Slashdot Log In
Sony DRM Installs a Rootkit?
Posted by
ScuttleMonkey
on Mon Oct 31, 2005 06:04 PM
from the slice-of-privacy-pie dept.
from the slice-of-privacy-pie dept.
An anonymous read writes "SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system." This house is clear.
Related Stories
[+]
Your Rights Online: EFF Pushes Consumers to Claim Rootkit Compensation 189 comments
An anonymous reader writes "'It's time for music fans who bought Sony BMG CDs loaded with harmful XCP or MediaMax copy protection to claim their settlement benefits', says the EFF's Derek Slater in an awareness campaign that is urging those inflicted with one of Sony BMG's rootkit infected CDs to collect what is due to them. The compensation is a DRM-free version of the original CD, $7.50, and album downloads from iTunes, Sony Connect, and others."
[+]
Your Rights Online: Sony Rootkit Settlement Gets Judge's Approval 187 comments
Lewis Clarke wrote to mention a ZDNet story about Monday's final approval of the rootkit settlement in the case brought against Sony BMG Music. From the article: "The agreement covers anyone who bought, received or used CDs containing what was revealed to be flawed digital rights management (DRM) software after Aug. 1, 2003. Those customers can file a claim and receive certain benefits, such as a nonprotected replacement CD, free downloads of music from that CD and additional cash payments ... At least 15 different lawsuits were filed by class action lawyers against the record label, and the New York cases were eventually consolidated into one proceeding. The parties reached a preliminary settlement with Sony BMG in December, leaving it up to a judge in a U.S. District Court in New York to make it official. "
[+]
Your Rights Online: Sony Settles With FTC Over Rootkits 133 comments
The FTC has struck a deal with Sony punishing Sony for the rootkits it included on millions of CDs in 2005. The deal is exactly like the Texas and California settlements — $150 a rootkit. The settlement isn't final yet. There will be a 30-day public consultation. American citizens who read Slashdot might want to put in their two cents. Comments will be accepted through March 1 at: FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580 (snail mail only). Here is the FTC page announcing the settlement.
This discussion has been archived.
No new comments can be posted.
Sony DRM Installs a Rootkit?
|
Log In/Create an Account
| Top
| 801 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
My question: (Score:5, Interesting)
Re:My question: (Score:5, Interesting)
(http://ryanlrussell.blogspot.com/ | Last Journal: Friday February 09 2007, @12:09PM)
Mark didn't get into a lot of detail about all of the functions, but he didn't mention any backdoors or phone home functionality.
Re:My question: (Score:5, Interesting)
(http://www.networkboy.net/)
-nB
Sony is protected by the DMCA (Score:5, Interesting)
(http://slashdot.org/)
If you do this, then you are deliberately disabling a copy protection system, which is illegal under the DMCA. So Sony can sue you.
[Note: this varies with your jurisdiction. No DMCA in Canada, yet.]
Doug Moen.
Re:Sony is protected by the DMCA (Score:5, Insightful)
(Last Journal: Tuesday October 19 2004, @06:57AM)
I can disable a copy protection system on my own computer - specifically removing it. They didn't have permission to put it there, and I think it would be a tough case to prosecute me for repairing my own computer. My computer is not Sony's medium to do with as they please - it's MINE - I paid for it, and I licensed the software.
Now, removing the protection from their media - or extracing the content and freeing it from the DRM, yes, that's circumvention, and probably prosecutable under the DMCA.
But my computer is MINE and they don't have the right to secretly fuck with it.
Re:Sony is protected by the DMCA (Score:4, Informative)
(Last Journal: Sunday December 03 2006, @11:20PM)
I'm not sure what jurisdiction -you're- in, but the last I checked anywhere, those general "not our fault" clauses don't mean a thing against something done intentionally. If you are with full awareness doing something malicious, that is a totally different animal then accidentally releasing bugged software, and "not our fault" won't even begin to protect them.
Re:Sony is protected by the DMCA (Score:4, Insightful)
(Last Journal: Wednesday November 14, @02:21PM)
Upon the expiration or termination of this EULA, you shall immediately remove all of the LICENSED MATERIALS from your personal computer system and delete or destroy them, along with any related documentation (and any copies thereof) that you may have received or otherwise may possess
So, pretty much what they want me to do is, if I decide to terminate the agreement I have to re-format my system.
