Forgot your password?
typodupeerror
Security Businesses Media Music Sony

Sony Warned Weeks Ahead of Rootkit Flap 335

Posted by Zonk
from the going-a-little-slowly dept.
pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
This discussion has been archived. No new comments can be posted.

Sony Warned Weeks Ahead of Rootkit Flap

Comments Filter:
  • by MaskedSlacker (911878) on Tuesday November 29, 2005 @02:26PM (#14139610)
    So Sony was lying its collective arse off when saying it reacted as quickly as it could? This is news how?
    • by bigtallmofo (695287) on Tuesday November 29, 2005 @02:28PM (#14139635)
      So Sony was lying its collective arse off when saying it reacted as quickly as it could?

      That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent.

      • by Vengeance (46019) on Tuesday November 29, 2005 @02:32PM (#14139671)
        That they were lying is one possible explanation. Looking on the bright side, another possibility is that they're just incompetent. OK, OK, let's keep politics out of this discussion.
      • True, and you should never ascribe to malice that which can be explained by incompetence. Though in fun world of corporations, the two seem to go hand in hand.
        • not so much hand-in-hand as that incompitence is used as an excuse.

          which is rediculus because ignorance is NOT (supposed to be) a viable defense in legal actions. I see so many people say "sony probably didn't know blah blah blah" but the truth is, they are responsable for it, so they should make it their duty to know. And if they don't, its (supposed to be) law that they be held accountable.

          However, ignorance seems to get you a pass if it involves technology, <sarcasm>since no-one can possably unde
          • by Yartrebo (690383) on Tuesday November 29, 2005 @03:49PM (#14140368)
            I feel that technology should be a valid excuse under the right circumstances. A mom-and-pop store or a private individual cannot reasonable be expected to do a good faith patent search when choosing an operating system (MS Windows and Mac OS undoubtedly violate hundreds of software patents, and Linux violates thousands of patents if you include software commonly found in distros, like mp3 players - the mplayer project alone has close to 1,000 known patent violations and countless unknown violations). Legally every single user of a halfway modern OS should have injunctions granted against the use of their computer and massive damages be paid out to the dozens or hundreds of patent holders covering some aspect of their OS.

            In the case of operating systems, even Microsoft should be able to invoke ignorance, as the best minds money could buy cannot properly figure out exactly what a patent covers, and even if they could, proper enforcement would result in losses to GDP easily exceeding 20% as companies retool to avoid the use of computers and replace them with typewriters and file cabinets (typing and data storage), servos and relays (industrial processes, automobiles, microwaves, anything else currently built with computers). On top of increased staffing needs for most corporations, energy efficiency will decline as the carbeurator will replace fuel injection in autos and electric power plants retool to manual operations (certain plants, like many solar plants and photovoltaic systems, are likely to be entirely unoperable and mothballed). Efficiency might be maintained by switching to turbine-based engines (say, steam turbines or gas turbines), but such a switch would drastically increase the cost and complexity of automobiles. Telephone companies in particular will have to hire many switchboard operators and we can expect to see call costs rise back to pre-AT&T breakup costs. A modern Cold War-style military such are our own is dependant on computers from everything from remote control drones to fighter planes to secure and rapid communications. And lastly, Slashdot would not be possible without computers.

            That said, I feel that Sony is entirely responsible for what they did as they should have known better. Trojan horses being no-nos is just plain common sense and they serve no legitamite purpose. Sony purposefully wrote or purchased a program to have this function, and as Sony is in the software business they can be expected to be authorities on the subject and act accordingly (as opposed to patents which require substantial knowledge in law just to understand, no less safely navigate - and the cost of compliance is so high that no reasonable corporation can be expected to fully comply with them as it would entail disbanding the corporation in many instances)
            • How do you know mplayer has 'unknown patent violations', if they're unknown. Are they known to you, but not known to us?
              • It's called the law of large numbers. If a little digging unveils 1,000 patent violations, it's likely that a little more digging would have uncovered more. They're unknown because the violations have not actually be found and written into a list. Some patents are even secret and not published until they are issued, and no amount of research (short of industrial espionage) is going to find them. A large program is like playing minesweeper with a blindfold. Each line of a code is a square, which potentially
            • by CowboyBob500 (580695) on Tuesday November 29, 2005 @06:11PM (#14141950) Homepage
              A mom-and-pop store or a private individual cannot reasonable be expected to do a good faith patent search when choosing an operating system (MS Windows and Mac OS undoubtedly violate hundreds of software patents, and Linux violates thousands of patents if you include software commonly found in distros, like mp3 players - the mplayer project alone has close to 1,000 known patent violations and countless unknown violations). Legally every single user of a halfway modern OS should have injunctions granted against the use of their computer and massive damages be paid out to the dozens or hundreds of patent holders covering some aspect of their OS.

