Sony DRM Installs a Rootkit?

Posted by ScuttleMonkey
from the slice-of-privacy-pie dept.
An anonymous reader writes "SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It's installed with a DRM-encumbered music CD, Van Zant's "Get Right with the Man". (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with '$sys$'. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to 'exorcise the daemon' from his system." This house is clear.

  • My question: (Score:5, Interesting)

    by conJunk (779958) on Monday October 31, 2005 @07:05PM (#13919067)
    Now is that *sony's* rootkit, or a soon-to-be-former-sony-employer's rootkit?
    • Re:My question: (Score:5, Interesting)

      by ryanr (30917) * <ryan@thievco.com> on Monday October 31, 2005 @07:11PM (#13919136) Homepage Journal
      If you read the article, there's a strong implication that this is a purchased commercial rootkit. Presumably, Sony very deliberately licensed and distributed it.

      Mark didn't get into a lot of detail about all of the functions, but he didn't mention any backdoors or phone home functionality.
      • Re:My question: (Score:5, Interesting)

        by networkBoy (774728) on Monday October 31, 2005 @07:14PM (#13919153) Homepage Journal
        Honestly, I see this as a real exposure to a lawsuit. If I accidentally install this rootkit on my system, then try to remove it (seeing as it looks like a genuine security breach) and then disable my computer, thus having to bring it in for service, what then? If a malware company uses the rootkit's ability to hide $sys$ prefixed files and uses that to steal my identity, costing me thousands of dollars and hundreds of hours of time to get my identity back, can I sue?

        -nB
        • by dmoen (88623) on Monday October 31, 2005 @07:46PM (#13919414) Homepage
          I see this as a real exposure to a lawsuit. If I accidentally install this rootkit on my system, then try to remove it...

          If you do this, then you are deliberately disabling a copy protection system, which is illegal under the DMCA. So Sony can sue you.

          [Note: this varies with your jurisdiction. No DMCA in Canada, yet.]

          Doug Moen.

          • by hazem (472289) on Monday October 31, 2005 @07:50PM (#13919451) Journal
            Doug, I think you're wrong.

            I can disable a copy protection system on my own computer - specifically removing it. They didn't have permission to put it there, and I think it would be a tough case to prosecute me for repairing my own computer. My computer is not Sony's medium to do with as they please - it's MINE - I paid for it, and I licensed the software.

            Now, removing the protection from their media - or extracting the content and freeing it from the DRM, yes, that's circumvention, and probably prosecutable under the DMCA.

            But my computer is MINE and they don't have the right to secretly fuck with it.
            • by mrBoB (63135) on Monday October 31, 2005 @09:46PM (#13920200)
              Unfortunately, this is only something that could be dealt with at a trial. Whose rights are more valuable, the content provider, or the paying customer? A person has a reasonable expectation of privacy and security on his or her home computer. Any attempt to circumvent this privacy or security should be construed as trespass. On the flipside, recording artists and the companies that represent them have an expectation that their work is compensated, and that "legal" means to protect their interests be respected. I'm not arguing for the DMCA here, however it _IS_ law. By removing the Sony-installed malware, Mark has broken the law. But so is trespass illegal, so tell me, which is a greater abomination?

              I'd vote for trespass, but I also don't have any content to sell. Mark, how's the adminpak selling? I hope you've got some good DRM on your CD's if you're any indication of the talent that's out there...
          • by istartedi (132515) on Monday October 31, 2005 @09:36PM (#13920146) Journal

            If I kill you to prevent you from killing me, killing you is self defense and not a crime. Seems reasonable that if I kill Sony's process to prevent it from stealing my ID that it's self defense and not a crime. The DMCA is one of those laws that is so out of whack, never mind the US Constitution. It probably violates British common law, the Magna Carta, and if you look hard enough it probably violates the code of Hammurabi and the social order of primitive hunter-gatherer cultures too.

          • by coats (1068) on Tuesday November 01, 2005 @08:30AM (#13922460) Homepage
            I'll wager you a Coke against a Pepsi that Mark Russinovich's computer was password-protected. Sony deliberately and surreptitiously evaded that password protection to invade and change settings on Mark's computer. Tell me why he should not sue SONY for DMCA violation!
        • Re:My question: (Score:5, Insightful)

          by slavemowgli (585321) on Monday October 31, 2005 @07:47PM (#13919422) Homepage
          You can always sue. The real question is: will you win? And even though IANAL, I'd say you have a pretty good case here; if the EULA does not even *mention* any of this, then it probably constitutes an illegal act.
          • Re:My question: (Score:5, Interesting)

            by DoraLives (622001) on Monday October 31, 2005 @09:34PM (#13920134)
            Actually this is a major limited access high speed expressway to seriously fuck with Sony.

            It'll go like this: Somebody out there with an axe to grind against Sony is going to lift this code intact, with no modifications, and marry it with a worm that goes around and infects people's machines with some nasty or other that executes with a file that has a name beginning with $sys$ and cause some real trouble with it.

            Net result, the infected folks are going to have a SERIOUS beef with Sony over the fact that the "invisible" file was able to install itself and run its merry course completely under the radar. All because of a piece of shit attempt by a fucked up Giant Corporation that was attempting to further line its pockets by installing some ... shall we say, hmm, unsavory code?

            Ok script kiddies, you have your assignment. Now get to work!

        • by shanen (462549) on Monday October 31, 2005 @07:50PM (#13919454) Homepage Journal
          So should I sell all of my Sony stock, or buy more?

          Seriously speaking, this shows two things. One is yet another demonstration of the fundamental evil of Microsoft's "security" model. Even if you weren't running as root/Administrator (and everyone does, don't they?), then the "reputable" installation from the "reputable" company would just ask you to elevate your privileges.

          The other thing is that power is always abused. If not now and by Sony, then tomorrow by some other "reputable" company. (Or put on your tin hat and say "Yesterday by the NSA.")

          I hope they track this story, and if it is not another misguided /. rumor, I certainly hope that Sony repudiates the technique and the software. Soon.

          Then they should apologize.

          Then sack the person responsible.

          Then sack the person responsible for not sacking the responsible person earlier.

          [Infinite loop warning.]

    • Re:My question: (Score:5, Informative)

      by interiot (50685) on Monday October 31, 2005 @07:16PM (#13919167) Homepage
      The rootkit is by First 4 Internet [first4internet.co.uk]. It's possible that Sony simply purchased this DRM from this outside company, not realizing that the DRM contained a rootkit.

      Still, one would hope that Sony would only choose reputable suppliers, ones who wouldn't allow a virus/trojan to be distributed intentionally or even through neglect.

      • Re:My question: (Score:5, Insightful)

        by eln (21727) on Monday October 31, 2005 @07:36PM (#13919333) Homepage
        And nobody at Sony bothered to vet a piece of software that was destined to be shipped with millions of CDs? It's beyond absurd that a company of Sony's size would allow a piece of software to appear on any of its products without Sony having tested the hell out of it first.

        I think it's far more likely that Sony knew what this software did, and chose to distribute it anyway. This could have been a result of incompetent testers, poor communication between QA and management, overbearing management anxious to get a product out on a strict deadline, or any number of other things.
        • by Anonymous Coward on Monday October 31, 2005 @07:59PM (#13919538)
          > It's beyond absurd that a company of Sony's size would allow a piece of software to appear on any of its products without Sony having tested the hell out of it first.

          You never played Star Wars Galaxies, did you?

      • Re:My question: (Score:5, Insightful)

        by utlemming (654269) on Monday October 31, 2005 @07:39PM (#13919359) Homepage
        However, it might not protect them from a product liability suit. Simply put, if that had happened to me, I would have bought a new hard drive, reinstalled everything and then copied the data that I needed over, and then filed a product liability suit. I would have claimed everything from illegal computer trespass, product liability, vandalism, and anything else that might have sounded half-way reasonable. The fact that a root-kit was installed on the computer to protect music shows that privacy now takes a second place seat to someone else's property rights, when that person isn't even present. In this case the music industry, if allowed to get away with it, is violating privacy and property rights of another person in order to protect their property rights.
  • by Anonymous Coward on Monday October 31, 2005 @07:06PM (#13919071)
    corporations exploit YOU!

    hrm, so much for humor. I don't find it funny at all :/
  • as if (Score:5, Insightful)

    by scenestar (828656) on Monday October 31, 2005 @07:06PM (#13919074) Homepage Journal
    DRM wasn't intrusive in the first place.
  • by jeremy111 (95134) on Monday October 31, 2005 @07:07PM (#13919089) Homepage
    And let me guess, it offers you an EULA and exempts Sony from any liability for damages caused by this thing?
  • Anti-spyware Bill (Score:5, Insightful)

    by AKAImBatman (238306) * <akaimbatman@gmai[ ]om ['l.c' in gap]> on Monday October 31, 2005 @07:08PM (#13919094) Homepage Journal
    We *really* need to get an anti-spyware bill on the books. Something along the lines of, "It shall be a criminal offense to install non-application software on any computer when the user has not been reasonably notified in advance and/or agreed to have the modifications made. This bill will be reevaluated for its effect in three years."

    Anything running in the background, rootkits, and other forms of spyware (which generally rely on the user not knowing they're there) would immediately become illegal.
    • by queenb**ch (446380) on Monday October 31, 2005 @07:48PM (#13919434) Homepage Journal
      Problem #1 - Mr. Spyware Programmer in Nigeria where such things aren't illegal.

      Problem #2 - Mr. Identity Thief in weird 3rd world country where such things are illegal but are tacitly condoned by local authority as long as it's not someone from their country

      Problem #3 - Mr Corporate Lobbyist - RIAA & MPAA ring any bells????

      Problem #4 - Your privacy has been dead for decades. The sad part is that people are just now starting to smell the rotting corpse.

      Passing a bill here in the USA will only do what CAN-SPAM did - drive them off shore to less regulated places. What's really needed is the ability to establish peering points that coincide with national borders. Then we can pass a law that says that if we don't like your data integrity laws, we don't pass traffic to/from you.

      See if that doesn't actually accomplish what you're looking for.

      2 cents,

      Queen B

    • by jd (1658) <imipak @ y a h o o .com> on Monday October 31, 2005 @08:00PM (#13919546) Homepage Journal
      ...could probably be used in this way, for this software. The program was unquestionably not authorized by the user, as it is not declared in the EULA. As there is no apparent (yet) "Phone Home" capability, it would not violate the Data Protection Act. It might violate trespass/break-and-entry laws, as the only reason the hacker of Prince Philip's e-mail account escaped conviction was that a transient tool was not considered a lockpick. This is a permanent tool that permits repeated intrusion, so I would guess the courts would be more sympathetic to the argument that it was breaking and entering. IANAL, but most people in computing in Britain have covered the DPA and CMA to some degree, because these are things IT people need to be careful of. It is possible - though unlikely - that the EU could also prosecute Sony over this, as it may infringe on privacy and computer protection laws in Europe. It's very doubtful the EU would take such action - they barely took any action against Microsoft for anything it did - but if Sony or other companies aggravate the situation enough, there ARE elections in Italy coming up and the ruling elite there could do with someone to victimize.

      America - well, there's no privacy in the US of A. The trade in personal information is open and widespread. There is an excellent chance that if anyone tried to prosecute Sony over privacy infringements that it would be laughed out of court. You can't protect what you don't have. Possession is 9/10ths of the law, and Americans possess very little - much as they often like to believe otherwise.


      Sony actually has a much stronger case. Reverse-engineering their DRM scheme is in direct violation of both the letter AND the spirit of the DMCA, which is explicitly intended to prohibit exactly this kind of research (ie: the study of the spyware) and this kind of result (ie: the removal of it, afterwards). Depending on who Sony licensed the rootkit from, there is a possibility it might also violate aspects of the PATRIOT act. (If the rootkit is also used by any law enforcement groups, then this study could compromise wiretapping provisions in the act.)

      • by Tony Hoyle (11698) <tmh@nodomain.org> on Monday October 31, 2005 @09:06PM (#13919969) Homepage
        The computer misuse act makes the unauthorised alteration of computer data a criminal offence... that's the whole anti-hacking bit that has been used to prosecute a few teenagers (and scare a few thousand others).

        Since I did *not* authorize Sony to install a rootkit (authorisation to play a CD won't stretch that far) they have broken the law, and should be prosecuted.

        Luckily we have corporate legal liability in this country too...
  • by cwtrex (912286) on Monday October 31, 2005 @07:08PM (#13919107) Journal
    I'm downloading RootkitRevealer now. I wonder how long it is going to take for Norton and McAfee to upgrade their Rootkit detection abilities? Next year's anti-virus release? The last rootkit that Norton found on a computer at work was well spread and had been out for 6 months. It still was unable to remove/fix the infection. :(
  • OS's fault (Score:3, Interesting)

    by aachrisg (899192) on Monday October 31, 2005 @07:09PM (#13919110)
    Microsoft needs to make it completely impossible for any software to do something like this unless the user runs in some special maintenance mode or logs in as some special account. They can make an exception for windows updates which are signed by them.
  • by KidHash (766864) on Monday October 31, 2005 @07:09PM (#13919111) Homepage
    Not that this makes it better in any way, but I liked how he said

    I hadn't noticed when I purchased the CD from Amazon.com that it's protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known

    followed by a picture of the amazon web page in question with [CONTENT/COPY-PROTECTED CD] clearly visible in massive letters.
  • Is the EULA valid? (Score:5, Insightful)

    by nweaver (113078) on Monday October 31, 2005 @07:09PM (#13919115) Homepage
    Since spyware WITH a proper EULA has been held to be in violation by the FTC, and since this EULA [sysinternals.com] doesn't really mention the rootkit's difficulty of removal, this might be litigatable.

    Of course, Mark Russinovich did (inadvertently) disassemble content protected by the EULA.
    • Worse, it should not be legal in the first place for such an extreme eula. Many spyware programs from 180networks already do not have an eula and just come bundled.

      If we had an eula where the user agreed to be held as a slave would that be legal too? I think not.

  • by chrispyman (710460) on Monday October 31, 2005 @07:12PM (#13919140)
    It's one thing to copy protect your CDs to make it difficult to rip but it's another thing to install a rootkit that is by definition difficult to remove. Who's going to clean up this mess when a Microsoft patch or SP comes around and breaks any computer with this installed?
  • Thanks (Score:5, Interesting)

    by BCW2 (168187) on Monday October 31, 2005 @07:13PM (#13919144) Journal
    I am very glad to hear about this. That CD WAS on my birthday list for next week.

    Sony just lost a sale, end of story.
    • Re:Thanks (Score:5, Insightful)

      by Flower (31351) on Monday October 31, 2005 @07:30PM (#13919279) Homepage
      Don't tell Sony. Tell the Brothers that they lost a sale. Let them know that the product they worked so hard on now has poorly written software on it that could damage your computer. And though you want their music you can't buy it and you're going to tell your friends not to risk buying this CD.
  • by Billly Gates (198444) on Monday October 31, 2005 @07:18PM (#13919182) Journal
    What is next? Drm that will rewrite your bios and turn your pc into an expensive doorstop for copyright violation?

    As if spyware itself is miraculously legal and now we have this? Rootkits and spyware programs that append to windows in the mbr so even a reinstall won't delete them IS TOO FAR!

    I agree with a previous poster that it should be a criminal offense the same category as spraypainting someone's house or breaking and entering. Why do we allow this crap to be legal?

    It's time we wrote our elected officials and inform them about what is happening and about Sony's drm and demand civil and criminal responsibility for malware makers. I don't care if it's the CEO of some company spraypainting my house vs a teenage kid. It's still illegal and Sony should be held accountable.

    I was reading on cnn about the drop of ecommerce even though there is still a rise in internet usage. This is due to all the spyware/scams/malware that is infecting pc's at record rates. This is killing our economy and many companies such as Google, Amazon, and Ebay are already getting hit with their wallets over these scams.

    Let's organize and make a difference. This is a slippery slope and I fear what is coming next.
    • by burnsy (563104) on Monday October 31, 2005 @07:36PM (#13919330)
      "What is next? Drm that will rewrite your bios and turn your pc into an expensive doorstop for copyright violation?"

      Yes, look for it in your next Blu-Ray Disc Player.

      http://www.engadget.com/entry/1234000737057152/ [engadget.com]

      "On top of that, consumers should expect punishment for tinkering with their Blu-ray players, as many have done with current DVD players, for instance to remove regional coding. The new, Internet-connected and secure players will report any "hack" and the device can be disabled remotely."

    • by mcrbids (148650) on Monday October 31, 2005 @08:19PM (#13919664) Journal

      Let's organize and make a difference.


      OK, let's. I assume that this is a call to join a foundation, organization, or movement. What have you decided to call this organization? What's the mission statement? What are the goals of the organization? Meeting times? Rallies?

      Yep, I just might be interested. Really.

      If you're serious, that is - but I don't think you are. See, if you were, you'd have to stretch yourself outside of your current "comfort zone", which currently includes your computer, and quite possibly your mother's basement, but not much else.

      But, if you WERE serious, and you REALLY DID put out enough effort to register a domain name, make a website, put together some business cards, talk to REAL LIVE PEOPLE (instead of your laptop) at real, live events, you'd find out very quickly what real, live people think. You'd grow immensely, as a result. Your skills at working with people, and your earning power would be forever improved, and your understanding of your true role in society would be much, much firmer.

      You would forever be a bigger, better person.

      I dare you to put together an organization of at least 100 members towards your cause. In order to be a "member", they have to have contributed at least $10 in CASH towards your cause's war chest. (And, I know you can do it, because I did)
  • by Shadow Wrought (586631) <[shadow.wrought] [at] [gmail.com]> on Monday October 31, 2005 @07:19PM (#13919191) Homepage Journal
    Man, Sony'll do anything to make sure your system has their Cell in it.
  • Time to... (Score:4, Informative)

    by heinousjay (683506) on Monday October 31, 2005 @07:19PM (#13919194) Journal
    Turn off autorun [annoyances.org].
  • by BeBoxer (14448) on Monday October 31, 2005 @07:28PM (#13919264)
    I know you can disable auto-run and such to get around this type of crap. But what happens if you just 'disagree' or whatever on the EULA? I assume that Sony will then not install the rootkit and you can rip the CD with whatever tool you normally use? Or does Sony install the rootkit anyway, setting themselves up for criminal prosecution? Does anybody have a copy of this thing to try and answer that question?

    It just seems kind of silly to have DRM which is totally dependent on the user to request it be installed. Or can refusing an EULA be considered a violation of the DMCA?
  • by elgee (308600) on Monday October 31, 2005 @07:29PM (#13919271)
    Getting a cockroach with my just purchased pizza.
  • by sikandril (924466) on Monday October 31, 2005 @07:29PM (#13919273)
    This is exactly the same mentality that brought us the memory stick and the mp3 walkman who could not play mp3's, only ATRAC. Incidentally, Sony profits are down 46% this quarter. I can only add that this is another nail in the coffin of a company once known for its innovation, high standards and uncanny understanding of the consumer's mind. They better hope the Ps3 saves their collective asses.
  • by LM741N (258038) on Monday October 31, 2005 @07:30PM (#13919278)
    You can't enter into a contract which violates the law. Thus a "contract killing" is not a valid contract.
  • by cyclocommuter (762131) on Monday October 31, 2005 @07:31PM (#13919287)
    ...after he tried to rip another Sony produced CD "Healthy in Paranoid Times" by the Our Lady Peace:

    Disappointing, to say the least..., October 14, 2005

    A Kid's Review (Amazon.com)

    I tried copying this CD, not knowing that it was protected. So, I ripped it to my hard-drive and burned it. But, when I inserted the burned copy into my computer, the screen froze for a while, and an installer icon appeared on the taskbar in the bottom right. It installed something - and now I cannot burn anything, with any program. I've even tried using a different, external CD burner. A disk error comes up during burning, even if I am not burning audio CDs. This was not a fluke. I've talked to other people this has happened to. Avoid anything with "copy protection." Sony might as well burn viruses onto the CDs they distribute.
  • by Jason1729 (561790) on Monday October 31, 2005 @07:33PM (#13919309)
    I used to buy a lot of CDs but stopped around the time of the napster lawsuit. I would probably still be buying 2-3 discs/month if I didn't consider it immoral to buy CDs.
  • Awesome (Score:5, Insightful)

    by suwain_2 (260792) on Monday October 31, 2005 @07:34PM (#13919315) Journal
    On this CD's product page [amazon.com], there are several negative reviews on account of spyware. My favorite puts into plain English why this is bad: "I am very unhappy, since I now listen to all of my music using my IPod."

    I think this is the way to fight DRM. When we complain about DRM rights, we're fighting a crusade on principle, and few people really get what's wrong. When you say, "This CD that I paid for can't be transferred to my iPod," people will see that it's outrageous. When people see that it's installing spyware on your computer, they'll flip. Cheers to whoever's left this feedback.
  • *phew* (Score:5, Funny)

    by Alan (347) <arcterex AT ufies DOT org> on Monday October 31, 2005 @07:39PM (#13919356) Homepage
    I'm glad I get my music off of p2p networks and don't have to worry about trojans and rootkits and that evil hacker stuff!
  • by SpecBear (769433) on Monday October 31, 2005 @08:05PM (#13919580)
    My refrain to the copyright holders: The people being hurt by this DRM software are people who have already communicated their intent to do the right thing by purchasing the CD. Sony has just guaranteed that a lot of people will never make that mistake again.

    Welcome to a Brave New World: People who pay for their music get viruses, while people who download it at no cost from illegal sources get clean MP3s that they can freely copy and use on whatever devices they own.
  • by DigitalEntropy (146564) on Monday October 31, 2005 @08:49PM (#13919851)
    ... the little guys are more likely to crumble. Why not target the source of this crap? I did. Though, admittedly I'm sure SONY keeps their wallets fat enough to ignore us. See below:

    ===

    Mail-To: info@xcp-aurora.com, info@first4internet.co.uk

    Subject: attn: Mathew, Tony, Peter, Nick; re: Extreme displeasure with your XCP product.

    To Whom it may concern:

    I would like to address the outstanding issue regarding the software your company licensed to SONY BMG here in the United States. This software proposes to be a harmless DRM solution for the corporate customer as a method of protection against malicious users. However, what your software critically FAILS at is conscientiously protecting the end user against exploits of your poorly, shit-house written utilities.
    Personally, I'm glad that your nasty parlour tricks were recently exposed by SysInternals.com (http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html [sysinternals.com]) for the disreputable practices they are, and for identifying "First 4 Internet" (sounds like a shoddy store-front operation for a bunch of Black Hat rejects) as the company directly responsible for the most vile intrusion my system has ever received. And the fact that your ill-conceived product leaves my system open to additional intrusions of this nature is unforgivable.
    May whatever sink-hole from whence you rose quickly swallow you back. You have no right to violate my computer's integrity. You have no right to scan the contents of my computer. You may have the right to hide in the darkness of Windows' subsystem like cowards, but that does not mean you won't be seen. You have no right to abuse the trust garnered by SONY from the citizens it regularly calls customers (or, perhaps more appropriately, "guinea pigs"). I hope the light of truth sends you roaches scurrying.

    With the wretched taste of bile at the back of my throat,

    [my name]
    [my email addy]

    ===

    Personally, I purchased "The Dead 60s" latest album, and sure enough it had the exact same copy-protection crap as described on sysinternals.com. That article sure shed some light on the behavioral difference in my system since I got that CD (significantly slower start up and execution times on a 1.2 GHz, and constant 5 - 10% CPU usage with almost nothing running). Fuck them. Fuck them right in the ear.

    It was stated before, and I'll reinforce it: This kind of DRM ADVOCATES piracy. You are safer without DRM. I intend to zap my Windows machine and go to Debian (as I've been considering, but now have good reason for security purposes), and return this CD by mail to SONY BMG in a thousand tiny pieces, but not before I copy it and distribute out of sheer spite.
  • by Bodhammer (559311) on Monday October 31, 2005 @09:06PM (#13919974)
    Sony, you have gone too far...

    No PSP for Christmas!

    No PS3 next year!

    So you protected a $15 CD by killing ~$700 of hardware purchases plus whatever games I would have purchased.

    No wonder your stock sucks and your revenues are down!

    Your DRM works, I'm exercising my right not to purchase your products any more!
  • by RoffleTheWaffle (916980) on Monday October 31, 2005 @09:16PM (#13920036) Journal
    Cat's out of the bag now. Congratulations, Sony. You fucked up big time.

    I'd like to take this opportunity to dissect the article in question here, to point out just how positively obscene this is. There are a few key points I'd like to highlight that I feel we should all take into consideration.

    It would appear that Sony has deliberately begun shipping rootkits with its DRM protected CDs. According to the article - and this is a pretty good definition, by the way - "Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden." In a nutshell, this means that the program shipped with the CD in question here - and possibly other Sony CDs - is designed to hide itself and other programs from view. In other words, once installed, it will allow Sony and any other interested party familiar with this particular rootkit to operate programs on a compromised system without the user knowing it.

    Let's take a step back here to consider the implications of this. Sony is distributing a rootkit, but what does this have to do with DRM? Well, if you really think about it, it has everything to do with DRM. A DRM program that cannot be seen or easily accessed can operate secretly, monitoring and manipulating the system behind the user's back. Any future DRM software Sony distributes could infiltrate a computer secretly, and burrow deep into the system files of said computer.

    According to the article, the rootkit was produced by First 4 Internet. Upon investigating the company itself and the products and services it offers, the author dredged up this lovely little nugget of joy: "... However, the fact that the company sells a technology called XCP made me think that maybe the files I'd found were part of some content protection scheme. I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs." That right there should be proof enough that this is no accident, and anything but legitimate DRM. Not only does having a rootkit handy make the DRM difficult to thwart, but also allows it to operate secretly.

    Now, you'd think that you could just remove this software, right? Wrong. Dead wrong, as a matter of fact. The author of the article had a hell of a time removing the rootkit, actually, and not only that, at any given time, it was consuming between one and two percent of the CPU's power - a small 'penalty' for even having it. (And any programs it's hiding would also have to leech off the CPU and RAM as well.) As he attempted to remove this shit, he discovered even more about the software: "As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting." Suddenly, this is more than a performance issue. This software could theoretically disable a system should it break or be manipulated by the software it's hiding. It would appear, however, it is possible to remove, but only after eviscerating a handful of driver files, registry entries and keys, and other lovely goodies from your system. The rootkit and the DRM attached to it do not have an uninstaller, and unless you take the same steps the author took to remove this flaming pile of garbage from your system... Well, he puts it pretty well:

    "The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files wit
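The registry check described in the quoted passage above, as an added example that is not part of the original comment or of Russinovich's article: it flags drivers in a registry export that are boot-start (`Start` = 0) or listed under the SafeBoot subkeys, the two conditions the quote gives for loading even in Safe Mode. The sample export and every driver and group name in it are constructed, and the code assumes the standard key location `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`.

```python
import re

# Constructed sample in .reg export form; every driver/group name is a placeholder.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv1]
"Type"=dword:00000001
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv2]
"Type"=dword:00000002
"Start"=dword:00000001
"Group"="Example Filter Group"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\benignsvc]
"Type"=dword:00000010
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Example Filter Group]
@="Driver Group"
'''
SERVICES = "\\currentcontrolset\\services\\"
SAFEBOOT = "\\currentcontrolset\\control\\safeboot\\"

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value)
            current[name.strip('"')] = int(m.group(1), 16) if m else value.strip('"')
    return keys

def safe_mode_drivers(text):
    """Map driver name -> reasons it would load at boot or in Safe Mode."""
    keys = parse_reg(text)
    # Names (drivers, services or groups) listed under SafeBoot\Minimal or \Network.
    tails = (p.lower().partition(SAFEBOOT)[2] for p in keys)  # e.g. "minimal\\name"
    allowed = {t.split("\\")[1] for t in tails if t.count("\\") == 1}
    findings = {}
    for path, vals in keys.items():
        name = path.lower().partition(SERVICES)[2]
        if not name or "\\" in name or not vals.get("Type", 0) & 0x3:
            continue  # not a service key, a subkey, or not a kernel/file-system driver
        reasons = ["boot-start"] if vals.get("Start") == 0 else []
        if name in allowed or str(vals.get("Group", "")).lower() in allowed:
            reasons.append("safeboot")
        if reasons:
            findings[name] = reasons
    return findings
```

Any driver this reports that the administrator cannot account for is worth examining before deleting its keys, since removing a boot-start driver incorrectly can itself leave the system unbootable.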
  • by swschrad (312009) on Monday October 31, 2005 @09:33PM (#13920130) Homepage Journal
    it's a 5/$5000 penalty, class C felony, to knowingly distribute harmful software to a PC in Minnesota. 1992 law, I believe it was. demonstrating this is a rootkit is prima facie evidence that this would be harmful software.

    somebody with means should get a case opened....

    • by Reziac (43301) * on Tuesday November 01, 2005 @01:45AM (#13921361) Homepage Journal
      If it's a felony, file charges with your local district attorney, and let the DA's office take it from there (you may be called as a witness, but you don't have to defend yourself or hire a lawyer, tho doing so might not hurt). Criminal prosecutions aren't like civil suits, where you have to finance the operation yourself. In criminal cases, your tax dollars have already funded it, and the other guy is on the defensive by default.

      Interesting thought: what if, propelled by enough such prosecutions, DRM alone became grounds for "reasonable suspicion of criminal activity"??

  • by muzzy (164903) on Monday October 31, 2005 @09:40PM (#13920163) Homepage Journal
    I thought I was ahead of time, when I implemented a rootkit DRM just a few days ago. My rootkit is a part of my project, trying to show how malware and DRM systems can get really close to each other, and both get protected by law. Under EU Copyright Directive, it's going to be illegal to remove this rootkit.

    You can read about my copyright projects here:
    http://muzzy.net/files/copyright_projects_en.txt [muzzy.net]
  • by keraneuology (760918) on Monday October 31, 2005 @10:25PM (#13920382) Journal
    Dear Sony

    Regarding the rootkit you are attempting to install on the computers of customers who purchase Van Zant's "Get Right with the Man": my relationship with you is over. I will never again purchase -any- CD from Sony Music. Period. Your intentional introduction of security holes and your undisclosed modification of the operating system is simply unacceptable and uncalled for. Your application of excessive, intrusive and unreasonable DRM has ensured that I will -never- purchase any work with the Sony logo.

    The number of pirated copies this prevents me from downloading or sharing? Zero - I don't pirate. I don't give people copies of my music. The number of future dollars your DRM (which is sure to be broken within weeks anyway) has cost your company? Beyond calculation: my life expectancy has me sticking around - NOT buying Sony music, by the way - for decades to come. Was this worth the trade?

    If you want my business then I demand nothing short of full public disclosure, an apology, and the very public firing of the executive who gave the green light to this horrible, horrible concept. Please note that I intend to share this letter with others. With luck they too will refuse to purchase Sony music in the future.
  • by cdrguru (88047) on Monday October 31, 2005 @10:32PM (#13920430) Homepage
    Let's review here: someone has found a publicly distributed driver that when properly installed on Windows hides files and folders. It may have some additional and yet unknown functionality and may be coupled with a driver which, under the right circumstances, disables access to a CD drive.

    Sony is distributing this as part of some larger, possibly effective DRM system for music CDs.

    What I see here is an endless amount of whining about how awful this is. You are overlooking the potential of this. The key here is that this is now out in the wild and can be exploited. The contest should be to come up with creative (and possibly destructive) things to do with these drivers when packaged with other software.

    The result of this should be interesting. I think the responsibility for all of this rests with Sony and First 4 Internet, but I would really like to see something creative done with this, such as an ActiveX control that disables the CD drive of anyone who visits a web site. The point is to make as much use of this as possible. Sony has provided the tool, it is now up to everyone to make as much use of this as possible.

  • by alouts (446764) on Monday October 31, 2005 @11:23PM (#13920738)
    Isn't this something that Microsoft should have issues with? Sony isn't just installing its own software, they're overwriting part of the operating system, and in a sloppy manner such that it will prevent Microsoft from releasing patches to those drivers/services...

    Although I'm sure they'd be noncommittal in their official response, I'd love to hear what they think internally about this kind of thing. If "security" really is their #1 corporate focus as they've been so eager to tell us, this should have them screaming at the top of their lungs.

    The chances of us slackers motivating our corporate-owned legislators to smack Sony is comically low, but if we could get a second big player in there on our behalf, there's a real chance to get this awful idea blackholed like it should be.

    Anyone have any high-up connections within the Empire?

  • by thetaco82 (791202) on Tuesday November 01, 2005 @12:27AM (#13920990)
    So you're telling me that if I prepend a file name with "$sys$" it will be nearly undetectable? Finally! An easy and effective way to hide my pr0n. I can't wait to buy this CD
  • by smash (1351) on Tuesday November 01, 2005 @05:33AM (#13922059) Homepage Journal
    Whilst I don't like what Sony has done here in the slightest, those calling for them to be sued, etc are missing a crucial (IMHO) piece of information.

    I am under *NO DOUBT* whatsoever that Sony will simply point the finger at first4internet, and simply say "We simply contracted them to provide a content protection scheme - we are unaware of the implementation" (or words to that effect). Given that the tech has been sold to several other record companies, I'm pretty sure that's close to the mark as to what actually happened, too.

    So, it's first4internet who will take the heat in a criminal case, not Sony, no doubt.

    Sony is evil and all, but I don't think it was Sony who was responsible for the way it works...

    smash.