Re:Sony is protected by the DMCA (Score:5, Interesting)
I'd vote for trespass, but I also don't have any content to sell. Mark, how's the adminpak selling? I hope you've got some good DRM on your CD's if you're any indication of the talent that's out there...
Re:Sony is protected by the DMCA (Score:5, Insightful)
He didn't remove the DRM for access to songs.
He removed the DRM from his computer (effectively
a manual uninstall). They did imply in the document that he was allowed to uninstall it.
Re:Sony is protected by the DMCA (Score:5, Informative)
(http://slashdot.org/)
US Law Title 17 section 1201: [cornell.edu]
Circumvention of copyright protection systems
(a) Violations Regarding Circumvention of Technological Measures.--
(1) (A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title.
The act of circumvention itself is indeed criminalized by the DMCA.
Note that the DMCA also says:
(c) Other Rights, Etc., Not Affected.--(1) Nothing in this section shall affect rights, remedies, limitations, or defenses to copyright infringement, including fair use, under this title.
That sounds pretty good, right? Except it's pure bullshit, law literally written by lawyers employed by the publishing industry. It means absolutely ZERO. It says it protects/preserves Fair Use defenses to Copyright Infringment. However CIRCUMVENTION CRIME is not copyright infringment. Circumvention crime has absolutely nothing to do with copyright infringment. There is no Fair Use defence to cricumvention crime. So what that section really says is that a NONEXISTANT defence is not affected. It sure sounded nice though, didn't it?
-
Re:Sony is protected by the DMCA (Score:5, Interesting)
(http://indigoid.net/)
Re:Sony is protected by the DMCA (Score:5, Insightful)
When I buy a CD, I shouldn't have to expect it to install a rootkit, and have to check the included materials to see if it does; it's Sony's responsibility to tell me they're messing with my software, and ask for consent...
Re:Sony is protected by the DMCA (Score:5, Insightful)
They'd better hope it's them, because if it's us, then it's not circumventing their copy protection scheme to hold down shift while I load the CD, is it?
On the other hand, if it's them and they install software on my PC without my permission in the UK, my lawyer would like to talk to them about the Computer Misuse Act.
Oh dear. This sounds like a lose-lose proposition for Sony. That's really, y'know, too bad and all. :-)
Sony is flirting with trouble... (Score:5, Interesting)
(http://www.thebamboogrove.com/ | Last Journal: Wednesday April 06 2005, @03:09PM)
IANAL, however, I believe that contracts that are made in bad faith, or with the intent to decieve a particpant are not binding. If this is the case, I think that I wouldn't be hard to argue in a court that you have no obligation to keep Sony's rootkit (by deffinition an illicit and deceptive tool) on your computer. Moreover, you might also be entitled to damages resulting from said 'bad faith' agreement.
Even if my assessment isn't quite correct, it seems to me that it is probably fuzzy enough of a point to invite litigation. If I were a multimillion(billion?) dollar company I wouldn't be the one to test the legal water on something like this.
Re:Sony is protected by the DMCA (Score:5, Informative)
This isn't the first time Sony's had this idea. Years ago they asked someone to write a virus to subliminally provide marketing to people. This motivated the person they asked to write a book called Coercion.
Re:Sony is protected by the DMCA (Score:5, Insightful)
Furthermore, your argument is simply insane, even if applied to software CDs. Do I give permission to any software vendor to install anything they want when I run the installer executable? Do I give them permission to wipe my hard drive? Install malicious, intentionally uninstallable programs? Monitor my activities when not using their software?
Even the most ardent proponent of EULAs couldn't make the claim that you give such permissions by default. Unless they specifically ask, they don't have permission to do anything that isn't specifically part of the product as a reasonable person would perceive it to be.
Re:Sony is protected by the DMCA (Score:4, Interesting)
And the EULA doesn't mention this rootkit or anything like it, from what I've read. In my opinion, I have the right to create a secure environment for my data, and the rootkit subverts that. Since the EULA doesn't mention it, I'm free to remove unauthorized the unauthorized code.
Bad Sony! No biscuit!
