Slashdot Mirror
Sony RootKit Still A Problem?
XMilkProject writes "Current research indicates that some "350,000 networks--many belonging to the military and government--contain computers affected by [Sony's rootkit]." This is down from over half a million last month. "The security researcher worked from a list of 9 million domain-name servers.. asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches." Will Sony face future repercussions for this potentially long-term damage?"
The first rule of the Sony Rootkit is that we do not talk about the Sony Rootkit.
The second rule of the Sony Rootkit is that we DO NOT TALK about the Sony Rootkit.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
Because new music sucks.
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
NOSY
I personally don't buy CDs so I wasn't affected but from what I've heard there are some serious problems with the "patch" Sony provided. I'm just a bit curious... Does the patch keep the rootkit permanently disabled and removed? It seems to me that if we put a deviant Sony CD back into our computer that the rootkit would just be reinstalled. Then do we have to run the patch again? This is rediculous. I've do not intend on purchasing any music that has the SONY lable on it. This to me is just plain stupid. What gives Sony the right to install deviant software on "MY" pc and then make it stealth so that I don't know it's there. As far as I'm concerned I think that's the lowest a company can go. That's stooping to the level of those bastard red headed step children Spammers/Spyware installer/Virus/worm pushing assholes.
I'm to the point now watching this rediculous attempt from Sony to attach it's controls on something that I purchase the rights to use/listen/backup and trying to enforce through deviant means. What is this rootkit supposed to do!? They just wanted to install it for the Hell Of It? Nope, it's supposed to reinforce their stupid DRM bullshit and keep me from listening to the music that I paid for. I'm to the end of my rope. I think that there needs to be a group or mutiple groups put together that should purposefully break what Sony is trying to do. I've been years out of the programming/Computer industry and thus lack the skills to do it, but I think that we should form Anti-DRM, anti-Sony groups to demolish the protection that they put on their stupid CD's. I will not from this day forward purchase anymore music from Sony until they drop their Bullshit practices. I call for a Boycot of Sony's Music. I'm not sure what one man can start, but I'll be damned if I'm going to stand around any longer and watch Sony impose itself on me! They want me to buy their shit, then they want to enforce by deviance their policy, and after all that they hijack my PC for WHo knows what! Ahhh! Time for a Revolution. I love my PS2, but am refusing to play it again until SONY stops all this Bullshit! No more video games purchased either. Damn you Sony! Leave me the Hell alone! Stay off of my Computer and my CD's! Damn you!
With that said, I feel somewhat better, but am still disturbed deep inside that they would have to stoop to that level to try and enforce their protection. Maybe they don't realize that as the sound comes out of the speakers it can be recorded with a MIC and pirated that way, or through LINE OUT. Damn them. Rant Over.
Fight the fall of slashdot by supporting PlayfullyClever in your sig.
"While the security issues related to the copy-protection software have apparently affected U.S. government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.
"I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."
By the way, regardless of the magnitude of this problem currently, has Sony ever formally apologized for their damaging rootkit? They've said that most people "shouldn't care", or that it was their "right" to cripple people's computers, but I've not once heard them say sorry. Can anyone clarify?
Will Sony face future repercussions for this potentially long-term damage?
Probably not. They're already getting off somewhat easy for the original hubub.
There are only 10 kinds of people in this world... those who understand binary and those who don't
If you look at the settlement in the New York District court it is nothing more than a slap on the wrist. Sony knowingly infected computers with what amounts to a trojan horse. In return they have to pay a little money and promise not to do it again. That's insane when you consider the witch hunts that have taken place for 16 year-old kids releasing a virus. Sony needs to pay and pay dearly for their deliberate criminal actions. The government always wants to send hackers a strong message...well then the same applies to corporations!
http://religiousfreaks.com/"Will Sony face future repercussions for this potentially long-term damage?"
No they won't because they're a huge multinational corporation who will probably layoff some employees and reward their top execs from the whole ordeal. I'm not trying to be some hippie about this, it's just the way the world works.
Security through Obscurity.
Proof by very large bribes. QED.
Robert K. Merton listed five causes of unanticipated consequences:
(I have applied them to Sony's decision to use rootkits)
1. Ignorance (It is impossible for Sony to anticipate everything.)
2. Error (Incomplete analysis of the rootkit problem, or following habits that worked in the past but may not apply to the current situation.)
3. Immediate interest in stopping a computer from copying something, may override long-term interests of sustaining their reputation as honest and trustworthy.
4. Basic values of trusting your customers may require or prohibit certain actions like installing a rootkit, even if the long-term result might be unfavorable. (These long-term consequences may eventually cause changes in those same basic values.)
5. Installing malware on people's computers is always a self-defeating prophesy (Fear of some consequence drives people to find solutions before the problem occurs, thus the non-occurrence of the problem is unanticipated.)
