Slashdot Mirror


Sony RootKit Still A Problem?

XMilkProject writes "Current research indicates that some "350,000 networks--many belonging to the military and government--contain computers affected by [Sony's rootkit]." This is down from over half a million last month. "The security researcher worked from a list of 9 million domain-name servers.. asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches." Will Sony face future repercussions for this potentially long-term damage?"
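The cache check described in the summary, sketched as an added example (not part of the original post and not the researcher's own code): a DNS query with the recursion-desired bit cleared makes a resolver answer only from its cache, so an admin can see whether a client behind their own resolver has looked up the XCP address. The sample responses and the 192.0.2.10 address are constructed for illustration.

```python
import struct

XCP_HOST = "xcpimages.sonybmg.com"  # address named in the summary above

def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, ending in 0."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_cache_probe(name, txid):
    """A-record query with RD=0, so the resolver will not recurse for us."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: RD clear
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer is two bytes
            return off + 2
        off += 1 + n

def cached_ttls(msg, txid):
    """TTLs of A records in the answer section; [] means nothing was cached."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        return []  # wrong transaction, not a response, or an error RCODE
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 1 and rclass == 1:
            ttls.append(ttl)  # a remaining TTL below the record's full TTL marks a cached entry
    return ttls

# Constructed sample responses (not captured traffic): a cache miss and a hit.
_question = build_cache_probe(XCP_HOST, 0x1234)[12:]
SAMPLE_MISS = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0) + _question
SAMPLE_HIT = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + _question
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2711, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    print("hit:", cached_ttls(SAMPLE_HIT, 0x1234), "miss:", cached_ttls(SAMPLE_MISS, 0x1234))
```

A hit only says that some client of that resolver looked the name up recently; it does not say how many machines did, which is the counting caveat raised further down the thread.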

18 of 268 comments

  1. Get Back On Our Own - Boycott Sony by Py+to+the+Wiz · · Score: 5, Interesting

    I personally don't buy CDs so I wasn't affected but from what I've heard there are some serious problems with the "patch" Sony provided. I'm just a bit curious... Does the patch keep the rootkit permanently disabled and removed? It seems to me that if we put a deviant Sony CD back into our computer that the rootkit would just be reinstalled. Then do we have to run the patch again? This is ridiculous. I do not intend on purchasing any music that has the SONY label on it. This to me is just plain stupid. What gives Sony the right to install deviant software on "MY" PC and then make it stealth so that I don't know it's there. As far as I'm concerned I think that's the lowest a company can go. That's stooping to the level of those bastard red headed step children Spammers/Spyware installer/Virus/worm pushing assholes.

    I'm to the point now watching this ridiculous attempt from Sony to attach its controls on something that I purchase the rights to use/listen/backup and trying to enforce through deviant means. What is this rootkit supposed to do!? They just wanted to install it for the Hell Of It? Nope, it's supposed to reinforce their stupid DRM bullshit and keep me from listening to the music that I paid for. I'm to the end of my rope. I think that there needs to be a group or multiple groups put together that should purposefully break what Sony is trying to do. I've been years out of the programming/Computer industry and thus lack the skills to do it, but I think that we should form Anti-DRM, anti-Sony groups to demolish the protection that they put on their stupid CDs. I will not from this day forward purchase any more music from Sony until they drop their Bullshit practices. I call for a Boycott of Sony's Music. I'm not sure what one man can start, but I'll be damned if I'm going to stand around any longer and watch Sony impose itself on me! They want me to buy their shit, then they want to enforce by deviance their policy, and after all that they hijack my PC for Who knows what! Ahhh! Time for a Revolution. I love my PS2, but am refusing to play it again until SONY stops all this Bullshit! No more video games purchased either. Damn you Sony! Leave me the Hell alone! Stay off of my Computer and my CDs! Damn you!

    With that said, I feel somewhat better, but am still disturbed deep inside that they would have to stoop to that level to try and enforce their protection. Maybe they don't realize that as the sound comes out of the speakers it can be recorded with a MIC and pirated that way, or through LINE OUT. Damn them. Rant Over.

    --
    Fight the fall of slashdot by supporting PlayfullyClever in your sig.
  2. The quote that sums it up by Anonymous Coward · · Score: 5, Interesting


    "While the security issues related to the copy-protection software have apparently affected U.S. government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

    "I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

  3. Apology? by omeg · · Score: 5, Interesting

    By the way, regardless of the magnitude of this problem currently, has Sony ever formally apologized for their damaging rootkit? They've said that most people "shouldn't care", or that it was their "right" to cripple people's computers, but I've not once heard them say sorry. Can anyone clarify?

    1. Re:Apology? by ai3 · · Score: 4, Interesting
  4. Sony's unintended consequences hurts them by digitaldc · · Score: 5, Interesting

    Robert K. Merton listed five causes of unanticipated consequences:
    (I have applied them to Sony's decision to use rootkits)

    1. Ignorance (It is impossible for Sony to anticipate everything.)

    2. Error (Incomplete analysis of the rootkit problem, or following habits that worked in the past but may not apply to the current situation.)

    3. Immediate interest in stopping a computer from copying something, may override long-term interests of sustaining their reputation as honest and trustworthy.

    4. Basic values of trusting your customers may require or prohibit certain actions like installing a rootkit, even if the long-term result might be unfavorable. (These long-term consequences may eventually cause changes in those same basic values.)

    5. Installing malware on people's computers is always a self-defeating prophecy (Fear of some consequence drives people to find solutions before the problem occurs, thus the non-occurrence of the problem is unanticipated.)

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Sony's unintended consequences hurts them by hackstraw · · Score: 2, Interesting

      1. Ignorance (It is impossible for Sony to anticipate everything.)

      2. Error (Incomplete analysis of the rootkit problem, or following habits that worked in the past but may not apply to the current situation.)

      3. Immediate interest in stopping a computer from copying something, may override long-term interests of sustaining their reputation as honest and trustworthy.

      4. Basic values of trusting your customers may require or prohibit certain actions like installing a rootkit, even if the long-term result might be unfavorable. (These long-term consequences may eventually cause changes in those same basic values.)

      5. Installing malware on people's computers is always a self-defeating prophecy (Fear of some consequence drives people to find solutions before the problem occurs, thus the non-occurrence of the problem is unanticipated.)


      This is a pretty good list. The order is significant. I go under the assumption that all wrongdoing is from ignorance. In fact, aside from a simple mistake like forgetting something, slipping on something that you did not see, or whatever, most "errors" are due to ignorance. The other three are too specific to the Sony rootkit to talk about them in general terms.

      The most intolerable wrongdoings are due to greed, which is what Sony did this time. Sure there was ignorance and an error in execution of the crappy software. Like Time-Warner-AOL, Sony has missed the boat. Sony makes electronic equipment. They are one of the best in the world. They also "own" roughly 1/3 of the music available. Why doesn't Sony do like they do with movies? Just sell equipment, new good equipment with new features, and give away the music in new and better formats (SACD, surround sound, 24bit, or something new) so that people are motivated to buy better equipment.

      People diss Sony because of their proprietary formats. Their problem is that they continuously screw up the formats because they are basically the same as open and standard formats. If they gave away media, and the formats were good, they could sell more equipment.

      IMAX is a proprietary format. It's also the best sound and video that anyone can get in the world. Also, IMAX movies are cheaper and better than the crap at the regular movie theater.

  5. Makes you wonder.... by antek9 · · Score: 3, Interesting

    ... what kind of person takes their Sony CDs to work in order to play them on PCs on a military network. Kinda bizarre that that's even possible.

    Makes me sleep better, on the other hand, to see that there are music lovers even there.
    You know how the saying goes: Where one sings you may sit down and sing along, bad people have no song. ;)

    --
    A World in a Grain of Sand / Heaven in a Wild Flower,
    Infinity in the Palm of your Hand / And Eternity in an Hour.
    1. Re:Makes you wonder.... by antiMStroll · · Score: 5, Interesting

      What's implausible is the Sony executives responsible for distributing a hidden exploit aren't basking in the Guantanamo sun. Had this been Swedish or Thai teens you can bet your ass their faces would adorn newspapers worldwide and software giants decrying the vandalism.

  6. Government and Military by mendaliv · · Score: 4, Interesting

    The whole concentration on the fact that military and government computers were infected is a tad sensationalist. You hear military or government and see DARPA or CIA.

    In all odds the machines they're talking about are your typical office machines, used mostly for clerical work. Your network admin might not really worry or care about someone screwing it up; in all odds the people using them don't know enough to mess stuff up that badly.

    I think all this is going to entail is the IT divisions of the important branches of the US government running rebuilds a little ahead of schedule...

  7. Easy (non) solution... by andreMA · · Score: 2, Interesting

    Take away the sonybmg.com domain name. Seems a reasonable punishment for domains used in such a way... Yes, I know the problem of infested machines that remain vulnerable thanks to Sony would still exist.

  8. Sony won't be harmed, users will by Perl-Pusher · · Score: 4, Interesting
    "Will Sony face future repercussions for this potentially long-term damage?"

    Sony won't be harmed at all. But since this incident an Air Force unit I used to belong to can no longer play music CDs on computers. Doing so can result in corporal punishment.

  9. Re:cybercriminals by Anonymous Coward · · Score: 2, Interesting

    I agree. And consider this: If Sony is NOT prosecuted, then we have "lowered the bar" to the point where nobody can be convicted of hacking anything. They might still prosecute hackers for theft, fraud, phishing, etc. but the malicious virus writers will be off the hook. And if the civil class action suits are settled for chump change, then the bad guys could ride on that bandwagon as well. "Your honor, the precedent has been set. Sony deliberately infected millions of PCs. Our research indicates the class action settlement had a net cash value of about $1.00 per class member. Why should my client have to pay any more than Sony did?"

  10. Worst marketing move ever... by vprasad · · Score: 2, Interesting

    Well, second only to Intel's dropping their Pentium brand from their Pentium chips. To quote Weird Al, "It's all about the pentiums, baby"

  11. Government PCs by ArchAbaddon · · Score: 3, Interesting
    "350,000 networks--many belonging to the military and government..."

    I used to do assistant net admin in the armed forces, and it's amazing how little security there is on most military computer networks. They don't allow DHCP, but as the admin I found that there were no lockdowns on installing software like AIM and such. Only problem was, network security was dictated by higher commands, so I could do nothing but watchdog the system.

    So it's really no surprise to me to see this rootkit affecting so many military and government compys, given their lack of concern about system security.

  12. exactly correct by Anonymous Coward · · Score: 5, Interesting

    The Sony rootkit fiasco is an example of criminal conduct, not a civil tort matter. Why some high level Sony USA execs aren't in the slammer now is beyond me. Like you said, if some teenage scripter had done this, they would be facing 30 years or something, but because it's a large important company they are facing a few fines.

  13. Sony won't be harmed, IT Admins will by geobeck · · Score: 2, Interesting

    This damned rootkit certainly continues to be a problem, because 95% of the population has no clue that this fiasco ever occurred, or even cares what label produces their music CDs.

    I had someone call me last week, complaining that Nero wouldn't copy her music CD. "It says I have the wrong CD," she said. I went to her office, looked at the CD box, and saw Sony/BMG. Considering the fact that I e-mailed all of my users two months ago about this problem, this called for an immediate and severe penalty: replacement of her computer with The Spare while I cleaned it up.

    I have since advised all of my users that if they have any Sony music CDs purchased within the last year, they should take them back where they bought them and demand a refund because of the illegal malware they contain. I don't really expect any action on that request though; rather I expect another few calls like the one last week.

    The worst part is that this is my day job, so I can't even bill extra time for it.

    --
    Find environmentally and socially responsible products on http://buy-right.net
  14. Never made sense by SiliconEntity · · Score: 3, Interesting
    Those figures reported for the rootkit infections never made sense. Half a million computers? As respected security expert Bruce Schneier noted:

    "Even more interesting is that there may be at least half a million infected computers... I say 'may be at least' because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business."

    As Schneier notes, these are not big selling CDs. Here is the list from the EFF link above:
    Trey Anastasio, Shine (Columbia)
    Celine Dion, On ne Change Pas (Epic)
    Neil Diamond, 12 Songs (Columbia)
    Our Lady Peace, Healthy in Paranoid Times (Columbia)
    Chris Botti, To Love Again (Columbia)
    Van Zant, Get Right with the Man (Columbia)
    Switchfoot, Nothing is Sound (Columbia)
    The Coral, The Invisible Invasion (Columbia)
    Acceptance, Phantoms (Columbia)
    Susie Suh, Susie Suh (Epic)
    Amerie, Touch (Columbia)
    Life of Agony, Broken Valley (Epic)
    Horace Silver Quintet, Silver's Blue (Epic Legacy)
    Gerry Mulligan, Jeru (Columbia Legacy)
    Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
    The Bad Plus, Suspicious Activity (Columbia)
    The Dead 60s, The Dead 60s (Epic)
    Dion, The Essential Dion (Columbia Legacy)
    Natasha Bedingfield, Unwritten (Epic)
    Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)
    While Dan Kaminsky's methodology seems basically sound, if the results don't add up it suggests that there is something else going on. Maybe somehow each computer queried more than one DNS server, or some similar effect occurred to artificially inflate the number of computers he is counting.
  15. Re:New security rule -- can't play music CDs by wolfman1 · · Score: 2, Interesting

    As an administrator of an 80-node (both PC and Mac) campus, I just instituted this security rule with all of my users mainly because of the Sony rootkit exploit. Albeit, the Corporate policy is that Company computer resources should only be used for business purposes, and playing music CDs on your computer isn't a business purpose.

    The less problems I can proactively prevent BEFORE I have a problem is less work that I have to do to fix the problem AFTER something sneaks up.