What About Sony's Downloadable Music?
Saturday, November 19 2005 @ 07:03 PM EST

I've been puzzling over how so many people in the UK and all over Europe got infected with Sony's rootkit, when Sony says it doesn't distribute those CDs in the UK. Then I had a thought. Doesn't Sony allow you to download music from its website? Is it possible that they have something rootkitting around in there too? Has anyone checked?

I mention it because of the statement made by the Department of Homeland Security official that if the bird flu happened to hit at the same time the rootkit was compromising millions of computers worldwide, it could be very serious indeed: "If we have an avian flu outbreak here and it is even half as bad as the 1918 flu, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is going to be a matter of life and death and we take it very seriously as well."

I couldn't find anyone writing about researching the digital downloads. So I went to Sony's site to buy some music to download, just to see what would happen. Notice you have a drop-down menu under Digital Downloads, where you choose a store. If you choose Sony Connect, there is a note "Must Be Installed." That's true for iTunes too, and Napster, and Real and everything else on the list. You need a player. So, what is in the Sony Connect player? Are we allowed to look? If not, could someone please do something about the DMCA before someone dies needlessly? Seriously. Is that fear why no one caught this rootkit for so long?

Sony Connect launched in July of 2004 in France, Germany and the UK, according to this article in The Register, with other countries in Europe to follow later that year. That is a long time for a rootkit to be spreading with no one noticing. I understand that the antivirus companies as a group sold us out and went along with Sony, but what about other security researchers? No one thought to check? Or no one dared to? The article also mentions that Sony Connect is located in Germany. I mention that for the lawyers out there.

I am not a lawyer, but I reasoned that I was probably allowed to do what Mark Russinovich did, so I decided I'd buy something, download it and see what happened next. Note that this isn't legal advice. I am just explaining what I did, not what anyone else should or shouldn't do. But I hit a wall. You have to have Internet Explorer as your browser. Really. I'm wondering if anyone else has thought of this as another possible source of infection? Obviously there is some kind of tether on the download. This 2003 Wired article on Sony explains what Sony was planning and why:

Users of online services are offered only "tethered" downloads, which come with limitations on how files can be copied or burned to a CD, or transferred to a portable player. It's as if Macy's used anti-shoplifting tags to set limits on how many times your pants could be put in a suitcase or where you could go in them....

With OpenMG X, the version being developed, Sony will no longer set blanket rules for its own devices; it's created a digital rights management system that works on any manufacturer's hardware and allows the content owner to set the rules. Sony wants OpenMG X to be accepted across the entertainment industry - an ambition that puts it face-to-face with Microsoft. "The whole security/digital rights management/copyright arena is a critical battlefield," Stringer declares. "We're racing - racing - to get to a solution that has an open standard so that Microsoft doesn't waltz in and develop the audio-video operating system."

A digital rights management system isn't just a traffic cop; it's a powerful tool that gathers all kinds of information about consumers, from credit card numbers to listening habits, and dictates which devices can talk to the PC and how. Microsoft's DRM software, a key feature of its Windows Media platform, promises total flexibility for entertainment companies, and it's designed to work not just on PCs but with consumer gadgets like Sony's. "If it is the de facto standard for all digital rights management," says Stringer, "then at some point it migrates into all the networked devices, including the television set and everything else. Sony's nightmare is that the TV set becomes a monitor."

This puts Sony in a bind. Except for the Xbox, Microsoft doesn't really sell hardware. All it has to do is keep entertainment executives happy and watch them adopt its DRM platform. If Sony fails to offer every bondage option the entertainment folks can imagine for their customers, it opens the door for Microsoft to take control of its hardware.

Isn't that the problem here? That the entire world, not just software companies like Microsoft or hardware companies (which Sony partly is), but legislators too, has caved in and set everything up to satisfy the entertainment industry? And what it takes to satisfy them! We got a peek when the rootkit was revealed.

Then in 2004, The Register took a look at Sony Connect:

Sony's choice for format restricts consumers to its own hardware - a complaint the paper also makes about Apple, though at least iTunes does permit you to rip CDs to MP3 for transfer to other brands of player. Sony's SonicStage software does not support MP3 and "it defaults to storing music in an invisible, deeply buried sub-directory", the paper warns....

"Connect permits an unlimited number of transfers to portable players - except for songs from Warner Music Group's labels, which are restricted to three transfers. Ever," the paper reveals.

"Similar control-freak behaviour ensues when you move purchased songs to the other two PCs you're allotted at any one time: those copies lose all their transfer and CD-burning permissions. Sony says an upcoming software update will restore transfer rights, but not disc burning, to those copies."

Obviously, if it can do this, it is talking to Sony about you in some manner. If anyone is researching this, no doubt they'll let us know eventually.

I know it's the right question. If you read Bruce Schneier's article on the stunning acing of all the anti-virus companies, their failure to either notice the rootkit (with the exception of F Secure) or to tell us about it, I think we can at least validly ask if this problem is a lot deeper than it originally seemed. And I sincerely hope someone who knows how and is allowed to is looking into more than just Sony's CDs.

What About Sony's Downloadable Music? | 222 comments
Corrections Here Please
Authored by: fettler on Saturday, November 19 2005 @ 07:16 PM EST
Corrections et al:


Sometime the simplest explanation...
Authored by: Mark Levitt on Saturday, November 19 2005 @ 07:37 PM EST
is the right one.

Let's see, Sony lied about:
1) The number of CDs containing the XCP software (they said 20, it's actually more than twice that).

2) Whether the software sends information back to Sony. They said it doesn't, but it's been shown to make a request to a Sony website with an ID number. At the very least, this tells Sony your IP address and that you're playing a CD.

3) The severity of the software, telling people it was not a security risk.

Would it really be beyond them to lie about where these CDs were sold?

I think Sony is either unaware of the locations where these CDs were on sale or they are continuing to lie, hoping to limit the damage.

After reading through the UK's Computer Misuse Act, I can think of a good reason for Sony to say they didn't sell these disks in the UK... (Like they don't like going to jail.)

See EFF for more info.
Authored by: Anonymous on Saturday, November 19 2005 @ 07:40 PM EST
Check EFF's Open Letter to Sony as well as some of their other info on this topic.

I'm upset about this because I wrote the liner notes for one of their infected albums and then recommended it to all my friends. Thank God, the copy I have is the pre-release one to listen to so I could write the liner notes. I then had to call and e-mail my friends and tell them NOT to buy the album.

At this point, I don't see a way of putting rootkit software within a media file, but requiring a special player to play the media is exactly what Sony did on their CDs. I guess they could do something just as evil with their music download service. BC

Off Topic goes here
Authored by: John_Doe#1 on Saturday, November 19 2005 @ 07:42 PM EST
Clickable links: Like this

HTML Formatted in the Post Mode drop down box


There needs to be a bit of bird flu sanity
Authored by: Anonymous on Saturday, November 19 2005 @ 07:47 PM EST
To put it as bluntly as one Australian virus expert:

There will be a pandemic.
It won't be this version of the bird flu.

His reasoning: pandemics happen, get over it. This version of bird flu has been around for 5 years and nothing has happened.

Regards
Crazy Engineer

Bruce Schneier Misses Something Obvious
Authored by: Mark Levitt on Saturday, November 19 2005 @ 07:48 PM EST
If you read Bruce Schneier's article on the stunning acing of all the anti-virus companies, their failure to either notice the rootkit (with the exception of F Secure) or to tell us about it, I think we can at least validly ask if this problem is a lot deeper than it originally seemed. And I sincerely hope someone who knows how and is allowed to is looking into more than just Sony's CDs.

Although I enjoyed the article, I think Mr. Schneier misses something fairly obvious. He implies that there was some form of collusion between Sony and the anti-virus software vendors. While he may be right to some extent, I don't think it's a simple matter of Sony asking nicely and the anti-virus companies looking the other way.

Think about it: if the anti-virus companies had marked Sony's software as a malicious piece of code and removed it, they would be guilty of breaking the law. Under the DMCA, distributing tools designed to circumvent a technological copy protection measure is a crime.

Rather than collusion, I suspect the anti-virus companies' corporate lawyers made it clear that removing Sony's software could possibly land the company in serious legal trouble.

What really needs to be pointed out is that Mark Russinovich, who broke the story about Sony's rootkit, is a criminal under the DMCA. And all the companies that are now releasing removal tools are breaking the law as well.

Maybe when people realize that the DMCA makes it a crime to make your own property safe from damage, the law will be changed.

The real question is, Why would anyone buy a product like that?
Authored by: kawabago on Saturday, November 19 2005 @ 08:15 PM EST
Why would anyone buy a product with restrictions like that? The quotes from the article clearly show that the entertainment industry and Microsoft both hate consumers. Unfortunately for both the entertainment industry and Microsoft, DRM is not going to be the way of the future. They already have strong hints at how much people don't want it but they simply refuse to acknowledge them.

Musicians can record and produce their own music at home with PCs and open source music tools. They can distribute their music directly to fans on the internet; the music companies are no longer needed.

That is why DRM will not become a new cash cow for either the entertainment companies or Microsoft. The entertainment industry model is failing and being replaced with a new paradigm putting the artist in control. Microsoft will be killed off by open source and DRM will no longer be talked about.

---
TTFN

Boycott Sony
Authored by: Anonymous on Saturday, November 19 2005 @ 08:20 PM EST
Not forever, just until January 02 /06.

If Sony misses out on the Christmas rush perhaps they, and the rest of the E! industry, will figure out that their customers don't like to be harassed, lied to or spied on.

!!! - Arista Records, BMG Classics, BMG Heritage, BMG International Companies, J Records, Jive Records, LaFace Records, Provident Music Group, RCA Records, RCA Victor Group, RLG - Nashville, Sony Urban Music, So So Def Records, Verity Records, Columbia Records, Epic Records, Legacy Recordings, Sony Classical, Sony Nashville, Sony Wonder, Sony Ericsson, Sony Music, Sony Pictures, Sony Electronics & PlayStation. - !!!

Sony's actions were egregious, their behaviour is arrogant and their response has been without remorse.

A six week consumer action just might have the effect of reaching into the corporate boardrooms and making those who approve such actions pause. A six week consumer action just might make pension funds and other big $$ investors smack corporate leaders upside the head and direct them to 'do no evil'. A six week consumer action just might tip the balance, for a little while anyway, away from unaccountable corporate malfeasance.

Please keep in mind that while Sony is the target of this boycott; it is the insatiable, unconscionable corporate thinking that perverts any reasonable interpretation of capitalism that needs to be reformed... My hope is that Sony can go from loser to leader.


What About Minors and EULAs
Authored by: Anonymous on Saturday, November 19 2005 @ 09:25 PM EST
Are DRM type agreements enforceable with regard to minors, or do parents/guardians need to be a party?

Could we see music, hardware, downloads, and so on, restricted to those over 18?

Ivan

About "Fair Use"
Authored by: Anonymous on Saturday, November 19 2005 @ 09:27 PM EST
This topic troubles me greatly, and I've been following the stories here closely. A few days, ago, PJ wrote:
Time-expiring copies? So they not only want to prevent sharing music with a friend, what they call "casual copying," now they want music you buy to evaporate? ...

Seriously though, let's think for just a minute about the big picture. Fair use is part of copyright law, is it not? So, if we are all going to be law-abiding, that means that copyright holders have to abide by the law, too, just like customers do. No? But when DRM schemes cut off all possibility of fair use, is that lawful? [emphases mine]
I am not a lawyer, and this is not a troll, and I certainly don't want to see "rights management" used to do what Sony (and others) are trying to do. But fair use seems a slender reed to hang our hopes on.

17 USC 107 specifies four issues that must be considered when determining whether a particular usage is fair. But neither it nor precedent (as far as I know) gives a bright-line rule that would let lawyers, much less laymen, decide what is and isn't, short of taking it to court.

"Casual copying" arguably fails all four prongs -- at least, let's not debate it now. What I'm talking about is customary use, what we've become used to doing with our books and records: reading or playing them where we like, when we like, as often as we like, for as long as we own them.

The fact is that copyright has long been enforced, not by law, but by economics: a particular copy of an expression was inextricably tied to a physical item. It was physically impossible or (more often) economically infeasible for the end user to make another copy and thus become the not-the-end user. By the same token, once that copy passed into the user's control, it was impossible or infeasible for the publisher to monitor and control the user's use of it.

Whenever copying or passing-along got easier, publishers got frantic -- first when Bill Caxton invented moveable-type printing**, later when public libraries were formed, still later when you could tape a movie off the air on your new Sony Betamax.

**(Yeah, I know about Gutenberg and the folks he stole his press from. What Caxton did that scared the vendors was he started making money from it.)

So here we go again. Only now, the expression is no longer tied to a physical item and every pass-along copy has complete fidelity to the legal copy in hand (which is likewise faithful to the original) and every kid and his cousin has the technology to make those duplicates, and buy blanks to do so at 10 cents per, down at Fry's.

Is it any wonder the publishers wanted somehow to tie copies back down to something? Or that bright techies figured out how to tie use to a software "key"? Or that bright lawyers and lobbyists figured out how to pass the DMCA to make bypassing that key (so technically trivial) illegal?

Or that bright capitalists sat back and said to themselves, "Hey, now that we've lassoed the copies back in again, do we really have to give away all the stuff we used to?" One man's looting is another man's "monetizing".

I am afraid that our customary use is not fair use, in the strict legal sense. It's not "educational" or "nonprofit"; you copy*** the entire work (who wants half a song or book or movie?); it affects the "value" of the work (in that the publisher can't force you to buy another copy). It's not criticism or news reporting or classroom use or research -- it's entertainment... which isn't mentioned.

***(I believe there are precedents that reading a digital image into RAM is "copying", at least in the case of computer programs. If so, why not a song?)

I fear that customary use is licensed use -- and what license is granted is up to the owner. Sections 108 through 122 limit the publisher's restrictions on broadcasters, libraries, disabled folks, etc., but not much is said about us, the customary customers. The first sale doctrine would seem to imply that we have some control over the particular copy we have in hand (since the publisher cannot stop us from disposing of that copy as we like), but doesn't actually mention using the copy. And that's only if we actually own the copy, as opposed to merely owning a license to use the copy, with the publisher retaining ownership -- as every EULA ever written seems to say.

Today's top Groklaw news link is to a story of just this sort of thing. I don't want to be limited in the number of times I can read a book, or where I can read it, or on what kind of medium, or to have to phone home to E.T., Inc., to get permission (and get tracked) every time I do. And I predict that publishers who try to force this down our throats will trigger a customer uprising.

But I'd be very nervous about depending on the courts to guarantee customary use to us.


What About Sony's Downloadable Music?
Authored by: blacklight on Saturday, November 19 2005 @ 09:51 PM EST
I am of two minds whether discovering the rootkit only after eight months benefited Sony:

On one hand, had Mark Russinovich discovered the rootkit on Day 1, Sony's costs of recall would have been a lot lower.

On the other hand, I am pretty cynical as to whether the costs of recall are going to be of any significance to Sony if only a small percentage of buyers takes advantage of the recall. Now that I think about it, the recall may very well be a cynical attempt by Sony to evade further liability over the rootkit. "We offered to replace the CDs, and the plaintiffs simply did not take advantage of our offer. Therefore, we should not be held liable for any subsequent virus infestation, Your Honor."

In the meantime, I am not buying any of Sony's videos or music. In fact, Sony has yet to put out a statement acknowledging that Sony has no right to tamper with buyers' computers.

---
Know your enemies well, because that's the only way you are going to defeat them. And know your friends even better, just in case they become your enemies.

What About Sony's Downloadable Music?
Authored by: Sneakster on Saturday, November 19 2005 @ 10:19 PM EST
Ed,

>I'm not yet familiar with the contents of the Sony-BMG
>rootkit. But it is said to contain "cloaking" technology,
>which pretty much requires modification to such system
>programs as "dir". Classic rootkit. Any AV program that
>routinely monitors system file checksums could fail to
>notice such a rootkit only by deliberate design. Hence
>Mr. Schneier's suggestion of collusion.

Best not to make technical speculations if you aren't "familiar with the contents". Mark Russinovich detailed exactly how the damned thing operates - it hooks important system calls via a kernel mode driver (the reason you have to be Administrator to install it).

Once the filesystem calls are hooked, the kernel mode driver simply hides all files with names beginning with '$sys$' from directory listing system calls. This will affect *any* program that uses those calls, whether directly or via the appropriate run-time libraries, and *NO* program has to have even one byte of its binary modified for this. Therefore, no Tripwire work-alike is going to see this rootkit.

"dir" is not a special program on MS Windows, BTW. It's simply a function internal to the CMD.EXE command line interpreter shell program.

---
Michael A. Hobson
Web Programmer (I am definitely *not* a lawyer)
email: use my yahoo id at yahoo dot com
ICQ: #2186709
Yahoo: warrior_mike2001

Influencing the DRM platform?
Authored by: Anonymous on Saturday, November 19 2005 @ 10:30 PM EST

Will Sony gain or lose by these recent events?

Sony's history is in various stand alone players.

Microsoft's history is PC software; they don't make hardware.

The battleground is the digital home.

Bill Gates believes that Windoze Vista will become the hub of the digital home.

Sony has just demonstrated why it won't.

Stand alone players with the blu-ray disc will be cheap, internet connected and enforce the DRM that Hollywood and the RIAA desires without compromising anyone's data.

Vista home won't be so widely accepted following recent events.

Brian S.

SonicStage 1.5
Authored by: Anonymous on Saturday, November 19 2005 @ 10:37 PM EST
From the help glossary:

OpenMG
A copyright protection technology used when importing and managing audio content from music distribution services or audio CDs.

By using OpenMG compliant applications such as SonicStage, audio content can be encrypted before being stored on the hard disk of a computer so that the audio file cannot be played back on any computer other than the one it was created on. OpenMG is useful in preventing unauthorized distribution of audio content via the Internet.

MG seems to stand for 'Magic Gate'.

Advanced properties on some albums suggest you can reset the checkout count but others stay locked. No rootkit detected by RKR, nothing shows in Ad-Aware or Spybot S&D. Ethereal showed no undue IP packets during opening or playing a recording.

Tufty
F-Secure noticed the rootkit, you say?
Authored by: Anonymous on Saturday, November 19 2005 @ 11:26 PM EST
Yeah, well, umm, they 'noticed' it I guess.

And they said mum about it also!

Mark blogged about it and then about the very same day F-Secure publishes they have knowledge about it. Which frankly, doesn't make them look better in my eyes than the ones who didn't know.

F-Secure didn't report a thing or do anything of practical worth that I'm aware of. They say they were working with Sony on it.

What about their customer base? The people who trust in them and buy their services. Where exactly do they fit in?

One thing for sure, they didn't have much effect convincing Sony it was a security risk. Sony was still producing and marketing the software on the day Mark posted his report. Within a day or so after his report, Sony affirmed that it is not a security risk.

F-Secure knew about it and it was hush, hush. That's how it comes across to me after I read the words straight from F-Secure.

Also, First 4 Internet reported they were working with the anti-virus vendors and specifically mentioned Symantec. If there is any truth to that, I don't know what to say.

I will say that I've read no reports from Symantec denying what First 4 Internet reported.

If I were Symantec and accused of supporting or working with what turns out to be a company producing sleazy rootkits and likely infringing on copyrights to boot, and it were not true, I'd speak up and call First 4 Internet liars for naming me.

I seriously doubt we will see denials from Symantec in this area.

One way to review questionable software.
Authored by: hamjudo on Sunday, November 20 2005 @ 12:37 AM EST
If the DMCA or its ilk may apply to you, consult a lawyer before doing anything remotely close to publishing details about circumventing the copy protection. It seems like it should be ok to report on whether a particular software install is unusually invasive or requires excessive resources.

Some suggested techniques for measuring the resources used by a questionable software install. Use the subset of these tests that match the tools and skills that are available to you. Suggest things that I may have missed.

  • Use a relatively small partition, so you can reasonably copy the whole thing to other media.
  • Start with a baseline install of the OS with appropriate patches installed.
  • Measure the performance of the baseline system, how much disk space is free, and how much memory is free.
  • With an external network host running Ethereal or something similar, monitor the network activity of the baseline configuration on an "idle" system for at least 24 hours.
  • Use one of those tools that can save the entire contents of the registry to a regular file.
  • Boot your computer with a live CD such as Knoppix or Ubuntu.
  • Recursively copy the whole filesystem to a directory on a Linux host or external drive.
  • Also copy the raw image (the bits from the disk) to the external storage.
  • Reboot under the baseline OS.
  • Install the questionable software.
  • Repeat the performance tests. How much, if any, has performance gone down? How much disk space is available now? How much memory is available now?
  • Monitor the network for another 24 hours, while running the questionable software. Is there more network activity? Does it contact different hosts?
  • Copy the registry to a normal file.
  • Reboot under the live CD.
  • Once again recursively copy every file to the external host, and make an image of the disk partition.
  • Compare filesystems. How many files were changed, and in which directories?
  • Compare the registry copies. How many existing registry settings were changed? How many registry settings were added? Were all the new registry settings under the software vendor's company name, or were settings changed in other parts of the registry?
  • Does the amount of disk space available and the amount of new files created add up correctly, or was disk space used outside of the normal filesystem? How much phantom space did the software use?
  • Were any portions of the disk altered that aren't part of the filesystem? I.e. boot blocks or partition tables?
  • Reboot to the OS under study.
  • Uninstall the questionable software.
  • Rerun the performance tests and measurements. Did everything return to the baseline configuration?
  • Did all of the questionable software's network activity go away?
  • Save the registry to the filesystem.
  • Reboot to the live CD, and see if any files or registry keys got left behind.
  • Copy the baseline disk image back to your system before testing other software, or retesting this software.

Write your review. There is no need to be specific about which system files or registry keys got changed, or what hosts were contacted. Just report whether any got changed, or if hosts were contacted.
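
An added example (not code from the page, from any commenter, or from any tool named here such as RKR or Tripwire) that implements the before/after filesystem comparison from the list above and the cross-view check that catches the '$sys$' cloaking described in Sneakster's comment: the same snapshot taken through a raw listing and through an ordinary (here, simulated hooked) listing, with any entry present in only one view flagged. The directory tree, the file names and the hook itself are constructed for the demonstration; the hook is a plain Python filter, not the real driver, and it is assumed to match the prefix case-insensitively.

```python
"""Snapshot-and-diff helper for reviewing a questionable install (added
example). Covers two checks discussed in the comments:
  1. before/after comparison of a directory tree around an install;
  2. cross-view detection of names cloaked from ordinary directory listings.
The '$sys$' hook is a constructed simulation, not the real kernel driver."""
import hashlib
import os
import tempfile
from pathlib import Path

# Name prefix the driver is said to hide. Assumption for this simulation:
# the match is case-insensitive, as Windows filename handling usually is.
HIDE_PREFIX = "$sys$"


def raw_listdir(directory):
    """Unfiltered listing: what a live CD or a direct disk read would see."""
    return sorted(os.listdir(directory))


def hooked_listdir(directory):
    """Simulated cloaked listing: the same call, but '$sys$' names are dropped."""
    return [name for name in raw_listdir(directory)
            if not name.lower().startswith(HIDE_PREFIX)]


def snapshot(root, listdir=raw_listdir):
    """Map every file under root to (size, sha256) using the given listing call.

    The walk goes through `listdir` rather than os.walk so that a filtered
    listing hides a whole subtree, exactly as a hooked directory call would."""
    root = Path(root)
    result = {}
    stack = [root]
    while stack:
        current = stack.pop()
        for name in listdir(current):
            entry = current / name
            if entry.is_dir():
                stack.append(entry)
            elif entry.is_file():
                digest = hashlib.sha256(entry.read_bytes()).hexdigest()
                result[entry.relative_to(root).as_posix()] = (entry.stat().st_size, digest)
    return result


def diff(before, after):
    """Return (added, changed, removed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, changed, removed


def hidden_entries(root):
    """Cross-view check: files the raw view sees but an ordinary, possibly
    hooked, listing does not. No checksum of any binary is involved."""
    api_view = snapshot(root, hooked_listdir)
    raw_view = snapshot(root, raw_listdir)
    added, _changed, _removed = diff(api_view, raw_view)
    return added


def demo():
    """Build a constructed tree, 'install' a cloaked component, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.bin").write_bytes(b"original kernel image")
        (root / "music.wma").write_bytes(b"song")
        baseline = snapshot(root)  # snapshot taken before the install

        # Constructed "install": a visible player, a cloaked directory with a
        # driver inside it, and a modified existing file. No system binary is
        # touched, so a checksum-only check of kernel.bin reports nothing.
        (root / "system32" / "player.exe").write_bytes(b"player")
        (root / "system32" / "$sys$hidden").mkdir()
        (root / "system32" / "$sys$hidden" / "cloak.sys").write_bytes(b"hook")
        (root / "music.wma").write_bytes(b"song with new tag")

        raw_added, raw_changed, raw_removed = diff(baseline, snapshot(root))
        api_added, _, _ = diff(baseline, snapshot(root, hooked_listdir))
        return {
            "raw_added": raw_added,            # seen from the live CD
            "raw_changed": raw_changed,
            "raw_removed": raw_removed,
            "api_added": api_added,            # seen from inside the hooked OS
            "cloaked": hidden_entries(root),   # the difference between the views
            "kernel_checksum_unchanged": (
                baseline["system32/kernel.bin"] == snapshot(root)["system32/kernel.bin"]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cloaked driver shows up in the live-CD diff and in the cross-view check but not in the in-OS diff, which is exactly why the procedure above boots a live CD before copying files.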

you can detect it too
Authored by: Anonymous on Sunday, November 20 2005 @ 04:04 AM EST
You can always run RootkitRevealer or BlackLight. That shouldn't be considered as DMCA bypass madness as it just signals the illegal method of hiding files.

Also, you might catch a keylogger unrelated to Sony :)

Sony's motivation for the recall
Authored by: cybervegan on Sunday, November 20 2005 @ 04:47 AM EST
In another post here, Blacklight reminded me of an observation I made when discussing S0ny's response to their cover being blown. My colleagues and I had been talking about how S0ny were obviously in hot water, what with the Italian Polizia taking it seriously, and three consumer class action suits in the US, and the probability that the kit is probably illegal here in the UK under the Computer Misuse Act.

My comment was "That's why S0ny are recalling the CD - simply to mitigate damages if they lose any one of those cases in the States! If they lose, they'll just resume production, and carry on as if nothing ever happened".

So, I don't think it's about admitting they were wrong - it's more about damage limitation, in the courtroom. They are still in denial; they still don't believe what they did was wrong, and they just can't admit to themselves that this is the wrong approach to copyright infringement.

Assuming I am correct (big assumption) I wonder if, considering the backlash, they are still considering this course of action.

-cybervegan

---
Software source code is a bit like underwear - you only want to show it off in public if it's clean and tidy. Refusal could be due to embarrassment or shame...

Sony May Not Distribute but Others Do
Authored by: hauva on Sunday, November 20 2005 @ 04:54 AM EST
Sony BMG may not distribute their malware but that does not mean that those "CD"s are not found outside of the US.

The public library of Espoo (a city just west of Helsinki, Finland) found a copy in their collection. The "CD" was probably bought from some US wholesaler.

Also, there seems to be network traffic from rooted systems in Finland although Sony claims that the DRM "CD"s have not been distributed in Finland. Some people are forgetting that web shops exist.

---
Ari Makela, Helsinki, Finland
My name is Ari and I am a grokholic.

Sony's root kit
Authored by: Anonymous on Sunday, November 20 2005 @ 05:05 AM EST
the Australian age

Crazy Engineer

What About Sony's Downloadable Music?
Authored by: Jonathan Bryce on Sunday, November 20 2005 @ 07:18 AM EST
The short answer is that CDs are generally priced the same in $ in the US as
they are in £ in the UK. The exchange rate is currently $1.72/£, so even after
international shipping and import taxes, it is cheaper to buy your CDs from
amazon.com than amazon.co.uk.


What About Sony's Downloadable Music?
Authored by: darkonc on Sunday, November 20 2005 @ 09:12 AM EST
Has anybody written to Sony asking for a copy of their source code under the GPL?

---
Powerful, committed communication. Touching the jewel within each person and bringing it to life..


A few thoughts
Authored by: Anonymous on Sunday, November 20 2005 @ 10:20 AM EST
Sony trialled this XCP on a few (?number) music reviewers pre-release. They tried it
out on the radio shows to check the music quality. No problems for about a year.

They next ran it on the internet download sites. This is more complex and risky
as the antivirus companies might pick it up. These guys normally do contact the
vendor if they are large before stating that there is a security problem. But
not a delay this long.

Independent security people - there are a lot of bugs out there - just look at the
bug list for the Linux kernel for example and only so many eyes. Who would have
thought someone like Sony could be so stupid as to try this? At least we know for the
future.

Now F Secure claim to have picked this up 30 days before the blog reveals it to
the world. They like the bigger firms were 'in talks' with Sony.

The blog that revealed the existence of the root kit was by a chap with long
standing connections to MS. He is also a genuine expert on Windows so any
connection here is not clear.

The number of networks seems to exceed 500,000 and the number of machines is
probably > 2 million - we don't know this yet. Sony have this XCP on 50+
titles.

This XCP contains unlicenced code. This is copyright infringement. Thanks to
Sony and their pals in the RIAA et al this is now a criminal action in many
countries.

This means that the retailers involved are facing criminal charges as well. It
seems extremely likely that they have acted innocently and all they will be
forced to do is disgorge their profits from the sale.

Consequences:

Sony are facing or will face both civil and criminal actions in several
jurisdictions for copyright theft, damage to computers, violation of privacy
laws and others. F4I may or may not be facing criminal and civil actions.

The retailers are facing both criminal and civil actions for participating in
possibly the widest ever copyright infringement event ever.

Sony are facing law suits from the retailers for damage to their business (tort
claims), from their artists for loss of sales, damage to reputation etc, from
their shareholders for damage to the share price. The directors in particular
are in trouble because E&O insurance (Errors and Omissions) does not normally
insure you against criminal actions. (The law does not normally uphold a
contract for such criminal actions.)

Moving on - are there still others in the firing line?

I think the answer is possibly yes.

Consider the RICO requirements:

Enterprise - tick that.
Pattern of related activities - tick that.
Continuity - tick that.
Interstate commerce - tick that.
Conduct exceeding one year - tick that.
Directly injured third parties - tick that.
Federal offense - tick that.
Criminal activity - tick that.
Involving more than one party - looks like that with Symantec to me.

Do I think a successful RICO action can be brought here?

Successful civil RICO actions are rare. There are loads of facts we don't know
yet. But if I was an antivirus firm in the US that knew about this root kit
(this includes MS here) I would be waving this past my lawyers - just in case.

--

MadScientist


What About Sony's DVD?
Authored by: Anonymous on Sunday, November 20 2005 @ 10:28 AM EST
Part of the SONY empire, in addition to Sony-BMG, are Sony Pictures et al. (See
below)

I just looked to see if by chance there were any Sony DVD in my very small
collection. I was going to use a Linux based forensic tool kit to see what I
could find. No joy, however, as I seem to be a Sony media free zone.

So the question: has anyone looked at other Sony media?

agriffin
-----------
Sony Corporation of America (SCA)
Outline of Principal Operations

Sony Pictures Entertainment (SPE)
Columbia TriStar Motion Picture Group
- Columbia Pictures
- Sony Pictures Classics
- Screen Gems
- TriStar Pictures
Sony Pictures Home Entertainment
Sony Pictures Television Group
- Sony Pictures Television
- Sony Pictures Television International
Sony Pictures Consumer Products
Sony Pictures Digital
- Sony Pictures Imageworks
- Sony Pictures Animation
- Sony Online Entertainment
- Sony Pictures Digital Networks
- SPiN
- SoapCity®
- Sony Pictures Mobile
Sony Pictures Studios
- Sony Pictures Studios Post Production Facilities
- DVD Authoring Center
- Worldwide Product Fulfillment
Game Show Network
Movielink

What did M$ know and when? N/T
Authored by: Anonymous on Sunday, November 20 2005 @ 11:07 AM EST
N/T


Why are we even having to discuss this?
Authored by: Anonymous on Sunday, November 20 2005 @ 11:36 AM EST
To me it's simple.

If it were me or any private individual, or small company, news of the arrest
would be old news by now.

Why should a deep pocket or two make a difference, they broke the law(s), they
should pay the price, in time not only $$$


Why nobody has noticed all the rootkits yet...
Authored by: Anonymous on Sunday, November 20 2005 @ 07:22 PM EST
I am at times an information security professional, at other times a
professional reverse engineer. Finding, dissecting, neutralizing, and
sometimes *creating* DRM systems and rootkits (or, when I build them,
"remote administration and security audit systems") is a large part of
my day job as well as a hobby and a passion.

I haven't bothered to investigate what these DRM systems do because frankly I've
just assumed that they do everything the Sony rootkit does, and much worse;
hence, determining the specific details of what they do is too much like real
work, and I've never bothered. Actually, I assume *all* proprietary software
these days phones home, hides bits of itself in the dark places in the OS that
I've never heard of, and weakens or entirely defeats security measures. It
doesn't matter to me if these things are done maliciously or just due to
incompetence--both will ruin my day, so I behave in ways that give me blanket
protection from the lot.

If anything, I've been startled to see how *liberal* some of these DRM systems
in the field are--all the data I've seen protected with strong enough encryption
to notice has typically offered no rights to the consumer whatsoever. Granted,
I mostly deal with software and video, not music or books.

If someone absolutely insists that I install some particular piece of
DRM-encumbered software to hear a song, watch a movie, or read a book, I'll
usually just target the weak points of the DRM's encryption system instead of
trying to live within its restrictions, or even bothering to understand what
those restrictions are. I'll capture the data as the DRM system decrypts it,
then keep the data and throw the DRM system away. If I'm unwilling or unable to
break the DRM system, then I'll hear, watch, or read something else. If the
data in question is software, I'll write my own if I can't find something
suitable.

It does take several hours to break these systems, so I'm often motivated to
save my own time by getting the material from a non-DRM-encumbered source, and
to save the time of others by contributing DRM-stripped material back to the
same sources. Ironically, I would not trouble myself to do either of these
things if the original vendor would just sell me a standards-compliant, non-DRM
file in the first place. If the vendors want to treat consumers as the enemy,
then they should not be surprised when consumers cooperate to defeat them. Duh!


SonyConnect = Rootkit?
Authored by: ExcludedMiddle on Sunday, November 20 2005 @ 08:41 PM EST
One of the parts of this discussion needs to be clarified. DRM software is not
equivalent to rootkits, they are distinct concepts. It is the rootkit in Sony's
XCP protection that is the most egregious part of their strategy. While I
dislike DRM, it is less likely to cause system instability, although it can
certainly do so if poorly coded.

The discussion about phoning home and other things that it does are also
troubling, and should be investigated, but unless SonyConnect does something to
modify the operating system to hide itself, or exhibit other rootkit behaviors,
it can only be called DRM software (which is certainly bad enough).

PJ seems to be calling for folks to take a peek at SonyConnect. I would second
that motion, and see what they've been up to.


One word: Imports
Authored by: Anonymous on Monday, November 21 2005 @ 05:36 AM EST

Over here in the UK, it is common practice to import the American versions of CDs, and sell them alongside our locally-produced versions of the same stuff. (Of course, people in the USA won't realise this, since all media of importance or interest are created in Hollywood, and imports to the USA are therefore superfluous. But I digress...)

For example, see Amazon UK's listing for Get Right with the Man. This is clearly marked as an import, although the reviews also clearly mark it as the spawn of evil, etc.

That's how so many people over here got rooted. No need to posit additional draconian measures. However, that doesn't mean they don't exist...


Just say no.
Authored by: philc on Monday, November 21 2005 @ 09:56 AM EST
Send a message with your money. If you believe that privacy is important and
should be protected (and should be treated like protection from "illegal
search and seizure"), don't buy their products. There is plenty of content
and software from companies and organizations that don't infringe your privacy.

MPAA, RIAA, and Microsoft no longer get my money.


Bruce Schneier's article & Open Source
Authored by: Anonymous on Monday, November 21 2005 @ 11:16 AM EST
The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.

This makes me think of something else: there has been an argument going on for some time in the Open Source world about binary device drivers for Open Source operating systems. On one side, the pragmatists (Linus and others in the mostly Linux camp), thinking that they are at least a necessary evil, and on the other hand those, exemplified by OpenBSD's position, who hold that they cannot be tolerated.

Most of the arguments have centered around IP issues, and while the argument has been made that the problem with binary drivers is that you can't inspect the code and therefore must trust the hardware vendor (who shouldn't be trusted), it is my impression that this has always been a secondary argument, coming after the arguments about right to access the hardware.

But this collusion between the security firms and Sony (even if it's only apparent collusion) should be a wake-up call. If you wish a secure system, all of the system must be open source. The idea that a vendor might deliberately compromise security for its own ends was a prudent thought based on possibility. But it's clear now that it is not a matter of possibility, but is inevitable -- simply a matter of time.


What About Sony's Downloadable Music?
Authored by: Anonymous on Tuesday, November 22 2005 @ 01:56 PM EST
I am sitting in my house in Viet Nam. Several people out of 70,000,000+ living
in Viet Nam have died over the last few years from the Bird Flu. More people die
every day here from traffic accidents.

How many people actually died from Mad Cow? Or does anyone remember back that
far?


What About Sony's Downloadable Music?
Authored by: Anonymous on Tuesday, November 22 2005 @ 06:25 PM EST
Actually, Windows XP has something that uses the techniques of Tripwire to
protect a limited subset of the system files from unauthorised (by Microsoft)
changes. It's called System File Protection, and was also in Windows Me. It
checks a protected file on each access to ensure that its cryptographic checksum
is correct, and if it isn't it replaces it from the installation CABs in
realtime, usually without any detectable slowdown.

This, of course, does not protect configuration information in any way, so any
old sort of nastiness can invade the system as long as it doesn't try to rewrite
protected library files. The Registry is open for arbitrary rewriting, though.

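As an added illustration (not from the comment above and not Microsoft's implementation), a toy Python monitor with the same shape as the System File Protection described here: a baseline digest plus a pristine copy per protected file, a check on access that restores a modified file from the cache, and no coverage at all for configuration data. The file names and contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Digest of a file's contents; the on-access check compares against this."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


class FileProtector:
    """Toy SFP-style monitor: baseline digest plus pristine copy per protected file."""

    def __init__(self, protected_paths, cache_dir):
        self.entries = {}
        for p in protected_paths:
            cached = os.path.join(cache_dir, os.path.basename(p))
            shutil.copy2(p, cached)  # the cache stands in for the installation CABs
            self.entries[p] = (sha256_of(p), cached)

    def check_and_restore(self, path):
        """Run on access: 'ok', 'restored' (modification undone), or 'unprotected'."""
        if path not in self.entries:
            return "unprotected"  # configuration data is simply never checked
        digest, cached = self.entries[path]
        if sha256_of(path) == digest:
            return "ok"
        shutil.copy2(cached, path)  # replace the modified file from the pristine copy
        return "restored"


def demo():
    """Constructed scenario: one protected library and one unprotected config file."""
    tmp = tempfile.mkdtemp()
    cache = os.path.join(tmp, "cache")
    os.mkdir(cache)
    lib = os.path.join(tmp, "kernel32.dll")  # constructed stand-in for a protected file
    cfg = os.path.join(tmp, "settings.ini")  # constructed stand-in for Registry-like config
    write(lib, b"ORIGINAL-LIBRARY")
    write(cfg, b"run=legit.exe")
    guard = FileProtector([lib], cache)
    write(lib, b"PATCHED-LIBRARY")  # both files are modified behind the monitor's back
    write(cfg, b"run=other.exe")
    results = (guard.check_and_restore(lib), guard.check_and_restore(cfg),
               guard.check_and_restore(lib))
    lib_after, cfg_after = open(lib, "rb").read(), open(cfg, "rb").read()
    shutil.rmtree(tmp)
    return results, lib_after, cfg_after
```

The library edit is reverted on the next access, while the config change survives untouched, which is exactly the gap the comment points out.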

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )