Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later (networkworld.com)
alphadogg writes: Hackers really have had their way with Sony over the past year, taking down its PlayStation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview. Some say all this is karmic payback for what's become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management. 'In a sense, it was the first thing Sony did that made hackers love to hate them,' says Bruce Schneier, CTO for Resilient Systems. Sony's scheme was revealed on Halloween of 2005, and was followed by a botched response, issuing and reissuing of rootkit removal tools, and lawsuits. There are object lessons from the incident which are relevant today.
I'm currently rocking out with my Sony Minidisc Walkman.
made hackers love to hate them
I'm not a hacker, but I hate Sony too.
Pushing Memory Stick when we already had SD Card which had the same form factor was the first thing.
Or was it mini-disc?
Pushing their proprietary formats was the first thing.
To show that the government is unwilling to play fairly. The Rootkit should have gotten executives jailed and massive fines. Instead it was a fairly minor lawsuit and move on with business.
No sir, I don't like it.
It contains priceless discussions, too! Often more technical and polite than most forums.
In case you missed them, here is some coverage of the Sony BMG Rootkit and a few later articles which reference it:
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/essay...
https://www.schneier.com/blog/...
https://www.schneier.com/essay...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
https://www.schneier.com/blog/...
Did you just name-drop Mark Russinovich as a "co-worker" based on the two of you having once used the same reseller?
I need to go tell my esteemed colleague Elon Musk about this, he'll really get a kick out of it.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
would HOSTS have protected against the rootkit?
I wish it could be made clearer that a lot of the hacking was motivated by rage over the rootkit and the PS3 linux block. If it were more clear, companies may think twice about giving their customers the shaft.
For Sony there is little doubt the object lessons were "Now how do we do this and not get caught?"
My ism, it's full of beliefs.
Bleh. Wasn't the first time enough?
Irony: Agile development has too much inertia to be abandoned now.
When the folks that created the standard caught on, they SUED, because those media discs are NOT CDDA (aka Red Book).
Any file that started with $sys$ was hidden from the OS, so it didn't take long for people to start hiding malicious files if you had the rootkit on your system.
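As an added illustration of the cloaking described above (example code written for this page, not from the original thread or from the rootkit's vendor): the driver filtered API results so that anything named with a $sys$ prefix disappeared, regardless of who created it. The check that exposes that kind of hook is a cross-view diff: take a listing by a path the hook does not cover and compare it with what the possibly hooked API reports; anything present only in the second listing is cloaked. The file names below are constructed, and the hooked API view is simulated in memory rather than taken from a real driver.

```python
import os
import tempfile

# The prefix the XCP driver filtered out of directory, process and registry
# enumeration results. Anything else that adopted the prefix got hidden too.
CLOAK_PREFIX = "$sys$"


def hooked_listing(true_names):
    """Simulate the rootkit's hooked enumeration: every entry whose name
    starts with the cloak prefix is silently dropped, whether it belongs to
    the DRM software or to an unrelated file that piggybacks on the prefix."""
    return [n for n in true_names if not n.startswith(CLOAK_PREFIX)]


def cross_view_diff(high_level, low_level):
    """Cross-view detection: return (sorted) the names that the low-level
    view reports but the high-level, possibly hooked, view omits. On a clean
    system the two views agree and the result is empty."""
    return sorted(set(low_level) - set(high_level))


def demo():
    """Create a scratch directory with constructed names, take a real
    os.listdir() as the low-level view, simulate the hooked view on top of
    it, and return the cloaked entries."""
    # Constructed sample names: one DRM component and one unrelated file
    # that simply chose the same prefix to ride along under the cloak.
    names = ["readme.txt", "$sys$drm.dll", "$sys$evil.exe", "song.mp3"]
    with tempfile.TemporaryDirectory() as scratch:
        for n in names:
            open(os.path.join(scratch, n), "w").close()
        low_level = os.listdir(scratch)          # what is really on disk
        high_level = hooked_listing(low_level)   # what the hooked API shows
        return cross_view_diff(high_level, low_level)


if __name__ == "__main__":
    for name in demo():
        print("cloaked entry:", name)
```

The same diff applies to process lists and registry keys, which the real driver also filtered; the point is that a prefix-based cloak protects whoever uses the prefix, so a detector must compare views rather than trust any single API.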
http://it.slashdot.org/story/0...
http://games.slashdot.org/stor...
http://yro.slashdot.org/story/...
http://yro.slashdot.org/story/...
http://it.slashdot.org/story/0...
http://yro.slashdot.org/story/...
http://yro.slashdot.org/story/...
http://yro.slashdot.org/story/...
http://yro.slashdot.org/story/...
http://it.slashdot.org/story/0...
http://yro.slashdot.org/story/...
http://news.slashdot.org/story...
http://yro.slashdot.org/story/...
http://apple.slashdot.org/stor...
He's not my "god", and neither are you, little man.
I just wanted to clarify that you two were not, in fact, co-workers. But I like how your first post seems very complimentary of him, when he was your "co-worker", and then you turn around and try and tear him down after you "floor" and "shame" him. Have some self-confidence, I'm not trying to attack you any more than I'm trying to elevate Russinovich. I do respect his work though, and I have a hard time respecting what you do based solely on your constant trollish flaming and bizarre behavior on this site.
No one gives a shit, APK. Not one person here gives a shit about anything you have to "say".
Sony has a bunch of brilliant people working away in the engineering sections of the company,
but once you pierce the management wall, things change.
People devolve into their "high school" distillates.
It's like going back to high school with all the social cliques, and who's cool, bla bla, but the big difference is they all have money and can act on most if not everything that comes to mind, negative or not.
To make matters worse, my superior was a very racially charged individual with a focus on Jews and homosexuals. It was a shame the crap that used to fall out of his mouth. It got so bad toward the end, they moved his office next to HR, due to the sheer amount of complaints being filed. They finally got rid of him once they found another individual to take his place with a 10% cut in pay for the equivalent work.
I am by no means perfect, but I conduct myself in a professional and businesslike manner every day when interacting with my fellows at the workplace.
It seems Sony has not discovered that part of the world yet.
As far as I am concerned, Sony got what they got, and deserved it. Although based on the series of events that has unfolded since this incident, it's a shame that Sony is unwilling or unable to learn from its past mistakes. And now various people have cropped up to challenge them on it, as you can see in the press releases over the years chronicling Sony's blunderfucks year after year.
Thank you for your time.
The only BMG you can trust is the M2. On the plus side, Sony has largely stagnated to the point where their formerly-inferior Korean rivals are markedly cheaper and at least as good, so hopefully we won't have to worry about them too much longer.
And again 7 years ago. And again 5 years ago... There was the CD rootkit, the USB rootkit, and Xbox Linux removal...
If you're going to snark, it helps to be right. Sony doesn't own Download.com, something you could've confirmed for yourself in seconds.
Download.com is a C|Net created site owned by C|NET parent company CBS Interactive, which in turn is owned by CBS Corp, which in turn is owned by National Amusements. Finally, National Amusements' majority owner is owned by Sumner Redstone (aka Rothstein) and family.
You don't have to be a shrink to tell that apk has some issues, any more than you have to be a doctor to tell that the guy without legs has a disability.
There's never any need to enter a discussion with people like apk, Archimedes Plutonium or Ed Conrad - the most you can achieve is goading, and that's kind of cruel.
Your shit HOSTs didn't protect my boyfriend from having his Steam hijacked.
Can you even claim effectiveness in your product with truth?
Because 5TB of hosed shit says otherwise.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
if you put in a FRACTION of the energy your kind does in trolling, you'd be putting us all to shame
You're getting close to a breakthrough. So close...
Please tell me you didn't pay money for a hosts file.
xbox?
not sure if being a wiseass or not...
Brand new Beastie Boys CD rootkits my system.
Removal SW breaks IDE CDROM driver - inconvenient reinstall
Beastie Boys CD ripped to MP3 (the old fashioned way) CD made safe.
Never bought another SONY product (and very few CDs)
SONY deserves what they get for ever after. (no sympathy)
This perpetual motion machine Lisa made is a joke, it just keeps getting faster and faster. - Homer
tl;dr
Please, don't talk to him. That's worse than saying Beetlejuice thrice.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Because not adhering to the red book standard can be interpreted as being "intentionally defective". Which was the legal way to go until SONY caved in and started to replace the CDs.
There is basically one object lesson:
Laws are for little people, and companies like Sony are too big to [effectively] prosecute because...reasons...
Let's face it: if you're a teenage kid and you commit some minor, mostly harmless act of vandalism with a computer in some way, you go to jail. If you make some copies of journals, you get relentlessly prosecuted. You make a copy of Sony's IP, you get slapped with $100K-plus fines on you as an individual. You write a jailbreak for a Sony product, they do everything they can to destroy your life.
If you are a big company like Sony with media connections, you get a comparatively minor fine and are made to compensate victims to such a minor degree that it won't even cover their costs if they need professional assistance to clean up your hack.
If you or I did what Sony did, we'd see the FBI seize our domain and redirect visitors. Why did Sony get to keep Sony.com? It's fucking bullshit.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Doh! Ooops... Not like there is any difference now since you can't homebrew either one anymore.
I didn't pay for or do shit.
Especially when I know HOSTs is fucking useless in the first place.
But I returned the last Sony product I bought 10 years ago and haven't bought anything from them since.
Thanks for the gibberish.
APK, why would I want to be you? If I Google your name the first result is a post from someone you threatened to sue and then backed out of, which shows more of your ridiculous behavior and chest-puffing. The second result is you spamming and trolling another forum. The whole first page is littered with examples of you being an idiot. Why would I want that for myself? Why would I want my professional reputation to be that of a belligerent asshole?
You don't know a thing about me, but that doesn't stop you from going around and making baseless claims. I do know some things about you though, so I guarantee that my software has more users than yours. And no, in no way, shape, or form am I interested in even attempting to prove that, I don't need you spamming my boss with random bolding and punctuation to tell him that his CTO is something that I'm not. You don't know me, you don't know anything about me. You're a run-of-the-mill Common Troll, spouting baseless shit and thinking that you somehow scored some points, while making yourself look like an idiot. No, I do not want to be like you.
You're probably a 10lb soaking wet wimp, is my guess.
Case in point regarding your powers of assumption. I'll give you one thing about me: I'm 6'1", 190lbs. Maybe go for a nice jog today instead of getting yourself worked up online like you do every other day.
Bring him in here. I'll do it again here publicly.
I called Mark Russinovich and asked him if he wanted to come to Slashdot and "debate" you, and he said that, considering the fact that he's the CTO of Microsoft Azure now, he doesn't really have time for that. What have you done in the past 15 years? Oh, you made a utility to manage a flat text file that you spam endlessly? La-de-fucking-da. You want to compare yourself to Russinovich? How about this: he has created a professional reputation for himself wherein he is generally respected, well-liked, and well-regarded. Those are professional qualities that have managed to elude you. Your professional reputation is a troll, nothing more. No one in their right mind would load any binary coming from you on their system.
Sony makes more profit as an insurance company than it does with all its other subsidiaries combined.
http://www.nytimes.com/2013/05...
http://www.bloomberg.com/bw/ar...
--
Time is on my side
I bought my daughter a Sony MP3 player a few years ago, brought it home, and discovered it would only play MP3s that were wrapped in Sony's proprietary wrapper, and applying the wrapper locked it to a single device, so if you lost the device, you had to repurchase the MP3! I took it back to the store and returned it with the explanation that it was defective because it didn't play actual MP3s! Sony abandoned the Sony Soundstage BS shortly after that; apparently enough other people were upset by it that it hurt their sales. Since buying a $600 Sony "Dream Machine" DVD player that was a complete piece of crap, I've pretty much been boycotting Sony (called for warranty repair of the DVD player; it was an automated system that, no matter what was said, would respond "I don't understand you!" until you gave up. Way to keep those warranty repair costs down, Sony!) Problem is, now for console games we have to choose between two evils: Sony or Microsoft. Which company is worse? (I'm leaning towards buying an Xbox One.)
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Nice schizophrenic reply, I like how you avoided addressing my points and instead decided to just continue pimping yourself as some kind of OCD prodigy.
I have no other accounts on Slashdot, and I don't post anonymously unless I'm providing details on a sensitive topic that I don't want traced to me.
IF you even have a job
Sure do. I even have one of those fancy degrees. 13 years ago I was an intern here, today I'm the CTO making 6 figures. Thanks for asking. If you're curious (you know you are...) I'm buying my second house and have a new Mercedes. I've got a good woman waiting for me at home also so, no, I don't wish that I was an OCD troll trying to convince the world that I'm a prodigy. You obviously believe your own legend, but in all of my years on Slashdot (including before I created my account) I have never seen a single person validate any of your so-called "skills". No one sticks up for you. You appear to be your only believer.
Are you fucking kidding me? How goddamn pathetic are you that you need to anonymously reply as someone sticking up for yourself, and then reply to that agreeing with yourself? Do you have any concept at all about how transparent you are? You might think you're really clever by omitting line breaks and avoiding random punctuation but you clearly can't hide your OCD voice and tone.
This is unreal. This is why people say not to feed the trolls. I'm taking their advice, I'm done with this so-called "conversation". Feel free to rant to yourself, I'll never get a notification that you've responded.
Look at all of your troll replies, look at all of the child-like thrashing. You've spent 50 years wandering this planet alone, and you have the emotional maturity of a wet tissue to show for it all. Well done. Obviously this kind of self-promotion is your therapy, maybe if you believe that you're a great person then someone else will too, right? Maybe if you declare "victory" enough times, someone else will think you've won something. I highly recommend seeing a well-qualified therapist, at your age you should really understand how to connect with people above a third-grade level. There's a therapist right across Oswego, give him a call. The computer isn't going to love you back, you know.
You seem to be having a hard time grasping this APK, so let me spell it out for you.
I already told you I was not interested in proving my claims. The reason I am not interested is because proof of my claims would necessarily require me to personally identify myself to you, and I'm not willing to do that. I'm not willing to identify myself to you for the same reason that I'm not willing to contract herpes voluntarily. Science just doesn't have a cure for that yet. I'm not willing to expose myself, my family, or my co-workers to abuse from you, and based on the behavior you have exhibited online over the past 15 years, I believe that that is what would happen if you knew who I am.
I know what I've accomplished. You don't. I'm fine with that. I don't care if you believe my claims, your opinion is not important to me. I don't have to prove anything to you. I can see a record of what you've done, all of the little "utilities" you've produced (managing a flat text file, messing with the Windows registry, etc), and I can look at what I've done, and I am confident and secure in my own knowledge that my software has had more of an impact on people than yours. Before becoming the CTO I redesigned and personally developed a brand new version of our 13-year-old software, and since then it's gone through another major version change with several additional programmers, and the reach that this system has is enough proof to me that I've surpassed your so-called "contributions". This application is the reason why our 20-year-old company is still around, I can look at our servers any day of the week and see hundreds of thousands of people worldwide using it to help them do their jobs. Like I just explained above, I do not feel any need or desire to attempt to prove this to you, I'm not going to identify my account on Slashdot just so I can prove a point to the most notorious man-child on the internet.
Your other taunting is completely hollow. You can post all you want how you've "beaten" me, as if you've won something, or how sad I must feel, or whatever you want to say using numerous posts where you transparently try to make it seem like you have people who support you. I'll tell you what the truth is though, I'll tell you the extent of how I felt about you after our previous "conversation".
The only thing I feel towards you is curiosity. I wonder how you came to be 50 and still behave like this, which is how you were behaving at 35 also. It's obviously a pattern. I wonder why you feel the need to make yourself sound so wonderful, like you go around online winning battles with people who aren't fighting with you. I wonder what your early life was like, your schooling, what friends you had, how people treated you, how your parents handled you, what your brother thinks of you, what your first relationship was like. I wonder if you're even attracted to people the same way others are, or if you only love yourself. Or IF you even love yourself, or if you say the things you do out of a lack of self-confidence, as if you saying those things enough will make them true. I wonder what's going on in your head that makes your behavior so much different than other people I've encountered.
I wonder if you've ever sought therapy, I wonder if you even believe that your behavior is detrimental or if you think it's desirable and beneficial (OCPD maybe?). In short, I would be curious to read a third-party biography of you to try and illuminate the events in your life that have culminated in you wandering the internet, relentlessly self-promoting, and picking fights and claiming victory with anyone that will respond to you. It's interesting to me. That's what I feel about you. I don't feel defeated, I don't feel sad, I don't feel bad about myself, I'm not running anywhere, I'm not foaming at the mouth, I'm not "raging" (I'm not even the tiniest bit angry at you).
I haven't thought about you after I went home last night, I wasn't thinking about you when I woke up this morning, or driving into work, but you're still following me around on Slashdot posting links to your other comments, so obviously you're thinking about me. Hopefully this post clears it up for you.
Read above, APK. It's not that I can't back anything up, it's just that I won't. Like I said, I don't care about proving anything to you. I don't care if you believe me. My achievements do not require your belief.
A finalist position? Well done. Several years ago we submitted a piece of technology to the organization that runs the awards for our industry, it was a piece that we developed in partnership with the Air Force. We submitted it in a niche category (specialized technology) that didn't have all that much competition, and the award organization decided to instead put us in the largest category (general) and then give us the gold award. We beat out teams from companies like Adobe, Microsoft, Cisco, etc, in the most difficult category that we didn't even submit our work to. Am I going to prove that either? Nope. But I know it's true. I can walk into the conference room and look at that award on the wall, and see the picture of me and my team on stage with our Air Force partners and the presenters, and I can look at the awards that the Air Force gave us. Do I care if you believe me? No, I don't. Your lack of belief will not make that award or our achievements disappear.
Are you starting to get the idea, APK? Here, I'll write in all caps and bold letters, I know you enjoy things that way:
I DON'T CARE WHAT YOU THINK ABOUT ME
I'm not willing to prove anything. If you want to throw out all of your so-called achievements from 15 years ago (what have you done lately, by the way?), go ahead buddy. If you want to know why I don't want to prove anything, again, read what I wrote in the previous post.
And enough with the posting referring to yourself in the third person as if you're someone else, it just looks desperate.
APK, I'm happy for you that you were able to write a piece of software that can read/write to a plain text file. Really, it's fantastic. Those quotes above prove that you are completely capable of being able to write an application that can output to plain text. I don't want to take that away from you. Granted, some of those quotes are talking about using the hosts file in general and nothing that you've actually done yourself, but still, I don't want to take anything away from your achievement of creating an application that outputs to plain text. I'm sorry, read AND write plain text, I don't want to diminish your additional achievement of reading plain text either.
I back myself NO problem, why can't you?
I can. I just won't. What do I gain if I do? Nothing I need. What do I lose? Anonymity.
You're not telling the truth is why I suspect
100% of what I've claimed about myself is true. I'm sorry if you refuse to accept that.
you brought this all on yourself
Yeah, and boy, what a heavy burden. You're really affecting me deeply here.
YOU CAME IN HERE GIVING ME GUFF for things I've actually done
No, I CAME IN HERE GIVING YOU GUFF for trying to claim that you once worked with Mark Russinovich, which was a lie. Putting co-worker in quotes doesn't mean it's not a lie.
but it's simple enough for me to show everyone here just what you are
No it's not, you don't even know who I am, much less what.
I don't see ANYONE on /. prior to this posting EVER speak well of wares you've written, now do they?
I have not identified who I am to anyone on this site. So, no, you won't find anyone here pointing to this account and linking it with anything that I've done outside of Slashdot. You won't find links to my accounts on other programming forums, or any personal website or blog, or a company page, etc. You won't find anyone here linking my account with the work I've done, in either a positive or a negative way. The strength of Slashdot is that people can come together and discuss things without ego getting in the way, what you say here is who you are unless you choose to identify yourself. Assuming you actually bother to register an account, anyway. Without registering an account then you have no accountability at all, you have no post history. I'm choosing to allow people to go back and look at things I've said in order to get an idea about what I believe. You accept no kind of accountability for yourself, people cannot find every post you've made. I understand why, because very shortly you would find yourself always posting at -1, but still, there's no accountability for you.
but I am sure by now with these evasions of yours what OTHERS HERE THINK OF YOU
Saying that you are "sure" doesn't mean anything. If there's one thing I've learned from this episode it is that you are completely delusional. I think that you are willfully delusional, I think that you create your own lies and then invest in them fully. That's part of what makes me so curious about what made you this way. Something in your life happened to make you act like this, because you consistently do it, over and over and over again. It's not a normal way to behave, but you stick to it like stink on shit. It's fascinating.
For an alleged programmer you're not even logical
Coming from you, judging what is and is not logical is pretty rich. The foundation of any post you make is full of random assumptions. Logic has nothing to do with your posts. You're still making assumptions about me. You probably think that you're "winning", or that I'm feeling bad about myself, or ascribing any number of emotions to me that simply aren't true. You're fighting a fight with yourself and claiming victory, you don't even understa
Jesus Christ is perfect.
Everybody's imaginary friend is perfect, buddeh, that's why you have them.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
You're still humping my leg, are you APK?
I'll tell you what this reminds me of. When I was in college I played a lot of a game called Mechwarrior 4. I was good at it, it got to the point where I was consistently ranked as one of the top few scores for each week, if not the first. I just played it a lot and got good at it, that's all. Frequently when I was at my best other people in the matches would accuse me of cheating. I would consistently kill them and they would talk about how I couldn't be doing that unless I was cheating, you can't aim or fire that fast, etc, whatever the excuse. That was the best compliment I got from anyone while playing that game. I was beating those people so badly that they were absolutely positive that I couldn't just do that myself, I had to be cheating somehow. I've never installed or used a game cheat program in my life.
That's what I see from you now. I've given you claims about my life, and not even that great either. I've got a degree, I went from intern to CTO, our company has won awards for the projects I've developed, we've got hundreds of thousands to millions of people using our software, etc. Those aren't even outlandish claims, I'm sure any number of people on this site have similar stories. I don't consider myself any kind of superstar programmer either. I'm very good at what I do in my role as a CTO, but there are plenty of places I can improve as a programmer. I have books on my shelf like The Art Of Computer Programming or Code Complete that I haven't read yet. I've only been to a small number of programming conferences. I don't do much with open source or Github, etc. There are places where I can and want to improve and just haven't been able to take the time to make that happen yet.
Even so, look at you. You appear to be completely convinced that the things I'm telling you can't possibly be true. I've already told you that I'm not going to identify myself, but here you are, demanding proof of my claims. You can't let it go. You're convinced that the things I'm telling you are lies.
I appreciate the compliments, although it's kind of sad what that says about you and your self-confidence.
As for individual work, if you're going to ask for more claims then I'll be happy to give them to you. The company I work for right now runs all of its bookkeeping and project tracking from a system that I personally designed and developed 12 years ago, and all of our clients interact with the same system. There's another company that I was working with briefly who also runs software that I personally designed and developed to do similar things, to interact with all of their clients. Their clients can log on to their site and have access to all of their records and data that would otherwise stay in another third-party proprietary system running on the servers. My software is a link to that data for the customers, and that company has remarked several times that this system is what sets them apart from all of their competitors. The company that the software interfaces with also was interested in getting my software to bundle with theirs but I didn't have time to try and make that happen. And, like I've said before, the main application that our company sells was in fact originally designed and developed by me. I was working on that version for 3 years supporting 30 corporate/military clients using it all by myself before we got another programmer to start helping me. We currently employ 1 additional programmer other than me (good help is hard to find). I'm in charge of all of the company's internal systems and tools and multiple versions of our major application, personally. And yes, I'm also good at working on a team.
Let me know if you have any other questions that you'd like me to answer, or if you just want to keep spending your time throwing out random insults and otherwise spinning your wheels. Like I said, I'm flattered that you find the reality of my life so unconvincing, but again there are many other people li