Slashdot Mirror
Sony Warned Weeks Ahead of Rootkit Flap
pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
So Sony was lying its collective arse off when saying it reacted as quickly as it could? This is news how?
Scramble? To contain the crisis?
They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.
They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and recieved criticism from the government.
"as quickly as they could" my ass.
Of course, they could have been smarter and never released it to begin with.
Why didn't Slashdot tell us before?!
I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.
...when a company becomes bigger than its customer base.
So Sony was lying its collective arse off when saying it reacted as quickly as it could?
That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.
I'm a big tall mofo.
Van Zant, Celine Dion, and Neil Diamond
They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.
Not only is Sony not moving fast, NY AG Elliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.
If this is true, then sony just lost them court cases we've been hearing about. Having been told about it and not issued a product recall at the earliest opportunity (i.e. within a day or two) means that they were intentionally subverting people's computers.
The only defence available to them was that they didn't realise this was happening. They've just lost that.
When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.
They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. CDs by these artists should have been recalled anyway, rootkit or not.
"I'm a recall coordinator. My job was to apply the formula. It's simple arithmetic. It's a story problem. A new car built by my company leaves Boston traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: Do we initiate a recall? You take the number of vehicles in the field (A) and multiply it by the probable rate of failure (B), multiply the result by the average out-of-court settlement (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one."
The only thing more dangerous than a file named -rf is renaming it -rf\ /
In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."
How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad naseum do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.
These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices -- boycott or no, they're not exactly burning up the charts right now.
Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.
--
The universe is a figment of its own imagination.
The universe is a figment of its own imagination.
..how many other 'DRM kits' that were in development by other music publishers went to the toilet because of this? Or am I the only one? Bravo SONY!!! This is the fist time I saw you doing somehing good for the community.
It doesn't take that many weeks to recall CD's and tell resellers to take them off of their shelves.
They're telling the truth, in part: they reacted as fast as they could to the bad press. But not to the real issue - the flawed software.
akad0nric0
This sentence no verb.
Sony, like all megalithic corporations, behaves internally like dozens of smaller, independant companies. They're vying for their shares of the corp's limited resources and trying to justify their continued existence. I work for IBM, and it's the same way.
That said, I wouldn't be surprised if the people who received this warning never had any contact with the people responsible for the rootkit. Intra-company communication is horrid in large corps, and often the people implementing solutions get little or no real information beyond requirements and specs from those making the decisions above them.
One manager tells another manager who tells a team to hire people to write a DRM. Another manager gets a message about how dangerous these "rootkits" are, and forwards it to another manager who thinks "we're not making a rootkit, we're making a DRM."
Sony's music division cannot reconcile its business with Sony's technology division. They're competing directly, and eventually one of them is going to win. I'm hoping this was another nail in the former's coffin.
GeekNights!
Late Night Radio for Geeks!
Wouldn't that be an upload?
This line makes me so increadibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO cd in the first place. Gee, thanks.
For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.
Download free e-books, lectures, and tutorials at bookgoldmine.com
There already there...
I wonder if the artists will be "charged" for recalling their CD's and reissuing them... that would be sadly funny. Maybe it would make a few of these artists strike out on their own.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.
http://www.rootstrikers.org/
It's always a lot easier to bust a corporation when there is evidence that they knew they were doing something wrong. Haven't you seen Erin Brockovitch? :D
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Not forever, just until January 02 /06.
If Sony misses out on the Christmas rush perhaps they, and the rest of the E! industry, will figure out that their customers don't like to be harrassed, lied to or spied on.
!!! - Arista Records, BMG Classics, BMG Heritage, BMG International Companies, J Records, Jive Records, LaFace Records, Provident Music Group, RCA Records, RCA Victor Group, RLG - Nashville, Sony Urban Music, So So Def Records, Verity Records, Columbia Records, Epic Records, Legacy Recordings, Sony Classical, Sony Nashville, Sony Wonder, Sony Ericsson, Sony Music, Sony Pictures, Sony Electronics & PlayStation. - !!!
Sony's actions were egregious, their behaviour is arrogant and their response has been without remorse.
A six week consumer action just might have the effect of reaching into the corporate boardrooms and making those who approve such actions pause. A six week consumer action just might make pension funds and other big $$ investors smack corporate leaders upside the head and direct them to 'do no evil'. A six week consumer action just might tip the balance, for a little while anyway, away from unaccountable corporate malfeasance.
Please keep in mind that while Sony is the target of this boycott; it is the insatiable, unconscionable corporate thinking that perverts any reasonable interpretation of capitalism that needs to be reformed... My hope is that Sony can go from loser to leader.
Phony Sony put its CDs on a shelf
Phony Sony had a rootkit which installed itself.
But all of Sony's lawyers and all of Sony's PR men,
Could not put the integrity back into Sony again.
He who knows best knows how little he knows. - Thomas Jefferson
Normally, I'm not in favor of suing. Seems that there are far too many frivolous lawsuits, these days. In Sony's case, however, I'll go so far as to say that they deserve to get their ass handed to them in court.
Not only did they put something like this in their cd's, but they were warned by a respected security/anti-virus firm about it... and they did nothing until the public caught on. An example needs to be made of companies that behave like this.
I say, write your state legislator as well as your congressmen and senators, and urge everyone to sue. Let those <sarcasm> lovely </sarcasm> DMCA laws work in our favor, for once.
/dev/random
Until there are devastating consequences for any company that dies this, it just doesn't matter. 90% of the their customers don't even know about this, and the ones that do, don't fully understand it. This can only change once the average consumer is educated on the issue and there are successful lawsuits that punish companies like Sony. Sony knows that this will blow over in a few months and most people will forget about it (except Slashdot readers of course). People will just continue to buy cds like they always have.
gasmonso http://religiousfreaks.com/They suddenly like gangsta rap?
*Short is generally between 60 days and 4 years - sometimes longer, but rarely shorter. It is mostly dependent on the type of auditing done, the desire of upper management to find a scapegoat, and the amount of publicity surrounding the original erroneous decision.
Is it just my observation, or are there way too many stupid people in the world?
This has already been said by Bruce Schneier, but...
F-Secure warned Sony about the dangers on October 4th, yet still failed to protect any of it's users in a timely manner.
I disagree. I think F-Secure did great. I also think Mark Russinovich did great.
I think that it would have been much better if the news could have broken with a worken, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.
On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.
I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.
Sony need not apply to that group,though.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Be proactive.
Watch out for yourself.
The only way to get a corporation to look out for your best interests is to convince it (remind it?) that your interests are their interests (happy customers!).
Make your interests clear by voting with your wallet. Is there a company out there that tries to fix security holes before the customer knows about them? If so, buy your products from them.
As I wrote that last bit, it occurred to me: perhaps leaving the security-hole-finding business up to the customer base is good business sense because it works and is cheaper than hiring your own security-hole-finders. I guess that brings us back to the proactive list.
In short, I agree totally with your post.
I cried real tears when Li Mu Bai died.
Buy a sony Walkman and it won't play anything but a Sony CD?
Sony's way ahead of you. Buy a sony Walkman "MP3" player and it won't play anything but propriatery ATRAC files. It won't even play MP3s, hence the quotation marks on MP3 above.
" From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers." How were they going to issue the software patch? An improved rootkit in the next CD!
How anyone in his position could use the words "rootkit" and "benign" in the same sentence and expect to be taken seriously is beyond me.
How about:
'err, this e-mail seems to be about a routine matter. While it did introduce the notion of 'death and dismemberment', it did not suggest that the actions were anything but benign.
I don't think that any competent techie would consider the word "rookit" as something to ignore in an e-mail ... and if Sony doesn't have techies reviewing things when mgt doesn't understand what they are, then they deserve everything coming to them.
