Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sony Warned Weeks Ahead of Rootkit Flap

Posted by Zonk on from the going-a-little-slowly dept.

pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."

9 of 335 comments (clear)

  1. Still on the Shelves by Anonymous Coward · · Score: 5, Informative

    Not only is Sony not moving fast, NY AG Elliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.

  2. Re:Sony made a rootkit? by gg3po · · Score: 2, Informative

    Surely you jest...

    ...and that doesn't even count all the Slashbacks. Maybe you should consider adding a </sarcasm> tag :-) . I must admit, however, that this is one case where I don't mind the repeated updates. I hope Sony isn't allowed to forget what they did. This will make an example of them to anyone considering such tactics in the future.

    --
    ---
  3. Don't forget Sony's other nasty DRM by Old+Man+Kensey · · Score: 5, Informative
    Lest we forget, Sony is still shipping CDs with SunnComm's MediaMax DRM on them -- ten times as many as the XCP rootkit, in fact (that's 20 million CDs at last count, for those keeping score at home). It's still just as easy to defeat as it was in 2003, but if you make the mistake of letting it install like my wife did, it's fairly nasty. In particular it actually installs before you agree to the EULA -- the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).

    If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it.

    Only the EFF has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.

    --
    -- Old Man Kensey
    1. Re:Don't forget Sony's other nasty DRM by Husgaard · · Score: 4, Informative
      the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).
      Originally it was thought that no matter if the user declined, the software would be activated. The difference was that it was thought that if the user declined the software would not be active after a reboot.

      However, yesterday word came out that in some cases the software can become permanently activated even though the user declined to have it installed.

    2. Re:Don't forget Sony's other nasty DRM by hords · · Score: 2, Informative

      I have not bought a single music cd since they started puting copy protection on them. I'm sure I'm not the only one. I don't pirate my music, but I imagine some people who want to be able to play their music on their computer find it easier to pirate then to bypass the copy protection. I don't mind copy protection per say, but when it limits what you can do with your media, or spys on your every move, it pisses me off. I buy tons of DVDs and video games, but the music industry isn't going to get a dime out of me through cd sales.

  4. Re:Proves public disclosure is the best for securi by shawn(at)fsu · · Score: 3, Informative
    I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.


    Oh man nothing like sucking up to /. to get a +5 insightful. No it's not Ok . If you would follow the news you would see that several states and contries are consider criminal charges against Sony. A quick news.google search will give you a result like this "Legal threats are now being discussed in some countries, notably the US and Italy, including criminal charges of computer misuse. For example, on 21 November the Texas State Attorney General Greg Abbott filed a civil lawsuit against Sony seeking civil penalties of $100,000 per violation of the state's Consumer Protection Against Computer Spyware Act." from Ovum

    --
    500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
  5. Re:recalled? by Anonymous Coward · · Score: 1, Informative
    A recent trip to Best Buy that I took revealed that many contaminated albums are still on the shelves. Some recall.

    If it was discovered that one of Ford's vehicles had faulty seat belts, dealers would certainly not continue selling the affected vehicles before having the problem addressed. Why is it permissible for retailers to continue offering these tainted discs? It makes me wonder if retailers could also be held responsible to some degree in the upcommming lawsuits against Sony.

    Always remember to look for this logo before purchasing audio compact discs. It ensures that the disc follows the Red Book standard which does not permit anything but music.

  6. Re:Another possibility exists... by terrymr · · Score: 4, Informative

    Actually it is ignorance of the law that can not be a defense. However ignorance of the harm you are doing would tend to suggest negligence.

  7. Re:If this is true... by yfkar · · Score: 2, Informative

    If someone sued them for the MediaMax too, they wouldn't even have the EULA defense as it installs (and in some cases, runs) kernel-level drivers even if the user declines the EULA.