Sony's rootkit: an update

Posted Nov 15, 2005 19:17 UTC (Tue) by danielpf (subscriber, #4723) [Link]

For example they could sell a laptop powered by a
Cell processor with Linux preinstalled...
Of course knowing their previous reputation about not so
clean software, I would only buy such a laptop if all
the included software were open sourced.

Posted Nov 15, 2005 19:38 UTC (Tue) by kh (subscriber, #19413) [Link]

Instead of complaining or boycotting, I wish we could support some other standard - I wonder if some of the Free Software (and Free Culture) folks could approach the people developing the EVD format.

Posted Nov 21, 2005 18:07 UTC (Mon) by NRArnot (subscriber, #3033) [Link]

I can't agree strongly enough.

I will be buying nothing new from Sony in the forseeable future, unless there is no alternative manufacturer of a product that I really cannot do without.

I have a Sony laptop, a Sony DVD recorder, Sony in my car. When these need replacement, the replacements will not be made by Sony. And of course, I'll be buying as little Sony-branded music as I can.

Whatever Sony's paid spin-doctors say, the corporation won't actually listen to us until we, their former or potential customers, make a noticeable hole in the Sony corporation's bottom line. Personally, I'd like that hole to be so large that the corporation sinks -- but that's up to the rest of you.

If anyone from Sony reads this and wonders what they can do to mollify me, the answer is, probably nothing. Would you ever again buy food from a company that had been caught deliberately using urine as an undeclared ingredient? Would it make any difference that you hadn't actually eaten the polluted product?

Buy Sony last. Tell your friends.

Posted Nov 15, 2005 20:55 UTC (Tue) by NAR (subscriber, #1313) [Link]

Isn't a EULA some kind of legally binding contract? Does that mean that I have to (a) sign somewhere when I purchace into the contract (in many places, a signature is required of such legal documents), or (b) be informed of such a legally-binding agreement at time of purchase?

If you buy a ticket for the train/underground/bus/etc., you enter into a contract with the public transport company but I doubt you sign anything.

Bye,NAR

Posted Nov 15, 2005 21:12 UTC (Tue) by ncm (subscriber, #165) [Link]

First, the EULA is not a legally binding contract. In the U.S., the Uniform Commercial Code (UCC) makes clear that the vendor cannot place any additional restrictions or conditions on you, the buyer, after you have paid your money(*). If it's not on the outside of the box, it's wastepaper. Even if it is on the box, but contradicts local warranty consumer-protection laws, it's wastepaper. Similarly, any sort of "click-through" during installation is void: you already paid, it's too late to demand your acquiescence. If you have to click it to get to what you paid for (i.e., the music), then clicking it doesn't mean anything. It's better, as a policy, not to read it, except perhaps as a warning of what damage they are promising you might suffer, i.e. like the "hazard" warning on your toaster. (Be sure to tell your lawyer about your policy.)

Second, the danger is not Sony breaking down your door to try to enforce their (void) contract. At issue is whether you are owed damages for the harm they have caused you even though they "disclaimed" it. Did you "agree" to be kicked in the nether region, just by clicking on that button? Hell, no! (*) Even if it were a valid contract, any of its provisions that damage your machine are superseded by the warranty, and by any other laws they violated. I doubt a judge would even let them introduce the EULA in evidence, if your own lawyer is on the ball to object.

Third, I don't understand why everybody who writes about this acts as if the EULA had any legal standing. At most, paragraphs might be snipped from it to be introduced as written proof of Sony's malice aforethought.

Fourth, if you were harmed, you will be better off explicitly opting out of any class-action suits. You can sue Sony in your local small-claims court for (e.g.) the time it took to re-install your OS, and probably get treble damages. If your damage was greater -- e.g. local network compromised by worms taking advantage of the holes it installed -- you can still sue, and get treble damages, and Sony still probably won't spare a lawyer to show up and contest it. If you or yours were harmed, then please, please do sue Sony, and then blog all about it. Compete with other bloggers for the side of the damage award extracted. Make it worth your while; your damages (itemized) should include the time it took you to bring the case to court, too.

(*) I'm no lawyer. Also, last I heard, the UCC was rescinded in Maryland. Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere. If you live in one of those places, you might be screwed -- however, since they broke the law, it might be void anyhow!

Posted Nov 15, 2005 22:18 UTC (Tue) by kms (subscriber, #6679) [Link]

> Isn't a EULA some kind of legally binding contract?

I believe it attempts to be a contract, though in most jurisdictions it is impossible for a minor to enter into such a contract so just get your kids to buy your CDs and you'll be fine :-)

Posted Nov 16, 2005 4:15 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

I was wrong earlier; the GPL is indeed a good example of a license vs. a contract.

Furthermore, I found the actual text of Sony's EULA on Mark Russinovich's Web page here.

I read through all the legal-ese (IANAL), and sure enough this EULA does indeed target the "DIGITAL CONTENT" of the disc. Which means pretty much all the content, since a CD is a 5km-long spiral of microscopic pits and plains that represent binary 0's and 1's. How someone might interpret the music to be part of the digital content could be debated; I realize that once you play the CD on a loudspeaker system, it's no longer digital and therefore not subject to the restrictions of the EULA (although it does fall under the jurisdiction of performance restrictions under copyright law, but that's a whole other topic).

Also, I'd like to thank Mark Russinovich for sharing his experiences. Although I do not use MS Windows (I've been "Windows-Free" since August 2004), I feel that we need people like him with incredibly sharp Windows skills and a Blog to make people aware of the consequences of installing closed-source software (and having to agree to a EULA) for which you have no knowledge of what that software's actually doing to your PC.

But that goes for all licensed software. I feel better about running a piece of licensed software on my computers for which somebody is examining the safety, security, and reliability of that software (thus explains one of the many reasons I like open-source). A college professor told me that the legal issues of running licensed software later found to be intentionally (or negligently) malicious will be very seriously examined in the next few years. Perhaps the "Sony DRM Rootkit incident of 2005" is only a preview of what's to come...

Posted Nov 15, 2005 23:16 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

I think that Sony's (Thomas Hess) above response is, well perhaps, somewhat accurate - I know a lot of people who have no clue what a rootkit is.

But that makes it no less excusable or inappropriate. Sony/BMG's focus is on media (Movies, music, etc.), and has nothing to do with software (except for their desktop/laptop business, and perhaps a bunch of that is also outsourced). As such, I don't get the impression that they knew what First4Internet's XCP technology actually did to users' computers when they inserted the CD and started clicking.

The way I see what unfolded with Sony/First4Internet is:

1. Sony needs some DRM software to curb casual piracy and full-blown P2P file sharing.
2. Since Sony is not in the software business, they contract out to companies whose expertise is writing Windows-based software to create a DRM utility which can be easily included on mass-produced music CD's.
3. First4Internet wins a contract, and they demo their XCP product to a bunch of Sony executives, showing how their software will enable the user to play the CD only with the provided media player, limit ripping to three copies, and send information about the user, his/her computer, and any other pertinent (or not) information across the Internet to some server.
4. The Sony executives, whose focus is on non-software media, are delighted at how well the XCP software thwarts piracy. They order their factories to include the XCP software, not knowing themselves what a rootkit is (much less the naive, unsuspecting consumers to whom they're targeting their media discs).
5. Mark Russinovich discovers the rootkit, traces it to its source, posts his Blog, and the excrement hits the fan all over the Internet.

I suspect that Thomas Hess didn't know what a rootkit was until that excrement hit him in the face. Thus, he might have been speaking more for himself than for all of those media consumers whose PC's are now infected.

Truly a shame...

Posted Nov 16, 2005 16:32 UTC (Wed) by soundray (guest, #688) [Link]

Apart from the rudeness, it's the logic behind the statement that amazes me most. What kind of twisted mind would come up with an argument like this?

• People don't know what X is.
• Therefore, people shouldn't care about it.
• Therefore, we are justified in spreading X throughout the world.

Just imagine replacing "X" with "retrovirus" instead of "rootkit". Hey, we can stop all AIDS prevention campaigns!

Posted Nov 16, 2005 20:27 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

I think Microsoft wasn't all that aware of what Sony/F4I's XCP DRM technology did to users' computers until after the rootkit news hit the Internet. Additionally their motivation to remove the XCP rootkit with their "Windows Defender" anti-malware utility and Windows Update tells me that they at least realize the evils of the XCP software and are addressing PC users' concerns.

As much as I don't care to defend MS, my respect for them did shoot up a few points due to their prompt response on this matter.

But, you make a good point about MS and DRM in general. They're certain to incorporate DRM technology into the core OS kernel of the upcoming Vista operating system. Being closed source and all, they can put stuff into the OS that would essentially disable most media playback unless it was done on their terms. Perhaps MS is actually thinking up new and inventive ways to use the cloaking techniques of XCP to hide all kinds of stuff from the end-user and pretend that we don't really need to care what is really happening to our computers.

Posted Nov 17, 2005 10:03 UTC (Thu) by Duncan (guest, #6647) [Link]

I'm not sure about the LGPL, but the GPL certainly has. I forget the
name, but one of the NetFilter developers has been quite active in
asserting his rights over in Germany. The law there (where he lives)
places a tight timetable on bringing an action to court, something like
four weeks, so once he contacts a company and the clock starts ticking,
they have to decide rather fast (by US standards) whether they will comply
or fight. In a couple of cases, they haven't been fast enough to comply,
and the cases have gone to court. He's won real court injunctions in all
of them, I believe, which after the first couple, he could point to, and
has had less trouble getting the desired response in the time allowed.

He has been somewhat controversial, because the FSF tends toward a more
negotiated approach, which has generally been successful both in
resolution and in keeping it out of court, but can take years. This guy's
assertiveness gets faster results but with the risk of making political
enemies. Still, it's a technique that has been proven to work, and he
argues that the way the German system is setup, he has little choice if he
wants to retain his full range of enforcement rights, due to this clock
ticking thing.

In any case, its no longer true that the GPL hasn't been tested in court,
and IMO the two approaches tend to balance each other out to some extent.

LGPL, however, I haven't any idea.

Duncan

Posted Nov 17, 2005 19:09 UTC (Thu) by tcabot (subscriber, #6656) [Link]

There are two ways to look at this. The first way says "it's never been proven in court", and takes this to mean that the license is somehow weaker as a result. The second way (as explained by Eben Moglen at the FSF annual associate member meeting) is "everyone that's considered challenging it in court has backed down before it got that far" and takes this to mean that the license is so strong that there's no point in challenging it in court.

Remember that the GPL *grants* you rights that you wouldn't otherwise have under copyright law. So let's imagine that you go to court and have the GPL declared legally invalid. Congratulations, you've just sawed off the branch that you were sitting on because then you would have *no* right to distribute GPL'ed code.

Posted Nov 20, 2005 2:34 UTC (Sun) by sweikart (guest, #4276) [Link]

Here's an article about the GPL in court:

http://www.groklaw.net/article.php?story=20050225223848129

-scott

Posted Nov 18, 2005 14:15 UTC (Fri) by smitty_one_each (subscriber, #28989) [Link]

Yes, but that argument plays into a stealth-advertising campaign for 64-bit Windows, too. "psst: upgrade, and yo' booty get no rooty!"

Posted Nov 26, 2005 21:23 UTC (Sat) by finster (guest, #32338) [Link]

The DRM issue is pretty borked. I will stop buying music from the big boys when they infringe on my right to use my computer without problems. I'm not copying CD's or doing any P2P sharing. If the music is good, I buy it. If I can't buy it without having to worry what the s/w attempts to do for DRM, I won't buy it.

Thanks Sony for alerting me to this problem . . . now you know my solution. Your ridiculous way of making your warning of copy-protection's presence on the CD inconspicuous but yet present, will also give people a reason to start sharing. I mean, nice friggin' font on the Foo Fighters' CD. What is that? 3pt? Really glad I don't run an M$ OS.