Slashdot Mirror


Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later (networkworld.com)

alphadogg writes: Hackers really have had their way with Sony over the past year, taking down its PlayStation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview. Some say all this is karmic payback for what's become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management. 'In a sense, it was the first thing Sony did that made hackers love to hate them,' says Bruce Schneier, CTO for Resilient Systems. Sony's scheme was revealed on Halloween of 2005, and was followed by a botched response, issuing and reissuing of rootkit removal tools, and lawsuits. There are object lessons from the incident which are relevant today.

18 of 188 comments

  1. Me too! by fizzer06 · · Score: 5, Insightful

    made hackers love to hate them

    I'm not a hacker, but I hate Sony too.

    1. Re:Me too! by pr0t0 · · Score: 5, Informative

      I just posted this the other day, but it is relevant and bears repeating:

      More than a few years ago, Sony put rootkits on some of their music CDs. It was abhorrently wrong, they knew it, they did it anyway. That was the last straw for me. It came after SOE released Everquest II incomplete and broken. It came after proprietary audio formats (strong push against MP3) and proprietary media. It was during a time of suing grandmothers for music downloading. It was during a time of Sony's clear (ongoing?) campaign against its customers and fans.

      Since that time, I have not purchased Sony music, will not buy Sony consumer electronics, and won't even see a Sony Pictures movie. I boycott ALL Sony-related products and services, and have for the last ten years. People need to wake up and exercise the only power they have by voting with their wallets. We have to keep these companies terrified that such missteps will lead to their ruin, or else sleep in the bed we made without complaint.

      FYI - Here's a pretty comprehensive list of Sony's subsidiaries: https://en.wikipedia.org/wiki/...

      --
      I'm sorry, but your opinion seems to be wrong.
    2. Re:Me too! by bigfinger76 · · Score: 3, Informative

      It's irrelevant to the discussion, however.

    3. Re:Me too! by Stuarticus · · Score: 3, Informative

      Technically the disc is a compact disc, they don't meet the standard of an audio CD-DA which the red book defines.

      --
      If you think someone isn't free to have a different definition of "freedom" you may be a tyrant.
  2. Yup paving the way by silas_moeckel · · Score: 5, Interesting

    To show that the government is unwilling to play fairly. The Rootkit should have gotten executives jailed and massive fines. Instead it was a fairly minor lawsuit and move on with business.

    --
    No sir I don't like it.
  3. Re:We can all give thanks to... apk by amicusNYCL · · Score: 4, Funny

    Did you just name-drop Mark Russinovich as a "co-worker" based on the two of you having once used the same reseller?

    I need to go tell my esteemed colleague Elon Musk about this, he'll really get a kick out of it.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. how to connect cause and effect? by Noah+Haders · · Score: 4, Insightful

    I wish it could be made clearer that a lot of the hacking was motivated by rage over the rootkit and the PS3 Linux block. If it were more clear, companies may think twice about giving their customers the shaft.

  5. The Object lessons by MrKaos · · Score: 5, Insightful

    For Sony there is little doubt the object lessons were "Now how do we do this and not get caught?"

    --
    My ism, it's full of beliefs.
    1. Re:The Object lessons by whoever57 · · Score: 5, Insightful

      For Sony there is little doubt the object lessons were "Now how do we do this? "

      FTFY

      Given the tiny fine that Sony was required to pay for the rootkit fiasco, I doubt that they really care about getting caught.

      --
      The real "Libtards" are the Libertarians!
  6. Re:Not the first thing by plover · · Score: 4, Insightful

    Amen. Sony has been evil since they introduced DRM at the commercial level. "Copy bits" on DAT, on Minidiscs, CSS, HDCP, the list of shit Sony has secretly shoveled on the public is why I don't buy Sony, and why I recommend friends and family choose anything else.

    --
    John
  7. Too easy to exploit by Xian97 · · Score: 3, Interesting

    Any file that started with $sys$ was hidden from the OS, so it didn't take long for people to start hiding malicious files if you had the rootkit on your system.

  8. Re:Please: You WISH you were me... apk by bigfinger76 · · Score: 5, Insightful

    No one gives a shit, APK. Not one person here gives a shit about anything you have to "say".

  9. Re:Revisit the Sony Rootkit? by houstonbofh · · Score: 4, Informative

    Bleh. Wasn't the first time enough?

    Not for them. They did it again in a USB drive. http://techreport.com/news/130...

  10. Sony doesn't own Download.com by gweilo8888 · · Score: 4, Informative

    If you're going to snark, it helps to be right. Sony doesn't own Download.com, something you could've confirmed for yourself in seconds.

    Download.com is a C|Net created site owned by C|NET parent company CBS Interactive, which in turn is owned by CBS Corp, which in turn is owned by National Amusements. Finally, National Amusements' majority owner is owned by Sumner Redstone (aka Rothstein) and family.

  11. Re:Rocking With My Sony by Opportunist · · Score: 3, Insightful

    Actually, yes, there could have been something (and actually, there still is) that Sony could do to make me a customer again. Their products are not bad from a technical point of view. They last. They are well engineered. They still are most of what made me (and I dare say us) customers two decades ago.

    There is a simple thing that would have to change to make me a customer again: Treat me like a customer, not like a credit card. Treat me like a partner, not an enemy. The main problem I have with Sony today is that I feel belittled and ridiculed, if not outright offended, by the way they treat me. With vendor lock-in and the deliberate removal of functionality for no other reason than trying to force me to buy again.

    It does not work that way.

    There is a very simple way to make me buy something from a brand again: Give me what I want. If I know I get what I want from Sony, you need not force me to buy your stuff next time I am in the market for something you make. I'll gladly and willingly actually seek out this brand that I was satisfied with last time.

    Just like it was 2-3 decades ago. People are lazy. They don't shop around if they are happy with what they get from a brand. They don't like to experiment, especially when it comes to things that are a considerable investment. Just look at cars. This only changes after bad experiences.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Re: Rocking With My Sony by Spamalope · · Score: 4, Informative

    Yes, right... Like you made any difference. When you boycott a giant like Sony, you're just one of an incredibly small number who will make no impact whatsoever.

    Perhaps you've missed Sony's financial situation. Pre-rootkit I had a Sony TV; camcorder; receiver; digital camera; high end artisan monitor (21 inch - used at 2048x1536 when LCDs were 1024x768); SVHS; 100 disc CD changer... I was the decision maker for purchasing computer equipment at work, and had been buying Sony products in the mix. Since that time? My career has taken off allowing for much greater toy spending. $10k+ in photo gear, but no Sony. There are no Sony TV/entertainment products in the new house, another $10k+ loss for Sony; 65 computer systems at work, with no Sony systems or peripherals. I'm asked for recommendations all the time, and never suggest Sony. Sony's rootkit cost them a minimum of $50k in direct sales, plus lost referrals. I had preferentially bought Sony before then.

    There are so many folks doing the same that it has added up, and Sony's bottom line has suffered.