He who knows best knows how little he knows. - Thomas Jefferson
... what kind of person takes their Sony CDs to work in order to play them on PCs on a military network. Kinda bizarre that that's even possible.
;)
Makes me sleep better, on the other hand, to see that there are music lovers even there.
You know how the saying goes: Where one sings you may sit down and sing along, bad people have no song.
A World in a Grain of Sand / Heaven in a Wild Flower,
Infinity in the Palm of your Hand / And Eternity in an Hour.
Will Sony face future repercussions for this potentially long-term damage?
Of course not. They may pay a (relatively) small fine or two, but a quick a donation to a politician here and there, and that'll be all she wrote.
The whole concentration on the fact that military and government computers were infected is a tad sensationalist. You hear military or government and see DARPA or CIA.
In all odds the machines they're talking about are your typical office machines, used mostly for clerical work. Your network admin might not really worry or care about someone screwing it up; in all odds the people using them don't know enough to mess stuff up that badly.
I think all this is going to entail is the IT divisions of the important branches of the US government running rebuilds a little ahead of schedule...
Take away the sonybmg.com domain name. Seems a reasonable punishment for domains used in such a way... Yes, I know the problem of infested machines that remain vulnerable thanks to Sony would still exist.
Sony won't be harmed at all. But since this incident an Air Force unit I used to belong to can no play music cd's on computers. Doing so can result in corporal punishment.
Part of the problem with the Sony Rootkit is the fact that many stores **STILL** are selling the rootkit enhanced CDs.
I personally have seen this at several Borders stores in my area, and each time I mention this to the management I recieve blank "deer in the headlights" looks.
Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
...I heard somewhere that if you play these new Sony CD(s) backwards, the rootkit data will say, "yur sole iss miiine. yur sole iss miine. Haaaaale Goooooogle! Whaaaaaat issss thigh bidding miii massster? RaaaaaaaaaaAaAaaAaaa!" ...and a plume of blood will shoot out of your CD tray and melt your face like that dude from Raiders of the Lost Ark.
\\//_
Sony == Dangerous to my PC
What a great way to promote a brand.
it's a blue bright blue Saturday hey hey
I agree. And consider this: If Sony is NOT prosecuted, then we have "lowered the bar" to the point where nobody can be convicted of hacking anything. They might still prosecute hackers for theft, fraud, phising, etc. but the malicious virus writers will be off the hook. And if the civil class action suits are settled for chump change, then the bad guys could ride on that bandwagon as well. "Your honor, the precendent has been set. Sony deliberately infected millions of PCs. Our research indicates the class action settlement had a net cash value of about $1.00 per class member. Why should my client have to pay any more than Sony did?"
Sadly, not only will Sony face no long term damage, but this will be a blockbuster year for them as they release PS3 and millions of quick-to-forget Slashdotters rush out to buy a PS3.
If consumers were smart, they'd go buy a Nintendo Revolution - or even an Xbox - and intentionally skip the next Playstation. Unfortunately, they won't, because their souls are fueled by acquisition and shiny-new-toy syndrome.
Well, second only to Intel's dropping their Pentium brand from their Pentium chips. To quote Weird Al, "It's all about the pentiums, baby"
See Sony does things like this and its called a mistake. A hacker does something much less, and its call terrorism. Go USA!
"Slashdot, where telling the truth is overrated but lying is insightful."
- A $5 limit on damages
- The requirement that you must sue Sony in New York
Once the settlement is official, Sony will have opened themselves up, such that they can be sued in court anywhere in the United States.Small claims court is the most likely venue, because you don't really need a lawyer to represent yourself and if Sony doesn't send a representative, you get a default judgement.
Collecting might be a bitch, but in this case, it definitely won't be the lawyers making all the money.
[Fuck Beta]
o0t!
The answer is clear. The U.S. must invade Japan to overthrow the government responsible for this cyber terrorism.
I used to do assistant net admn in the armed forces, and it's amazing how little security there is on most military computer networks. They don't allow DHCP, but as the admin I found that there were no lockdowns on installing software like AIM and such. Only problem was, network security was dictated by higher commands, so I could do nothing but watchdog the system.
So it's really no suprise to me to so this rootkit affecting so many military and government compys, given their lack of conecern about system security.
You do a non-recursive lookup.
[root@kryten pete]# nslookup
> set norecurse
> www.xmob.co.uk
Server: 192.168.0.1
Address: 192.168.0.1#53
Name: www.xmob.co.uk
Address: 217.77.184.55
> www.microsoft.com
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
*** Can't find www.microsoft.com: No answer
>
Your new Sony-BMG non-standards compliant music disc contains the Pwned.exe wonderful pretty music player. Click here to hear the music you've already paid for. Remember, you cannot return opened CD's for any refund. Have a nice day!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The sony rootkit fiasco is an example of criminal conduct, not a civil tort matter. Why some high level Sony USA execs aren't in the slammer now is beyond me. Like you said, if some teenage scripter had done this, they would be facing 30 years or something, but because it's a large important company they are facing a few fines.
