LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

LWN.net Weekly Edition for November 20, 2008

MinGW and why Linux users should care

LWN.net Weekly Edition for November 13, 2008

NLUUG/ELCE: Embedded devices and free software

The sad story of the em28xx driver

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

EFF? Good, maybe

EFF? Good, maybe

Posted Nov 21, 2005 23:11 UTC (Mon) by ncm (subscriber, #165)
Parent article: EFF Files Class Action Lawsuit Against Sony BMG

Most class-action suits result in a big check to the lawyers, and everybody else just gets a coupon for a small discount off the offender's next offending product. Here's hoping the EFF will be more attuned to the actual harm done.

Maybe they can oblige Sony to add software to every future disc that offers to remove whatever was installed by the infected ones (from Sony or from any of the other vendors!). It needn't cost Sony anything, incrementally, so they have no excuse to object. The code involved would have to be produced and signed by somebody appointed by the court, rather than Sony or F4I. EFF should at least ask for this, although they might end up obliged to settle for something less. If they don't ask for it, they'll certainly settle for lots less.

(Log in to post comments)

EFF? Good, maybe

Posted Nov 21, 2005 23:24 UTC (Mon) by fjf33 (subscriber, #5768) [Link]

I think the greater good would be served just by the fact of putting the public at large on notice about some of the risks of DRM, and hopefully some politicians also about the backlash they can suffer by protecting these corporations.

Instead of going after the people that print cheap bootleg CDs and DVDs they go after people that share with friends.

EFF? Good, definitely

Posted Nov 21, 2005 23:40 UTC (Mon) by sandy_pond (guest, #9734) [Link]

Sony should be severely punishing them and $ is the only tool we have. Otherwise, how do we stop them and others from a repeat.

Other tools

Posted Nov 22, 2005 11:02 UTC (Tue) by man_ls (subscriber, #15091) [Link]

What? "$ is the only tool we have"? Man, worshipping the almighty $ is alright, I suppose; but this is too much. What about public outcry, humilliation, jail time; losing their jobs, face, good name and prestige? Sony used to care about their customers, to the point of taking their opponents to court in the famed Betamax case; today Sony stands for poor products and despise for their customers. Let them suffer.

Other tools

Posted Nov 22, 2005 15:14 UTC (Tue) by madscientist (subscriber, #16861) [Link]

Unless there is criminal misconduct, jail is not an option. So far there doesn't seem to be much here other than civil complaints. As for the rest, things like humiliation, face, good name, and prestige only matter to a company insofar as they affect the bottom line: it all comes down to $ in the end, when you're dealing with corporations. That's what capitalism is all about.

Other tools

Posted Nov 22, 2005 23:06 UTC (Tue) by ballombe (subscriber, #9523) [Link]

> Unless there is criminal misconduct, jail is not an option.

Should I remind you that individuals have been jailed for writing virus and
compromising computers ? for copyright infringement ?

Other tools

Posted Nov 22, 2005 23:15 UTC (Tue) by madscientist (subscriber, #16861) [Link]

Writing viruses and compromising computers is considered a form of trespass, and that is criminal. Copyright infringement is only criminal if it's done for economic gain or on a very large scale: assuming you're referring to the LAME, etc. code found on the CD: I seriously doubt that would meet the criteria for criminal copyright infringement. None of the current legal cases against Sony allege any criminal misconduct.

Crimes

Posted Nov 25, 2005 7:36 UTC (Fri) by xoddam (subscriber, #2322) [Link]

> None of the current legal cases against Sony allege any criminal
> misconduct

Certainly the *reporting* does. Installing a rootkit is certainly
'compromising' a computer. Violating the LGPL is copyright infringement.
What exactly is Sony being sued for, if not these two *crimes*?

Crimes

Posted Nov 28, 2005 7:16 UTC (Mon) by madscientist (subscriber, #16861) [Link]

As I said, suing someone is a CIVIL matter, not a CRIMINAL matter. There is (at least in the U.S.) a very big difference. As far as I'm aware, no CRIMINAL charges have been made.

Other tools

Posted Nov 23, 2005 14:09 UTC (Wed) by man_ls (subscriber, #15091) [Link]

That's what capitalism is all about.
The "everything is convertible to and from $" is not a part of capitalism; in fact it is more easily assimilable to a form of religion, not an economic theory.

Prestige is not about money; if anything, it can be related to future money, but earnings are volatile by nature and cannot be predicted. Similarly, a brand can be bought and sold, but in fact a brand without good products is worthless. I think that a corporation that only looks at earnings and losses is a bad corporation.

other tools than $

Posted Nov 22, 2005 11:52 UTC (Tue) by copsewood (subscriber, #199) [Link]

In the UK, once those with compromised computers discover the illegality of what has occurred and complain, we could well see criminal complaints against First4Internet (Computer Misuse Act section 2, preparing for unauthorised modification) and Sony UK (same act section 3: unauthorised modification). I would complain to the police myself if I had a Windows computer that had been modified without my authorisation.