Re:Sony is protected by the DMCA (Score:5, Informative)
(http://slashdot.org/)
See, the problem with this is you did not give them permission. You didn't even run their executable. It happened without your expectation, knowledge, or consent.
You popped in what you thought was a nice little audio CD. Because Microsoft has been configured to run the software on these CDs by default, you end up running it -- that's not permission. When you put in an audio CD, you expect to hear, well, music. Not to have something installed on your computer which compromises its security.
You can't say that someone accepted terms of use when Microsoft, acting in conjunction with these companies, decided that what needs to happen is that any CD with executable code on it needs to be executed blindly and without user confirmation.
For the vast majority of users, playing a CD in their computer is shockingly like playing a CD in their CD player. It is neither a tacit nor an explicit agreement to run any and all software they may have installed on it.
It is a complete mis-representation to claim that you gave permission for them to do anything they wanted to do with it. If I open my door to a solicitor, that doesn't give them the right to enter my home and do anything they damned well please.
This absurbd notion that what is, in effect, trojan software has been accepted by the user simply because they decided to play an audio CD in their computer is complete and utter tripe. And saying that you "should have known better" is a complete cop-out -- we already know that the vast majority of computer users simply lack the knowledge to prevent this sort of thing. Especially when the OS manufacturer has decided a priori for you that is what will happen.
Now, if they put in big honking letters on the CD case that if you play this CD on a Windows machine, software will be installed on your machine, your argument might have merit. But the simple fact that it is NOT spelled out in big font, means that, for all intents and purposes, this is a trojan.
Imagine extending this totally absurd argument to credit cards -- 'by handing your credit card to the waiter to pay your bill, you tacitly agree to paying for the staff trip to Aruba'; Oh, didn't know? How dare you? It's a bullshit argument in either case, because you imply consent where, clearly, none was given.
In either case, you show me where the user has actually agreed to anything, and your point might be valid. Otherwise, it's after-the-fact rationalization based on the absurd notion that the user knew what would happen.
Now, I realize as I'm writing this that your ID lists you as Andrew Tanenbaum -- so I'm forced to conclude one of two things -- 1) It's a popular, but misleading name on Slashdot, or 2) the Great Andrew Tanenbaum has absolutely no clue about what is reasonable for a company to do to the end-users machines. In either case, I'm not impressed. If 2), then you're just a standard Slashdot schmoe, and I expect nothing more, but you're still misinformed. If it truly is 1), then I've lost a great deal of respect for you -- because a professor of this stuff should know better, because you bloody well get paid to be informed about this stuff. Asserting that you somehow gave permission somewhere in that process is utter crap! An agreement I was never shown is null-and-void.
Cheers
_WHAT_ EULA?!?! (Score:5, Insightful)
Re:Sony is protected by the DMCA (Score:4, Funny)
Legal Precedent in other forms (Score:5, Funny)
(Last Journal: Thursday April 18 2002, @07:50PM)
If I kill you to prevent you from killing me, killing you is self defense and not a crime. Seems reasonable that if I kill Sony's process to prevent it from stealing my ID that it's self defense and not a crime. The DMCA is one of those laws that is so out of whack, nevermind the US Constitution. It probably violates Brittish common law, the Magna Carta, and if you look hard enough it probably violates the code of Hammurabai and the social order of primitive hunter-gatherer cultures too.
Re:Sony is protected by the DMCA (Score:4, Interesting)
(http://www.baronams.com/staff/coats/)
Re:My question: (Score:5, Insightful)
(http://venganza.org/)
Re:My question: (Score:5, Interesting)
It'll go like this: Somebody out there with an axe to grind against Sony is going to lift this code intact, with no modifications, and marry it with a worm that goes around and infects peoples machines with some nasty or other that executes with a file that has a name beginning with $sys$ and cause some real trouble with it.
Net result, the infected folks are going to have a SERIOUS beef with Sony over the fact that the "invisible" file was able to install itself and run its merry course completely under the radar. All because of a piece of shit attempt by a fucked up Giant Corporation that was attempting to further line its pockets by installing some ... shall we say, hmm, unsavory code?
Ok script kiddies, you have your assignment. Now get to work!