              MPlayer, Linux, LAME etc etc, are perfectly legal here in the UK since software patents are not enforcable. The problem is not with the software, it's with the US patent system.

              Bob
          • by terrymr (316118) <terrymr@nOSpAm.gmail.com> on Tuesday November 29, 2005 @04:39PM (#14140854)
            Actually it is ignorance of the law that can not be a defense. However ignorance of the harm you are doing would tend to suggest negligence.
        • by fdiskne1 (219834) on Tuesday November 29, 2005 @03:53PM (#14140406)

          True, and you should never ascribe to malice that which can be explained by incompetence. Though in fun world of corporations, the two seem to go hand in hand.

          Any sufficiently advanced incompetence is indistinguishable from malice.

      • "Never ascribe to malice that which can be explained by stupidity"
        Wise words indeed.
    • After this revelation... It was as if millions of geeks cried out in terror and were suddenyl silenced^H^H^H^H^H^H^H^Hvindicated
    • by Anonymous Coward on Tuesday November 29, 2005 @03:15PM (#14140055)
      I tried submiting this to Slashdot but apparently the editors didn't find it newsworthy.

      http://www.benedelman.org/news/112105-1.html [benedelman.org]
      http://www.downloadsquad.com/2005/11/23/sony-could -use-xcp-to-protect-its-customers-but-wont/ [downloadsquad.com]

      Sony could use XCP to protect its customers, but won't

      Spyware researcher Ben Edelman says that XCP, the software at the heart of Sony's rootkit fiasco, could also be used to inform Sony's customers that their computers have been compromised. Sony doesn't know whose computers are infected by their rootkit, but the XCP player software includes code for automatically fetching a banner from Sony's servers. Sony could easily use this to display a recall notice to the rootkit's victims, but are they going to? I seriously doubt it. While the whole affair has been gaining more and more traction with the media, Sony knows that the majority of its customers will never hear about any of it, and they want to keep it that way. While their recall was intended to be viewed as a good-faith gesture (and, indeed, there may be some actual good faith in there somewhere), the last thing Sony wants is for every Switchfoot fan to know how badly their record company screwed up their computer.
  • What a load (Score:5, Insightful)

    by Microlith (54737) on Tuesday November 29, 2005 @02:28PM (#14139628)
    Scramble? To contain the crisis?

    They almost never admitted what they had done, and continually denied the dangers posed by this rootkit.

    They only started the recall after people pointed out repeatedly that their "uninstaller" didn't, and recieved criticism from the government.

    "as quickly as they could" my ass.

    Of course, they could have been smarter and never released it to begin with.
    • by Old Man Kensey (5209) on Tuesday November 29, 2005 @03:17PM (#14140075) Homepage
      Lest we forget, Sony is still shipping CDs with SunnComm's MediaMax [ciocentral.com] DRM on them -- ten times as many as the XCP rootkit, in fact (that's 20 million CDs at last count, for those keeping score at home). It's still just as easy to defeat as it was in 2003 [slashdot.org], but if you make the mistake of letting it install like my wife did, it's fairly nasty. In particular it actually installs before you agree to the EULA -- the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).

      If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it [cdfreaks.com].

      Only the EFF [eff.org] has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.

      • by Husgaard (858362) on Tuesday November 29, 2005 @03:33PM (#14140232)
        the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).
        Originally it was thought that no matter if the user declined, the software would be activated. The difference was that it was thought that if the user declined the software would not be active after a reboot.

        However, yesterday word came out [freedom-to-tinker.com] that in some cases the software can become permanently activated even though the user declined to have it installed.

      • Seems like the best plan is.
        1. Turn off auto run.
        2. Rip every CD in your Linux box and then make a clean copy.
        3. Don't by broken CDs anymore.
        Just say NO to DRM. The only thing Sony seems to understand is lost sales. Anyone want to bet if Sony will start to "pre install" this DRM crap on their PCs?
        I guess I will not be getting that PS3 as well. I hate it when Microsoft is the lesser of two evils!
        • by Braino420 (896819) on Tuesday November 29, 2005 @04:58PM (#14141060)
          Just say NO to DRM. The only thing Sony seems to understand is lost sales.

          Haven't you learned by now that any lost sales are blamed on piracy? Which means it will probably just lead to more DRM bullshit. I mean, it's gotten to the point where I can no longer justify buying a CD. Why shouldn't I be able to backup a cd I payed 20 bucks for? It will end up with me doing something illegal either way. It's cool because the stuff I download doesn't have DRM!

