Sony Rootkit may Lead to Regulation
An anonymous reader writes "Computerworld has a story about DHS officials meeting with Sony to read them the riot act, following the rootkit fiasco. From the story: 'A U.S. Department of Homeland Security (DHS) official warned today that if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow.'"
Would be a nice thing!
www.weberseite.at
Why are people not in jail for this yet?
(yes, that was a rhetorical question).
smash.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
The world runs on money.
"The recent Sony experience..." This phrase makes me wonder if Sony is going to be a catch phrase.
"I just bought a DVD with rootkit software on it."
"You've been Sony-ed", or,
"That's the Sony experience!"
Sony's root kit disabled the Department of Homeland Security's root kit. I can see why they might be miffed.
So they have not been punished for their crime,
They are not even being told they will get punished if they do it again,
It seems to say, if you do it again, only then will we make it illegal so you can't do it a third time.
(Gee, I'll have to try that one next time I get busted by the cops - it's only my first offence, officer, you shouldn't lock me up until I've done it at least 3 times)
Ohh, you mean legalization and decriminalization of these behaviors, so that this does not become an issue again. Anything less than a total ban, backed up by some serious time in a federal pound you in the ass facility, means that someone has been bought out.
Wasn't that delivery service Ace Ventura worked for?
All hope abandon ye who enter here.
I suppose the time has finally come when we side with music companies and hope they'll make a new rootkit. :-)
Beware: In C++, your friends can see your privates!
Let's hope the industry learns soon. There are recent products shipping with rootkits on them like the German release of Mr. and Mrs. Smith. http://www.f-secure.com/weblog/archives/archive-022006.html#00000810
The government isn't too happy about the corporations stealing their moves.
To cover themselves, they have to make an example of someone, so why not Sony, a brand name everyone knows?
If this sort of thing goes to trial, it'll be settled out of court.
The corporate lobbyists will do their part to ensure that companies won't be held accountable should their DRM contain malware discovered in future products.
Hooray!
I told my senator to tell the RIAA and Sony to go f##k themselves... I guess he listened.
Why merely threaten legislation if it continues to happen? Laws against "products with dangerous rootkit software" wouldn't seem to harm anyone. Enact the legislation now.
Well, when these industries finance these governments, of course you get to make (and break) the rules. There ought to be legislation that prevents career politicians. This "I'll scratch your back if you scratch mine" mentality in government is sickening. And people wonder why the young ones don't go out and vote...
On a related note, I recently sold my Sony home audio equipment. My future upgrades will not be Sony branded.
(OT: my God, why am I up this early?)
From TFA:
I guess that depends on what you mean by malicious. As far as I'm concerned, anyone who distributes trojans is either malicious, or mentally insane — on the same level as the man who thinks he's a poached egg.
You mean this was legal?
Red Leader Standing By!
While Sony's software was distributed without malicious intent, the DHS is worried that a similar situation could occur again, this time with more serious consequences. "It's a potential vulnerability that's of strong concern to the department," Frenkel said.
Would someone please define malicious? I think it WAS malicious.
------------
The American Heritage dictionary:
malicious (m-lsh's) pronunciation
adj.
Having the nature of or resulting from malice; deliberately harmful; spiteful.
-------------
Thompson-Gale Legal Encyclopedia:
Malicious
Involving malice; characterized by wicked or mischievous motives or intentions.
An act done maliciously is one that is wrongful and performed willfully or intentionally, and without legal justification.
--------------
I'd say that given Sony's generally aggressive posture with regards to personal/individual fair use and copyright infringement, I think they could easily be characterized using words like "angry" and "vengeful." And regardless of the emotional component, it was certainly wrongful, willful, intentional and without legal justification.
do as we say, not as we do.
To have the government threaten to enact legislation is like having a parent wave their finger at a naughty child warning him not to break ANY MORE of the neighbor's windows.