Re:My question: (Score:5, Insightful)
(Last Journal: Wednesday May 11 2005, @11:01PM)
Answer: This is truly evil (Score:5, Insightful)
(http://shanenj.tripod.com/ | Last Journal: Tuesday October 09, @02:14PM)
Seriously speaking, this shows two things. One is yet another demonstration of the fundamental evil of Microsoft's "security" model. Even if you weren't running as root/Administrator (and everyone does, don't they?), then the "reputable" installation from the "reputable" company would just ask you to elevate your privileges.
The other thing is that power is always abused. If not now and by Sony, then tomorrow by some other "reputable" company. (Or put on your tin hat and say "Yesterday by the NSA.")
I hope they track this story, and if it is not another misguided /. rumor, I certainly hope that Sony repudiates the technique and the software. Soon.
Then they should apologize.
Then sack the person responsible.
Then sack the person responsible for not sacking the responsible person earlier.
[Infinite loop warning.]
Re:Answer: This is truly evil (Score:5, Informative)
Offtopic, but..
If you think a stock will move but don't know in which direction, buy get and put options at the current price. They'll be in the money after any significant stock movement. Called a Long Straddle [riskglossary.com].
Re:My question: (Score:5, Informative)
(http://paperlined.org/)
Still, one would hope that Sony would only choose reputable suppliers, ones who wouldn't allow a virus/trojan to be distributed intentially or even through neglect.
Re:My question: (Score:5, Insightful)
I think it's far more likely that Sony knew what this software did, and chose to distribute it anyway. This could have been a result of incompetent testers, poor communication between QA and management, overbearing management anxious to get a product out on a strict deadline, or any number of other things.
Re:My question: (Score:5, Funny)
You never played Star Wars Galaxies, did you?
Re:My question: (Score:5, Insightful)
(http://www.utlemming.org/)
In democratic america... (Score:5, Insightful)
hrm, so much for humor. I don't find it funny at all
Re:In democratic america... (Score:5, Insightful)
i don my tinfoil hat and robe...
Re:In democratic america... (Score:5, Funny)
(http://www.underachievement.org/ | Last Journal: Sunday January 21 2007, @10:58PM)
Wow, a tinfoil hat and robe! When do the pants and underwear come in?
However when you said "hat and robe", my first thought was of Bloodninja's cyber adventures [albinoblacksheep.com].
Re:In democratic america... (Score:5, Interesting)
(http://calum.org/)
Re:In democratic america... (Score:5, Informative)
(http://www.underachievement.org/ | Last Journal: Sunday January 21 2007, @10:58PM)
Insightful indeed.
The thing is that there is more than a corporation here. The artist that chose to sign with Sony is now going to feel the repercussions of this dirty little trick Sony tried to play. Do you think that Sony really cares if they loose a few sales of this one CD because they got caught red-handed? Of course not.
These record labels are not only exploiting the consumer, but they are screwing over the artists that depend on them for advertising and distribution. Here is contact information [thevanzants.com] for Van Zant [thevanzants.com]. Let them know that you're pissed. Let them know you won't be buying their CD. Let them know that they were screwed by Sony. While you're at it, why not let First4Internet [first4internet.com] know that you hate them and hope they burn in Hell for writing malware like this. A few thousand emails will do wonders for these jerks.
If enough artists move away from these corporate labels it can only mean good things for the consumers. It's not impossible for this to happen, just extremely difficult.
Re:In democratic america... (Score:4, Insightful)
iTunes Australia and Japan (Score:5, Interesting)
I'm really starting to hate that company. This BS "DRM" is just the icing on the cake. Sure, iTunes has DRM, but it's quite benign (5 computers, unlimited ipods, unlimited burns per song, 7 burns per album).
They're too big, and have their hands in too many pots. Time for Sony artists to take a stand and go with somebody else (quite difficult, considering the ass-raping contracts they probably had to sign). Essentially, Sony are denying their artists a source of income to satisfy the needs of their consumer electronics department. I'd be pissed.
Re:In democratic america... (Score:5, Insightful)
I've read two relevant quotes.
"Democracy is the theory that the people know what they want and deserve to get it good and hard."
"In communism, man exploits man. In capitalism, it's the other way around."