      • I have not bought a single music cd since they started puting copy protection on them. I'm sure I'm not the only one. I don't pirate my music, but I imagine some people who want to be able to play their music on their computer find it easier to pirate then to bypass the copy protection. I don't mind copy protection per say, but when it limits what you can do with your media, or spys on your every move, it pisses me off. I buy tons of DVDs and video games, but the music industry isn't going to get a dime out
  • by Winckle (870180) <mark@@@winckle...co...uk> on Tuesday November 29, 2005 @02:28PM (#14139630) Homepage
    Why didn't Slashdot tell us before?!
  • by Anonymous Coward on Tuesday November 29, 2005 @02:28PM (#14139632)
    Until a security hole is widely published (not privately communicated) it's very likely to continue spreading unchecked.


    I think this is great evidence that early public disclosure is very important. At the minimum, the affected users can start using workarounds (turn off insecure systems) until fixes are available.

    • by Concerned Onlooker (473481) on Tuesday November 29, 2005 @02:45PM (#14139781) Homepage Journal
      Until a security hole is widely published

      I don't think this was a security hole so much as breaking and entering. I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.

      • by shawn(at)fsu (447153) on Tuesday November 29, 2005 @03:18PM (#14140079) Homepage
        I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.


        Oh man nothing like sucking up to /. to get a +5 insightful. No it's not Ok . If you would follow the news you would see that several states and contries are consider criminal charges against Sony. A quick news.google search will give you a result like this "Legal threats are now being discussed in some countries, notably the US and Italy, including criminal charges of computer misuse. For example, on 21 November the Texas State Attorney General Greg Abbott filed a civil lawsuit against Sony seeking civil penalties of $100,000 per violation of the state's Consumer Protection Against Computer Spyware Act." from Ovum [ovum.com]

        • by Al Dimond (792444) on Tuesday November 29, 2005 @03:31PM (#14140212) Journal
          I may be in the minority of /. readers: I don't really know the story of Mitnik. But if GP is accurate, he spent time in jail. You can't put a corporation in jail. $100,000 is a slap on the wrist; probably any fine that will be assessed is a slap on the wrist and probably is just a drop in the bucket of all the money that Sony will spend on legal matters in any given year. But if you fine a corporation enough to actually hurt it, a lot of innocent people lose jobs. So what's the solution to this?

          The actual people that did the hacking were working for this "First4Internet" company. Anyone that designed, wrote or approved a part of the software deemed to be inappropriate could face jail time. There were people at Sony that approved this technology for use on CDs; they could face jail time. There were people at Sony that knew that their software included a rootkit and insecure kernel modifications, and yet claimed otherwise; they could face fraud charges (for an individual to say, "I am not a crook," is legal, but to knowingly lie about a product offered for sale is fraud). Anyone with much knowledge of the workings of this product should have known that it was illegal, just as Kevin Mitnik or any other cracker surely knows that whatever he does (like I said, I have no idea what it was that he did) is illegal. That would be equal justice.
          • Mitnik (Score:3, Insightful)

            by nukenerd (172703)
            Yes, Mitnick did time - he got a severe sentence, including solitary. It was out of proportion to his crime because his was an early instance of cracking (the swallow before the summer) and he was made a scapegoat. Also, the press paid great interest partly because of the fascinating story of his pursuit and capture, which the authorities treated as a mission deserving all their energy.

            Looking back now, you can't help wondering why all the fuss. Mitnick did pry around some academic, corporate and military
        • by Concerned Onlooker (473481) on Tuesday November 29, 2005 @03:41PM (#14140294) Homepage Journal
          Oh man nothing like sucking up to /. to get a +5 insightful. No it's not Ok . If you would follow the news you would see that several states and contries are consider criminal charges against Sony.

          Nothing like trashing someone else to get modded up.

          Aside from that, I guess the Sony case will be nothing like the Mitnick case as he was held without bail and spent time in solitary confinement. It seems a safe assumption that the Sony execs will suffer no similar fate. Not to mention the other poster here who points out that they are only facing a civil suit, not a criminal one.

    • Actually, it is my firm belief that you CAN trust a successful company to do things that are in their best interests. Clearly, they seem to think that customer ignorance is good for business. Why would they think that? Perhaps we have trained them to think that. The real lessons here are:
      Be proactive.
      Watch out for yourself.
      The only way to get a corporation to look out for your best interests is to convince it (remind it?) that your interests are their interests (happy customers!).
      Make your interests
  • by Anonymous Coward on Tuesday November 29, 2005 @02:28PM (#14139633)
    ...when a company becomes bigger than its customer base.
  • by Pac (9516) <paulo...candido@@@gmail...com> on Tuesday November 29, 2005 @02:29PM (#14139642)
    Van Zant, Celine Dion, and Neil Diamond

    They should have left the rootkit in place so we could download some good music directly to these misguided buyers' hard drives.
  • Still on the Shelves (Score:5, Informative)

    by Anonymous Coward on Tuesday November 29, 2005 @02:30PM (#14139656)
    Not only is Sony not moving fast, NY AG Elliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.
  • If this is true... (Score:5, Insightful)

    by julesh (229690) on Tuesday November 29, 2005 @02:31PM (#14139658)
    If this is true, then sony just lost them court cases we've been hearing about. Having been told about it and not issued a product recall at the earliest opportunity (i.e. within a day or two) means that they were intentionally subverting people's computers.