This damned rootkit certainly continues to be a problem, because 95% of the population has no clue that this fiasco ever occurred, or even cares what label produces their music CDs.
I had someone call me last week, complaining that Nero wouldn't copy her music CD. "It says I have the wrong CD," she said. I went to her office, looked at the CD box, and saw Sony/BMG. Considering the fact that I e-mailed all of my users two months ago about this problem, this called for an immediate and severe penalty: replacement of her computer with The Spare while I cleaned it up.
I have since advised all of my users that if they have any Sony music CDs purchased within the last year, they should take them back where they bought them and demand a refund because of the illegal malware they contain. I don't really expect any action on that request though; rather I expect another few calls like the one last week.
The worst part is that this is my day job, so I can't even bill extra time for it.
Find environmentally and socially responsible products on http://buy-right.net
From the article: "I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."
I think this is a larger problem - that Sony can do what is clearly an unauthorised incursion into the core of someone's computer without being sued.
2.1 million cds have been sold. So something of the order of magnitude of 2.1 million computers have been infected by this rogue code. Many viruses don't achieve this level of penetration!!!! I doubt the combined force of slashdot readers has achieved this level of penetration either! hehe
If an individual had perpetrated this, whether or not he had the best intentions he would be arrested immediately. But Sony because it has such a strong brand, has only been sued in a few US states by a few Attourney Generals. Despite this being without any doubt prosecutable at the highest level.
I hate to whinge on about this but why on earth are coporations less obliged to follow the law of the land than individuals!! Its a joke.
SURELY NOT!!!!!
As opposed to reading /. ?
"Even more interesting is that there may be at least half a million infected computers... I say 'may be at least' because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business."
As Schneir notes, these are not big selling CDs. Here is the list from the EFF link above:While Dan Kaminsky's methodology seems basically sound, if the results don't add up it suggests that there is something else going on. Maybe somehow each computer queried more than one DNS server, or some similar effect occured to artifically inflate the number of computers he is counting.
... for at least a year. That's what I'm doing, even though I didn't buy any affected CDs. Yes, they did make token attempts to make things better for some victims, but they NEED to suffer a while for such a stupid decision. Any company that thinks it's OK to install malware on their paying customers' computers does not deserve my business, and it does not deserve yours.
Yes, I know that SONY is a huge company with lots of independent decisions. But it's all one corporation, and it needs to feel pain for this stupidity. Its size just gives us more opportunities to boycott it. No Sony tapes, no Sony TVs, no Sony cameras, no SONY nothing until this year is over.
The boycott needs to be for a limited time; that's why I said a year. If we never start buying from them again, then they lost us no matter what. If the boycott is for a finite time, then they know they can sell to us again ---- as long as they don't repeat this silliness. If they do, they should expect more pain.
I got the new Leo Kottke / Mike Gordon CD (it's really good, btw) and it has this alleged "copy protection" on it. I never knew about it was on this CD until I read about later. I have autoplay turned off, and I use CDEX to make mp3s (for my iRiver H120). Everything worked just peachy. Rootkit, schmootkit, I can't believe I'm that unusual, especially in the /. crowd. This only affected people who aren't afraid to agree to license agreements.
Now I understand how Joe computer user could get infected, and hey, it's Sony, I can trust them right?
Even though I was able to avoid the copy protection without even knowing about it, I'm still gonna trade it in for a non DRM version, if they are offered.
I think that what is needed, is an Explorer plugin, to be made freely and widely available, which circumvents this "cloaking" technology (using Mark Russinovich's term).
If all of this "cloaking" crap were to be made irrelevant, then these kinds of things would no longer be a security issue - it would return administrative control over machines to the machine's owner. Whether that's Symantec's cloaking for their recycle bin, or whether it's Sony's rootkit, or anything else.
Computer owners don't need a corporate nanny protecting them from shooting themselves in the foot. Good software design does that. Not sneak tactics.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
...if you clicked 'Don't Agree' to it and the rootkit installs itself anyway.
That's Tron, he fights for the users.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
As an administrator of a 80 node (both PC and Mac) campus, I just instituted this security rule with all of my users mainly because of the Sony rootkit exploit. Albeit, the Corporate policy is that Company computer resources should only be used for business purposes, and playing music CDs on your computer isn't a business purpose.
The less problems I can proactively prevent BEFORE I have a problem is less work that I have to do to fix the problem AFTER something sneaks up.