Please, no "good" software to fix the bad software

Posted Nov 22, 2005 0:55 UTC (Tue) by felixfix (subscriber, #242) [Link]

You wrote ... Maybe they can oblige Sony to add software to every future disc that offers to remove whatever was installed by the infected ones ...

No no no! Not only has it become apparent that their original rootkit was buggy, making me doubt they are competent enough to remove it safely, the original sin was installing software without asking. Even if they ask with the new "good" software, that is a terrible precedent to set. They need to provide the fix on an opt-in basis, and since the bad software has been phoning home, they surely know where most of the rootkits are. They need to take care of this the proper way, sending registered letters, sending email, whatever it takes, to get people aware of what Sony has done to them, and the removal fix must NOT come from Sony's web site. Sony is simply untrustworthy at this stage. The fix must come from some well known trusted site, for instance, the EFF itself, or a government agency.

Discovery

Posted Nov 22, 2005 5:16 UTC (Tue) by ncm (subscriber, #165) [Link]

Which part of "offers to remove", or "the code involved would have to be produced and signed by somebody appointed by the court, rather than Sony or F4I" was hard to understand? Nobody suggested that would be the whole of the settlement, just a source of continuing embarrassment for Sony.

Perhaps the real value in the lawsuit is in the discovery, which allows us to find out, e.g., how many machines are actually infected, including how many within the DOD, DOE, CIA FBI, Congress, White House, etc.

Discovery

Posted Nov 22, 2005 6:58 UTC (Tue) by hppnq (subscriber, #14462) [Link]

What exactly would be the point of this rather shady exercise? Really, I see no need to interfere with Sony's own rather succesful approach, let alone by way of forcing them to distribute another piece of malware. (There is also the tiny practical problem that your scheme forces everyone infected to acquire another cd from Sony.)

And are you suggesting that, if machines within US government turned out to be infected, this would really put the icing on the cake?! Things not bad enough as they are?

Discovery

Posted Nov 22, 2005 21:12 UTC (Tue) by ncm (subscriber, #165) [Link]

First, we already know that machines in gov't agencies are infected, we just don't know how many, although the number is probably large. There's nothing like counting them and publicizing that number to put the pols on notice that something criminal happened. Criminal prosecutions would be much better than ordinary lawsuits.

Second, I have no idea what you imagine to be "shady", or what you imagine to be successful about "Sony's approach". There is absolutely no way to communicate directly with all the people whose machines are infected, or to explain to them what it means to be infected. However, they are all known to purchase and (unwisely) install software from music CDs. Software to detect and uninstall an already-installed rootkit is much less tricky to write than to install one more-or-less successfully in the first place. Furthermore, it's much less risky, since the harm -- installing it -- has already been done. The worst that could happen is they need to re-install the OS, which is what they probably ought to do anyhow.

Again, nobody has suggested that this be the whole of the settlement.

Discovery

Posted Nov 22, 2005 22:45 UTC (Tue) by hppnq (subscriber, #14462) [Link]

There's nothing like counting them and publicizing that number to put the pols on notice that something criminal happened.

Uhuh. We haven't noticed anything yet.

Second, I have no idea what you imagine to be "shady", or what you imagine to be successful about "Sony's approach".

How about: distributing music cd's with software that messes up your computer? (You cannot step in the same stream twice. ;-)

There is absolutely no way to communicate directly with all the people whose machines are infected, or to explain to them what it means to be infected. However, they are all known to purchase and (unwisely) install software from music CDs.

I am intrigued now, I can see the Sony marketing department studying this scenario. Let's see, what would be more fun: selling the same cd twice, or finally being able to get rid of the music that nobody would be interested in otherwise? Or an entirely new song? "Shake your rootkit" by Michael Jackson, I would buy that.

Or shall we just stick with the boring old put-the-patch-on-the-website approach, and do it properly this time?

Discovery

Posted Nov 23, 2005 0:22 UTC (Wed) by ncm (subscriber, #165) [Link]

We haven't noticed anything yet.

Of course not. "50000 DOD and FBI computers infected by Sony spyware" would get headlines, but without a count, there's no headline.

Or shall we just stick with the boring old put-the-patch-on-the-website approach...?

That's fine if you want to end up with only one in five infected machines cleaned up. This isn't rocket science. Fortunately, the people at EFF are not uniformly thick.

Automated Fix

Posted Nov 23, 2005 9:11 UTC (Wed) by ncm (subscriber, #165) [Link]

It turns out that at least one of the rootkits involved, when it phones home, checks for updates, so Sony could, in principle, to ordered to "update" it out of existence, no CDs needed -- for machines that are connected to the net, anyhow. That probably means most of them, except of course the more important ones within the DOD, NSA, etc.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds