Sony Warned Weeks Ahead of Rootkit Flap

pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."

Still on the Shelves

[Anonymous Coward]

Not only is Sony not moving fast, NY AG Elliot Spitzer reports that affected CDs are still being sold at various retail outlets. I'm not sure how much control Sony has over recalling CDs at some Wally World in Drum Nebraska, but this snafu puts them right up there with Adobe in corporate arrogance and stupidity.

Re:Sony made a rootkit?

[gg3po]

Surely you jest...

• Sony Rootkit Phones Home [slashdot.org]
• Sony DRM Installs a Rootkit? [slashdot.org]
• Sony Rootkit Allegedly Contains LGPL Software [slashdot.org]
• More on Sony's "DRM Rootkit" [slashdot.org]
• Trojan Using Sony DRM Rootkit Spotted [slashdot.org]
• Sony's EULA Worse Than Its Rootkit? [slashdot.org]
• Sony, Amazon Detail Rootkit CD Buybacks [slashdot.org]
• Bad Day To Be Sony [slashdot.org]

...and that doesn't even count all the Slashbacks. Maybe you should consider adding a </sarcasm> tag :-) . I must admit, however, that this is one case where I don't mind the repeated updates. I hope Sony isn't allowed to forget what they did. This will make an example of them to anyone considering such tactics in the future.

Don't forget Sony's other nasty DRM

[Old Man Kensey]

Lest we forget, Sony is still shipping CDs with SunnComm's MediaMax [ciocentral.com] DRM on them -- ten times as many as the XCP rootkit, in fact (that's 20 million CDs at last count, for those keeping score at home). It's still just as easy to defeat as it was in 2003 [slashdot.org], but if you make the mistake of letting it install like my wife did, it's fairly nasty. In particular it actually installs before you agree to the EULA -- the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).

If you have a device driver named Sbcphid.sys (which shows up as a hidden non-plug-and-play device named Sbcphid when active), you've got MediaMax and should remove it [cdfreaks.com].

Only the EFF [eff.org] has mentioned MediaMax in the various legal claims against Sony, and Sony has remained silent about it in public as well. Obviously they're not sorry about using DRM at all -- they're just sorry they got caught.

Re:Proves public disclosure is the best for securi

[shawn(at)fsu]

I realize the players are different here but didn't Kevin Mitnick spend years in jail for stuff like this? I guess when a corporation hacks a consumer it's OK.

Oh man nothing like sucking up to /. to get a +5 insightful. No it's not Ok . If you would follow the news you would see that several states and contries are consider criminal charges against Sony. A quick news.google search will give you a result like this "Legal threats are now being discussed in some countries, notably the US and Italy, including criminal charges of computer misuse. For example, on 21 November the Texas State Attorney General Greg Abbott filed a civil lawsuit against Sony seeking civil penalties of $100,000 per violation of the state's Consumer Protection Against Computer Spyware Act." from Ovum [ovum.com]

Re:recalled?

[Anonymous Coward]

A recent trip to Best Buy that I took revealed that many contaminated albums are still on the shelves. Some recall.

If it was discovered that one of Ford's vehicles had faulty seat belts, dealers would certainly not continue selling the affected vehicles before having the problem addressed. Why is it permissible for retailers to continue offering these tainted discs? It makes me wonder if retailers could also be held responsible to some degree in the upcommming lawsuits against Sony.

Always remember to look for this logo [wikimedia.org] before purchasing audio compact discs. It ensures that the disc follows the Red Book [wikipedia.org] standard which does not permit anything but music.

Re:Don't forget Sony's other nasty DRM

[Husgaard]

the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).

Originally it was thought that no matter if the user declined, the software would be activated. The difference was that it was thought that if the user declined the software would not be active after a reboot.

However, yesterday word came out [freedom-to-tinker.com] that in some cases the software can become permanently activated even though the user declined to have it installed.

Re:Another possibility exists...

[terrymr]

Actually it is ignorance of the law that can not be a defense. However ignorance of the harm you are doing would tend to suggest negligence.

Re:Don't forget Sony's other nasty DRM

[hords]

I have not bought a single music cd since they started puting copy protection on them. I'm sure I'm not the only one. I don't pirate my music, but I imagine some people who want to be able to play their music on their computer find it easier to pirate then to bypass the copy protection. I don't mind copy protection per say, but when it limits what you can do with your media, or spys on your every move, it pisses me off. I buy tons of DVDs and video games, but the music industry isn't going to get a dime out of me through cd sales.

Re:If this is true...

[yfkar]

If someone sued them for the MediaMax [freedom-to-tinker.com] too, they wouldn't even have the EULA defense as it installs (and in some cases, runs) kernel-level drivers even if the user declines the EULA.