Laws have already been broken and all we're seeing is warnings implying this may be made illegal in the future.
Last time I checked, the DHS doesn't work for the Legislature. Their job begins and ends with enforcing the existing laws.
If you were blocking sigs, you wouldn't have to read this.
Should it not read RICO act?
...thinks that DHS would love for this to happen again.
I could almost see them thinking, . o O (...and the best way to do it would be to stringently regulate consumers' computers, so that we can watch for intrusions of this sort in future and prepare for them. Oh, do it again Sony? Ohpleaseohpleaseohpleaseohsnausagesohplease!)
You cannot truly appreciate Dilbert until you read it in the original Klingon.
A 17 year old writing a stupid trojan that does little but spread receives a 2 year sentence in jail and is only safe from compensation since companies didn't want to have the public know their systems are insecure.
... yeahsure) receives... a recommendation not to do anything like this again or else we might have to think about creating laws banning this behaviour (hey, those laws exist, enact them!).
Read: Juvenile dick-waving without commercial interest -> 2 years prison.
A large corporation spreading a rootkit with their product to their paying customer with the intent to cripple their customer's software performance (not being able to use it as intended, by manufacturer or user) that also has the capability of spying on their behaviour (allegedly they didn't use that function, but
Read: Commercial malevolent infiltration of customers' computers -> Nada.
The world sure is changing. When I was still in school, adding "commercial" to a crime sure upped your sentence by some magnitude. Nowadays it seems to be your "get out of jail" card if you commit a crime with financial interest.
Al Capone simply died too early. He'd love these times.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
No mention of Brad Pitt? Has he fallen so far that Jolie is an "American film star" and he isn't? (Not that this has anything to do with the meat of the article, but I thought it a little odd.)
The main bulk of the article is about a recent speech where the director of law enforcement policy talked about how companies should be careful about how they implement copy protection and how it should not damage or surprise users in how it works.
In there is a small paragraph mentioning that DHS had a talk with Sony and that what they did "was not a useful thing", which becomes the main thing.
The thing that should have been focused on was the message from DHS that companies should not defeat the security measures that people have in place on their computers.
And Sony profited from it too.
I was about to download the demo for Battle for Middle Earth 2 the other day, only to read that the goddamn DEMO comes with the StarForce malware.
According to Wikipedia, Ubi Soft, Digital Jesters and Codemasters routinely use StarForce on new games. Forget about consoles, THIS is what might kill PC gaming permanently.
Being bitter is drinking poison and hoping someone else will die
If you are looking for a good reference to understand a rootkit I recommend Matt Vea's article "Rootkits: The 'r00t' of Digital Evil." He wrote it back in November when the Sony fiasco was first revealed. Link: http://www.omninerd.com/2005/11/22/articles/43
Uh, how about prosecution.
Take off every sig. For great justice.
The important thing to keep in mind is that, while SONY may have a software division, the product sold wasn't even a software product at all, and no disclosure of a software product was discussed in any terms of sale, etc. The whole software angle was completely surreptitious. It's not just "software distributors" that need policing here. When it boils down to it, this SONY division had no business "engineering" software into their product; they had little grasp of the ethics or the technical implications of what they were doing... or at least that's what they tell us now. For all we know, they were fully aware and just did it anyway thinking plausible deniability was all they would need when it came to light. If indeed they thought so, they would seem to have been prescient - nothing has happened because of it. I for one am a bit surprised at that.
Can I bum a sig? I left mine at the office.
for distributing Celine Dion CDs. I don't mind rootkit (haven't bought "CD" in 10 years), but for Pete's sake, someone feed that woman.
"Don't let fools fool you. They are the clever ones."
The CB App. What's your 20?
it doesn't matter if they do it again.
FTA: if software distributors continue to sell products with dangerous rootkit software, as Sony BMG Music Entertainment recently did, legislation or regulation could follow.
Sony/BMG doesn't have to make another rootkit: if they sell any more CDs with the Win32-$sys$rootkit worm, DHS will introduce the legislation or regulation to stop them. Considering Sony/BMG's slow response to the rootkit's publicity, and that items with the rootkit are still out there getting sold, Sony/BMG is going to get burned.
Besides, I thought willful distribution of computer virii and worms was already illegal.. Why doesn't someone just enforce the existing laws? Isn't there an Act on this?
Interesting. I will wait with interest to see whether any such legislation can be created that does not also force a ruling against the software embedded in new DVD drives that will let remote attackers brick your hardware. In particular, this will be quite fun if there is a system driver that gets installed (r00tkit!) which enforces the process across all copy operations. I think the definition of rootkit is a slippery sliding thing and you could even say Microsoft supplies them if you didn't know about it when purchasing Windows, or if it gets installed in an automated update (e.g. of Media Player).
...is to buy the technology so they can keep an eye on all you terrorists out there ;)
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I recently (about 2 weeks ago) had to buy two new monitors for my office. My business partner mentioned she saw a sale on some Sony LCD -- I said "no way" and we got something else. Had Sony not gone out of its way to be evil, I would've said "sure".
How coincidental! I was recently invited to speak at an anti-war rally in the US, however since I'm boycotting America due to my opinion of her government's recent activities in Iraq I said "No way!". Perhaps we should get together sometime to compare notes on the reconstructive facial surgery we'll both be needing.
I'm sure good things will come of this. :/
You better hide the rootkit better next time so even the geeks can't find it or we might have to make an effort to save face around here. ...Have another of those suitcases filled with hundreds handy?
Given the raft of class action lawsuits launched against Sony, and the subsequent restrictions on TPM (technological protection measures) software they can use, would any company dare risk including root-kit like TPM's? At the end of the day the risk-benefit analysis will rule it out without the need for legal intervention surely?
If the rootkit that was installed took me a few hours to uninstall and/or fix my system, why can't I claim damages? (like any other business hacked into!) My time is worth something.
If everyone who had the rootkit installed, had to call Geeksquad to restore their computer to working order, AND shell out folding green dollars for their service, that is REAL monetary damages.
My Doctor prescribed daily nasal saline irrigation, hehe
On a side note, Sony BMG settled the class action lawsuit filed against them by the EFF. If you want replacement CDs released by Sony BMG that don't have XCP or MediaMax on them, head to http://www.eff.org/sony for more info.
It's your chance to stick it to the man.
In Japan only Old People whine about rootkits
Ubuntu is an African word meaning 'I can't configure Debian'
So why should they not be prosecuted under the Computer Fraud and Abuse Act (US CODE TITLE 18 > PART I > CHAPTER 47 > 1030)? And why shouldn't a of their executives be in jail -- with ten-year terms instead of five, for invading national-security systems?
"My opinions are my own, and I've got *lots* of them!"
I've often wondered why things like this rootkit exist in the first place. Does Sony only employ those who are morally bankrupt? Surely someone at some point in Sony would have said "Hey, this is kinda evil".
That gives me an idea! Let's get a bunch of geeks with a twisted sense of humor together and buy Steve Ballmer a futon shaped as a torpedo!
Why can't the market just dictate that companies can't hide 'root kits' on their music CDs?
If people just stop buying their crap, they will change how they do business or go out of business.
Many states already have laws that make unauthorized access to a computer system a crime!!!
Check out 18 USC 1030 - Fraud in connection with computers
Subsection (3) states that anyone who "intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States" and causes damage is in deep poop.
Imagine a Department of Defense employee on a secure computer popping in a Sony Rootkit CD - woops!
There is no need to qualify 'dangerous' software. Anything that does things behind your back is dangerous. Look up the word misfeasance.
As there was no means to 'undo' or uninstall completely, the damage was compounded, and the window of exposure undefined.
Maybe they are stupid, and unaware of all the other rootkits, and have not considered that rootkit combinations may lead to other horrible consequences.
Time to make things that don't uninstall, flat out illegal, and triple damages for misrepresentations about same.
How lax can they get?! When you hurt millions of people, you get punished. So, if Sony puts out another rootkit, will they be at all worried about repercussions? Hell no! They just got away with it.
Want to find other gamers to play board and role playing game
It's only been a little over 3 months since the Sony rootkit story was all over the news. It's heartwarming to see the sort of speed at which the Department of Homeland Security operates. I'll bet it makes you feel ever so safe to think that these are the same people in charge of combating terrorism...
My sig is too lon
How many of you have sold your PS2?
Unfortunately all the boycotting us /.'ers partake in won't pay off in the end. It is hard to boycott a company effectively whose business timeline is as follows:
1. Declining Music Sales... Blame Piracy
2. Release Trojan Rootkit to Fight Piracy... (damn kids)
3. Consumers boycott all Sony products
4. Further Declining Music Sales and Now Declining Sales in All Product Lines
5. Blame Piracy
6. Call Government Buddies and Release Series of Laws/Rootkits Oppressing Consumers
Damn corporate nation we live in today, and the Bush administration is doing anything but helping.
Cheesy Movie Night
DHS -vs- Sony?!?! I mean, it's kinda like that movie where Freddie Kruger and Jason Voorhees fight each other; which one should we root for?
Disclaimer The comments above should in no way be considered a comparison between the characters in that movie and the parties mentioned in the article. Any similarities are purely coincidental and the reference was made solely to illustrate the relative difficulty of determining a "favorite" in the contest.
In other words: Freddie and Jason, please don't be offended!
This space intentionally left (almost) blank.
Of course this has been discussed before, but I think it's important to set the record straight for the DHS. Sony did indeed have malicious intentions by providing software that fought the fair use rights of a user, and their intentions are further malicious by the fact that they hid their software.
The rootkit problem only came because Sony was acting maliciously (sp?) in the first place.
"And we have seen and do testify that the Father sent the Son to be the Savior of the World"
1 John 4:14
I haven't. It still plays the games that I already own. I just won't buy new games or anything down the road from them.
Or Aliens vs. Predators? Never saw it, but I'd have to pull for the Predators since they, at least, don't lay eggs in your belly. (Or leave rootkits on your HD.)
Hate to say it, but the Sony rootkit fiasco replaced SCO shenanigans as favorite topic on /.
They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
In the future, all corporate root-kits distributed in the USA must be approved by DHS. To garner this approval, they must include a readily accessible back door:
logon: Agency
password: No Such
"Shareholders" are about as identifiable as "terrorists." Let's cut through the bullshit on this one.
When you count out who the majority VOTING shareholders are, you will find that a vast majority of the time, they are the same decision makers who are citing "will of the shareholders." It's bullshit. A doctor should do no harm regardless of who pays his fees. A corporation should do no evil regardless of shareholder interest or profit-making directives. The decision of HOW to go about making profit was made by people and THOSE people should be held accountable for those decisions.
I mean, there probably isn't legislation that says "Record Companies may not secretly install rootkits from music CDs", but it seems like a clear cut case of good ol' fashioned fraud to me.
I don't think legislation is going to do anything... if they aren't enforcing the laws against fraud now, what makes us think they will do it with a new law?
All in a long thought out process to force DRM code onto all computers, (Trusted Computing)
'non-approved' thoughts, ideas, or free press will trigger an 'invalid DRM certificate' warning,
so that PC users can not see, can not hear, can not read content that is not approved by the State (and Corporations).
Sony's RootKit was basically a proof of concept - they could attack and compromise corporate and government computers without even trying hard. Where is the report telling how many government, military, and infrastructure systems were infected by the Sony Rootkit Trojan? (How much did the clean up cost U.S. Taxpayers?)
