Forgot your password?
typodupeerror
Sony Security

Sony RootKit Still A Problem? 268

Posted by CmdrTaco
from the this-stuff-never-dies dept.
XMilkProject writes "Current research indicates that some "350,000 networks--many belonging to the military and government--contain computers affected by [Sony's rootkit]." This is down from over half a million last month. "The security researcher worked from a list of 9 million domain-name servers.. asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches." Will Sony face future repercussions for this potentially long-term damage?"
This discussion has been archived. No new comments can be posted.

Sony RootKit Still A Problem?

Comments Filter:
  • The first rule of the Sony Rootkit is that we do not talk about the Sony Rootkit.

    The second rule of the Sony Rootkit is that we DO NOT TALK about the Sony Rootkit.
  • Safe.. (Score:5, Funny)

    by seann (307009) <notaku@gmail.com> on Tuesday January 17, 2006 @12:14PM (#14490898) Homepage Journal
    Because new music sucks.
    • Makes you wonder.... (Score:4, Interesting)

      by antek9 (305362) on Tuesday January 17, 2006 @12:22PM (#14490986)
      ... what kind of person takes their Sony CDs to work in order to play them on PCs on a military network. Kinda bizarre that that's even possible.

      Makes me sleep better, on the other hand, to see that there are music lovers even there.
      You know how the saying goes: Where one sings you may sit down and sing along, bad people have no song. ;)
      • by Prophet of Nixon (842081) on Tuesday January 17, 2006 @12:27PM (#14491031)
        Well, the scenario of taking CDs to work to play them on networked military PCs is not implausible at all; there are thousands of GS/staff employees who do that. What is implausible, at least in my experience, is those users having admin access to their machines. Was this rootkit able to install on XP under a user or power user account?
        • by antiMStroll (664213) on Tuesday January 17, 2006 @01:04PM (#14491345)
          What's implausible is the Sony executives responsible for distributing a hidden exploit aren't basking in the Guantanamo sun. Had this been Swedish or Thai teens you can bet your ass their faces would adorn newpapers worldwide and software giants decrying the vandalism.
          • exactly correct (Score:5, Interesting)

            by Anonymous Coward on Tuesday January 17, 2006 @01:22PM (#14491510)
            The sony rootkit fiasco is an example of criminal conduct, not a civil tort matter. Why some high level Sony USA execs aren't in the slammer now is beyond me. Like you said, if some teenage scripter had done this, they would be facing 30 years or something, but because it's a large important company they are facing a few fines.
            • Re:exactly correct (Score:4, Insightful)

              by BVis (267028) on Tuesday January 17, 2006 @01:51PM (#14491771)
              Why some high level Sony USA execs aren't in the slammer now is beyond me.
              Rich people don't go to jail; also, the law hasn't caught up to this kind of crime, especially on this scale. (Martha Stewart went to prison because she was charged and convicted under well-understood and established laws.) Ask the average attorney what the crime is here and you'll get blank stares, not because it isn't blatantly illegal, but because the average person doesn't know or care about this kind of thing.
              Like you said, if some teenage scripter had done this, they would be facing 30 years or something,
              Unless Daddy is loaded. Then he'd get 20 hours community service and six month's probation. OTOH, if the teen in question was middle- or lower- class, its PMITA prison time.
      • by Gonarat (177568) * on Tuesday January 17, 2006 @12:47PM (#14491182)

        .. what kind of person takes their Sony CDs to work in order to play them on PCs on a military network. Kinda bizarre that that's even possible.

        Once upon a time, bringing in the CD would have been the safest way to listen to music. Nothing can be copied to a CD, and nothing could be brought in on a pressed CD other than music. Nothing for Military Security to be worried about. Ipods and other MP3 players could potentially be used to sneak data out.

        Of course now with the DRM crap on the "CD", this is no longer true. The once friendly store bought CD is now a potential risk. Way to go Music Industry! And you wonder why sales are down in 2005 from 2004...besides crappy offerings.

        • IMO the problem is that the labeling restrictions for CDs are not strong enough. You can still put the "CD digital audio" logo on your audio CD if it is a CD-Extra and not just a good old Red Book CD. Without this, there might have been more consumer awareness. The properly paranoid will now note that the CD system was invented by Sony and Philips and Philips is the body behind the logos.
    • But aren't they re-releasing older music on discs using the same scheme? Picking up your classic oldie may not protect you.
    • I steal all my music from the internet
  • by Anonymous Coward on Tuesday January 17, 2006 @12:14PM (#14490903)
    NOSY
  • by Py to the Wiz (905662) on Tuesday January 17, 2006 @12:15PM (#14490911)
    I personally don't buy CDs so I wasn't affected but from what I've heard there are some serious problems with the "patch" Sony provided. I'm just a bit curious... Does the patch keep the rootkit permanently disabled and removed? It seems to me that if we put a deviant Sony CD back into our computer that the rootkit would just be reinstalled. Then do we have to run the patch again? This is rediculous. I've do not intend on purchasing any music that has the SONY lable on it. This to me is just plain stupid. What gives Sony the right to install deviant software on "MY" pc and then make it stealth so that I don't know it's there. As far as I'm concerned I think that's the lowest a company can go. That's stooping to the level of those bastard red headed step children Spammers/Spyware installer/Virus/worm pushing assholes.

    I'm to the point now watching this rediculous attempt from Sony to attach it's controls on something that I purchase the rights to use/listen/backup and trying to enforce through deviant means. What is this rootkit supposed to do!? They just wanted to install it for the Hell Of It? Nope, it's supposed to reinforce their stupid DRM bullshit and keep me from listening to the music that I paid for. I'm to the end of my rope. I think that there needs to be a group or mutiple groups put together that should purposefully break what Sony is trying to do. I've been years out of the programming/Computer industry and thus lack the skills to do it, but I think that we should form Anti-DRM, anti-Sony groups to demolish the protection that they put on their stupid CD's. I will not from this day forward purchase anymore music from Sony until they drop their Bullshit practices. I call for a Boycot of Sony's Music. I'm not sure what one man can start, but I'll be damned if I'm going to stand around any longer and watch Sony impose itself on me! They want me to buy their shit, then they want to enforce by deviance their policy, and after all that they hijack my PC for WHo knows what! Ahhh! Time for a Revolution. I love my PS2, but am refusing to play it again until SONY stops all this Bullshit! No more video games purchased either. Damn you Sony! Leave me the Hell alone! Stay off of my Computer and my CD's! Damn you!

    With that said, I feel somewhat better, but am still disturbed deep inside that they would have to stoop to that level to try and enforce their protection. Maybe they don't realize that as the sound comes out of the speakers it can be recorded with a MIC and pirated that way, or through LINE OUT. Damn them. Rant Over.
    • by Luke PiWalker (946528) on Tuesday January 17, 2006 @12:20PM (#14490969) Homepage Journal
      Better yet, you could take in an old box and drop it on the front desk and go "Excuse me, you've installed a virus on my PC via a Sony CD. Will you be removing it or should I charge by the hour at £X00(add as many 0s as you likee, but 2 sounds about right) for having to remove it via a repair guy (don't say you, it seems supicious).

      Demand compensation (for petrol to get there), the money to fix it and if they refuse tell them you'll take them to court for the damages (claim the box was used for something important like hosting websites and the rootkit has not passed some safety tests that all servers must pass at your company).

      Aww the fun of being a sick little geek :D
      • "Security!"

        And that would be that. And threatening to sue would only get you laughed at; their lawyers can beat up your lawyers. Besides, the EULA makes them immune from that kind of liability. (Yes, I know XCP gets installed even if you decline the EULA, but try explaining that to 12 morons off the street.)
    • We were a Sony-less household this Christmas -- no slim Sony digital camera for my college student and no PSP for my high schooler. They were not all that pleased until I explained what a rootkit was and why it was so bad. They were still pissed, but at least understood I wasn't just being a cheapskate.
    • So... you're going to boycott Sony by not playing the PS2 that you already paid for? How is that hurting Sony? Why not sell your PS2? Then you've at least possibly deprived Sony of purchase.

      But then, the division that makes the PS2 is fairly disparate within the company from the one you're attempting to hurt. But then you've already admitted that you don't buy CD's, the record company couldn't really care less about you. Still- why attempt to harm the folks within the company who make a cool product for th
  • by Anonymous Coward on Tuesday January 17, 2006 @12:17PM (#14490937)

    "While the security issues related to the copy-protection software have apparently affected U.S. government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

    "I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

  • Apology? (Score:5, Interesting)

    by omeg (907329) on Tuesday January 17, 2006 @12:18PM (#14490940)
    By the way, regardless of the magnitude of this problem currently, has Sony ever formally apologized for their damaging rootkit? They've said that most people "shouldn't care", or that it was their "right" to cripple people's computers, but I've not once heard them say sorry. Can anyone clarify?
    • Re:Apology? (Score:4, Interesting)

      by ai3 (916858) on Tuesday January 17, 2006 @12:24PM (#14491007)
    • I would love for a class action suit to hit Sony regarding this. When I buy a program (i.e. world of warcraft) i know and expect to install stuff on my computer. When I buy music or movies I do not expect for anything to install. Hell when I put a movie in and the Activision (i think that is it) pops up to install itself so it can "play" the movie I just hit the cancel button. It is annoying to see it each time i stick the movie in (actually not really, it doesn't happen that often) but at least they as
    • By the way, regardless of the magnitude of this problem currently, has Sony ever formally apologized for their damaging rootkit?

      I'm not big into apologies. They are worthless. Especially when the person keeps doing the same thing that they apologized for.

      I require 2 things. 1) restitution or compensation for whatever you fucked me over with, and 2) assurance that the person will not do the thing again.

      Sony owes people cash for screwing up people's computers and their time. They screwed up. An apology
  • by Alizarin Erythrosin (457981) on Tuesday January 17, 2006 @12:18PM (#14490943)
    Will Sony face future repercussions for this potentially long-term damage?

    Probably not. They're already getting off somewhat easy for the original hubub.
    • They're already getting off somewhat easy for the original hubub.

      The penalty is less than a slap on the wrist, but is typical of the inconsequential "fines" levied against large companies these days. They can simply afford better lawyers than their opposition.

  • Settled too soon. (Score:5, Insightful)

    by gasmonso (929871) on Tuesday January 17, 2006 @12:19PM (#14490952) Homepage

    If you look at the settlement in the New York District court it is nothing more than a slap on the wrist. Sony knowingly infected computers with what amounts to a trojan horse. In return they have to pay a little money and promise not to do it again. That's insane when you consider the witch hunts that have taken place for 16 year-old kids releasing a virus. Sony needs to pay and pay dearly for their deliberate criminal actions. The government always wants to send hackers a strong message...well then the same applies to corporations!

    http://religiousfreaks.com/ [religiousfreaks.com]
    • Well, a settlement in a civil suit, even if it is a class action, doesn't mean you won't be criminally prosecuted.

      Also, I doubt the US government is included in the action's class.

      Write (not e-mail) your congressman today. Make sure to sign the letter with a real pen, too (politician's like that sort of thing, reminds them of crayons).
    • I would be most curious if a spyware/virus/worm starts using the Sony rootkit as a foundation. Sony actions are not be seen as a "crime" so what happens if the Sony rootkit is then automated and made self-propagating or somebody makes a harmless worm that propagates and hides in the hidden directories.

      The malware coder may be tossed before the courts but I wonder if the (lack of) legal reaction to Sony's rootkit can be used as precedence? And if not, can the malware coder then drag Sony into the picture
    • by TubeSteak (669689) on Tuesday January 17, 2006 @12:54PM (#14491244) Journal
      As part of the settlement, Sony is agreeing not to enforce two key portions of the EULA
      1. A $5 limit on damages
      2. The requirement that you must sue Sony in New York
      Once the settlement is official, Sony will have opened themselves up, such that they can be sued in court anywhere in the United States.

      Small claims court is the most likely venue, because you don't really need a lawyer to represent yourself and if Sony doesn't send a representative, you get a default judgement.

      Collecting might be a bitch, but in this case, it definitely won't be the lawyers making all the money.
      • So long as Sony is the one paying for them. I'll happily represent myself, in a local court (in my case, Canada), and if Sony wants to pay the costs of sending lawyers back and forth from here and a couple-thousand other users who care to sue them... well all the better. Heck, I'll even settle for $25 after we've run it through court a bit.

        At this point, I don't care so much that lawyers are making money, so long as they're costing Sony lots of money for this idiocy.
      • I never understood this. Does US law really permit a blanket restriction on where someone may sue you, and on what damages a court may award if you win?

        What does a judge do if you bring a legitimate grievance against someone to court elsewhere? Will a court really allow the condition to be enforced and invalidate a case with legal merit? Will a judge really say "Ah, well, I know they've lost the case, but I can't award damages of more than two cents because the losing party said so?

      • ...if you clicked 'Don't Agree' to it and the rootkit installs itself anyway.
  • Repurcussions? No. (Score:4, Insightful)

    by mindaktiviti (630001) on Tuesday January 17, 2006 @12:19PM (#14490955)

    "Will Sony face future repercussions for this potentially long-term damage?"

    No they won't because they're a huge multinational corporation who will probably layoff some employees and reward their top execs from the whole ordeal. I'm not trying to be some hippie about this, it's just the way the world works.

  • by digitaldc (879047) * on Tuesday January 17, 2006 @12:20PM (#14490970)
    Robert K. Merton listed [atfreeweb.com] five causes of unanticipated consequences:
    (I have applied them to Sony's decision to use rootkits)

    1. Ignorance (It is impossible for Sony to anticipate everything.)

    2. Error (Incomplete analysis of the rootkit problem, or following habits that worked in the past but may not apply to the current situation.)

    3. Immediate interest in stopping a computer from copying something, may override long-term interests of sustaining their reputation as honest and trustworthy.

    4. Basic values of trusting your customers may require or prohibit certain actions like installing a rootkit, even if the long-term result might be unfavorable. (These long-term consequences may eventually cause changes in those same basic values.)

    5. Installing malware on people's computers is always a self-defeating prophesy (Fear of some consequence drives people to find solutions before the problem occurs, thus the non-occurrence of the problem is unanticipated.)
    • 1. Ignorance (It is impossible for Sony to anticipate everything.)

      2. Error (Incomplete analysis of the rootkit problem, or following habits that worked in the past but may not apply to the current situation.)

      3. Immediate interest in stopping a computer from copying something, may override long-term interests of sustaining their reputation as honest and trustworthy.

      4. Basic values of trusting your customers may require or prohibit certain actions like installing a rootkit, even if the long-term result might
  • Simple answer.. (Score:3, Insightful)

    by ThePatrioticFuck (640185) on Tuesday January 17, 2006 @12:23PM (#14490997)
    Will Sony face future repercussions for this potentially long-term damage?

    Of course not. They may pay a (relatively) small fine or two, but a quick a donation to a politician here and there, and that'll be all she wrote.
    • Uhhhh, not really. Even the CEO of Sony admits that they spent way too much time working on protecting their music recording services, enough that products like the iPod and Panasonic's flat screens and Microsoft's XBox have seriously harmed them. It's called opportunity cost -- more resources spent on one thing mean less resources spent on others.

      Last year they lost money. Yes, negative profit. For a company as established as Sony, that tells you something.

      Sounds to me like the market is handling this root
  • by mendaliv (898932) on Tuesday January 17, 2006 @12:25PM (#14491012)
    The whole concentration on the fact that military and government computers were infected is a tad sensationalist. You hear military or government and see DARPA or CIA.

    In all odds the machines they're talking about are your typical office machines, used mostly for clerical work. Your network admin might not really worry or care about someone screwing it up; in all odds the people using them don't know enough to mess stuff up that badly.

    I think all this is going to entail is the IT divisions of the important branches of the US government running rebuilds a little ahead of schedule...
    • Right. And not to minimize Sony's fault here, but government users (or most corporate users for that matter) should not be able to install (intentionally or not) software on their own PCs. It's a pretty good bet the NSA and DARPA PCs don't.
  • by andreMA (643885)
    Take away the sonybmg.com domain name. Seems a reasonable punishment for domains used in such a way... Yes, I know the problem of infested machines that remain vulnerable thanks to Sony would still exist.
  • by Perl-Pusher (555592) on Tuesday January 17, 2006 @12:28PM (#14491035)
    "Will Sony face future repercussions for this potentially long-term damage?"

    Sony won't be harmed at all. But since this incident an Air Force unit I used to belong to can no play music cd's on computers. Doing so can result in corporal punishment.

    • Doing so can result in corporal punishment.

      They give spankings in the Air Force?
    • corporal punishment???

      They will beat you for playing music on a computer? Hm, I can understand wanting to beat you for playing the Back Street Boys, but just playing music?

      In all seriousness - I am pretty sure the military is not allowed to employ coproral punishment on it's soldiers (at least not officially).
    • That's truly disturbing. First we send these poor kids out to die for some ridiculous power stomp operation in Iraq. Now we don't let people play CDs because our affiliations are not with our own kids but with foreign mega coorporations.

      Fuckin thought America was different than the rest of the world when I moved here. Fuckin everyone's the same, just bullshit people in a bullshit endless shit cycle. Wake up people, you're better than this. Do something about it. Tell your ex-commander or whatever that
    • This damned rootkit certainly continues to be a problem, because 95% of the population has no clue that this fiasco ever occurred, or even cares what label produces their music CDs.

      I had someone call me last week, complaining that Nero wouldn't copy her music CD. "It says I have the wrong CD," she said. I went to her office, looked at the CD box, and saw Sony/BMG. Considering the fact that I e-mailed all of my users two months ago about this problem, this called for an immediate and severe penalty: rep

    • Doing so can result in corporal punishment.

      Typical military! Meanwhile, the sergeants, lieutenants, captains, colonels and generals can do whatever they please.

  • by gbobeck (926553) on Tuesday January 17, 2006 @12:28PM (#14491038) Homepage Journal
    Part of the problem with the Sony Rootkit is the fact that many stores **STILL** are selling the rootkit enhanced CDs.

    I personally have seen this at several Borders stores in my area, and each time I mention this to the management I recieve blank "deer in the headlights" looks.
    • by quokkapox (847798) <quokkapox@gmail.com> on Tuesday January 17, 2006 @12:33PM (#14491075)
      You would receive a similar blank stare if you remarked about mercury levels in the cans of tuna you are buying at the grocery store.

      The retail checkout line is not the place to wage these types of battles.

      • These have been 'recalled' by SONY. The retail level is definitely the place to wage this portion of the battle. If this were Tuna and a recall were out you can be assured the 'tainted' cans would be off the shelf in minutes.

        I wonder how culpable a store becomes when they sell a recalled product AND have been advised of that fact?
      • If you asked for the Manager, and he doesn't know squat, try getting the phone number for the regional/district office.

