Sony Security

Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later (networkworld.com) 188

alphadogg writes: Hackers really have had their way with Sony over the past year, taking down its Playstation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview. Some say all this is karmic payback for what's become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management. 'In a sense, it was the first thing Sony did that made hackers love to hate them,' says Bruce Schneier, CTO for Resilient Systems. Sony's scheme was revealed on Halloween of 2005, and was followed by a botched response, issuing and reissuing of rootkit removal tools, and lawsuits. There are object lessons from the incident which are relevant today.
  • by Anonymous Coward

    I'm currently rocking out with my Sony Minidisc Walkman.

  • Me too! (Score:5, Insightful)

    by fizzer06 ( 1500649 ) on Wednesday October 28, 2015 @06:10PM (#50820999)

    made hackers love to hate them

    I'm not a hacker, but I hate Sony too.

    • Bleh. Wasn't the first time enough?

      • by houstonbofh ( 602064 ) on Wednesday October 28, 2015 @07:19PM (#50821403)

        Bleh. Wasn't the first time enough?

        Not for them. They did it again in a USB drive. http://techreport.com/news/130... [techreport.com]

        • by rtb61 ( 674572 )

          No matter what Sony did it is still not as bad as default windows 10, by far a bigger rooting of your privacy than anything Sony did, the most extreme on record.

          • Yes, but Windows 10 is harder to avoid. Unfortunately.

            • Really? Ubuntu has been called a lot of things, but "hard" is not one of them.
            • Windows 10 is incredibly easy to avoid. I'm doing it right now.

              • by rtb61 ( 674572 )

                Sorry but windows 10 will be impossible to avoid. Next time you walk in a business and they punch in your details on a windows 10 machine, you will have just been probed like it or not and if you do not like it, do something about it (keep in mind whether or not you even use a computer you will be probed and tracked every time your information runs through the windows 10 bot net, absolutely no avoiding unless you become politically active and demand a secure version).

                • The only information most places will have on me is Andrew Jackson. Occasionally Benjamin Franklin too... They can not share data you do not give them.
                • This happens no matter how secure Windows 10 is. If you're giving information to any business whatsoever, it is almost guaranteed that information is being shared or sold to others. That's been the case for many years now.

    • made hackers love to hate them

      I'm not a hacker, but I hate Sony too.

      But do you LOVE the fact that you hate them? See? Bad people love to hate...

    • Re:Me too! (Score:5, Informative)

      by pr0t0 ( 216378 ) on Wednesday October 28, 2015 @08:55PM (#50822007)

      I just posted this the other day, but is relevant and bears repeating:

      More than a few years ago, Sony put rootkits on some of their music CD's. It was abhorrently wrong, they knew it, they did it anyway. That was the last straw for me. It came after SOE released Everquest II incomplete and broken. It came after proprietary audio formats (strong push against MP3) and proprietary media. It was during a time of suing grandmothers for music downloading. It was during a time of Sony's clear (ongoing?) campaign against its customers and fans.

      Since that time, I have not purchased Sony music, will not buy Sony consumer electronics, and won't even see a Sony pictures movie. I boycott ALL Sony related products and services, and have for the last ten years. People need to wake up and exercise the only power they have by voting with their wallets. We have to keep these companies terrified that such missteps will lead to their ruin, or else sleep in the bed we made without complaint.

      FYI - Here's a pretty comprehensive list of Sony's subsidiaries: https://en.wikipedia.org/wiki/... [wikipedia.org]

  • by Anonymous Coward

    Pushing Memory Stick when we already had SD Card which had the same form factor was the first thing.

    Or was it mini-disc?

    Pushing their proprietary formats, was the first thing.

    • by plover ( 150551 ) on Wednesday October 28, 2015 @06:22PM (#50821091) Homepage Journal

      Amen. Sony has been evil since they introduced DRM at the commercial level. "Copy bits" on DAT, on Minidiscs, CSS, HDCP, the list of shit Sony has secretly shoveled on the public is why I don't buy Sony, and why I recommend friends and family choose anything else.

      • Yep. Sony used to make some really great consumer electronics in the 1980's – like my Walk-Man that was the size of a cassette tape box.

        That suddenly stopped in the mid 1990's. All consumer products nose-dived in usability, durability, customer service. . . I quit buying anything SONY in the mid-1990's, for these reasons alone.

        And I'm glad I did. In the following decades, Sony's love of DRM killed what could have been great platforms (e.g. mini-disc), and then later puled the rootkit stunt with mus

    • Pushing Memory Stick when we already had SD Card which had the same form factor was the first thing.

      Or was it mini-disc?

      Pushing their proprietary formats, was the first thing.

      To be fair MemorySticks and MiniDiscs weren't the worst as far as proprietary formats go. Talk about XD cards and Digital Compact Cassettes.

    • Mini-discs were pretty popular for recording concerts at one point.
    • Pushing their proprietary formats, was the first thing.

      So wouldn't that be BetaMax if it's the first proprietary format they pushed? They lost that one too... Sony = slow learners.

      Was there anything before BetaMax with Sony's fingerprints on it?

      • Was there anything before BetaMax with Sony's fingerprints on it?

        Umatic. That did pretty well - there's probably even people still using it. Betacam also. It's easy to forget now that up until about the mid 1990s, Sony was the shit - their equipment was in practically every TV studio or production house because it was top-notch. It's been said that merging with big content companies was really when things started to go downhill and the rot set in.

        If I remember right, DAT didn't originally have the copy bits either. It was added because the studios pitched a fit over

        • A lot of people forget the lack of openness in early digital media. In the 90's if you wanted to rip CD audio, you had to have one of the minority of CD-ROM drives that would rip Redbook content. There were websites with lists of the CD-ROM drives that allowed this. Most drives blocked ripping Redbook content in the drive's firmware.

    • And don't forget their special USB drives. http://techreport.com/news/130... [techreport.com]
  • Yup paving the way (Score:5, Interesting)

    by silas_moeckel ( 234313 ) <silasNO@SPAMdsminc-corp.com> on Wednesday October 28, 2015 @06:16PM (#50821053) Homepage

    To show that the government is unwilling to play fairly. The Rootkit should have gotten executives jailed and massive fines. Instead it was a fairly minor lawsuit and move on with business.

    • by khasim ( 1285 )

      Don't forget all the "anti-virus" companies whose products would not detect the rootkit.

      You would think that those companies would be issuing updates to identify and remove the rootkit a day or two after it was discovered.

      You would be wrong.

  • by Anonymous Coward on Wednesday October 28, 2015 @06:16PM (#50821055)

    It contains priceless discussions, too! Often more technical and polite than most forums..

    In case you missed them, here is some coverage of the Sony BMG Rootkit and a few later articles which reference it:

    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/essay... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/essay... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]
    https://www.schneier.com/blog/... [schneier.com]

  • by Noah Haders ( 3621429 ) on Wednesday October 28, 2015 @06:20PM (#50821075)

    I wish it could be made clearer that a lot of the hacking was motivated by rage over the rootkit and the PS3 linux block. If it were more clear, companies may think twice about giving their customers the shaft.

  • The Object lessons (Score:5, Insightful)

    by MrKaos ( 858439 ) on Wednesday October 28, 2015 @06:22PM (#50821089) Journal

    For Sony there is little doubt the object lessons were "Now how do we do this and not get caught?"

    • by whoever57 ( 658626 ) on Wednesday October 28, 2015 @07:29PM (#50821465) Journal

      For Sony there is little doubt the object lessons were "Now how do we do this? "

      FTFY

      Given the tiny fine that Sony was required to pay for the rootkit fiasco, I doubt that they really care about getting caught.

    • Why bother with not getting caught? If the Rootkit verdict tells you anything, it's that getting caught does not matter.

      Whether a law is broken, especially at a corporate level, depends only on the proportion of

      benefit vs. fine * chance of being caught.

      If either fine or chance of being caught is negligible, a law may as well not exist. The same is true if the fine is equal or lower than the benefit, because even if the chance of being caught is 1, you still come out ahead. If the fine for accepting bribes i

  • when the folks that created the standard caught on they SUED because those media discs are NOT CDDA (aka red book)

  • Too easy to exploit (Score:4, Interesting)

    by Xian97 ( 714198 ) on Wednesday October 28, 2015 @06:30PM (#50821149)

    Any file that started with $sys$ was hidden from the OS, so it didn't take long for people to start hiding malicious files if you had the rootkit on your system.
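
    The post above describes the mechanism that made the XCP rootkit so easy to abuse: a filter that drops every name starting with `$sys$` from what the OS reports. The standard way to detect that kind of cloak is a cross-view comparison (the approach RootkitRevealer-style tools used): list the same directory through the filtered, "high-level" path and through an unfiltered, "raw" path, and flag whatever appears only in the raw view. The following Python is an added example written for this page, not code from Sony, Slashdot or any commenter; both listing functions are simulations constructed here (the cloaked view is `os.listdir` with the prefix filter applied, the raw view is the unfiltered `os.listdir`), and the sample file names are made up.

    ```python
    """Cross-view detection of a name-prefix file cloak of the "$sys$" kind.

    Added example, not from the page.  The 'cloaked' and 'raw' views are
    simulated here; on a real system the raw view would come from parsing the
    volume directly instead of going through the filtered file system API.
    """
    import os
    import tempfile
    from pathlib import Path

    # Prefix the XCP filter hid from directory listings (stated in the post).
    CLOAK_PREFIX = "$sys$"


    def cloaked_listdir(path: str) -> list[str]:
        """Simulated high-level view: what a cloaking filter driver returns.

        Every entry whose name starts with CLOAK_PREFIX is silently dropped,
        which is exactly why malware could hide by adopting the same prefix.
        """
        return [name for name in os.listdir(path) if not name.startswith(CLOAK_PREFIX)]


    def raw_listdir(path: str) -> list[str]:
        """Simulated low-level view: the unfiltered directory contents."""
        return os.listdir(path)


    def cross_view_diff(path: str) -> list[str]:
        """Return names visible in the raw view but missing from the cloaked view.

        Any non-empty result means something is filtering directory listings;
        the names themselves tell the analyst what is being hidden.
        """
        return sorted(set(raw_listdir(path)) - set(cloaked_listdir(path)))


    def build_sample_dir() -> str:
        """Create a temporary directory with constructed sample files.

        Two ordinary files plus two names that use the cloak prefix, standing in
        for a legitimately hidden DRM component and a freeloading third-party file.
        """
        sample_dir = tempfile.mkdtemp(prefix="cloak-demo-")
        for name in ("readme.txt", "track01.wma", "$sys$drm.dll", "$sys$freeloader.exe"):
            Path(sample_dir, name).write_bytes(b"constructed sample content\n")
        return sample_dir


    if __name__ == "__main__":
        target = build_sample_dir()
        print("cloaked view:", cloaked_listdir(target))
        print("raw view:    ", raw_listdir(target))
        hidden = cross_view_diff(target)
        print("hidden by the filter:", hidden if hidden else "nothing")
    ```

    Run as a script it prints the two views and the two `$sys$` names the filter suppressed. The point of the design is that the detector never needs a signature for the rootkit itself, which is what the anti-virus products discussed earlier in the thread were waiting for: any discrepancy between the two views is evidence of cloaking, whatever is doing the cloaking.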

  • by Anonymous Coward

    Sony has a bunch of brilliant people working away in the engineering sections of the company,
    but once you pierce the management wall, things change.
    People de-volve into their "HIGH SCHOOL" distillates.

    It's like going back to high school with all the social cliques, and who's cool, bla bla, but the big difference is they all have money and can action on most if not everything that comes to mind, negative or not.

    to make matters worse, my superior was a very racially charged individual with a focus on Jews a

  • The only BMG you can trust is the M2. On the plus side, Sony has largely stagnated to the point where their formerly-inferior Korean rivals are markedly cheaper and at least as good, so hopefully we won't have to worry about them too much longer.
    • I also wonder if they didn't perhaps learn something, however painfully, from it all, as when Microsoft started talking about all the ridiculous DRM they were going to put on XBox One games, Sony responded by saying "Yeah, we're not doing that, share your games with friends all you like as far as we're concerned", and Microsoft had to quickly backtrack.

      (Alternate lesson: Only Microsoft could wind up turning Sony into the 'good guys' in a situation.)
    • by AHuxley ( 892839 )
      Re "we won't have to worry about"
      The other side is a new legal idea that the brand owns the media, device, software flow and the user is just along for/granted a very limited rental experience.
      "DOJ Claims Apple Should Be Forced To Decrypt iPhones Because Apple, Not Customers, 'Own' iOS" (Oct 26th 2015 )
      https://www.techdirt.com/artic... [techdirt.com]
      Some extra special hidden software might be back in a new way on any device or OS.
  • by BeCre8iv ( 563502 ) on Thursday October 29, 2015 @01:03AM (#50822981)
    Brand new Beastie Boys CD rootkits my system.

    Removal SW breaks IDE CDROM driver - inconvenient reinstall

    Beastie Boys CD ripped to MP3 (the old fashioned way) CD made safe.

    Never bought another SONY product (and very few CDS)

    SONY deserves what they get for ever after. (no sympathy)
    • Sounds like a perfect case of Karma to me -- you listen to Beastie Boys, you should be forced to suffer! ;-)
  • There is basically one object lesson:

    Laws are for little people, and companies like Sony are too big to [effectively] prosecute because...reasons...

    Let's face it, if you're a teenage kid and you commit some minor mostly harmless act of vandalism with a computer in some way you go to jail. If you make some copies of journals you get relentlessly prosecuted. You make a copy of Sony's IP you get slapped with $100K plus fines on you as an individual. You write a jail break for a Sony product they do everything th

  • But I returned the last Sony product I bought 10 years ago and haven't bought anything from them since.
  • Sony makes more profit as an insurance company than it does with all its other subsidiaries combined......

    http://www.nytimes.com/2013/05... [nytimes.com]
    http://www.bloomberg.com/bw/ar... [bloomberg.com]

  • I bought my daughter a Sony MP3 player a few years ago, brought it home, and discovered it would only play MP3's that were wrapped in Sony's proprietary wrapper, and applying the wrapper locked it for a single device so if you lost the device, you had to repurchase the MP3! I took it back to the store and returned it with the explanation that it was defective because it didn't play actual MP3s! Sony abandoned the Sony Soundstage BS shortly after that, apparently enough other people were upset by it that it
