Sony Warned Weeks Ahead of Rootkit Flap
pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
So Sony was lying its collective arse off when saying it reacted as quickly as it could? This is news how?
Scramble? To contain the crisis?
They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.
They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and received criticism from the government.
"as quickly as they could" my ass.
Of course, they could have been smarter and never released it to begin with.
Why didn't Slashdot tell us before?!
I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.
...when a company becomes bigger than its customer base.
So Sony was lying its collective arse off when saying it reacted as quickly as it could?
That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.
I'm a big tall mofo.
Van Zant, Celine Dion, and Neil Diamond
They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.
Not only is Sony not moving fast, NY AG Eliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum, Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.
If this is true, then Sony just lost those court cases we've been hearing about. Having been told about it and not issued a product recall at the earliest opportunity (i.e. within a day or two) means that they were intentionally subverting people's computers.
The only defence available to them was that they didn't realise this was happening. They've just lost that.
When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.
They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. CDs by these artists should have been recalled anyway, rootkit or not.
to spread the love of Neil Diamond to all and sundry across the internet. I had so hoped to illegally share that ND CD... damn you Sony!
------ How can making people laugh lead to bad karma?
involve Microsoft!
-- TRUST ME! I KNOW WHAT I'M DOING!
No technical solution exists to correct the lack of taste of the potential buyers of these CDs. Even Orrin Hatch's PC Bomb isn't sufficient.
Rule #1 -- Politics always trumps technology.
"I'm a recall coordinator. My job was to apply the formula. It's simple arithmetic. It's a story problem. A new car built by my company leaves Boston traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: Do we initiate a recall? You take the number of vehicles in the field (A) and multiply it by the probable rate of failure (B), multiply the result by the average out-of-court settlement (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one."
The only thing more dangerous than a file named -rf is renaming it -rf\ /
N E FLAPS?
hisssssssssssssssssssssssssssssssssss
I found out that emptying a full clip in the buyer's face does wonders to his musical tastes
"The way we can tell it's C# instead of Haskell is because it's nine lines instead of two." -- wadler
In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."
How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad nauseam do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.
These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices -- boycott or no, they're not exactly burning up the charts right now.
Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.
--
The universe is a figment of its own imagination.
It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond.
Watch for the recalled CDs in the bargain racks in the near future. You know that's where they will end up.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
...how many other 'DRM kits' that were in development by other music publishers went to the toilet because of this? Or am I the only one? Bravo SONY!!! This is the first time I saw you doing something good for the community.
I don't think they are taking them off the shelf. According to a newspaper article I read, they're still amply on retail shelves everywhere. Amazon is the only company that has publicly written consumers to let them know about their CDs. I bought a new CD from a company advertising on amazon's auction space, not amazon itself, and I wasn't informed.
I think Sony said this to avoid heat. Since it's too expensive to recall all those CDs, if they are caught, they will fall back to "well, we are offering an exchange if consumers write to us". This would match the other lying Sony has been engaged in. For instance, they claimed to remove the rootkit, and they only removed the cloaking part of the rootkit. They made no mention of a spybot.
FUCK MICROSOFT, TOO!
It doesn't take that many weeks to recall CDs and tell resellers to take them off of their shelves.
They're telling the truth, in part: they reacted as fast as they could to the bad press. But not to the real issue - the flawed software.
akad0nric0
This sentence no verb.
And, of course, they blame another company, stating
So, they're really really sorry they outsourced their DRM rootkit to the wrong company. Rich. Sony, like all megalithic corporations, behaves internally like dozens of smaller, independent companies. They're vying for their shares of the corp's limited resources and trying to justify their continued existence. I work for IBM, and it's the same way.
That said, I wouldn't be surprised if the people who received this warning never had any contact with the people responsible for the rootkit. Intra-company communication is horrid in large corps, and often the people implementing solutions get little or no real information beyond requirements and specs from those making the decisions above them.
One manager tells another manager who tells a team to hire people to write a DRM. Another manager gets a message about how dangerous these "rootkits" are, and forwards it to another manager who thinks "we're not making a rootkit, we're making a DRM."
Sony's music division cannot reconcile its business with Sony's technology division. They're competing directly, and eventually one of them is going to win. I'm hoping this was another nail in the former's coffin.
GeekNights!
Late Night Radio for Geeks!
Wouldn't that be an upload?
This line makes me so incredibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO CD in the first place. Gee, thanks.
For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.
I wonder if the artists will be "charged" for recalling their CDs and reissuing them... that would be sadly funny. Maybe it would make a few of these artists strike out on their own.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Buy any Sony DVD after Jan 1 2005 and you can't play it without using their player (or DVD Decrypter)....Why? They deliberately put bad sectors on the disk.
Buy a Sony music CD produced after Aug 1, 2005 and it installs a root kit.
What's next? Buy a Sony Walkman and it won't play anything but a Sony CD? Idiots, time for a boycott.
Back in the late 80's/early 90's, I worked at HP. Back then, openings in HP would take forever to get done. But that was also true of all the other unixes. By '95, the *nixes were cleaning up their acts. So, it was MS that took forever (and many would argue still does).
So now, we have appliances (Cisco comes to mind), and even consumer manufacturers, that are taking forever.
Hard lessons are never learned until law suits hit. Too bad that ethics do not seem to matter in business or politics.
I prefer the "u" in honour as it seems to be missing these days.
I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.
http://www.rootstrikers.org/
It's always a lot easier to bust a corporation when there is evidence that they knew they were doing something wrong. Haven't you seen Erin Brockovich? :D
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Wow, I'm intrigued by your brilliant musical insights. Even though you can't download it to their hard drives, you should at least start a newsletter, to tell everyone why the music they like sucks and why they should listen to what you tell them to instead.
Feel free to mod me "-1 - Angry Jerk".
Not forever, just until January 02 /06.
If Sony misses out on the Christmas rush perhaps they, and the rest of the E! industry, will figure out that their customers don't like to be harassed, lied to or spied on.
!!! - Arista Records, BMG Classics, BMG Heritage, BMG International Companies, J Records, Jive Records, LaFace Records, Provident Music Group, RCA Records, RCA Victor Group, RLG - Nashville, Sony Urban Music, So So Def Records, Verity Records, Columbia Records, Epic Records, Legacy Recordings, Sony Classical, Sony Nashville, Sony Wonder, Sony Ericsson, Sony Music, Sony Pictures, Sony Electronics & PlayStation. - !!!
Sony's actions were egregious, their behaviour is arrogant and their response has been without remorse.
A six week consumer action just might have the effect of reaching into the corporate boardrooms and making those who approve such actions pause. A six week consumer action just might make pension funds and other big $$ investors smack corporate leaders upside the head and direct them to 'do no evil'. A six week consumer action just might tip the balance, for a little while anyway, away from unaccountable corporate malfeasance.
Please keep in mind that while Sony is the target of this boycott; it is the insatiable, unconscionable corporate thinking that perverts any reasonable interpretation of capitalism that needs to be reformed... My hope is that Sony can go from loser to leader.
It's like they're BEGGING the EFF to add to their complaint "the rootkit was so deeply embedded and so thoroughly concealed that Sony themselves say it would take even them a month or more to create an uninstaller".
Sony have got to be trying to lose. Nobody could be this incompetent by accident.
To summarise the summary of the summary: people are a problem. ~ h2g2
Really, then I suppose that when the head of Sony BMG's global digital business, Thomas Hesse, told National Public Radio: "Most people, I think, don't even know what a rootkit is, so why should they care about it?" I assume that he includes HIMSELF as part of those "people".
Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis.
Bad Russinovich, not giving Sony enough time to "do the right thing" [be a man ;)] I'm sure they were going to go public with the glitch as soon as they had found out about it. Because Sony is irresponsible enough to install software which they don't even "understand" apparently, I'm supposed to believe them when they claim that they were going to act responsible and actually go public with this thing? What the f*ck ever...
Make them all have Heavy Metal bouncing around in their heads?
Phony Sony put its CDs on a shelf
Phony Sony had a rootkit which installed itself.
But all of Sony's lawyers and all of Sony's PR men,
Could not put the integrity back into Sony again.
He who knows best knows how little he knows. - Thomas Jefferson
Good lord, I thought I'd never see the day.
Breakfast served all day!
It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers.
It rubs the lotion on its skin. It does this whenever it's told.
It depends how serious the affected company is about security. I like the idea of having a patch available concurrent with the disclosure of a threat. In this case Sony was trying to cover up its illegal doings, so they had no real interest in patching. I doubt that F-Secure would have let Sony get away with this for much longer.
Normally, I'm not in favor of suing. Seems that there are far too many frivolous lawsuits, these days. In Sony's case, however, I'll go so far as to say that they deserve to get their ass handed to them in court.
Not only did they put something like this in their CDs, but they were warned by a respected security/anti-virus firm about it... and they did nothing until the public caught on. An example needs to be made of companies that behave like this.
I say, write your state legislator as well as your congressmen and senators, and urge everyone to sue. Let those <sarcasm> lovely </sarcasm> DMCA laws work in our favor, for once.
/dev/random
Until there are devastating consequences for any company that does this, it just doesn't matter. 90% of their customers don't even know about this, and the ones that do, don't fully understand it. This can only change once the average consumer is educated on the issue and there are successful lawsuits that punish companies like Sony. Sony knows that this will blow over in a few months and most people will forget about it (except Slashdot readers of course). People will just continue to buy CDs like they always have.
gasmonso http://religiousfreaks.com/
Exactly, and because Sony did not publicly apologize and do everything in their power to fix it, myself and many others will never EVER buy another Sony product again.
I do not care that the PSP or audio or TV or whatever are separate. The main corporate management are to blame here, and because they are untrustworthy I will forever boycott them until they issue a public apology to everyone on the planet admitting to the underhanded BS they tried to pull.
I.E. they never will.
From Business Week: That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company, since it makes the rootkit-detector software that he used to investigate. F-Secure did its own investigation and notified Sony DADC, which manufactures Sony BMG CDs, on Oct. 4. Sony BMG says the e-mail, which was forwarded to it on Oct. 7, didn't signal a serious security issue.
Let's see: someone tells you that the software you are blithely putting on other people's computers has a security flaw, one that potentially leaves millions of machines vulnerable to attack, and that's not considered "serious"? I think we should all be grateful that Sony's executives are not running the country... but then again, maybe they are?
GetOuttaMySpace - The Anti-Social Network
They suddenly like gangsta rap?
*Short is generally between 60 days and 4 years - sometimes longer, but rarely shorter. It is mostly dependent on the type of auditing done, the desire of upper management to find a scapegoat, and the amount of publicity surrounding the original erroneous decision.
Is it just my observation, or are there way too many stupid people in the world?
Buy any Sony DVD after Jan 1 2005 and you can't play it without using their player (or DVD Decrypter)....Why? They deliberately put bad sectors on the disk.
I buy tons of DVDs and I have never encountered this problem. Not just in my Sony DVD player, mind you, but in my computer, my Xbox, my Pioneer DVD player, or my car's player. Not to mention, the first reaction of a consumer will be to exchange the disc, not buy a new DVD player, let alone a Sony model.
I will admit, though, that it's the Sony DVD player that is the most likely to have problems reading a disc. I do attribute that problem to them.
In line with parent, hone your skills. There will be some openings at Sony Music fairly soon I wager.
This has already been said by Bruce Schneier, but...
F-Secure warned Sony about the dangers on October 4th, yet still failed to protect any of its users in a timely manner.
Yeah, yeah, I have been told many times before my musical insights are brilliant. But, you see the problem, the unwashed masses are not prepared or willing to listen to me. That is why the rootkit solution is so good - one could even leave the filenames intact and change the file under them and there you are: the unsuspecting listener fires up his/her usual playlist and suddenly Celine Dion sounds heavenly.
I disagree. I think F-Secure did great. I also think Mark Russinovich did great.
I think that it would have been much better if the news could have broken with a working, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.
On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.
I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.
Sony need not apply to that group, though.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Be proactive.
Watch out for yourself.
The only way to get a corporation to look out for your best interests is to convince it (remind it?) that your interests are their interests (happy customers!).
Make your interests clear by voting with your wallet. Is there a company out there that tries to fix security holes before the customer knows about them? If so, buy your products from them.
As I wrote that last bit, it occurred to me: perhaps leaving the security-hole-finding business up to the customer base is good business sense because it works and is cheaper than hiring your own security-hole-finders. I guess that brings us back to the proactive list.
In short, I agree totally with your post.
I cried real tears when Li Mu Bai died.
"Sony BMG is in a catfight with a well-known computer-security outfit..."
If I were managing editor of Business Week, I would be wondering now whether the author of the article, Steve Hamm, should be fired or re-trained.
"Catfight" reads like a P.R. release from Sony.
From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers." How were they going to issue the software patch? An improved rootkit in the next CD!
How anyone in his position could use the words "rootkit" and "benign" in the same sentence and expect to be taken seriously is beyond me.
How about:
'err, this e-mail seems to be about a routine matter. While it did introduce the notion of 'death and dismemberment', it did not suggest that the actions were anything but benign.
I don't think that any competent techie would consider the word "rootkit" as something to ignore in an e-mail ... and if Sony doesn't have techies reviewing things when management doesn't understand what they are, then they deserve everything coming to them.
At this time, I'd like to thank Mr. Hesse for doing a world of favour to the anti-DRM community. Keep up the good work!
And when you think of Infected by DRM , think/thank Hesse...
If you think imaginary property and real property are the same, when does your house become public domain?
Bruce Schneier has covered this already, but I would like to know why F-Secure didn't contact, say, everyone else when they found out that Sony was installing a rootkit on people's machines. I would like to know why nobody else on the long list of companies that get paid protection money to keep this sort of thing from happening saw fit to inform the world about this, instead of having it appear on some guy's weblog. It's not like that little cabal isn't paid what amounts to protection money specifically so that this kind of thing doesn't happen.
Mike Hoye
If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it.
Only the EFF has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.
-- Old Man Kensey
Oh man nothing like sucking up to
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
"Most people, I think, do not even know what a Rootkit is, so why should they care about it?"
You can just hear the urgency can't you...
for the sound of that resounding *SMACK* as the gates of Sony/BMG hit the collective arses of the executive brain trust responsible for green lighting this reprehensible action in the first place.
Unfortunately the usual suspects are busy defending them.
Some days it's just not worth
chewing through my restraints.
They'll settle out of court so as not to have their EULA quashed.
This way they can hold it over individual consumers who are likely to decide that it's not worth their life's savings, as opposed to wasting it on an organisation with arguably deeper pockets than Sony has.
I may be in the minority of /. readers: I don't really know the story of Mitnick. But if GP is accurate, he spent time in jail. You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year. But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?
The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnick or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.
It makes design meetings very uncomfortable.
Nice try. I was giving an excerpt from the article. The parent post said that it must be OK when a company does what Kevin Mitnick did. I'm offering proof that it isn't and that both civil and criminal charges are either being considered or are being filed.
In their mind, the entire fiasco boils down to the following --
a. How to hide the DRM software better so it will not be detected NEXT TIME.
b. How to silence the whistle blower so that if line item a fails, the word never leaks out.
c. How to fabricate plausible deniability if the word leaked out despite line item b.
In summary, for the media company, the entire affair isn't about what wrong they inflicted on their PAYING CUSTOMERS, but about how to contain the situation and continue to "protect THEIR rights."
ELOI, ELOI, LAMA SABACHTHANI!?
Ok jackass, there was mention of criminal cases in the references that the poster pointed out. Did you not see those as well? If so, WTF is your point?
Nothing like trashing someone else to get modded up.
Aside from that, I guess the Sony case will be nothing like the Mitnick case as he was held without bail and spent time in solitary confinement. It seems a safe assumption that the Sony execs will suffer no similar fate. Not to mention the other poster here who points out that they are only facing a civil suit, not a criminal one.
Sony didn't make the root kit First4Internet did. Sony used First4Internet's DRM on their disks. If you really want go after someone it should be First4Internet since they designed and built the root kit.
"Let those lovely DMCA laws work in our favor"
DMCA is for copyright violations, where is the copyright issue with this rootkit? Presumably they (Sony) have the rootkit's authors' permission to use the rootkit...
OmniNerd is carrying a decent article on the nature of rootkits (Rootkit: The "r00t" of Digital Evil) that isn't watered down like everything else the media has been using to describe rootkits. I think the principal problem with the legal system, the general public and Sony is that most people just don't understand what a rootkit really is and the capabilities they present to hackers. The media has been lumping them into the malware category as nothing more than the latest virus going around - a misconception that is costly to consumers because the threat has been greatly downplayed.
Perhaps once people really fathom just what a rootkit can do to them and how a properly written rootkit will not be detected by their anti-virus software, they'll take the threat more seriously. And in doing so, demand rightful compensation from Sony in lieu of a new audio CD. Are you comfortable with rootkits installed on the computers of your local financial institution? College records? Law enforcement? Wall Street? The military?
When you understand your disbelief in other gods, then you will understand my disbelief in yours.
oops!
Please to be accepting this free gift of Niels Diamond CD.
Mary Christmess!"
The Texas law allows for a fine of up to $100,000 per occurrence. Granted a judge in this case is not likely to award the maximum penalty, but should they choose to do so the fine could get very, very large. Say there were 5000 computers affected in the state, that would mean potentially a fine of $500,000,000. A half a billion dollars is no small matter, even to a large corporation.
Wake up, bitch. Governments "consider" prosecuting, whereas in the case of an individual it's a certainty. And the case you mentioned is civil. How much jail time for the responsible executives does THAT entail?
Corporate apologist shitbag. Go the fuck away with your debunked-in-2-seconds propaganda. It's clear corporations break the law with impunity for things the individual would be jailed (even killed) for. We need a Corporate Imprisonment Penalty and a Corporate Death Penalty. Until then, morons like you will keep spouting apologia while corporations run rampant over the populace and the law itself.
[You have a stable society when some nut guns down a schoolyard and the law doesn't change.]
In their defense, the ignoramuses at Sony may not have been told that in so many words. Their level of understanding has been clearly shown by the much hyped and once again relevant quote:
Perhaps what he meant was: "I don't even know what a Rootkit is, so why should I care about it?" F-Secure may have assumed someone around Sony ought to have half a clue about security, and would not need the term "rootkit" defined or the nasty security implications spelled out. Of course, this doesn't excuse the ignoramuses at Sony for being ignoramuses.
//Information does not want to be free; it wants to breed.
yet much shorter, i bet.
And shorter meetings mean more time to ... code and be a valuable asset to your company... Yeah, be a valuable asset.
While I find your timeline plausible, I think it's only part of the story. It wouldn't surprise me at all if that happened at the START of the project, but I don't find it plausible that they never involved themselves in the software at all. Sony, like any other large corporation, is risk averse, especially in terms of their image. I'm sure they reviewed the software/technical design of what was being suggested by First4. What I don't buy is that Sony distributed software they were so clueless about. Let's face facts, folks: Sony has definitely behaved badly, but they're not stupid. The amount of incompetence required to justify their "duh, we just shipped it" argument is staggering to the point of absurdity.
Sony is screwed in court -- how can they argue they're innocent, and that this wasn't a deliberate act of sabotage when their own CEO (Howard Stringer) said in 2001:
"Right now it would be possible for us, and I've often thought it would cheer me up to do it, you could dispatch a virus to anybody whose files contain us or Columbia records..."
Ian Ameline
A good amount of MS exploits are actually found by 3rd party companies, and you never hear of them until patch day. The reason is the company finds it, tells MS, MS makes a fix, and then the announcement accompanies the fix.
Now it doesn't always work that way, of course, sometimes you have to light a fire under companies, but not usually. Usually you tell them, they fix it.
Often as not the public notices before the patch are publicity moves.
Sony warned weeks ahead? Yeah, it was probably in the requirements document that they gave to First 4 Internet.
How come there is so little talk about the corporate connection between Sony and First 4 Internet? I'm glad that Sony hasn't shaken the blame off themselves and onto First 4, but the two were in cahoots, as they say. A "You scratch my back, I'll scratch yours" kind of thing.
Sony is RootKit. This is really bad for Sony.
Bullshit, Sony.
What's the over-under on how long it takes for somebody to use the security holes in Sony's DRM to create a botnet used to DDoS Sony?
The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time.
Don't know if anyone has thought of this but would they really be the responsible company? Even though they wrote the software, they wrote it for Sony Corp. It's my understanding that most software developers write code which is owned by the Company (their employer). Wouldn't this indemnify First4Internet of any wrong doing?
I agree this requires a severe penalty. If non corporate hackers could face jail time or severe financial penalties then Corporations should be held to the same standards put into law.
Has Comcast disconnected your Internet account? Same here. You can read about it at http://comcastissue.blogspot.com
I wasn't questioning the assertion of the Grandparent post that criminal charges were being considered, just that the evidence offered to support it was poor. The post undermined its own argument; that's all I was pointing out.
Now I'm pissed (and I don't mean drunk). This sucks (and I don't mean vacuums up well). F-Secure knew a month earlier about this lying stinking RootKit and kept it to themselves. They have just lost my respect as someone who looks out for me. How many more computers were infected while F-Secure was playing footsie with Sony-BMG?
Not that the rest of the anti-virus/anti-spyware companies have been that much better here. Those that say we'll tell you it's on your system, but don't expect us to safely remove it for you. The whole industry, music and computer protection, has come out looking pretty scummy over this one.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I doubt seriously Sony has recalled. I saw these CD's in Target last night doing christmas shopping.
these CD's will linger in store for ages
A consumer boycott could possibly make SONY management act responsibly, meaning they actually admit responsibility for the rootkit, but I doubt it unless the boycott spreads outside of geekdom. Well, maybe. But if it doesn't, here's what you can do personally: sue them yourself.
In California (where I live), we have a thing called "Small Claims" court. It's a civil court where an ordinary citizen can sue another ordinary citizen or a company for monetary damages. Punitive damages are not awarded and neither are "pain and suffering" damages. You actually have to have been damaged in a way that cost you money in order to collect in small claims court. The good thing about small claims court is that lawyers are not allowed. The bad thing is if you're suing a corporation they can send an employee (such as a lawyer they have on the payroll). This is a good thing in a way, as you will see.
First of all, you need to be damaged by SONY. That's easy: put one of the XCD music CDs in your PC. Of course, you should not do this knowing about the rootkit. But if it happened before you learned about it or if you happened to get one of those XCD disks and didn't notice it then it's a different matter.
Second, you need to pay someone to clean your PC. Make sure you get a receipt.
Third, you need to follow the rules regarding filing a claim, getting court papers served, making sure you're prepared to present your case, etc. All this is here:
http://www.courtinfo.ca.gov/selfhelp/smallclaims/
The neat thing about small claims court is that if the defendant (SONY in this case) doesn't show up, you are entitled to ask for a summary judgment, which means you win your case by default. You can then proceed to collect your damages from SONY. Companies tend to pay such claims because the cost of having assets attached and liquidated (such as one of their bank accounts) exceeds the cost of just paying it.
If they send someone it's an employee of the company which means they are paying wages for someone to be there. If you win your case, you've not only made SONY liable for your damages (plus your court costs) you've also cost them probably more than your damages especially if they send one of their legal department lawyers. If you lose, you've still won a moral victory that cost you no more than the cost of one of SONY's CDs and some of your time.
If enough people did this SONY will take notice. So if you've been damaged, go for it. If you know someone who's been hit by the rootkit, perhaps they can be urged to do it. You can even make some money on the side if you're the one cleaning the PCs.
It's really quite a simple choice: Life, Death, or Los Angeles.
to be figured in to the "war on piracy".
I'm glad it's a couple big states here with these laws. Sony might be able to ignore Delaware as a market if selling their DRM-infected crap broke that state's law, but together CA and TX are bigger than some countries.
And isn't the RIAA's home office in CA? :^) Interesting how I've yet to hear the RIAA staff saying we play DRM protected CDs on our home computers all the time. I mean, don't they use their own products?
$100,000 per violation. so that's each cd that was purchased and installed in the state of texas. figure there's at least 1,000 people in the state of texas who installed it only once. that's $100,000,000 that sony has to pay out, and that's only in texas. if every state files a similar lawsuit with similar charges, the cost to sony could be upwards of $1,000,000,000. sony's gonna settle this one out of court, but hopefully the people won't let them. first4internet didn't do the hacking, sony knowingly put the software on their cd's and didn't provide any type of warning as to what it did. sony knew exactly what it did.
kevin mitnick stole code. he didn't just look around, he took some for himself. no, he did not distribute it. he knew what he was doing was wrong. he's not a hero, he's an ex-con.
please me, have no regrets.
$100,000 is a slap on the wrist
Per violation.
Funny, with a month's quiet warning time themselves I didn't see F-Secure releasing a detect and remove solution to this infection. Are they really this slow in responding to all threats already out in the wild?
That gives the developers time to at least create a patch to prevent any further damage.
Oh really??? And how is this patch delivered? When your music CD phones home the next time, is it supposed to download Service Pack 1? And are you asked if you want to do this? And if your computer isn't even connected to the Internet, but you want to be able to rip and burn other CDs while not having your limited memory and processing resources continually sucked up by this permanently running program?
Face it, there was no way for Sony to fix this once they let it out on CD.
Then why didn't F-Secure release a update to detect and remove the rootkit and the rest of the compromising software without waiting for Sony? Not what I call acting in the best interest of anybody except Sony.
And if they were ducking for cover from Sony's lawyers and legal threats, then they're even worse!
Is something like norton ghost a workable remedy when infected by a sony root kit or similar?
Is it possible to set up a windows system so a simple restore of a ghost image will put your system back how you intended it to be.
Or has Microsoft's obsession with the C: drive left it impractical to have data away from the programs that use it?
There are plenty of Microsoft fans reading Slashdot, some even claiming to be qualified, so I would be glad to learn how to set up a system where it's possible to run a restore without losing data. I think I could be disciplined enough to make a new image when software requires updating or installing.
Blarney Quality Restaurant, Plants
Could you rephrase this post in a way that is intelligible please?
Feel free to mod me "-1 - Angry Jerk".
Make sure you get a receipt.
Get the most highly inflated receipt you think you can get away with. Something like $75/hour for an entire day's diagnosis, reformat, reload operating system, reload all applications, fully test system, and give a new burn in. Since Sony's paying, let them pay for the deluxe treatment.
Please.
But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?
This almost sounds like the "do it for the children" mantra. The solution is that if a corporation does something stupid, it gets penalized. You can't hold justice hostage to [insert sob story here].
Long term, it might help if any settlement resulted in smacking the senior management around a little, too, making them fully aware that they will be accountable if they violate the law.
If someone bought Celine Dion and Neil Diamond CDs I'd go so far as to say they deserved to get rooted...
I've got hundreds of original albums. I buy music all the time - at least one CD per week, sometimes three or four. I've got better things to do than spend my time searching through file sharing systems trying to find valid mp3's of reasonable quality. I make a pretty good living, so I pony up my dough. I make a copy for the car, and I rip it to MP3's for work and for the gym.
When I buy a CD that is copy protected, I copy it anyway. If I can't pull it out using my normal software, I use Poikosoft's product to rip it cleanly. Then I take ten blanks, and copy the CD. I take a photo of the ten CD's, carefully labelled with the album title, and I send the picture, along with an explanation, to the band and the label, via a freshly registered anonymous e-mail account. Then I give away those ten CD's.
While I believe people should pay for the music they have, I also believe the only people who are inconvenienced by copy protection are people like me - the ones who paid. Nobody else is really aware of it.
Everybody should do this.
"This was really bad," he says. "The worst thing you can have on your computer right now is a rootkit, and Sony was installing it on people's computers."
That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company, since it makes the rootkit-detector software that he used to investigate. F-Secure did its own investigation and notified Sony DADC, which manufactures Sony BMG CDs, on Oct. 4.
And why didn't Guarino go public? I blame him too!
But if you lose, is there not a good chance you'll have to pay their legal fees?
Yes, Mitnick did time - he got a severe sentence, including solitary. It was out of proportion to his crime because his was an early instance of cracking (the swallow before the summer) and he was made a scapegoat. Also, the press paid great interest partly because of the fascinating story of his pursuit and capture, which the authorities treated as a mission deserving all their energy.
Looking back now, you can't help wondering why all the fuss. Mitnick did pry around some academic, corporate and military related systems but always maintained he did no damage. He certainly seemed to act out of curiosity and as a challenge rather than with malice. He has yet to write his account of the episode.
What Mitnick did pales into insignificance compared with what goes on now - spammers acting with apparent impunity, crackers installing and controlling bots in their tens of thousands, market researchers planting spyware, and even previously respected household names like Sony pushing Trojans onto the unsuspecting public. Activities which seriously threaten the continued viability of the internet as a medium.
Company directors can be sent to jail, as Mitnick was. However, I doubt it will happen because the legal authorities and the public are now punch drunk with misbehaviour in the IT field. They were sharp and keen against Mitnick, but now they are weary and cannot be bothered to pursue the wrong-doers.
It is much easier for the authorities to dismiss this case with "Oh well, surely Sony couldn't have meant any harm, could they?"
The terms should have been:
First4Internet: We need a nondisclosure agreement that covers our arses (British company) in all this.
F-Secure: We don't need any nondisclosure agreement at all to just go public with what we already know.
First4Internet: We'll sign whatever you want. Just please get our arses out of the sling before anyone else finds out about this!
Has anyone contemplated suing F-Secure and other virus/malware/rootkit software checker companies???
After all, these companies get money from people. These people expect a service in return: the detection of malware and viruses (virii?). If it is clear that F-Secure knew about it, how could they sit on their hands and do nothing? Just because it is Sony? Do they give the same leeway to hackers in Russia?
I think that this demonstrates that you really cannot trust businesses to take care of users. They all seem to be in for themselves...
When the result means recalling Neil Diamond and Celine Dion? More of that in the wild, we do not need!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
Who the hell is going to pirate Neil Diamond tunes? Is there rampant copyright violation involving Neil Diamond's music? Are thousands of new U.S. citizens trading illegal MP3s of Diamond's anthem "Coming to America"? Does Neil Diamond's demographic even know how to rip a CD? Did I just miss the Tower Records "midnight madness" sale of the new Neil Diamond CD? Is Neil Diamond really the most pirated name in the music industry?
Even the 1973 treeware dictionary should have given him pause. Perhaps a 'root kit' simply helps the gardener to vegetatively propagate plants- ok, that sounds benign. But since when does Sony bundle plant hormones with their CD's? However, a 'root kit' could perhaps also imply Toys of a Certain Nature in Australia. Sexual content could get the CD pulled in WalMart. Is annoying WalMart benign?
For future reference, Mr. Hesse, if you see these other seemingly benign words in an email, please do look them up before assuming all is well: "neoplasia," "engine preignition," "crack propagation," "blue screen," "elegant worm," "percussive maintenance," "cereal rust"...
Why hasn't anyone been thrown in jail? Had this been Joe Blow techie who decided to copy protect his works with this protection, he'd be behind bars.
I'm tired of Corporate America being able to step where they want, when they want, with no repercussions..
oh.. they will pay out a few million to settle the states lawsuits. But in the end who still suffers? the Customer.
Until I get a Guarantee that this type of behavior will not be repeated I'm going back to Usenet and p2p..
The simplest (but probably not cheapest) way to avoid problems like this under Windows would be to acquire a copy of VMware, create a virtual machine with two drives, and install Windows into the VM. The first virtual drive should be a "snapshot" drive (C:), the second is a normal drive and holds any data you want to work with. Immediately after installing Windows, commit the snapshot. After that, every time the VM is restarted the contents of C: will be reset to their original state, eliminating viruses, rootkits, spyware, etc. One significant drawback of this approach, however, is that VMware does not perform any hardware-accelerated 3D graphics, so e.g. games will not work properly within the VM. Other than graphics, the speed difference between the VM and the underlying hardware is fairly small.
"The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
It's as if Sony got caught breaking into your house to install surveillance cameras. They're pretending that their only wrongdoing is not locking up properly on the way out.
Was this to ensure that F****4Internet, a UK company, didn't violate UK law?
In the old days you attacked a country using "high energy release devices", but in the modern world you can get "payback" for such devices by sticking your WDM on music CDs.
Mitnick case as he was held without bail
That's pretty normal for people who flee arrest. Mitnick didn't end up in jail for breaking the law. He got there by getting caught, continuing to break the law, getting caught again, breaking more laws, and finally fleeing to avoid arrest. You don't give someone like that bail, just so they can flee again.
That's because the Sony execs will have decent lawyers and listen to them, and won't have been caught bragging about what they could do with this power.
Then why didn't F-Secure release a update to detect and remove the rootkit and the rest of the compromising software without waiting for Sony? Not what I call acting in the best interest of anybody except Sony.
And if they were ducking for cover from Sony's lawyers and legal threats, then they're even worse!
Now this is based hearsay, so take it with a grain of salt:
F-Secure (being a Finnish company) couldn't just create a removal tool for the rootkit, because of the uncertainty whether it would be legal or not thanks to the new copyright legislation in Finland.
That's what you get when you vote a former Miss Finland to the parliament.
Enough said!
...turn in your geek card.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Nope, if someone hires someone else to kill you, or even break into your office to plant a listening device, the hitman/spy is going to jail along with the person who hired the hitman/spy. Unlike the case of an employee, First4internet is a separate company and therefore a separate entity responsible for its own actions.
If you win your case, you've not only made SONY liable for your damages (plus your court costs) you've also cost them probably more than your damages especially if they send one of their legal department lawyers. If you lose, you've still won a moral victory that cost you no more than the cost of one of SONY's CDs and some of your time.
And after all of this fiddling around in court, and assuming that you win, what have you actually gained?
You got your money back that you spent for computer repair that you could have done yourself for free, and in less time than you spent sitting around in court dealing with it.
And what else?
If you're a zombie and you know it, bite your friend!
What are you talking about, you can download Vmware for free. As for the serial number required, you just visit one of the many crack/keygen/serial sites using Opera or Firefox (actually, anything other than MSIE and MSIE based browsers like Maxathon) and get the code you need.
No you didn't. You just like to talk big on the internet to make up for your insecurities. Or you're just an asshole.
Want good corporate governance? Apportion jail time for criminal actions as proportional to stock holdings.
That'll solve this problem Right Freakin' Now.
Why yes, I AM a rocket scientist!
How soon the masses forget:
http://www.freesklyarov.org/
Or you could legally use the free trial they offer to create the image, and then use the VMware Player application once the trial runs out. I'm well aware that you can find the serial numbers online, but why invite trouble when there is an easy alternative?
Does anyone use an F-Secure antivirus program and have experience with the rootkit. We use some of their products at work, but I haven't as of yet run into a rootkitted machine so I'm unsure of whether the antivirus does anything about it.
A friend of mine came in last year with a sony mp3 player (it must have been the RC5, for it was marketed as a "real" mp3 player). He's computer illiterate and wanted me to put some of his cd's on the stick. I don't have windows, so I just stuck it into the usb port and it showed up as a drive. I ripped the CD's under linux and copied the resulting mp3's. It didn't work. So I imagined there was something wrong with the mp3 format and tried different options for converting to mp3. Nothing worked, and he was going on vacation in a few days so it needed to be done asap. I spent all night trying to make it work.
Eventually, at 5AM, I gave up. I had my sister's computer at home for cleanup, and she had winXP. I installed SonicStage on it and copied the files using that crappy software. I suspected call-home "features", so I made sure it wasn't connected to the internet. Later, I didn't manage to uninstall it, so I just deleted the folder in program files. Now, I suspect there still are some "drivers" present. I'm not sure, maybe it's just an irrational fear, and I'm really just paranoid. Maybe not.
Bottom line: I vowed never to buy Sony. Ever.
"It's too bad that stupidity isn't painful." - Anton LaVey
If this is the kind of professional their general counsel is, they need to clean house. It is totally unacceptable to blame a contractor for the fuckup you sold to your own customers, and any lawyer worth an hour's consulting fees should know this. The customers harmed by this action don't have any relationship with the contractor, they have one with Sony BMG. If I was their general counsel, I certainly would not be giving this kind of pass-the-buck statement to the press.