        They tend to get the memos from Corp. Headquarters.
    • by meringuoid (568297) on Tuesday January 17, 2006 @12:59PM (#14491290)
      rootkit enhanced CDs

      This battle is one of propaganda as much as anything else. If you use the enemy's terminology, you've already lost.

      These are rootkit infected CDs. Use that phrase in conversation with your non-techie friends. 'Damn, I got an infected CD from Sony.' They'll not grasp all the geek details, but they'll get the picture.

      Similarly, call what it is trying to do 'Digital Restrictions Management' whenever you have to explain what 'DRM' is. It's a far truer portrayal of what's going on.

  • by Anonymous Coward on Tuesday January 17, 2006 @12:29PM (#14491045)
    ...I heard somewhere that if you play these new Sony CD(s) backwards, the rootkit data will say, "yur sole iss miiine. yur sole iss miine. Haaaaale Goooooogle! Whaaaaaat issss thigh bidding miii massster? RaaaaaaaaaaAaAaaAaaa!" ...and a plume of blood will shoot out of your CD tray and melt your face like that dude from Raiders of the Lost Ark.

    \\//_
  • End result (Score:5, Insightful)

    by quokkapox (847798) <quokkapox@gmail.com> on Tuesday January 17, 2006 @12:30PM (#14491050)
    These CDs will be out there forever, in users' libraries and bought and sold by used CD shops and flea markets. The end result of this fiasco is that Sony discs are something you watch out for and don't risk sticking in your computer, unless you're running the latest antivirus/antispyware software.

    Sony == Dangerous to my PC

    What a great way to promote a brand.

    • The end result of this fiasco is that Sony discs are something you watch out for and don't risk sticking in your computer, unless you're running the latest antivirus/antispyware software.

      Maybe future OS's will automatically block this. Even firmware in the CD/DVD/HD/??? player can be inoculated against it.

      Vista anyone?

    • Re:End result (Score:2, Insightful)

      by Neillparatzo (530968)
      The end result of this fiasco should just be that people disable Autoplay.
  • Sadly, no. (Score:5, Insightful)

    by sethadam1 (530629) <adam@NOsPaM.firsttube.com> on Tuesday January 17, 2006 @12:37PM (#14491107) Homepage
    Sadly, not only will Sony face no long term damage, but this will be a blockbuster year for them as they release PS3 and millions of quick-to-forget Slashdotters rush out to buy a PS3.

    If consumers were smart, they'd go buy a Nintendo Revolution - or even an Xbox - and intentionally skip the next Playstation. Unfortunately, they won't, because their souls are fueled by acquisition and shiny-new-toy syndrome.

    • Sadly, not only will Sony face no long term damage, but this will be a blockbuster year for them as they release PS3 and millions of quick-to-forget Slashdotters rush out to buy a PS3.

      Not this slashdotter, nor his family nor friends. You neglect the power of the word of mouth. There are a lot of pissed-off consumers out there.

  • No. (Score:2, Insightful)

    by Bob9113 (14996)
    Will Sony face future repercussions for this potentially long-term damage?

    No. Who do you think pays our politicians' wages? Are they going to bite the hand that feeds?
  • Well, second only to Intel's dropping their Pentium brand from their Pentium chips. To quote Weird Al, "It's all about the pentiums, baby"
  • First thing to note - just because a computer belongs to the military or any other branch of the gov't does not mean it is 1) a secured computer 2) a computer with access to sensitive materials. This computer could be the janitors computer.

    What the hell...300,000 people are placing music CDs at work? No wonder our government gets nowhere - they are all busy listening to music and playing games. Get a regular CD player people - they aren't that expensive.
  • I don't know the current government policy on use of computers for non-work use but it used to be very strict. Same thing at many large corporations.

    So does the presence of such a policy weaken any case against Sony?

    Government: You infected our computers.

    Sony: Surely this is not true as your policy clearly forbids personal use of computers. Are you operating in violation of your own policy?
  • by falcon5768 (629591) <Falcon5768@@@comcast...net> on Tuesday January 17, 2006 @12:47PM (#14491183) Journal
    They are a company, and a VERY large one to boot. They honestly can do no wrong unless it involves actually stealing money and getting caught doing it, and even then they would get away with it after they make a big scene to asure the public.

    See Sony does things like this and its called a mistake. A hacker does something much less, and its call terrorism. Go USA!

  • Governement PCs (Score:3, Interesting)

    by ArchAbaddon (946568) on Tuesday January 17, 2006 @12:54PM (#14491247)
    "350,000 networks--many belonging to the military and government..."

    I used to do assistant net admn in the armed forces, and it's amazing how little security there is on most military computer networks. They don't allow DHCP, but as the admin I found that there were no lockdowns on installing software like AIM and such. Only problem was, network security was dictated by higher commands, so I could do nothing but watchdog the system.

    So it's really no suprise to me to so this rootkit affecting so many military and government compys, given their lack of conecern about system security.

    • A few years ago a friend of mine gave me some old hard drives he got from the Army which was going to be tossed out. I tossed one of them in an old 486 I had lying around and after windows 95 bitched about missing hardware etc., up came a notice that THIS IS ARMY DATA BLAH BLAH BLAH. It didn't have any super secret documents but it did have MS Word, some shareware card games, and about 3 different viruses. Any AV software installed? Nah.
  • Have we broken the record yet for Slashdot articles about a single company over a single issue across a limited period of time?
  • Pwned (Score:4, Funny)

    by Nom du Keyboard (633989) on Tuesday January 17, 2006 @01:13PM (#14491428)
    Sony only agreed not to ship more CD's with the existing rootkits. Nothing against improved versions. In fact...

    Your new Sony-BMG non-standards compliant music disc contains the Pwned.exe wonderful pretty music player. Click here to hear the music you've already paid for. Remember, you cannot return opened CD's for any refund. Have a nice day!

  • From the article: "I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

    I think this is a larger problem - that Sony can do what is clearly an unauthorised incursion into the core of someone's computer without being sued.
    2.1 million cds have been sold. So something of the order of magnitude of 2.1 million computers have been infected by this rogue code. Many viruses don't achieve this level of penet
    • So something of the order of magnitude of 2.1 million computers have been infected by this rogue code.

      I hate to play devil's advocate, but 2.1 million CD's doesn't equate to 2.1 million CD's used in (and thus infecting) computers. Many CD's may just be used in personal CD players etc.

      Doesn't make it any more right, but no sense in pulling a Sony and skewing the stats as well :-)
  • Never made sense (Score:4, Interesting)

    by SiliconEntity (448450) on Tuesday January 17, 2006 @01:44PM (#14491710)
    Those figures reported for the rootkit infections never made sense. Half a million computers? As respected security expert Bruce Schneier noted: [schneier.com]

    "Even more interesting is that there may be at least half a million infected computers... I say 'may be at least' because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business."

    As Schneir notes, these are not big selling CDs. Here is the list from the EFF link above:
    Trey Anastasio, Shine (Columbia)
    Celine Dion, On ne Change Pas (Epic)
    Neil Diamond, 12 Songs (Columbia)
    Our Lady Peace, Healthy in Paranoid Times (Columbia)
    Chris Botti, To Love Again (Columbia)
    Van Zant, Get Right with the Man (Columbia)
    Switchfoot, Nothing is Sound (Columbia)
    The Coral, The Invisible Invasion (Columbia)
    Acceptance, Phantoms (Columbia)
    Susie Suh, Susie Suh (Epic)
    Amerie, Touch (Columbia)
    Life of Agony, Broken Valley (Epic)
    Horace Silver Quintet, Silver's Blue (Epic Legacy)
    Gerry Mulligan, Jeru (Columbia Legacy)
    Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
    The Bad Plus, Suspicious Activity (Columbia)
    The Dead 60s, The Dead 60s (Epic)
    Dion, The Essential Dion (Columbia Legacy)
    Natasha Bedingfield, Unwritten (Epic)
    Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)
    While Dan Kaminsky's methodology seems basically sound, if the results don't add up it suggests that there is something else going on. Maybe somehow each computer queried more than one DNS server, or some similar effect occured to artifically inflate the number of computers he is counting.
    • Never, ever, underestimate the power of Celine Dion and Neil Diamond fans.

