Sony Warned Weeks Ahead of Rootkit Flap

pdschmid writes "Business Week has an article describing how Sony BMG had been warned by F-Secure on Oct. 4 about the dangers of their rootkit protection, but failed to do anything until Oct. 31 when computer-systems expert Mark Russinovich revealed the rootkit in his blog." From the article: "Sony BMG officials insist that they acted as quickly as they could, and that they expected to be able to go public and offer a software patch at the same time. However, Russinovich posted his blog item first, forcing Sony BMG to scramble to contain the crisis. It recalled millions of CDs recorded by 52 artists, including Van Zant, Celine Dion, and Neil Diamond. Plus, it offered exchanges to customers."
  • Anyone wonder... (Score:2, Interesting)

    by Anonymous Coward on Tuesday November 29, 2005 @02:39PM (#14139730)
    ...how many other 'DRM kits' that were in development by other music publishers went to the toilet because of this? Or am I the only one? Bravo SONY!!! This is the first time I saw you doing something good for the community.
  • by Schezar ( 249629 ) on Tuesday November 29, 2005 @02:41PM (#14139749) Homepage Journal
    Sony, like all megalithic corporations, behaves internally like dozens of smaller, independent companies. They're vying for their shares of the corp's limited resources and trying to justify their continued existence. I work for IBM, and it's the same way.

    That said, I wouldn't be surprised if the people who received this warning never had any contact with the people responsible for the rootkit. Intra-company communication is horrid in large corps, and often the people implementing solutions get little or no real information beyond requirements and specs from those making the decisions above them.

    One manager tells another manager who tells a team to hire people to write a DRM. Another manager gets a message about how dangerous these "rootkits" are, and forwards it to another manager who thinks "we're not making a rootkit, we're making a DRM."

    Sony's music division cannot reconcile its business with Sony's technology division. They're competing directly, and eventually one of them is going to win. I'm hoping this was another nail in the former's coffin.

  • by Giometrix ( 932993 ) on Tuesday November 29, 2005 @02:42PM (#14139756) Homepage
    This line makes me so incredibly mad. Wow, they offered to exchange something that could do damage to my finances and business for something that won't... something that they were hiding and SHOULDN'T have been on an AUDIO cd in the first place. Gee, thanks.

    For all the flak that Microsoft gets in regards to security... at least they're bugs, by bad design or not. This is something Sony deliberately put into their products. I want heads to roll.
  • I wonder... (Score:3, Interesting)

    by tkrotchko ( 124118 ) * on Tuesday November 29, 2005 @02:43PM (#14139768) Homepage
    I wonder if the artists will be "charged" for recalling their CDs and reissuing them... that would be sadly funny. Maybe it would make a few of these artists strike out on their own.

  • Sony LOVES DRM (Score:1, Interesting)

    by killercoder ( 874746 ) on Tuesday November 29, 2005 @02:43PM (#14139769)
    Buy any Sony DVD after Jan 1 2005 and you can't play it without using their player (or DVD Decrypter)....Why? They deliberately put bad sectors on the disk.

    Buy a Sony music CD produced after Aug 1, 2005 it installs a root kit.

    What's next? Buy a Sony Walkman and it won't play anything but a Sony CD? Idiots, time for a boycott.
  • by BushCheney08 ( 917605 ) on Tuesday November 29, 2005 @02:43PM (#14139773)
    They were intentionally subverting people's computers to begin with, hence they were in violation of CA and TX's computer privacy laws anyways. They had very little chance of winning either of those cases as is. Of course, this just bolsters the state's cases.
  • by Kevin DeGraaf ( 220791 ) on Tuesday November 29, 2005 @02:47PM (#14139801) Homepage
    sony just lost them court cases we've been hearing about

    Sony is a BIG company, huge enough to be considered a part of The Man. Therefore, there's no way that (1) they will lose any suits, or (2) they will be hit with damages that will have any practical impact whatsoever.

    I would love to have to eat these words... here's hoping.

  • lawsuit season (Score:3, Interesting)

    by ltwally ( 313043 ) on Tuesday November 29, 2005 @02:53PM (#14139853) Homepage Journal
    Normally, I'm not in favor of suing. Seems that there are far too many frivolous lawsuits, these days. In Sony's case, however, I'll go so far as to say that they deserve to get their ass handed to them in court.

    Not only did they put something like this in their CDs, but they were warned by a respected security/anti-virus firm about it... and they did nothing until the public caught on. An example needs to be made of companies that behave like this.

    I say, write your state legislator as well as your congressmen and senators, and urge everyone to sue. Let those <sarcasm> lovely </sarcasm> DMCA laws work in our favor, for once.
  • by Anonymous Coward on Tuesday November 29, 2005 @02:53PM (#14139857)
    I suspect that they were reacting as quickly as they could. After all, they were trying to develop a patch, and those things take time. Of course, without disclosure, they probably would have made the patch change the secret word from $sys$ to $sis$. After the disclosure, their hand was forced, and they had to change their plans and release an "uninstall" that installed other spyware as well as turned off IE security settings for ActiveX controls.
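The `$sys$` hiding trick mentioned above is exactly what cross-view detection exploits from the defender's side: enumerate the same directory once through the API a cloaking driver can hook and once through a lower-level path it does not intercept, and anything that appears only in the second view is being hidden. The script below is an added example, not code from the thread or from Sony, First4Internet or F-Secure; the hooked enumeration is a simulation that simply drops prefixed names, and the `$sys$` file names are constructed for the demo.

```python
"""Cross-view detection of $sys$-style cloaking (added demo, not the page's code)."""
import os
import tempfile

# Magic prefix quoted in the thread; the real driver's matching rules are not
# assumed here, only a plain prefix check on file names.
CLOAK_PREFIX = "$sys$"


def hooked_listdir(path):
    """Simulated view through a hooked API: prefixed names never show up."""
    return [n for n in os.listdir(path) if not n.startswith(CLOAK_PREFIX)]


def raw_listdir(path):
    """Simulated low-level view that the hook does not intercept."""
    return os.listdir(path)


def cross_view_diff(high_view, low_view):
    """Names present in the low-level view but missing from the API view."""
    return sorted(set(low_view) - set(high_view))


def scan_for_cloaked(path, enum_high=hooked_listdir, enum_low=raw_listdir):
    """Run both enumerations and report hidden entries and prefix hits."""
    hidden = cross_view_diff(enum_high(path), enum_low(path))
    return {
        "hidden": hidden,
        "prefix_matches": [n for n in hidden if n.startswith(CLOAK_PREFIX)],
    }


def make_sample_dir():
    """Constructed sample: two ordinary files and two cloaked ones."""
    d = tempfile.mkdtemp(prefix="xview_")
    for name in ("track01.wma", "player.exe", "$sys$hidden.sys", "$sys$notes.txt"):
        open(os.path.join(d, name), "w").close()
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    report = scan_for_cloaked(sample)
    print("hooked view :", sorted(hooked_listdir(sample)))
    print("raw view    :", sorted(raw_listdir(sample)))
    print("hidden      :", report["hidden"])
```

Passing `enum_high=raw_listdir` gives an empty `hidden` list, which is the clean-machine baseline a real cross-view tool compares against.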
  • by Jeng ( 926980 ) on Tuesday November 29, 2005 @02:58PM (#14139895)
    Like the metal detectors I had to go through to leave the production floor when I worked at Dell. They are there as a sign of theft deterrent, not to provide real theft deterrent. Oddly enough when I worked there the security staff was slipping servers out the backdoor.
  • by TheRaven64 ( 641858 ) on Tuesday November 29, 2005 @03:07PM (#14139989) Journal
    Sony could have claimed that they were unaware of exactly how the software worked, since they bought it from an outside company. Since they were notified and still didn't issue a recall (or even stop distributing new copies) then they can be shown to have willfully continued to violate the law. This degree of premeditation will not go over well in a court of law.
  • by Daedala ( 819156 ) on Tuesday November 29, 2005 @03:09PM (#14140007)
    I disagree. I think F-Secure did great. I also think Mark Russinovich did great.

    I think that it would have been much better if the news could have broken with a working, well-engineered patch. This is always preferable. F-Secure was trying to make this happen. A month is not a long time. Yes, a lot of people were infected in that month; but a lot of people were infected anyway. F-Secure did a right thing.

    On the other hand, Russinovich also did a right thing. This software was not a mistake; it was deliberate. People were getting infected and had no idea. Clearly, people should know about this. Clearly, the corporation did not give a rat's ass about their users.

    I like responsible full disclosure: give the maker time to fix it, and publish with a patch when possible. But don't allow eternal "patch development," and make sure disclosure happens. There is room for disagreement among people of good will and high ethics.

    Sony need not apply to that group, though.
  • by dwandy ( 907337 ) on Tuesday November 29, 2005 @03:15PM (#14140052) Homepage Journal
    C'mon ... I'm debating whether Hesse's new quote should replace his last one on the subject:
    "This e-mail, which we have also reviewed, seems to be about a routine matter," says Hesse. "While it did introduce the notion of a 'rootkit,' it did not suggest that this software was anything but benign."

    How anyone in his position could use the words "rootkit" and "benign" in the same sentence and expect to be taken seriously is beyond me.
    How about:
    'err, this e-mail seems to be about a routine matter. While it did introduce the notion of 'death and dismemberment', it did not suggest that the actions were anything but benign.

    I don't think that any competent techie would consider the word "rootkit" as something to ignore in an e-mail ... and if Sony doesn't have techies reviewing things when mgt doesn't understand what they are, then they deserve everything coming to them.

    At this time, I'd like to thank Mr. Hesse for doing a world of favour to the anti-DRM community. Keep up the good work!
    And when you think of Infected by DRM , think/thank Hesse...

  • by Anonymous Coward on Tuesday November 29, 2005 @03:15PM (#14140055)
    I tried submitting this to Slashdot but apparently the editors didn't find it newsworthy.

    http://www.benedelman.org/news/112105-1.html [benedelman.org]
    http://www.downloadsquad.com/2005/11/23/sony-could-use-xcp-to-protect-its-customers-but-wont/ [downloadsquad.com]

    Sony could use XCP to protect its customers, but won't

    Spyware researcher Ben Edelman says that XCP, the software at the heart of Sony's rootkit fiasco, could also be used to inform Sony's customers that their computers have been compromised. Sony doesn't know whose computers are infected by their rootkit, but the XCP player software includes code for automatically fetching a banner from Sony's servers. Sony could easily use this to display a recall notice to the rootkit's victims, but are they going to? I seriously doubt it. While the whole affair has been gaining more and more traction with the media, Sony knows that the majority of its customers will never hear about any of it, and they want to keep it that way. While their recall was intended to be viewed as a good-faith gesture (and, indeed, there may be some actual good faith in there somewhere), the last thing Sony wants is for every Switchfoot fan to know how badly their record company screwed up their computer.
  • by harrkev ( 623093 ) <kevin@harrelson.gmail@com> on Tuesday November 29, 2005 @03:16PM (#14140061) Homepage
    Watch for the recalled CDs in the bargain racks in the near future. You know that's where they will end up.
    I hope not.

    But if they are not destroyed, then they will most likely be given away as a prize to the ninth caller to your local Clear Channel radio station.
  • by Concerned Onlooker ( 473481 ) on Tuesday November 29, 2005 @03:41PM (#14140294) Homepage Journal
    Oh man nothing like sucking up to /. to get a +5 insightful. No it's not OK. If you would follow the news you would see that several states and countries are considering criminal charges against Sony.

    Nothing like trashing someone else to get modded up.

    Aside from that, I guess the Sony case will be nothing like the Mitnick case as he was held without bail and spent time in solitary confinement. It seems a safe assumption that the Sony execs will suffer no similar fate. Not to mention the other poster here who points out that they are only facing a civil suit, not a criminal one.

  • by mvea ( 158406 ) on Tuesday November 29, 2005 @03:44PM (#14140323) Homepage
    OmniNerd is carrying a decent article on the nature of rootkits (Rootkit: The "r00t" of Digital Evil) [omninerd.com] that isn't watered down like everything else the media has been using to describe rootkits. I think the principal problem with the legal system, the general public and Sony is that most people just don't understand what a rootkit really is and the capabilities they present to hackers. The media has been lumping them into the malware category as nothing more than the latest virus going around - a misconception that is costly to consumers because the threat has been greatly downplayed.

    Perhaps once people really fathom just what a rootkit can do to them and how a properly written rootkit will not be detected by their anti-virus software, they'll take the threat more seriously. And in doing so, demand rightful compensation from Sony in lieu of a new audio CD. Are you comfortable with rootkits installed on the computers of your local financial institution? College records? Law enforcement? Wall Street? The military?
  • Re:I wonder... (Score:2, Interesting)

    by Ilgaz ( 86384 ) on Tuesday November 29, 2005 @04:18PM (#14140644) Homepage
    The sad thing is; the artists have no clue what the hell is a "rootkit". I mean, a musician should know anything else than ProTools? :)

    Now, nobody buys the bands CD because of "virus" (Joe public). It has nothing to do with artistic stuff or taste of music. Plain technological vandal geeky stuff hitting art.
  • by mendax ( 114116 ) on Tuesday November 29, 2005 @04:23PM (#14140691)
    A consumer boycott could possibly make SONY management act responsibly, meaning they actually admit responsibility for the rootkit, but I doubt it unless the boycott spreads outside of geekdom. Well, maybe. But if it doesn't here's what you can do personally: sue them yourself.

    In California (where I live), we have a thing called "Small Claims" court. It's a civil court where an ordinary citizen can sue another ordinary citizen or a company for monetary damages. Punitive damages are not awarded and neither are "pain and suffering" damages. You actually have to have been damaged in a way that cost you money in order to collect in small claims court. The good thing about small claims court is that lawyers are not allowed. The bad thing is if you're suing a corporation they can send an employee (such as a lawyer they have on the payroll). This is a good thing in a way as you will see.

    First of all, you need to be damaged by SONY. That's easy: put one of the XCP music CDs in your PC. Of course, you should not do this knowing about the rootkit. But if it happened before you learned about it or if you happened to get one of those XCP disks and didn't notice it then it's a different matter.

    Second, you need to pay someone to clean your PC. Make sure you get a receipt.

    Third, you need to follow the rules regarding filing a claim, getting court papers served, making sure you're prepared to present your case, etc. All this is here:

    http://www.courtinfo.ca.gov/selfhelp/smallclaims/scbasics.htm [ca.gov]

    The neat thing about small claims court is that if the defendant (SONY in this case) doesn't show up, you are entitled to ask for a summary judgment which means you win your case by default. You can then proceed to collect your damages from SONY. Companies tend to pay such claims because the cost of having assets attached and liquidated (such as one of their bank accounts) exceeds the cost of just paying it.
    If they send someone it's an employee of the company which means they are paying wages for someone to be there. If you win your case, you've not only made SONY liable for your damages (plus your court costs) you've also cost them probably more than your damages especially if they send one of their legal department lawyers. If you lose, you've still won a moral victory that cost you no more than the cost of one of SONY's CDs and some of your time.

    If enough people did this SONY will take notice. So if you've been damaged go for it. If you know someone who's been hit by the rootkit, perhaps they can be urged to do it. You can even make some money on the side if you're the one cleaning the PCs.
  • by LWATCDR ( 28044 ) on Tuesday November 29, 2005 @04:27PM (#14140726) Homepage Journal
    Seems like the best plan is:
    1. Turn off auto run.
    2. Rip every CD in your Linux box and then make a clean copy.
    3. Don't buy broken CDs anymore.
    Just say NO to DRM. The only thing Sony seems to understand is lost sales. Anyone want to bet if Sony will start to "pre install" this DRM crap on their PCs?
    I guess I will not be getting that PS3 as well. I hate it when Microsoft is the lesser of two evils!
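Step 1 of the plan above, turning off AutoRun, is a registry policy on Windows. The script below is an added example written for this thread, not something the poster or Sony provided; it audits the current AutoRun state and applies the hardened value. It assumes a modern PowerShell on the machine being checked and the documented `NoDriveTypeAutoRun` bitmask and `cdrom` service `AutoRun` value.

```powershell
# Added example, not from the thread: audit and harden Windows AutoRun,
# the feature the comment above says to turn off. NoDriveTypeAutoRun is a
# bitmask of drive types for which AutoRun is disabled: 0x04 removable,
# 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, 0x80 unknown.
# A clear 0x20 bit means an inserted disc can launch its autorun.inf.
$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Cdrom  = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'

function Get-AutoRunState {
    $mask = (Get-ItemProperty -Path $Policy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $svc  = (Get-ItemProperty -Path $Cdrom  -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    $maskText = 'unset'
    if ($null -ne $mask) { $maskText = '0x{0:X2}' -f $mask }
    $svcText = 'unset'
    if ($null -ne $svc) { $svcText = $svc }
    [pscustomobject]@{
        NoDriveTypeAutoRun  = $maskText
        CdAutoRunBlocked    = ($null -ne $mask) -and (($mask -band 0x20) -ne 0)
        CdromServiceAutoRun = $svcText
    }
}

function Disable-AutoRun {
    # Weak:     NoDriveTypeAutoRun absent, or present with bit 0x20 clear
    # Hardened: NoDriveTypeAutoRun = 0xFF (all drive types), cdrom AutoRun = 0
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    New-ItemProperty -Path $Policy -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $Cdrom  -Name AutoRun -PropertyType DWord -Value 0 -Force | Out-Null
}

Get-AutoRunState   # audit first; run Disable-AutoRun from an elevated shell to harden
```

`CdAutoRunBlocked` is `False` on a machine that would still run a disc's autorun.inf on insert, which is the weak state; after `Disable-AutoRun` and a reboot it reports `True`.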
  • by infolation ( 840436 ) on Tuesday November 29, 2005 @07:19PM (#14142593)
    The comments following TFA mention that First4Internet created the rootkit using open-source tools, and that by not acknowledging this, Sony broke copyright laws protecting the IP of those tools.

    Aside from the irony that Sony were protecting their IP by violating someone else's... is this true? And if so, why are Sony not being prosecuted for breaching that copyright?

    ----
    This Sig is currently out of order. Please try again later.