    The only defence available to them was that they didn't realise this was happening. They've just lost that.
    • by BushCheney08 (917605) on Tuesday November 29, 2005 @02:43PM (#14139773)
      They were intentionally subverting people's computers to begin with, hence they were in violation of CA and TX's computer privacy laws anyways. They had very little chance of winning either of those cases as is. Of course, this just bolsters the state's cases.
      • by TheRaven64 (641858)
        Sony could have claimed that they were unaware of exactly how the software worked, since they bought it from an outside company. Since they were notified and still didn't issue a recall (or even stop distributing new copies) then they can be shown to have willfully continued to violate the law. This degree of premeditation will no go over well in a court of law.
        • Very good points. It's pretty clear to anyone paying attention that they only reacted when it became a PR nightmare. It'll be interesting to see how this plays out in court and what their defense is. However, I expect them to settle well before that and, as is the case with settlements, admit to no wrongdoing or malfeasance on their part...
    • by Kevin DeGraaf (220791) on Tuesday November 29, 2005 @02:47PM (#14139801) Homepage
      sony just lost them court cases we've been hearing about

      Sony is a BIG company, huge enough to be considered a part of The Man. Therefore, there's no way that (1) they will lose any suits, or (2) they will be hit with damages that will have any practical impact whatsoever.

      I would love to have to eat these words... here's hoping.

      • by Generic Guy (678542) on Tuesday November 29, 2005 @02:58PM (#14139901)
        Sony is a BIG company, huge enough to be considered a part of The Man.

        Sony is primarily a foreign company, so they won't get a free pass. However, the majority way these things usually work out is one or more politically ladder-climbing motivated Attorney Generals sue Sony "on behalf of the people" or somesuch hollow excuse. The proceedings drag on at a glacial legal-system pace, bad PR fades out of the public eye, and eventually AG announces an out of court "settlement" between company and the State. Said settlement money goes straight into State's coffers, never to be seen or heard about again.

        All in the end, you are still out $18 for a dodgy CD disc and stuck with a rootkit infecting your PC.

    • I think their biggest defense was and still is the EULA. Every user consented to have the virus added to their computer.
      I haven't seen any details on the lawsuits, but I think the real issue will be whether the EULA covers what the program actually installed.

  • Impressions (Score:5, Insightful)

    by A beautiful mind (821714) on Tuesday November 29, 2005 @02:31PM (#14139662)
    When the Sony rootkit case first hit the news, I considered F-Secure to be quite good for an anti-virus company because they were reasonably quick adding the rootkit to their signature file.

    They've just lost that credit for me. They knew for a month and were sitting on it! That is not acceptable. There should have been no warning to Sony, just a public statement from F-Secure at the beginning of October about the rootkit.
    • Re:Impressions (Score:5, Insightful)

      by Tmack (593755) on Tuesday November 29, 2005 @02:51PM (#14139843) Homepage Journal
      Its called proffesional courtesey. If they immediatly notified the public, there would have been an exploit that many days sooner, before ANY action could be taken to fix it. This is the same as any MS or other exploit. Once a firm knows about it, they notify the software's management to fix it and wait a few days to release the news to the public. That gives the developers time to at least create a patch to prevent any further damage. Is it F-Secure's fault Sony did something stupid in the first place? Are you going to blame Semantic on the next exploit they find, tell microsoft about, and wait a few days before alerting the public? How about the IE bug just moved to cirtical status thats been around for many months, is that to be blamed on Secunia? They knew about it since june and waited until this weekend to escalate it to critical, only after a proof of concept was released.

      Its easier to prevent a fire by notifying management to fix the sparking wires than to put one out after notifying a world full of pyros to come dump gasoline on it.

      tm

      • Re:Impressions (Score:5, Insightful)

        by Anonymous Coward on Tuesday November 29, 2005 @03:00PM (#14139922)
        This isn't the equivalent of a bug in IE. Sony deliberately infected their customers' computers with malware. Sure it was buggy malware but that's hardly the main issue. If you see a Sony executive breaking into someone's house, would you let the Sony exec know so that he could have a month to fix the problem before anyone else found out?
        • Re:Impressions (Score:5, Insightful)

          by A beautiful mind (821714) on Tuesday November 29, 2005 @03:20PM (#14140099)
          Someone mod parent up.

          The difference between a Microsoft security issue and the Sony rootkit is earth and sky.

          If F-Secure would have identified a flaw in Microsoft's software, then it's ok if they give the company a grace period to get a patch ready.

          There was no such patch to be prepared in the case of Sony.

          The following things are sensible to be done when someone finds a new rootkit spreading in the wild:
          • Identify it's source [Sony DRM on cd's - CHECK]
          • Find a way to stop the infections/prevent further infections - this can be only done by forcing Sony to stop shipping infected cds - a public disclosure is essential. Also adding the rootkit to the signature file is required. [FAIL]
          • Clean up the infections - most anti-virus companies write even small utilities to remove rootkits/viruses/trojans. [???]


          Let's face it: By telling Sony about it and not going for public disclosure F-Secure accomplished nothing but let even more users get infected by this rootkit. Sony is not a software company, there wasn't a flaw in a software that needed to be fixed, but the software itself removed! That requires no cooperation on behalf of Sony.
      • Re:Impressions (Score:3, Insightful)

        by harrkev (623093)

        Its easier to prevent a fire by notifying management to fix the sparking wires than to put one out after notifying a world full of pyros to come dump gasoline on it.

        It is sad, but these days, nothing gets fixed until AFTER the fire has started, no matter how much notice that you give.

        F-Secure should have made this public 30 days after notifying Sony. This way, at least Sony has a chance to fix this. And if they didn't too bad for them and they deserve what they get.

        Of course, for all we know F-Secure mi

    • Re:Impressions (Score:4, Insightful)

      by pdschmid (916837) on Tuesday November 29, 2005 @03:00PM (#14139923)
      I think F-Secure's response was very appropriate. Imagine the following scenario: A serious flaw that could be exploited by a worm is discovered in Windows. All one needs to write a worm is to know some vague information about the flaw, e.g. where to look for it. A good programmer could write a worm in a day. A patch for the flaw takes longer to create, as it needs to pass some rigorous testing (after all the patch shouldn't break your Windows installation). So, what do you prefer? Immediate public disclose and a day later a worm infects windows installations all around the world? Or public disclosure concurrent with a patch from Microsoft which had been privately warned about it? I know I prefer the latter scenario. F-Secure was acting in the best interest of the people who had been infected by this rootkit. Sony BMG though had no interest in helping those people, because they were more interested in covering up their illegal doings. F-Secure would have gone public eventually. They would have not just sat there and watched Sony get away with it. However, they gave Sony BMG a reasonable chance in fixing the security holes, as they do give any other company rightly so. Patrick Schmid
      • Re:Impressions (Score:4, Insightful)

        by Phanatic1a (413374) on Tuesday November 29, 2005 @04:38PM (#14140852)
        A serious flaw that could be exploited by a worm is discovered in Windows. All one needs to write a worm is to know some vague information about the flaw, e.g. where to look for it.

        This analogy doesn't work.

        This wasn't a flaw being exploited by some immoral third party. This wasn't a bug, this wasn't an unforeseen error in functionality.

        This was malware, doing precisely what it was intended to do.

        F-Secure was acting in the best interest of the people who had been infected by this rootkit.

        No, they weren't. What would have been acting in the best interested of the people who had been infected would be to tell people "You've been infected by a rootkit."

        However, they gave Sony BMG a reasonable chance in fixing the security holes, as they do give any other company rightly so.

        They do?

        They give the authors of viruses and trojans the chance to fix their viruses and trojans before they offer fixes for them?

        Oh, they don't do that? Then why should they do that for Sony when Sony deliberately releases malware into the wild?

        Once again, this was not a bug. This was malware. You don't notify authors of malware that you've found their stuff, and give them an opportunity to rewrite it to be slightly less mal before you go public. You write a fix, and notify the public.
      • by dbIII (701233)
        F-Secure would probably be facing legal action from Sony if they deliberately prevented Sony's software from running. In the land of the DMCA where a guy who plays chess against the Russians is a traitor and a guy who sells weapons to Iran to give money to a drug dealer is a patriot who knows which way it would go? Either way the antivirus companies lose - viruses and malware produced by companies with major legal clout will most likely be a major headache for the antivirus companies from now own.
      • Re:Impressions (Score:3, Insightful)

        by aug24 (38229)
        You can't 'patch' a rootkit to turn it into 'not a rootkit'.

        F-Secure shouldn't have given Sony a chance at all - they should have added a signature so that if I stuck a Sony CD in my machine it would be detected and I would be warned. What the fuck else would I want their product for?

        Justin.
    • by Daedala (819156) on Tuesday November 29, 2005 @03:09PM (#14140007)
      I disagree. I think F-Secure did great. I also think Mark Russinovich did great.

      I think that it would have been much better if the news could have broken with a worken, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.

      On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.

      I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.

      Sony need not apply to that group,though.
  • recalled? (Score:5, Funny)

    by wazzles (729440) on Tuesday November 29, 2005 @02:31PM (#14139663)
    It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. CDs by these artists should have been recalled anyway, rootkit or not.
  • Obligatory (Score:5, Funny)

    by LilJC (680315) on Tuesday November 29, 2005 @02:36PM (#14139700)
    "I'm a recall coordinator. My job was to apply the formula. It's simple arithmetic. It's a story problem. A new car built by my company leaves Boston traveling at 60 mph. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now: Do we initiate a recall? You take the number of vehicles in the field (A) and multiply it by the probable rate of failure (B), multiply the result by the average out-of-court settlement (C). A times B times C equals X. If X is less than the cost of a recall, we don't do one."
  • by Jerry Coffin (824726) on Tuesday November 29, 2005 @02:37PM (#14139716)
    Sony BMG officials insist that they acted as quickly as they could,

    In this case, "as quickly as they could" seems to really mean "as slowly as they could get away with."

    How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business? Microsoft's "product activation", Sony's rootkit, etc. ad naseum do essentially nothing to stop real hackers from copying software, music, etc., as much as they want, so the only thing they really accomplish is hurting the legitimate customers.

    These lousy business practices are reflected in their (lack of) sales too. I don't mean to say a boycott of Sony would necessarily be a bad thing, but for those who haven't looked, take a look at Sony's stock prices [yahoo.com] -- boycott or no, they're not exactly burning up the charts right now.

    Now, Sony (etc.) will undoubtedly point to Napster and such as the reason they're not doing as well recently. I don't think that's the case. I think what's happened is that Sony is now concentrating more on forcing customers to pay than they are on producing things customers want. As is visible in their stock price, that simply leads to oblivion, not prosperity.

    --
    The universe is a figment of its own imagination.

    • Like the metal detectors I had to go though to leave the production floor when I worked at Dell. They are there as a sign of theft deterent, not to provide real theft deterent. Oddly enough when I worked there the security staff was slipping servers out the backdoor.
    • Microsoft's "product activation", Sony's rootkit, etc. ad naseum

      To the nose? :) (Admittedly, that technically would be "ad nasum", but what you wrote is closer to that than to "ad nauseam". :))

    • How long is it going to be before these companies realize that attacking their customers and treating them like criminals really is NOT a good way to do business?

      When does Sony post its fourth quarter results?
  • Anyone wonder... (Score:2, Interesting)

    by Anonymous Coward
    ..how many other 'DRM kits' that were in development by other music publishers went to the toilet because of this? Or am I the only one? Bravo SONY!!! This is the fist time I saw you doing somehing good for the community.
  • I call b.s. (Score:3, Insightful)

    by akad0nric0 (398141) on Tuesday November 29, 2005 @02:39PM (#14139735)
    It doesn't take that many weeks to recall CD's and tell resellers to take them off of their shelves.

    They're telling the truth, in part: they reacted as fast as they could to the bad press. But not to the real issue - the flawed software.
  • by Schezar (249629) on Tuesday November 29, 2005 @02:41PM (#14139749) Homepage Journal
    Sony, like all megalithic corporations, behaves internally like dozens of smaller, independant companies. They're vying for their shares of the corp's limited resources and trying to justify their continued existence. I work for IBM, and it's the same way.

    That said, I wouldn't be surprised if the people who received this warning never had any contact with the people responsible for the rootkit. Intra-company communication is horrid in large corps, and often the people implementing solutions get little or no real information beyond requirements and specs from those making the decisions above them.

    One manager tells another manager who tells a team to hire people to write a DRM. Another manager gets a message about how dangerous these "rootkits" are, and forwards it to another manager who thinks "we're not making a rootkit, we're making a DRM."

    Sony's music division cannot reconcile its business with Sony's technology division. They're competing directly, and eventually one of them is going to win. I'm hoping this was another nail in the former's coffin.

    • by dwandy (907337) on Tuesday November 29, 2005 @03:15PM (#14140052) Homepage Journal
      C'mon ... I'm debating whether Hesse's new quote should replace his last one on the subject:
      "This e-mail, which we have also reviewed, seems to be about a routine matter," says Hesse. "While it did introduce the notion of a 'rootkit,' it did not suggest that this software was anything but benign."

      How anyone in his position could use the words "rootkit" and "benign" in the same sentence and expect to be taken seriously is beyond me.
      How about:
      'err, this e-mail seems to be about a routine matter. While it did introduce the notion of 'death and dismemberment', it did not suggest that the actions were anything but benign.

      I don't think that any competent techie would consider the word "rookit" as something to ignore in an e-mail ... and if Sony doesn't have techies reviewing things when mgt doesn't understand what they are, then they deserve everything coming to them.

      At this time, I'd like to thank Mr. Hesse for doing a world of favour to the anti-DRM community. Keep up the good work!
      And when you think of Infected by DRM , think/thank Hesse...