At this time, I'd like to thank Mr. Hesse for doing a world of favour to the anti-DRM community. Keep up the good work!
And when you think of Infected by DRM , think/thank Hesse...
If you think imaginary property and real property are the same, when does your house become public domain?
Bruce Schneier has covered this already, but I would like to know why F-Secure didn't contact, say, everyone else when they found out that Sony was installing a rootkit on people's machines. I would like to know why nobody else on the long list of companies that get paid protection money to keep this sort of thing from happening saw fit to inform the world about this, instead of having it appear on some guy's weblog. It's not like that little cabal isn't paid what amounts to protection money specifically so that this kind of thing doesn't happen.
Mike Hoye
But if they are not destroyed, then they will be most likely be given away as a prize to the ninth caller to your local Clear Channel radio station.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it.
Only the EFF has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.
-- Old Man Kensey
Oh man nothing like sucking up to
500 dollar reward for tip(s) leading to the arrest of the person(s) who stole my sig.
""Most people, I think, do not even know what a Rootkit is, so why should they care about it?"
You can just hear the urgency can't you...
I may be in the minority of /. readers: I don't really know the story of Mitnik. But if GP is accurate, he spent time in jail. You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year. But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?
The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnik or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.
In their mind, the entire fiasco boils down to the following --
a. How to hide the DRM software better so it will not be detected NEXT TIME.
b. How to silence the whistle blower so that if line item a fails, the word never leaks out.
c. How to fabricate pausable deniablity if the word leaked out despite line item b.
In summary, for the media company, the entire affair isn't about what wrong they inflicted on their PAYING CUSTOMERS, but about how to contain the situtation and continue to "protect THEIR rights."
ELOI, ELOI, LAMA SABACHTHANI!?
Nothing like trashing someone else to get modded up.
Aside from that, I guess the Sony case will be nothing like the Mitnick case as he was held without bail and spent time in solitary confinement. It seems a safe assumption that the Sony execs will suffer no similar fate. Not to mention the other poster here who points out that they are only facing a civil suit, not a criminal one.
http://www.rootstrikers.org/
OmniNerd is carrying a decent article on the nature of rootkits (Rootkit: The "r00t" of Digital Evil) that isn't watered down like everything else the media has been using to describe rootkits. I think the principle problem with the legal system, the general public and Sony is that most people just don't understand what a rootkit really is and the capabilities they present to hackers. The media has been lumping them into the malware category as nothing more than the latest virus going around - a misconception that is costly to consumers because the threat has been greatly downplayed.
Perhaps once people really fathom just what a rootkit can do to them and how a properly written rootkit will not be detected by their anti-virus software, they'll take the threat more seriously. And in doing so, demand rightful compensation from Sony in lieu of a new audio CD. Are you comfortable with rootkits installed on the computers of your local financial institution? College records? Law enforcement? Wall Street? The military?
When you understand your disbelief in other gods, then you will understand my disbelief in yours.
oops!
While I find your timeline plausible, I think it's only part of the story. It wouldn't surprise me at all if that happened at the START of the project, but I don't find it plausible that they never involved themselves in the software at all. Sony, like any other large scorporation is risk averse, especially in terms of their image. I'm sure they reviewed the software/technical design of what was being suggested by First4. What I don't buy is that Sony distributed software they were so clueless about. Lets face facts, folks: Sony has definitely behaved badly, but they're not stupid. The amount of incompetence required to justify their "duh, we just shipped it" argument is staggering to the point of absurdity.