Edith Keeler Must Die
F-Secure would probably be facing legal action from Sony if they deliberately prevented Sony's software from running. In the land of the DMCA, where a guy who plays chess against the Russians is a traitor and a guy who sells weapons to Iran to give money to a drug dealer is a patriot, who knows which way it would go? Either way the antivirus companies lose - viruses and malware produced by companies with major legal clout will most likely be a major headache for the antivirus companies from now on.
Hmm, so the xcp client gets its banners from connected.sonymusic.com
I wonder if the tech community can't teach SonyBMG a lesson by cracking Sony's DNS server and only redirecting the XCP banner requests to a banner that tells users about XCP flaws. The rest of connected.sonymusic.com.. could still be transparently directed to the original site, I suppose.
That would certainly be a case of cracking for some social good. If Sony won't/can't do the right thing, a case of tech vigilantism could be justifiable.
Regds
That said, I wouldn't be surprised if the people who received this warning never had any contact with the people responsible for the rootkit.
Yeah, but here's the funny thing. I haven't heard about anyone getting fired for this yet.
No. You download from high to low and upload from low to high, which is why you download from the internet or any other network. Since these people have Sony's rootkit on their computers they are clearly low, making download the proper term.
What if everyone just decided to go to http://www.upsrow.com/sonybmg/ and automatically "exchange" a CD (or choice note, or rock or [insert your item]) using a fake email and address? Wouldn't that be a sort of poetic justice for Sony who's haxored the computers of those who bought their CDs? Not that I'm suggesting it or anything...it would just be an interesting /. effect.
They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.
That would be a total waste of time. The malware that also ships corrupts the data from a rip giving a corrupt file full of pops and clicks. That is what the DRM software hidden by the root kit does. It corrupts the data from the drive to your ripping program to make corrupt MP3 files. Only their included player can re-create the original sound, but it's not saving any clean MP3 files for grabbing.
The truth shall set you free!
Throwing a bunch of corporate executives and directors in jail for the actions of their corporation whilst they were at the helm will soon start to bring the others back under control.
Fining or punishing a corporation is pointless; convicting those individuals responsible for the actions of that corporation is the only thing that makes any sense at all.
Chaos - everything, everywhere, everywhen
I'm not so sure. Do you really think the Sony Music execs truly understood what they approved? Most people don't know what rootkits and kernels are, and I don't think the music execs fully grasped its implications either. I don't think the following is so unlikely:
Sony Music: We want a DRM solution.
First4Internet: Here you go.
Sony Music: And you assure us this works?
First4Internet: Sure.
Sony Music: Okay!
Even if First4Internet explained to them how their system worked, most people aren't very forward-thinking. Lots of people don't really have the imagination or the comprehension to consider the consequences and implications of their actions, especially in the software realm. (Also keep in mind that Sony Music is separate from Sony Electronics, Sony Computer Entertainment, etc.. Do they have a staff of qualified software engineers?) Would it have occurred to any of the Sony Music execs that viruses or other malware could take advantage of this system? I doubt it. I think it's pretty evident they're not that creative.
IANAL, but this is misleading. First, the rules vary from state to state. For example, NY used to require an attorney represent a corporation going to Small Claims Court (either as plaintiff or defendant), and allowed but did not require it for individuals. Other states allow private individuals to choose whether or not to have an attorney represent them; all, however, allow pro se representation in Small Claims — individuals never need a lawyer.
While it seems California does not allow attorney representation in SCC, they may consult with you before and after. Some states that don't allow attorney representation will permit having the attorney in the courtroom to advise; it doesn't look like CA allows that, however.
Second, while California does not allow a lawyer to be hired to represent a side in court, if a corporation has a lawyer already as an employee, they may send the lawyer (as an employee) as the representative. What are the odds that Sony has a lawyer employed? Hmmm....
You actually have to have been damaged in a way that cost you money in order to collect in small claims court.
Note that, if you do the system reinstallation yourself, you can usually try and collect reimbursement for that time at your normal hourly wage. This is easier if you do computer work on the side, but is still possible -- after all, this took your time, which has a demonstrated cash value.
If you win your case, you've not only made SONY liable for your damages (plus your court costs) you've also cost them probably more than your damages especially if they send one of their legal department lawyers.
Well... no. Corporate lawyers as I understand are usually salaried; they'd be paid regardless. Sony's really only out travel expenses. This only seriously costs Sony if enough people do it that Sony needs to hire more lawyers.
Haven't been able to find any information about CDs distributed by Sony subsidiaries like RCA/BMG, and whether they, too, would be exchanging CDs. Foo Fighters' In Your Honor is carrying the copy protect software, but does not appear on the list of "official" CDs acknowledged by Sony as having the flawed protect software. The site for the copy protect (sunncomm.com) and the label/artist page have no info on whether this CD will be included, along with others published under another label. Or, am I completely off base? Is this a different software altogether? If so, does it have the same vulnerabilities?
The universe is made of atoms and empty space. All else is speculation. --Democritus of Abdera, 435 BC
You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year.
You can't put a corporation in jail but as you state, people in the corporation knew about it. I'm sure any one of them would love to go to jail. $100k is a slap on the wrist but it is $100k for each violation for some of the lawsuits that have been filed. *That* may not end up being a slap on the wrist. I'd love to see Sony fined a bunch of money or even 1 Chief Officer from Sony Ent. go to jail over this.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
No, it'd be sharing it, since they don't have the actual music.
AC's modded -6. I don't see you, I don't mod you, anything you say is lost. Don't like it? Don't be a coward.