  • by Giometrix (932993) on Tuesday November 29, 2005 @02:42PM (#14139756) Homepage
    This line makes me so increadibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO cd in the first place. Gee, thanks.

    For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.
  • I wonder... (Score:3, Interesting)

    by tkrotchko (124118) * on Tuesday November 29, 2005 @02:43PM (#14139768) Homepage
    I wonder if the artists will be "charged" for recalling their CD's and reissuing them... that would be sadly funny. Maybe it would make a few of these artists strike out on their own.

  • Back in late 80's/early 90's, I worked at HP. Back then, openings in HP woudl take forever to get done. But that was also true of all the other unixes. By '95, the *nixes were cleaning up their acts. So, it was MS that took forever (and many would argue still do).

    So now, we have appliances (cisco comes to mind), and even consumer manftr. that are taking forever.

    Hard lessons are never learned until law suits hit. Too bad that ethics do not seem to matter in business or politics.
  • This is wonderful! (Score:3, Insightful)

    by drinkypoo (153816) <martin.espinoza@gmail.com> on Tuesday November 29, 2005 @02:45PM (#14139783) Homepage Journal
    It's always a lot easier to bust a corporation when there is evidence that they knew they were doing something wrong. Haven't you seen Erin Brockovitch? :D
  • Not forever, just until January 02 /06.

    If Sony misses out on the Christmas rush perhaps they, and the rest of the E! industry, will figure out that their customers don't like to be harrassed, lied to or spied on.

    !!! - Arista Records, BMG Classics, BMG Heritage, BMG International Companies, J Records, Jive Records, LaFace Records, Provident Music Group, RCA Records, RCA Victor Group, RLG - Nashville, Sony Urban Music, So So Def Records, Verity Records, Columbia Records, Epic Records, Legacy Recordings, Sony
    • So, you're going to try to single-handedly start a boycott right during the Christmas shopping season, when all the kids are begging their parents for the PS3 and all those PlayStation games, music CDs, DVDs, TVs, DVD players, headphones, digital cameras, movie tickets, and miscellaneous electronics devices they've been wanting, so that Sony execs will say "Oh, how wrong we have been to value our money so much"? How exactly did you plan for this to work, and who do you think is going to listen that will mak
    • get realistic. it is 100% impossible to get the public to do anything. Hell the lure of a new shiney is enough to make most consumers burn themselves over and over.

      asking for a 6 week boycott? That's like asking for Ohio to swap places with Indiana. It will never EVER happen.
  • by digitaldc (879047) * on Tuesday November 29, 2005 @02:50PM (#14139832)
    Phony Sony put its CDs on a shelf
    Phony Sony had a rootkit which installed itself.
    But all of Sony's lawyers and all of Sony's PR men,
    Could not put the integrity back into Sony again.
  • lawsuit season (Score:3, Interesting)

    by ltwally (313043) on Tuesday November 29, 2005 @02:53PM (#14139853) Homepage Journal
    Normally, I'm not in favor of suing. Seems that there are far too many frivolous lawsuits, these days. In Sony's case, however, I'll go so far as to say that they deserve to get their ass handed to them in court.

    Not only did they put something like this in their cd's, but they were warned by a respected security/anti-virus firm about it... and they did nothing until the public caught on. An example needs to be made of companies that behave like this.

    I say, write your state legislator as well as your congressmen and senators, and urge everyone to sue. Let those <sarcasm> lovely </sarcasm> DMCA laws work in our favor, for once.
  • It doesn't matter. (Score:3, Insightful)

    by gasmonso (929871) on Tuesday November 29, 2005 @02:54PM (#14139861) Homepage

    Until there are devastating consequences for any company that dies this, it just doesn't matter. 90% of the their customers don't even know about this, and the ones that do, don't fully understand it. This can only change once the average consumer is educated on the issue and there are successful lawsuits that punish companies like Sony. Sony knows that this will blow over in a few months and most people will forget about it (except Slashdot readers of course). People will just continue to buy cds like they always have.

    gasmonso http://religiousfreaks.com/ [religiousfreaks.com]
  • From Business Week: That's when F-Secure got into the act. Guarino sent an e-mail to the Finnish company, since it makes the rootkit-detector software that he used to investigate. F-Secure did its own investigation and notified Sony DADC, which manufactures Sony BMG CDs, on Oct. 4. Sony BMG says the e-mail, which was forwarded to it on Oct. 7, didn't signal a serious security issue.

    Let's see: someone tells you that the software you are blithely putting on other people's computers has a security flaw, one

  • by person-0.9a (161545) on Tuesday November 29, 2005 @03:06PM (#14139986)
    This has already been said by Bruce Schneier, but...

    F-Secure warned Sony about the dangers on October 4th, yet still failed to protect any of it's users in a timely manner.
  • "Sony BMG is in a catfight with a well-known computer-security outfit..."

    If I were managing editor of Business Week, I would be wondering now whether the author of the article, Steve Hamm, should be fired or re-trained.

    "Catfight" reads like a P.R. release from Sony.
  • by Murmer (96505) on Tuesday November 29, 2005 @03:16PM (#14140060) Homepage
    Bruce Schneier has covered this already, but I would like to know why F-Secure didn't contact, say, everyone else when they found out that Sony was installing a rootkit on people's machines. I would like to know why nobody else on the long list of companies that get paid protection money to keep this sort of thing from happening saw fit to inform the world about this, instead of having it appear on some guy's weblog. It's not like that little cabal isn't paid what amounts to protection money specifically so that this kind of thing doesn't happen.
  • Yeah... (Score:5, Insightful)

    by penguinbrat (711309) on Tuesday November 29, 2005 @03:19PM (#14140093)
    ""Most people, I think, do not even know what a Rootkit is, so why should they care about it?"

    You can just hear the urgency can't you...
  • by Lead Butthead (321013) on Tuesday November 29, 2005 @03:35PM (#14140249) Journal
    In their mind, the entire fiasco boils down to the following --

    a. How to hide the DRM software better so it will not be detected NEXT TIME.
    b. How to silence the whistle blower so that if line item a fails, the word never leaks out.
    c. How to fabricate pausable deniablity if the word leaked out despite line item b.

    In summary, for the media company, the entire affair isn't about what wrong they inflicted on their PAYING CUSTOMERS, but about how to contain the situtation and continue to "protect THEIR rights."
  • by mvea (158406) on Tuesday November 29, 2005 @03:44PM (#14140323) Homepage
    OmniNerd is carrying a decent article on the nature of rootkits (Rootkit: The "r00t" of Digital Evil) [omninerd.com] that isn't watered down like everything else the media has been using to describe rootkits. I think the principle problem with the legal system, the general public and Sony is that most people just don't understand what a rootkit really is and the capabilities they present to hackers. The media has been lumping them into the malware category as nothing more than the latest virus going around - a misconception that is costly to consumers because the threat has been greatly downplayed.

    Perhaps once people really fathom just what a rootkit can do to them and how a properly written rootkit will not be detected by their anti-virus software, they'll take the threat more seriously. And in doing so, demand rightful compensation from Sony in lieu of a new audio CD. Are you comfortable with rootkits installed on the computers of your local financial institution? College records? Law enforcement? Wall Street? The military?
  • by mendax (114116) on Tuesday November 29, 2005 @04:23PM (#14140691)
    A consumer boycott could possibly make SONY management act responsibly, meaning they actually admit responsibility for the rootkit, but I doubt it unless the boycott spreads outside of geekdom. Well, maybe. But if it doesn't here's what you can do personally: sue them yourself.

    In California (where I live), we have a thing called "Small Claims" court. It's a civil court where an ordinary citizen can sue another ordinary citizen or a company for monetary damages. Punitive damages are not awarded and neither are "pain and suffering" damages. You actually have to have been damaged in a way that cost you money in order to collect in small claims court. The good thing about small claims court is that lawyers are not allowed. The bad thing is if you're suing a corporation they can send an employee (such as a laywer they have on the payroll). This this is a good thing in a way as you will see.

    First of all, you need to be damaged by SONY. That's easy: put one of the XCD music CDs in your PC. Of course, you should not do this knowing about the rootkit. But if it happened before you learned about it or if you happened to get one of those XCD disks and didn't notice it then it's a different matter.

    Second, you need to pay someone to clean your PC. Make sure you get a receipt.

    Third, you need to follow the rules regarding filing a claim, getting court papers served, making sure you're prepared to present your case, etc. All this is here:

    http://www.courtinfo.ca.gov/selfhelp/smallclaims/s cbasics.htm [ca.gov]

    The neat thing about small claims court is that if the defendant (SONY in this case) doesn't show up, you are entitled to ask for a summary judgment which means you win your case by default. You can then proceed to collect your damages from SONY. Companies tend to pay such claims because the cost of having assets attached and liquidated (such as one of their bank accounts) exeeds the cost of just paying it.
    If they send someone it's an employee of the company which means they are paying wages for someone to be there. If you win your case, you've not only made SONY liable for your damages (plus your court costs) you've also cost them probably more than your damages especially if they send one of their legal department lawyers. If you lose, you've still won a moral victory that cost you no more than the cost of one of SONY's CDs and some of your time.

    If enough people did this SONY will take notice. So if you've been damaged go for it. If you know someone whose been hit by the rootkit, perhaps they can be urged to do it. You can even make some money on the side if you're the one cleaning the PCs.

Swap read error. You lose your mind.

Working...