    • Re:Never made sense (Score:3, Informative)

      by Effugas (2378) *
      What can I say? I got the data, saw what it said, rubbed my eyes and said...

      No, that's just...not...possible.

      And yet, the data just keeps coming back loud and clear.

      It doesn't do this for all names. Certainly, Sunncomm Mediamaxx is reported on far fewer networks -- 50K, maybe? And as mentioned, I threw out hundreds of thousands of servers for returning values they shouldn't already have cached.

      You know, if I was wrong -- and I'd love to be, it's a rare day in security where things are *better* than you t
  • I find it ludicrous that these supposedly recalled CDs are still on store shelves available for purchase. I bought my daughter a CD of teeny-bopper music the other day and she put it in her computer ... ACK!

    On the plus side, on the front of the application it silently installed was a notice of how to download the uninstaller ... but I thought these CDs were supposed to be recalled and no longer sold?
  • by Micah (278) on Tuesday January 17, 2006 @01:55PM (#14491814) Homepage Journal
    ... for at least a year. That's what I'm doing, even though I didn't buy any affected CDs. Yes, they did make token attempts to make things better for some victims, but they NEED to suffer a while for such a stupid decision. Any company that thinks it's OK to install malware on their paying customers' computers does not deserve my business, and it does not deserve yours.

    Yes, I know that SONY is a huge company with lots of independent decisions. But it's all one corporation, and it needs to feel pain for this stupidity. Its size just gives us more opportunities to boycott it. No Sony tapes, no Sony TVs, no Sony cameras, no SONY nothing until this year is over.

    The boycott needs to be for a limited time; that's why I said a year. If we never start buying from them again, then they lost us no matter what. If the boycott is for a finite time, then they know they can sell to us again ---- as long as they don't repeat this silliness. If they do, they should expect more pain.
    • Boycotts are basically ineffective unless tied to a publicity effort. A good way to get this to work is to volunteer to write consumer electronics articles for a local paper. Anytime a SONY product comes out, volunteer to review it, and call SONY and ask them if they think "accusations that they have violated customers' privacy" and "threats of boycotts" will impact their sales of this product. Include it in a basically favorable review, but close with a line like "Can this product's performance sway the
  • I got the new Leo Kottke / Mike Gordon CD (it's really good, btw) and it has this alleged "copy protection" on it. I never knew about it was on this CD until I read about later. I have autoplay turned off, and I use CDEX to make mp3s (for my iRiver H120). Everything worked just peachy. Rootkit, schmootkit, I can't believe I'm that unusual, especially in the /. crowd. This only affected people who aren't afraid to agree to license agreements.

    Now I understand how Joe computer user could get infected,
  • The right thing: (Score:3, Insightful)

    by jafac (1449) on Tuesday January 17, 2006 @02:03PM (#14491908) Homepage
    I think that what is needed, is an Explorer plugin, to be made freely and widely available, which circumvents this "cloaking" technology (using Mark Russinovich's term).

    If all of this "cloaking" crap were to be made irrelevant, then these kinds of things would no longer be a security issue - it would return administrative control over machines to the machine's owner. Whether that's Symantec's cloaking for their recycle bin, or whether it's Sony's rootkit, or anything else.

    Computer owners don't need a corporate nanny protecting them from shooting themselves in the foot. Good software design does that. Not sneak tactics.

I use technology in order to hate it more properly. -- Nam June Paik

Working...