A consumer boycott could possibly make SONY management act responsibly, meaning they actually admit responsibility for the rootkit, but I doubt it unless the boycott spreads outside of geekdom. Well, maybe. But if it doesn't here's what you can do personally: sue them yourself.
s cbasics.htm
In California (where I live), we have a thing called "Small Claims" court. It's a civil court where an ordinary citizen can sue another ordinary citizen or a company for monetary damages. Punitive damages are not awarded and neither are "pain and suffering" damages. You actually have to have been damaged in a way that cost you money in order to collect in small claims court. The good thing about small claims court is that lawyers are not allowed. The bad thing is if you're suing a corporation they can send an employee (such as a laywer they have on the payroll). This this is a good thing in a way as you will see.
First of all, you need to be damaged by SONY. That's easy: put one of the XCD music CDs in your PC. Of course, you should not do this knowing about the rootkit. But if it happened before you learned about it or if you happened to get one of those XCD disks and didn't notice it then it's a different matter.
Second, you need to pay someone to clean your PC. Make sure you get a receipt.
Third, you need to follow the rules regarding filing a claim, getting court papers served, making sure you're prepared to present your case, etc. All this is here:
http://www.courtinfo.ca.gov/selfhelp/smallclaims/
The neat thing about small claims court is that if the defendant (SONY in this case) doesn't show up, you are entitled to ask for a summary judgment which means you win your case by default. You can then proceed to collect your damages from SONY. Companies tend to pay such claims because the cost of having assets attached and liquidated (such as one of their bank accounts) exeeds the cost of just paying it.
If they send someone it's an employee of the company which means they are paying wages for someone to be there. If you win your case, you've not only made SONY liable for your damages (plus your court costs) you've also cost them probably more than your damages especially if they send one of their legal department lawyers. If you lose, you've still won a moral victory that cost you no more than the cost of one of SONY's CDs and some of your time.
If enough people did this SONY will take notice. So if you've been damaged go for it. If you know someone whose been hit by the rootkit, perhaps they can be urged to do it. You can even make some money on the side if you're the one cleaning the PCs.
It's really quite a simple choice: Life, Death, or Los Angeles.
Yes, Mitnick did time - he got a severe sentence, including solitary. It was out of proportion to his crime because his was an early instance of cracking (the swallow before the summer) and he was made a scapegoat. Also, the press paid great interest partly because of the fascinating story of his pursuit and capture, which the authorities treated as a mission deserving all their energy.
Looking back now, you can't help wondering why all the fuss. Mitnick did pry around some academic, corporate and military related systems but always maintained he did no damage. He certainly seemed to act out of curiosity and as a challenge rather than with malice. He has yet to write his account of the episode.
What Mitnik did pales into insignificance compared with what goes on now - spammers acting with apparent impunity, crackers installing and controlling bots in their tens of thousands, market researchers planting spyware, and even previously respected household names like Sony pushing Trojans onto the unsuspecting public. Activities which seriously threaten the continued viablity of the internet as a medium.
Company directors can be sent to jail, as Mitnik was. However I doubt it will happen because the legal authorities and the public are now punch drunk with misbehaviour in the IT field. They were sharp and keen against Mitnik but now they are weary and cannot be bothered to pursue the wrong-doers.
It is much easier for the authorities to dismiss this case with "Oh well, surely Sony couldn't have meant any harm, could they?"
When the result means recalling Neil Diamond and Celine Dion? More of that in the wild, we do not need!
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
I own a Sony Network Walkman HD-5 and it plays MP3 just fine, thank you.
Isn't that pretty much the only one they have that plays non-ATRAC files? Didn't they release it only after having their asses handed to them with widespread criticisms over the inability of their players to actually work with common MP3 files? You're shading the truth worse than the person you're responding to. Sony is a shit company, and your need to justify your mistake in purchasing their garbage is sad.
F-Secure would probably be facing legal action from Sony if they deliberately prevented Sony's software from running. In the land of the DMCA where a guy who plays chess against the Russians is a traitor and a guy who sells weapons to Iran to give money to a drug dealer is a patriot who knows which way it would go? Either way the antivirus companies lose - viruses and malware produced by companies with major legal clout will most likely be a major headache for the antivirus companies from now own.