The question is, once Sony/BMG has a list of compromised computers (generated by the RootKit's phone home routines) - who do they sell that information to?
Obviously such information could earn Sony/BMG serious profits - sold to the highest bidders.
The DHS should see Electronic Warfare as a Threat, not as a naughty little corporate boo boo.
Electronic Warfare - even if you call it DRM copy protection - is STILL - Electronic Warfare.
Rootkits should not only bring serious response from the DHS, but also from the DOD.
Don't Mess with the U.S.
All I want to know is where is the class action lawsuit? I'm glad Sony is being taken to task by DHS, the media, etc. But sue their asses, please.
I'm curious where you read that StarForce was on the Battle for Middle Earth 2 demo. Battle for Middle Earth 2 is EA, which doesn't use StarForce. Plus, based on the way the Wiki says Star Force works, it relies on physical media, which wouldn't be included with a downloaded demo in an active form (no key, no activation, nothing to protect).
So I guess Sony is the new official Slashdot punching bag ... till the PS/3 comes out.
[Insert pithy quote here]
For the last year and half or so, we have been prohibited from bringing music CDs to work due to security concerns. We all thought that was a bit drastic at the time but Sony has proven that the policy is totally warranted. Thanks Sony!
I will be looking to other brands when I need to buy something.
Why is DHS the one that is playing enforcer here? How does policing corporations in private fit into their responsibilities of providing homeland security?
With computer crimes there's some kind of investigation from local and federal law enforcement (FBI maybe?) and maybe a public hearing or two to give the appearance to voters that something is going to be done.
Please point out the obvious here because I'm missing it.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
1. Infect one PC and you are a hacker.
2. Infect thousands and you are a DRM vendor.
3. Infect them all and you are Microsoft.
To paraphrase that quote:
1. Infect thousands of PCs, donate millions to Republicans, and escape with a $7.50 "settlement".
2. Infect thousands of PCs trying to learn "worm programming" in school, and go to jail for 12 months
3. Infect thousands of PC's, from Russia, and escape !
So i guess Sony belongs to the first variety. I guess lawyers should seriously notice this settlement of sony and cite that as a legal precedent when defending legitimate hackers in court.
"Doing what i can, with what i have." ~ Burt Gummer
Because the world doesn't actually work like that. It's as simple as that. Economics is not about claiming how the world SHOULD work and pretending that it does. It's about recognizing how the world DOES work and trying to optimize our decisions and policies to fit that moving target.
Specifically, there are things the consumer cannot be expected to know about or fully understand the implications of. As a good example: India, which has virtually no iodine left in its farmland, and thus in its food products, mandated iodized salt (iodine being absolutely critical to proper mental development in children). The powerful and ancient salt industry in India protested that this was changing the way they had operated for thousands of years, and that consumers should be allowed to choose their own salt. The government caved. So now, there is traditional salt and slightly more expensive iodized salt. The general population has no idea what the benefit of iodized salt is, and buys the cheaper stuff, and India has a veritable epidemic of under and mal-developed mental capacity in their current generation of children as a result. There are things the market fscks up royally, and adherence to either tradition or the great myth of the free market is not to be preferred to the health of a population or the security of a nation's infrastructure.
That, and as has been noted, hiding root kits is, by its very nature, something that people are not intended to be able to base their buying decisions on. It's like claiming that the market should correct for false advertisement.
Could DHS want to branch out into software development, testing and support?
Could you imagine the EULA!
We should however be careful that the rootkit mess is not used as an excuse to legislate rules into all commercial software, like DHS backdoors and overrides.
It really bugs me that DHS and generally everyone else are looking at this issue as if the security vulnerabilities in the Sony rootkit are the main issue. And perhaps it is to them, but not to me. The real issue is that Sony is installing software on computers without the owner's permission, and it's software that intentionally hobbles hardware/software you paid for. That's like being upset, not because a thief stole your TV, but because he left the back door unlocked when he left.
"The Consumer Product Safety Commission today announced a recall for all Sony music CDs produced since 2003. If you have a CD from any of the labels listed below, return it by mailing it to the address below and you will receive a free, safe, replacement. Call 800-BAD-SONY for a free return mailer."
"The Department of Homeland Security announced today that all Sony music CDs shipped into the US will be stopped at customs and destroyed as a hazardous item."
"The Justice Department announced the arrest of five Sony executives for violations of the Computer Fraud and Abuse Act. Sony music CDs with the "trojan horse" were said to violate the "exceeds authorized access" provision of the act. "This is simple hacking and computer crime", said a DOJ spokesman".
"Eliot Spitzer, New York State Attorney General, announced a $1.5 billion lawsuit against Sony for causing damage to computers in New York State. "We have hundreds of firms in New York State trying to get this back door out of their computers. There are confirmed reports that the Brooklyn Mafia has been using this back door to steal credit card numbers. Sony has given organized crime a big boost here, and they're not getting away with it". The California and Texas AGs are expected to file similar suits next week."
I wouldn't exactly call doing an informal DDOS on a school web site a terrorist attack on national infrastructure, and I doubt Sony's right to make money comes from God.
Oh, no, the web site of a small school in rural Arkansas is down! Raise the national terrorist alert level!
God shall strike down the heathens of Slashdot for impeding Sony's right to make a profit!
"it's not about aptitude, it's the way you're viewed" - Galinda
Screw my karma, I'm done here. This issue is possibly *the* easiest for regular people to respond to that has ever been on this site. My submission was not a dupe and informative enough to make that point. Sony should be held accountable for their actions and everyone here knows it. So what does the editor do? Rejection. Woohoo! DRMed downloads and empty promises of regulation. Oh sure, that'll make up for thousands of machines being compromised in the United States by foreign nationals. When the president spys without a warrant it's bad, but apparently, when the FUCKING Japanese do it, it's A O FUCKING K.
In summary... Dear Slashdot: How dare you chide any company for kowtowing to China when your editor is too much of a pussy to stick up for the rights of Americans IN AMERICA.
Thank God we have a government that stands up for the rights of the little guy!
The solution is very simple but it requires a strong starchy leader with a backbone.
Strip Sony of its status as a corporation. Let them starve.
Rest assured there are plenty of other corporations that will pick up the artists.
Corps only act criminally like this because they think they are above the law.
Hang one of them high and the others will fall into line.
-- Howto: Get +5 (1) Whine about M$ (2) Namedrop Gentoo (3) Casually Abuse Mods (4) Namedrop Early Computer Model
The DHS has only limited capabilities in this direction and so is it possible now that they will have to search for/contract out to build another rootkit for their own use in hunting down terrorists/pedophiles/homosexuals/liberals in the US?
I submitted and was rejected again last night.
This probably won't make you feel any better, but I submitted the same story and had it rejected as well (hence my semi-off-topic post above). In the end, no article on this topic was accepted, not even as the customary grossly-overlooked footnote limited to the YRO section. The XCP rootkit was the biggest news story for nerds in quite some time, what with the actual rootkit issues and the GPL violations, yet now that legal action against Sony has been taken and resolved, the Slashdot editors (at least, the ones who happened to see the probably dozens of submissions on this topic) don't want us to talk about it?
I know Rob Malda has refuted past claims that he and/or his editors are on the take (see previous controversies surrounding Roland Piquepaille and Beatles-Beatles), but this makes me wonder (at least a little bit - I'm not really a tin-foil-hat-wearing freak) (a) whether somebody here didn't get paid off by Sony to keep word of the settlement from making it onto popular tech sites, or (b) whether Rob isn't able to maintain full editorial control without interference from Slashdot's parent company.
Sure, it probably isn't true, but not putting up such an important and interesting story, as written by anyone, boggles the mind.