caused to SONY's bottom line in the tens of millions for this one incident, not counting the pending legal action taking place in Cali, NY, and now Texas.
The real piracy problem is with people mass-producing illegitimate copies of CDs and DVDs and passing them off as genuine. It's the discs that end up for sale at the corner of Nevins St and Flatbush Ave that are really hurting them, not the paying customers. Instead of directing all this energy and money towards DRM, lawsuits against filesharers, and Sony's defense, maybe they should focus more on helping the police crack down on illegal production and warehousing of ripoff CDs/DVDs and lobby the government to do something more aggressive about China.
If it causes harm intentionally, then you are guilty of fraud and destruction of property, and should be subject to criminal as well as possible civil penalties.
If it causes harm unintentionally, you should still be subject to civil penalties.
There is no excuse for software that causes harm unless I clearly waived my rights to redress and that harm was unintentional.
While this may be reasonable if the software is free (as in either speech or freedom), it is not reasonable if the purpose of the software is to protect someone else's property interests.
The bottom line is that such untrusted, unvetted code should only be deployed to dedicated machines where the harm is not likely to be wide-spread (i.e. single-purpose devices), and particularly where the harm will affect those who would naturally benefit from what the software should do: if a firmware upgrade is sent to my cable box by my cable company, and it kills the box so that I get a refund on not being able to view content, this is likely reasonable. But it should certainly not kill a general purpose computer. If anything, that is an argument for dedicated devices whose sole purpose is the decryption and display of encrypted content.
You could've hired me.
However, that is not really the issue which Sony is attempting to defend. Sony is attempting to defend an action which essentially transfers ownership of _your_ computer to itself. And it is that which prompted the legal slap, and rightly so, for what it's worth.
It's easy to lose sight of what the issue is here -- the parent post is very much right.
It doesn't matter whether you like the RIAA, the artists, or whether you use MP3s.
The issue at hand is very simple.
Sony dumps some very low-level software on your system that alters the way the system works in some unexpected ways. The vector that this software is arriving in is not expected -- many sysadmins on corporate networks, for example, allow audio CDs (to help prevent copyright violation from people bringing in MP3s).
Sony has essentially done something to the system that the user does not expect.
This is a very classic case of going behind the user's back to do something that he is not going to want to have happen. The same thing happens with a lot of other software out there, true, but having a Gator or Bonzi Buddy from *Sony* instead of a random shady startup is a little different -- that says that this is an attempt to legitimize doing anything to a user's computer that a software vendor can get away with.
The counterclaim made by Sony when someone pointed out that they were doing something nasty surreptitiously was that "most users don't know what a rootkit even is". Yes, that may well be true. However, the problem is that something is being done to my system at a low level -- I don't know how my car works, but I trust my mechanic not to break it. When I stick an audio CD in a CD drive, I expect it to play music, not to modify the function of my kernel. The fact that the typical user does not have the knowledge necessary to understand how he is being screwed over and what to do to repair the problem is absolutely no defense against this.
Furthermore, they claimed that this was perfectly acceptable, and appear to be ready to do it again. The question is not minor -- this is the first time that I'm aware of that a mass-market company is attempting to do nasty stuff to computer users, and taking advantage of the fact that few users are able to identify what software is causing problems and what might be a bad idea to do to their system. Fortunately, there are a few technically knowledgeable and competent people out there (like the well-respected gentleman at Sysinternals) who are able to bring this up. If Sony can get away with this, it's a green light to any *other* company that sees a perceived advantage in somehow modifying your computer system to do so via any means necessary. Today, Windows boxes are the only ones affected, but what about tomorrow, when Linux and Mac OS boxes are hurt?
If Sony is not slapped down *hard* legally for this action, the floodgates of adware and spyware from major companies will have been opened.
I'm rooting very, very hard for the ambulance-chasers on this one, and it has nothing to do with the fact that this involves DRM. Software is something that Joe Average has to deal with on a daily basis, and his ignorance about how his system works or how to fix damage done to it should not be something that it's okay for every company in the world to exploit.
Sony is *not* going to listen to anything other than legal suits on this one -- if they were going to listen to common ethics, they would have done so by now.
Any program relying on (nontrivial) preemptive multithreading will be buggy.
This article on Yahoo! says DRM is doomed. FTA: "The fact that so-called digital rights management might always be a doomed experiment became painfully clear with the fiasco that erupted after Sony BMG Music Entertainment added a technology known as XCP to more than 50 popular CDs."
Let's hope. I always thought this was stupid. I bought the CD. The concept of fair use says I should be able to listen to it when, where and how I want. Fussing about people trading music just goes to show how badly the music industry knows it's wrong and that it's been screwing artists since the beginning. They're not treating their artists nor their customers well.
"Sometimes the truth is stupid." - Lawrence, creator of Prime Intellect
``It follows that RIAA does not consider the piracy of copyrighted material wrong... Well, I'm off to go copy a few CDs, with the cartel's blessing this time.''
No, no, no, you've got it all wrong!
It's not about breaching copyright.
It's about who harms who. Small folk harming the large corporations? BAD! Large corporations harming the small folk? Standard practice!
Please correct me if I got my facts wrong.
Except for violating the license for LAME and DVD-Jon's work? Will developers of both of these products sue Sony blind for stealing (and then trying the public's patience with this PR agency directed campaign to clean up their image?) If Johansen gets a big settlement would it cripple DRM permanently? Will the lawsuits include pressure from governments, who now realize they could leak secrets just because their secretary listened to a music CD at work? And that's only the accidental espionage...
As disturbing as everything about this case is, the scarier part is how Marc stumbled across this rootkit. Are there enough genius-level diagnosticians among us to find the dozens of rootkits that are better crafted than this F4I junk? Rootkits used by governments to spy on each other, AND US? Who was it that called the internet the greatest boon to covert intelligence gathering since the submarine cables in the North Atlantic?
Mr Russinovich, PLEASE open a trade craft school to teach the best and brightest how to detect and code for removal of these threats. Corporations and governments will pay for their security experts to learn, professors will seek the knowledge to teach others, and AV companies will pay to send programmers to learn how to code removal tools for a lucrative new market. Ignore pleas by our overlords at MS and the Fed. Hopefully the designers of removal tools will not bow to pressure from the lazy spook types, who won't be able to sit back and snoop PCs for much longer before being found out.
_____ Computers are so complicated... I thought I never learn how. Then I found out there was Free Pornography on them.
I do, however, have a problem with not being able to give 1 cent to the artist, without HAVING to give $1 to the record company.
Sure and you can. Many of these bands have an address for fan mail. Send them a few bucks. What are they going to do, send it back?
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
No, that isn't the case. Again, you are finding the user mode rootkits that way. They are only hiding from ntdll.dll (and hence Explorer.exe doesn't show them, cmd.exe doesn't show them). The redirector is running as system, so the user mode ones can't hide from that. This is why you can see them over remote mounted disks (C$,etc.).
However, if you read up on the kernel mode ones (some of the talks Mark Russinovich has given -like at Tech Ed this year), you'll see that these touch the kernel itself and the redirector will not expose them (so C$, etc. won't work).
It's just a matter of different architectures and different methods of "rooting" a machine.
> All rootkits I've seen are visible over a share.
Really? You haven't seen the ones that aren't visible?
echo "America - It's not fascism when /we/ do it!" | sed s/America/Sony/ | sed "s/fascism/copyright infringement/"
Well, it can mean royalties. And it depends on if you are talking about musicians, performers, or writers. Songwriters get money when their songs do well. Think of the song Torn performed by Natalie Imbruglia. It was a cover song made to fit popular radio. But the original band that did it didn't complain, because they were getting songwriting royalties. (BTW, the original song, of which there are several versions, is much better IMO)
My beliefs do not require that you agree with them.
No, he's not... because I know of these other applications running on my PC (either because I installed them myself, or they came preloaded), so I'm able to update them. Furthermore, these applications (or operating systems), even if they are sometimes buggy, fulfill a purpose for me. Users who listen to a Sony CD on their PC and thus unintentionally install the rootkit a) don't know that it's there and therefore will not patch it, and b) don't take any advantage of this rootkit.
Georg
Seems like we are going back to the time of Robber Barons (hah, p2p filesharers aren't the only robbers) with William Vanderbilt's famous quote: "The public be damned!"
"how can they call it a MINE if everything here is THEIRS?!?!" -Straight Jacket
In Chapter 4 of "So Long, And Thanks For All The Fish," Douglas Adams described Ford Prefect's predicament in a bar in the lower side of Han Dold City when the barman wouldn't accept his American Express card:
"He glanced around at the motley collection of thugs, pimps, and record company executives that skulked on the edges of the dim pools of light with which the dark shadows of the bar's inner recesses were pitted. They were all very deliberately looking in any direction but his, carefully picking up the threads of their former conversations about murders, drug rings, and music publishing deals. They knew what would happen now and didn't want to watch in case it put them off their drinks."
And later...
"He had, after all, been in the bar all day, he had been drinking a lot of stuff with bubbles in it, and he had bought an awful lot of rounds for all the pimps, thugs, and record executives who suddenly couldn't remember who he was."
Okay, the "music publishing deals" part wasn't exactly accurate, but this stuff was published in 1985. One would be tempted to say it was awfully prescient of Adams, but then again, maybe not.
Those who can, do. Those who can't, write technology blogs.
I am concerned for your mental health as I have been tracking the growing battle between the RIAA and its member companies and the nefarious 'downloaders' they seek to curb. I envision countless stressful budget meetings, security meetings and reactionary meetings whenever a new DRM method is cracked or discovered like Sony's. The legal budget alone to push record company friendly legislation through in every country you operate in, the necessary 'bribes' to get this to pass, along with the legal funds necessary to enforce these laws and punish offenders must be considerable.
Have you ever thought that perhaps all this money the battle is costing you is ... too much? Would the money you lose by 'giving in' be offset by the great sum of money you are spending to curb a worldwide phenomenon that shows no signs of stopping? Perhaps instead of fighting downloaders, you should recruit them. Find out from them exactly what they would like to see with their downloads (security, high bit rate, different bands, etc.) and then get in the game yourselves. Charge $5 a song, but give the downloader lifetime rights to copy, backup and re-use the contents of the file to his or her heart's content in exchange for this price. Let them choose the bitrate and file type of their download to maximize their possible usage. I know that you miss the days where we bought seven copies of the cassette because they wore out long before our love of the music wore out, but those days are gone and never to return.
You'll make more than a download at iTunes, would embrace a new technology that you should have embraced a long time ago, would save on that giant legal budget and get the rest you most certainly need and deserve. What price is peace of mind?
Sincerely,
Empty Yo
I'll tolerate anything except intolerance.
This is why, ladies and gentlemen, I listen to public radio. I do not buy CDs from any label that is under the RIAA, and if I do buy a CD it's for a physical copy of something that is in Public Domain.
Only listening to PD stuff doesn't stop me from being afraid of a large corporation like this though, they're bullies and it's apparent that they'll sue anyone, guilty or not. I honestly don't think I could list a single band that is on the top 40, let alone very many current (as in new) bands!
$fortune
Tomorrow has been canceled due to lack of interest.