Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later (networkworld.com)
alphadogg writes: Hackers really have had their way with Sony over the past year, taking down its PlayStation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview. Some say all this is karmic payback for what's become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management. 'In a sense, it was the first thing Sony did that made hackers love to hate them,' says Bruce Schneier, CTO for Resilient Systems. Sony's scheme was revealed on Halloween of 2005, and was followed by a botched response, issuing and reissuing of rootkit removal tools, and lawsuits. There are object lessons from the incident which are relevant today.
Rocking With My Sony (Score:1, Funny)
I'm currently rocking out with my Sony Minidisc Walkman.
Re: (Score:2)
Likewise. I once had a Sony rep try to get me to buy something at an office store. He couldn't fathom why I would boycott them and I couldn't fathom how to explain why. I think I shrugged and said something about bad behavior by the Sony corporation. He asked if there was anything he could do to make me reconsider. I simply said, "No".
With that attitude it would be rather hypocritical to purchase products from any manufacturer. I guess you won't be purchasing any Microsoft, Nintendo or Volkswagen products any time soon.
Re: (Score:3)
Donald where's your dictionary?
Re:Rocking With My Sony (Score:4, Insightful)
Actually, yes, there could have been something (and actually, there still is) that Sony could do to make me a customer again. Their products are not bad from a technical point of view. They last. They are well engineered. They still are most of what made me (and I dare say us) customers two decades ago.
There is a simple thing that would have to change to make me a customer again: Treat me like a customer, not like a credit card. Treat me like a partner, not an enemy. The main problem I have with Sony today is that I feel belittled and ridiculed, if not outright offended, by the way they treat me. With vendor lock-in and the deliberate removal of functionality for no other reason than trying to force me to buy again.
It does not work that way.
There is a very simple way to make me buy something from a brand again: Give me what I want. If I know I get what I want from Sony, you need not force me to buy your stuff next time I am in the market for something you make. I'll gladly and willingly actually seek out this brand that I was satisfied with last time.
Just like it was 2-3 decades ago. People are lazy. They don't shop around if they are happy with what they get from a brand. They don't like to experiment, especially when it comes to things that are a considerable investment. Just look at cars. This only changes after bad experiences.
Re: Rocking With My Sony (Score:5, Informative)
Yes, right... Like you made any difference. When you boycott a giant like Sony, you're just one of an incredibly small number who will make no impact whatsoever.
Perhaps you've missed Sony's financial situation. Pre-rootkit I had a Sony TV; camcorder; receiver; digital camera; high end artisan monitor (21 inch - used at 2048x1536 when LCDs were 1024x768); SVHS; 100 disc CD changer... I was the decision maker for purchasing computer equipment at work, and had been buying Sony products in the mix. Since that time? My career has taken off allowing for much greater toy spending. $10k+ in photo gear, but no Sony. There are no Sony TV/entertainment products in the new house, another $10k+ loss for Sony; 65 computer systems at work, with no Sony systems or peripherals. I'm asked for recommendations all the time, and never suggest Sony. Sony's rootkit cost them a minimum of $50k in direct sales, plus lost referrals. I had preferentially bought Sony before then.
There are so many folks doing the same that it has added up, and Sony's bottom line has suffered.
Re: (Score:1)
I'll add to that - I negatively speak about Sony all the time. I merely mention the CD root kit as the start of a long list of bad behavior that caused me to boycott all Sony products. What's funny is that over time, the reaction I get now is "oh yeah, that's right" instead of "wow, you really believe that?".
Sony is a company full of narcissists who thought they were always right and could do no wrong and thought of their customers as chattel. They still are, and now Sony the company is imitating the Tita
Re: (Score:2)
You're only harming yourself, really.
We live in interesting times indeed when avoiding the products of a company that intentionally and aggressively attacks you is considered "harming yourself".
Me too! (Score:5, Insightful)
made hackers love to hate them
I'm not a hacker, but I hate Sony too.
Revisit the Sony Rootkit? (Score:2)
Bleh. Wasn't the first time enough?
Re:Revisit the Sony Rootkit? (Score:5, Informative)
Bleh. Wasn't the first time enough?
Not for them. They did it again in a USB drive. http://techreport.com/news/130... [techreport.com]
Re: (Score:3)
No matter what Sony did it is still not as bad as default windows 10, by far a bigger rooting of your privacy than anything Sony did, the most extreme on record.
Re: (Score:3)
Yes, but Windows 10 is harder to avoid. Unfortunately.
Re: (Score:2)
Windows 10 is incredibly easy to avoid. I'm doing it right now.
Re: (Score:2)
Sorry, but Windows 10 will be impossible to avoid. Next time you walk into a business and they punch in your details on a Windows 10 machine, you will have just been probed, like it or not, and if you do not like it, do something about it (keep in mind that whether or not you even use a computer, you will be probed and tracked every time your information runs through the Windows 10 bot net; there is absolutely no avoiding it unless you become politically active and demand a secure version).
Re: (Score:2)
This happens no matter how secure Windows 10 is. If you're giving information to any business whatsoever, it is almost guaranteed that information is being shared or sold to others. That's been the case for many years now.
Re: (Score:2)
made hackers love to hate them
I'm not a hacker, but I hate Sony too.
But do you LOVE the fact that you hate them? See? Bad people love to hate...
Re:Me too! (Score:5, Informative)
I just posted this the other day, but is relevant and bears repeating:
More than a few years ago, Sony put rootkits on some of their music CD's. It was abhorrently wrong, they knew it, they did it anyway. That was the last straw for me. It came after SOE released Everquest II incomplete and broken. It came after proprietary audio formats (strong push against MP3) and proprietary media. It was during a time of suing grandmothers for music downloading. It was during a time of Sony's clear (ongoing?) campaign against its customers and fans.
Since that time, I have not purchased Sony music, will not buy Sony consumer electronics, and won't even see a Sony pictures movie. I boycott ALL Sony related products and services, and have for the last ten years. People need to wake up and exercise the only power they have by voting with their wallets. We have to keep these companies terrified that such missteps will lead to their ruin, or else sleep in the bed we made without complaint.
FYI - Here's a pretty comprehensive list of Sony's subsidiaries: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Sony put rootkits on some of their music CD's
No, they were not CDs. They did not meet Red Book standards, and hence were not CDs. IIRC, Philips made them stop using the CDDA logo.
What happened was that Sony put rootkits on silver disks with music on them.
No, it's not (Score:1)
Because not adhering to the red book standard can be interpreted as being "intentionally defective". Which was the legal way to go until SONY caved in and started to replace the CDs.
Re: (Score:2)
Well he could be holding out for a steambox next month ?
Or maybe he still plays on a WII ?
Re: (Score:1)
Only up to the 360. The Xbone has blu ray.
Not the first thing (Score:1)
Pushing Memory Stick when we already had SD Card which had the same form factor was the first thing.
Or was it mini-disc?
Pushing their proprietary formats, was the first thing.
Re: (Score:2)
You will notice that their successes had a lot to do with them not trying to create a vendor lock-in situation where you may only buy from them and nobody else.
Wonder if Sony got the hint...
Re:Not the first thing (Score:5, Insightful)
Amen. Sony has been evil since they introduced DRM at the commercial level. "Copy bits" on DAT, on Minidiscs, CSS, HDCP, the list of shit Sony has secretly shoveled on the public is why I don't buy Sony, and why I recommend friends and family choose anything else.
Re: (Score:3)
Yep. Sony used to make some really great consumer electronics in the 1980's, like my Walk-Man that was the size of a cassette tape box.
That suddenly stopped in the mid 1990's. All consumer products nose-dived in usability, durability, customer service. . . I quit buying anything SONY in the mid-1990's, for these reasons alone.
And I'm glad I did. In the following decades, Sony's love of DRM killed what could have been great platforms (e.g. mini-disc), and then later puled the rootkit stunt with mus
Re: (Score:2)
Pushing Memory Stick when we already had SD Card which had the same form factor was the first thing. Or was it mini-disc? Pushing their proprietary formats, was the first thing.
To be fair, MemorySticks and MiniDiscs weren't the worst as far as proprietary formats go. Talk about XD cards and Digital Compact Cassettes.
Re: (Score:3)
Pushing their proprietary formats, was the first thing.
So wouldn't that be BetaMax if it's the first proprietary format they pushed? They lost that one too... Sony = slow learners.
Was there anything before BetaMax with Sony's fingerprints on it?
Re: (Score:2)
Was there anything before BetaMax with Sony's fingerprints on it?
Umatic. That did pretty well - there's probably even people still using it. Betacam also. It's easy to forget now that up until about the mid 1990s, Sony was the shit - their equipment was in practically every TV studio or production house because it was top-notch. It's been said that merging with big content companies was really when things started to go downhill and the rot set in.
If I remember right, DAT didn't originally have the copy bits either. It was added because the studios pitched a fit over
Re: (Score:1)
A lot of people forget the lack of openness in early digital media. In the 90's if you wanted to rip CD audio, you had to have one of the minority of CD-ROM drives that would rip Redbook content. There were websites with lists of the CD-ROM drives that allowed this. Most drives blocked ripping Redbook content in the drive's firmware.
Yup paving the way (Score:5, Interesting)
To show that the government is unwilling to play fairly. The Rootkit should have gotten executives jailed and massive fines. Instead it was a fairly minor lawsuit and move on with business.
Re: (Score:3)
Don't forget all the "anti-virus" companies whose products would not detect the rootkit.
You would think that those companies would be issuing updates to identify and remove the rootkit a day or two after it was discovered.
You would be wrong.
Schneier is not just a blog! (Score:5, Informative)
It contains priceless discussions, too! Often more technical and polite than most forums..
In case you missed them, here is some coverage of the Sony BMG Rootkit and a few later articles which reference it:
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/essay... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/essay... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
https://www.schneier.com/blog/... [schneier.com]
how to connect cause and effect? (Score:5, Insightful)
I wish it could be made clearer that a lot of the hacking was motivated by rage over the rootkit and the PS3 linux block. If it were more clear, companies may think twice about giving their customers the shaft.
The Object lessons (Score:5, Insightful)
For Sony there is little doubt the object lessons were "Now how do we do this and not get caught?"
Re:The Object lessons (Score:5, Insightful)
FTFY
Given the tiny fine that Sony was required to pay for the rootkit fiasco, I doubt that they really care about getting caught.
Re: (Score:2)
Why bother with not getting caught? If the Rootkit verdict tells you anything, it's that getting caught does not matter.
Whether a law is broken, especially at a corporate level, depends only on the proportion of benefit vs. fine * chance of being caught.
If either fine or chance of being caught is negligible, a law may as well not exist. The same is true if the fine is equal or lower than the benefit, because even if the chance of being caught is 1, you still come out ahead. If the fine for accepting bribes i
and this is why you don't see the CDDA logo on cds (Score:2)
when the folks that created the standard caught on they SUED because those media discs are NOT CDDA (aka red book)
Too easy to exploit (Score:4, Interesting)
Any file that started with $sys$ was hidden from the OS, so it didn't take long for people to start hiding malicious files if you had the rootkit on your system.
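The comment above describes the observable effect of the cloaking filter: names with a fixed prefix vanish from normal directory listings, so anything else dropped on the box with that prefix vanishes too. The defender's counter is a cross-view check, the technique the rootkit-revealing tools of the time used: enumerate the same directory through two independent paths and flag every entry the two views disagree on. The following is an added example written for this page, not code from the article, the thread or Sony; the `cloaked_view` function is only a model of the effect described in the comment, and the disk contents, paths and file names are constructed sample data.

```python
"""Cross-view detection of a filename-cloaking filter (added example).

Models the behaviour described in the comment: a filter hides every name
beginning with a fixed prefix from the OS directory API. A cross-view check
needs no knowledge of the prefix: it compares an API-level listing with a
low-level listing of the same directory and reports any disagreement.
"""
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # the prefix the comment says was hidden from the OS


def cloaked_view(true_listing, prefix=CLOAK_PREFIX):
    """Model (assumption, not the original driver) of the cloaking effect:
    any name carrying the prefix is dropped from what the API returns."""
    return [name for name in true_listing if not name.startswith(prefix)]


@dataclass(frozen=True)
class Discrepancy:
    directory: str
    name: str
    kind: str  # "hidden": in the low-level view only; "phantom": in the API view only


def cross_view_diff(directory, api_view, raw_view):
    """Return every entry on which the two views of one directory disagree."""
    api, raw = set(api_view), set(raw_view)
    hits = [Discrepancy(directory, n, "hidden") for n in sorted(raw - api)]
    hits += [Discrepancy(directory, n, "phantom") for n in sorted(api - raw)]
    return hits


def scan(directories, raw_reader, api_reader):
    """Run the cross-view check over a set of directories.

    raw_reader stands in for a reader of on-disk structures that bypasses the
    filter; api_reader stands in for the ordinary OS directory API.
    """
    results = []
    for d in directories:
        results.extend(cross_view_diff(d, api_reader(d), raw_reader(d)))
    return results


# Constructed sample disk state: two cloaked names among ordinary files.
SAMPLE_DISK = {
    r"C:\WINDOWS\system32": ["kernel32.dll", "$sys$cloaked.sys", "notepad.exe"],
    r"C:\Documents and Settings\alice": ["budget.xls", "$sys$stash.exe"],
    r"C:\Temp": ["setup.log"],
}


def sample_raw_reader(directory):
    """Low-level view: sees what is really on disk (sample data)."""
    return list(SAMPLE_DISK[directory])


def sample_api_reader(directory):
    """API view: what the directory API returns once the filter is active."""
    return cloaked_view(SAMPLE_DISK[directory])


if __name__ == "__main__":
    for hit in scan(SAMPLE_DISK, sample_raw_reader, sample_api_reader):
        print(f"{hit.kind:8s} {hit.directory}\\{hit.name}")
```

The point of the design is that `cross_view_diff` never looks at the prefix: it detects the cloak by its side effect, a listing that disagrees with the on-disk truth, so it also catches anything a third party hides behind the same filter. On a real system the low-level reader would parse the filesystem structures directly rather than read from a dictionary.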
Old Slashdot stories on the topic: (Score:4, Informative)
http://it.slashdot.org/story/0... [slashdot.org]
http://games.slashdot.org/stor... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://it.slashdot.org/story/0... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://it.slashdot.org/story/0... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://news.slashdot.org/story... [slashdot.org]
http://yro.slashdot.org/story/... [slashdot.org]
http://apple.slashdot.org/stor... [slashdot.org]
I used to work for SONY,, (Score:2, Interesting)
Sony has a bunch of brilliant people working away in the engineering sections of the company,
but once you pierce the management wall, things change.
People de-volve into their "HIGH SCHOOL" distillates.
It's like going back to high school with all the social cliques, and who's cool, bla bla, but the big difference is they all have money and can action on most if not everything that comes to mind, negative or not.
to make matters worse, my superior was a very racially charged individual with a focus on Jews a
Re: (Score:2)
xbox?
not sure if being a wiseass or not...
Moral of the story... (Score:2)
Re: (Score:3)
(Alternate lesson: Only Microsoft could wind up turning Sony into the 'good guys' in a situation.)
Re: (Score:3)
The other side is a new legal idea that the brand owns the media, device, software flow and the user is just along for/granted a very limited rental experience.
"DOJ Claims Apple Should Be Forced To Decrypt iPhones Because Apple, Not Customers, 'Own' iOS" (Oct 26th 2015)
https://www.techdirt.com/artic... [techdirt.com]
Some extra special hidden software might be back in a new way on any device or OS.
Sony doesn't own Download.com (Score:5, Informative)
Download.com is a C|Net created site owned by C|NET parent company CBS Interactive, which in turn is owned by CBS Corp, which in turn is owned by National Amusements. Finally, National Amusements' majority owner is owned by Sumner Redstone (aka Rothstein) and family.
SONY Removal SW borked my PC (Score:3)
Removal SW breaks IDE CDROM driver - inconvenient reinstall
Beastie Boys CD ripped to MP3 (the old fashioned way) CD made safe.
Never bought another SONY product (and very few CDS)
SONY deserves what they get for ever after. (no sympathy)
There are object lessons from the incident... (Score:1)
There is basically one object lesson:
Laws are for little people, and companies like Sony are too big to [effectively] prosecute because...reasons...
Let's face it, if you're a teenage kid and you commit some minor, mostly harmless act of vandalism with a computer in some way, you go to jail. If you make some copies of journals you get relentlessly prosecuted. You make a copy of Sony's IP, you get slapped with $100K plus fines on you as an individual. You write a jailbreak for a Sony product, they do everything th
I'm sure it hasn't hurt them (Score:1)
It's all a matter of risk assessment (Score:2)
Sony makes more profit as an insurance company than it does with all its other subsidiaries combined......
http://www.nytimes.com/2013/05... [nytimes.com]
http://www.bloomberg.com/bw/ar... [bloomberg.com]
Not the only bad thing Sony did (Score:2)
Re:We can all give thanks to... apk (Score:5, Funny)
Did you just name-drop Mark Russinovich as a "co-worker" based on the two of you having once used the same reseller?
I need to go tell my esteemed colleague Elon Musk about this, he'll really get a kick out of it.
Re: (Score:2)
He's not my "god", and neither are you, little man.
I just wanted to clarify that you two were not, in fact, co-workers. But I like how your first post seems very complimentary of him, when he was your "co-worker", and then you turn around and try and tear him down after you "floor" and "shame" him. Have some self-confidence, I'm not trying to attack you any more than I'm trying to elevate Russinovich. I do respect his work though, and I have a hard time respecting what you do based solely on your constan
Re: (Score:2)
You don't have to be a shrink to tell that apk has some issues, any more than you have to be a doctor to tell that the guy without legs has a disability.
There's never any need to enter a discussion with people like apk, Archimedes Plutonium or Ed Conrad - the most you can achieve is goading, and that's kind of cruel.
Re: (Score:2)
APK, why would I want to be you? If I Google your name the first result is a post from someone you threatened to sue and then backed out of, which shows more of your ridiculous behavior [thorschrock.com] and chest-puffing. The second result is you spamming and trolling [arstechnica.com] another forum. The whole first page is littered with examples of you being an idiot. Why would I want that for myself? Why would I want my professional reputation to be that of a belligerent asshole?
You don't know a thing about me, but that doesn't stop y
Re: (Score:2)
Nice schizophrenic reply, I like how you avoided addressing my points and instead decided to just continue pimping yourself as some kind of OCD prodigy.
I have no other accounts on Slashdot, and I don't post anonymously unless I'm providing details on a sensitive topic that I don't want traced to me.
IF you even have a job
Sure do. I even have one of those fancy degrees. 13 years ago I was an intern here, today I'm the CTO making 6 figures. Thanks for asking. If you're curious (you know you are...) I'm buying my second house an
Re: (Score:2)
Look at all of your troll replies, look at all of the child-like thrashing. You've spent 50 years wandering this planet alone, and you have the emotional maturity of a wet tissue to show for it all. Well done. Obviously this kind of self-promotion is your therapy, maybe if you believe that you're a great person then someone else will too, right? Maybe if you declare "victory" enough times, someone else will think you've won something. I highly recommend seeing a well-qualified therapist, at your age yo
Re: (Score:2)
You seem to be having a hard time grasping this APK, so let me spell it out for you.
I already told you I was not interested in proving my claims. The reason I am not interested is because proof of my claims would necessarily require me to personally identify myself to you, and I'm not willing to do that. I'm not willing to identify myself to you for the same reason that I'm not willing to contract herpes voluntarily. Science just doesn't have a cure for that yet. I'm not willing to expose myself, my fam
Re: (Score:2)
Read above, APK. It's not that I can't back anything up, it's just that I won't. Like I said, I don't care about proving anything to you. I don't care if you believe me. My achievements do not require your belief.
A finalist position? Well done. Several years ago we submitted a piece of technology to the organization that runs the awards for our industry, it was a piece that we developed in partnership with the Air Force. We submitted it in a niche category (specialized technology) that didn't have al
Re: (Score:2)
APK, I'm happy for you that you were able to write a piece of software that can read/write to a plain text file. Really, it's fantastic. Those quotes above prove that you are completely capable of being able to write an application that can output to plain text. I don't want to take that away from you. Granted, some of those quotes are talking about using the hosts file in general and nothing that you've actually done yourself, but still, I don't want to take anything away from your achievement of creat
Re: (Score:2)
You're still humping my leg, are you APK?
I'll tell you what this reminds me of. When I was in college I played a lot of a game called Mechwarrior 4. I was good at it, it got to the point where I was consistently ranked as one of the top few scores for each week, if not the first. I just played it a lot and got good at it, that's all. Frequently when I was at my best other people in the matches would accuse me of cheating. I would consistently kill them and they would talk about how I couldn't be doing
Re: (Score:2)
Are you fucking kidding me? How goddamn pathetic are you that you need to anonymously reply as someone sticking up for yourself, and then reply to that agreeing with yourself? Do you have any concept at all about how transparent you are? You might think you're really clever by omitting line breaks and avoiding random punctuation but you clearly can't hide your OCD voice and tone.
This is unreal. This is why people say not to feed the trolls. I'm taking their advice, I'm done with this so-called "convers
Re: (Score:3)
would HOSTS have protected against the rootkit????
Re: (Score:2)
Your shit HOSTs didn't protect my boyfriend from having his Steam hijacked.
Can you even claim effectiveness in your product with truth?
Because 5TB of hosed shit says otherwise.
Re: (Score:2)
I didn't pay for or do shit.
Especially when I know HOSTs is fucking useless in the first place.
Re: (Score:3)
Please, don't talk to him. That's worse than saying Beetlejuice thrice.
Re:Please: You WISH you were me... apk (Score:5, Insightful)
Re: (Score:3)
if you put in a FRACTION of the energy your kind does in trolling, you'd be putting us all to shame
You're getting close to a breakthrough. So close...
Re: (Score:1)
tl;dr
Re: (Score:2)
Jesus Christ is perfect.
Everybody's imaginary friend is perfect, buddeh, that's why you have them.