Sony's rootkit: an update
Just how little the company has learned can be heard on this NPR interview with SonyBMG manager Thomas Hesse. When asked about the rootkit, Mr. Hesse responded:
As the class-action suits begin to pile up, and as even Microsoft feels the need to create a Sonyware removal tool, maybe Mr. Hesse will eventually realize that people (who are rapidly learning what a rootkit is) do care.
SonyBMG has claimed that there is no "phone home" capability in this software. Unfortunately for the company, connections back home are relatively easy to detect. Some investigation quickly showed that SonyBMG's software does indeed make a connection back home when the CD is played. Nowhere has SonyBMG alerted its users to this behavior and the associated privacy problems.
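As an added illustration of that detection (example code written for this edit, not part of the original article and not anything Sony or First4Internet shipped): the script below reads an outbound-connection log, ignores processes that are expected to use the network, and reports every other process that opened connections, with the destination and the timing. The log format, the process names, the hostnames and the IP addresses are all constructed assumptions for the example; on a real machine the log would come from a host firewall, a proxy, or tcpdump on the gateway, and the allowlist would be tuned to that machine.

```python
"""Spot "phone home" traffic in an outbound-connection log.

Added example, not from the LWN article and not Sony's or First4Internet's
code. The log format, process names, hostnames and addresses below are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one line per new outbound connection, in the shape a
# host firewall or a tcpdump wrapper with process lookup might emit.
SAMPLE_LOG = """\
2005-11-01 10:02:11 TCP 192.168.1.5:1044 -> 192.168.1.1:53 proc=svchost.exe host=router.lan
2005-11-01 10:02:13 TCP 192.168.1.5:1045 -> 203.0.113.10:80 proc=cdplayer.exe host=updates.example-label.test
2005-11-01 10:02:13 TCP 192.168.1.5:1046 -> 198.51.100.7:80 proc=iexplore.exe host=www.example.com
2005-11-01 10:41:02 TCP 192.168.1.5:1050 -> 203.0.113.10:80 proc=cdplayer.exe host=updates.example-label.test
2005-11-01 11:15:40 TCP 192.168.1.5:1051 -> 203.0.113.10:80 proc=cdplayer.exe host=updates.example-label.test
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proc=(?P<proc>\S+) host=(?P<host>\S+)$"
)

# Processes expected to talk to the network, and the hosts they may reach.
# "*" means any destination. These entries are assumptions for the example.
ALLOWLIST = {
    "iexplore.exe": {"*"},
    "svchost.exe": {"router.lan"},
}


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def find_phone_home(log_text, allowlist=ALLOWLIST):
    """Return the unexpected (process, host) pairs with count and first/last time.

    Anything not covered by the allowlist is reported, so a media player
    that quietly contacts a server shows up with every connection it made.
    """
    seen = defaultdict(list)
    for rec in parse(log_text):
        allowed = allowlist.get(rec["proc"], set())
        if "*" in allowed or rec["host"] in allowed:
            continue
        seen[(rec["proc"], rec["host"], rec["dst"])].append(rec["ts"])

    findings = []
    for (proc, host, dst), times in seen.items():
        findings.append({
            "process": proc,
            "host": host,
            "ip": dst,
            "connections": len(times),
            "first": times[0].isoformat(sep=" "),
            "last": times[-1].isoformat(sep=" "),
        })
    return sorted(findings, key=lambda f: (f["process"], f["host"]))


if __name__ == "__main__":
    for f in find_phone_home(SAMPLE_LOG):
        print(f"{f['process']} -> {f['host']} ({f['ip']}) x{f['connections']}, "
              f"first {f['first']}, last {f['last']}")
```

The allowlist is deliberately per process rather than per destination: a player launched from a music disc has no legitimate reason to open any connection, so the useful signal is "which process talked to the network", not "which server was reached".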
For additional amusement, see the EULA which comes with the rootkit software.
SonyBMG has made an uninstaller available for those few users who are capable of understanding what a rootkit does and being upset by it. It turns out, however, that this uninstaller is worse than the original rootkit. Running the uninstaller opens a number of holes - which can be exploited via web pages - in the target system. So victims of SonyBMG's rootkit who care about the security of their systems are in a bind; there is currently no straightforward way to get that software off the system without compromising the system even further.
Yet another ironic twist is the possibility that Sony's rootkit includes some LGPL-licensed code, but does not comply with the license. If this were true (and there are some doubts on this point, though they seem to be getting smaller), the hypocrisy would be complete.
In response to all this, SonyBMG announced that it would "temporarily" stop making CDs with XCP on them. There was no apology, much less an offer to compensate people whose systems have been compromised. Neither was there a recall of the apparently millions of malware-infected discs which were still in the retail pipeline. Only on November 15 did SonyBMG finally give in, recall the outstanding XCP-infected CDs, and offer to replace discs in the hands of its customers. Said users are still waiting for the compensation offer, however.
It is also worth noting that Sony is still shipping CDs with Sunncomm's MediaMax DRM code on them. MediaMax may not be quite as bad as XCP, but it is still hostile software which, among other things, phones home.
In the end, SonyBMG appears to have been slapped down fairly hard for its actions. It would be a mistake to assume that this sort of incident will not happen again, however. The entertainment industry has managed to create such a strawman enemy out of "pirates" that any sort of response appears to be justified. In a world where these folks can dictate the design of radios and televisions, attempt to legalize online attacks against "pirates," and file lawsuits against children, the addition of malware to a music disc seems like a small thing. Until such a time as this industry stops seeing its own customers as enemies, it will fail to show those customers any respect.
Linux users should not expect much respect either. Efforts like the broadcast flag already threaten to make the creation of free television and radio receivers impossible. Beyond any doubt, the music industry looks forward to the day when even playing a song on a free system will be disallowed. As Linux users, we are not much impressed by the idea that, in order to play a music track, we must accept the installation of hostile software onto our systems. Unfortunately, we may yet see a day when that is the only choice we have.
(See also: the EFF's open letter to SonyBMG and the Sony timeline on BoingBoing).
Posted Nov 15, 2005 18:47 UTC (Tue)
by proski (subscriber, #104)
[Link]
Posted Nov 15, 2005 18:48 UTC (Tue)
by riel (subscriber, #3142)
[Link] (17 responses)
The easiest way to get their attention would probably be to stop buying Sony products, and to let them know in public places (like LWN). I know Sony won't be seeing any of my money any time soon.
Having said that, if they resolve the LGPL violation, and stop shipping rootkits, and release a really cool product, I might buy from them again. I suspect this may never happen though...
Posted Nov 15, 2005 19:17 UTC (Tue)
by danielpf (guest, #4723)
[Link] (9 responses)
Posted Nov 15, 2005 20:24 UTC (Tue)
by gte223j (guest, #6492)
[Link] (8 responses)
http://emperorlinux.com/mfgr/sony/
Posted Nov 16, 2005 13:35 UTC (Wed)
by hazelsct (guest, #3659)
[Link] (7 responses)
I personally will never buy anything from Sony, unless and until there is a total overhaul in corporate philosophy and practice away from both rootkits and proprietary formats, devices, etc. (i.e. no more minidisks or memory sticks, and their hardware should be capable of running an open BIOS). As Londo Mollari might say, "Dishonesty and arrogance in one neat package, how efficient of you."
Posted Nov 16, 2005 13:57 UTC (Wed)
by man_ls (guest, #15091)
[Link] (2 responses)
Not everything from Sony is so bad: e.g. miniDV seems to be a pretty open format, and consumer video cameras are OK. But in many other areas all there is left of Sony is the high pricing.
Posted Nov 17, 2005 12:12 UTC (Thu)
by khim (subscriber, #9252)
[Link]
"Not everything from Sony is so bad: e.g. miniDV seems to be a pretty open format, and consumer video cameras are OK."
miniDV was never SONY format. Digital8 was. And... as usual: it's gone. Now SONY is trying to show that it had miniDV in mind all along, but that's not the case. It does prove that SONY can develop pretty open devices - when pressured enough. By default SONY will develop something proprietary and closed...
Posted Nov 18, 2005 2:09 UTC (Fri)
by bk (guest, #25617)
[Link]
Very well-to-do tapers use DAT which has widespread use in professional recording. Unfortunately it costs an arm and a leg (although, realistically, not that much more expensive than the high end iPods...) and is somewhat obscure. People who can afford DAT often know people and can get a soundboard feed, the result is basically studio-quality live recordings.
Smart frugal tapers use DAPs that have good built-in recording features (iPods unfortunately have crippled recording with the standard firmware), like (plug!) Rockbox running on an iRiver H1xx. Lossless, high quality recording up to the limits of the built-in 20 or 40GB hard drive.
Posted Nov 16, 2005 15:38 UTC (Wed)
by gte223j (guest, #6492)
[Link] (3 responses)
A bios that can form a packet and initialize the nic and send it down the wire.........sounds rational to me........
not to mention all of the net config stuff.........gateway and route.....and ARP......
and then not only would it have to do all of this...but it would have to gather good info.......hd mbr....or files.....and know how to mount a filesystem to send the really juicy data...........
granted it is possible.....but higly improbable......
paranoia cha cha cha........
--Brian
Posted Nov 16, 2005 20:45 UTC (Wed)
by deater (subscriber, #11746)
[Link] (2 responses)
All of that before any Operating System is ever loaded.
Posted Nov 16, 2005 21:36 UTC (Wed)
by gte223j (guest, #6492)
[Link] (1 responses)
however...... what if it is not a dhcp network??? how will it know how to get out............. and what about wireless......
the use case would be to phone home if there is a nic and there exists a dhcp server........
Again
"granted it is possible.....but highly improbable......"
I am not saying don't worry about it...but there comes a point when rationality is thrown out the window...............
--Brian
Posted Nov 16, 2005 23:26 UTC (Wed)
by clump (subscriber, #27801)
[Link]
Why x86 vendors have never thought to offer a useful preboot layer is beyond me. Sure you can buy expensive systems and add-ons that can possibly give you SPARC-like functionality. Not to badmouth PXE, but please. That is the best standard x86 has to do network booting? x86 clearly leads in performance for the money. But for manageability, even a Mac Mini can toast most Dells.
That said, my point is that just because x86 *still* isn't very mature in the BIOS does not mean a vendor couldn't phone home. Since other vendors have had smart preboots for years means the technology exists. I wouldn't put it past Sony to do such a thing.
Posted Nov 15, 2005 19:38 UTC (Tue)
by kh (guest, #19413)
[Link] (5 responses)
Posted Nov 15, 2005 20:15 UTC (Tue)
by proski (subscriber, #104)
[Link] (1 responses)
Sure, having a data disc format unencumbered by Sony patents would punish them, but I don't see how regular LWN readers could help with that.
Posted Nov 16, 2005 14:21 UTC (Wed)
by kh (guest, #19413)
[Link]
Posted Nov 16, 2005 12:02 UTC (Wed)
by csamuel (✭ supporter ✭, #2624)
[Link] (2 responses)
Remember that these silver discs are NOT CD's - they do not comply with the CD standard and so cannot have the logo. As this BBC article from the 4th November says, Philips are quite clear on this point:
Posted Nov 18, 2005 2:16 UTC (Fri)
by bk (guest, #25617)
[Link] (1 responses)
If not, the EULA is demonstrably false and misleading (bad news for Sony), if they do then it looks like one of the big five has found a way around the standards issue (bad for the public).
Posted Nov 20, 2005 9:20 UTC (Sun)
by Ross (guest, #4065)
[Link]
Posted Nov 21, 2005 18:07 UTC (Mon)
by NRArnot (subscriber, #3033)
[Link]
I will be buying nothing new from Sony in the foreseeable future, unless there is no alternative manufacturer of a product that I really cannot do without.
I have a Sony laptop, a Sony DVD recorder, Sony in my car. When these need replacement, the replacements will not be made by Sony. And of course, I'll be buying as little Sony-branded music as I can.
Whatever Sony's paid spin-doctors say, the corporation won't actually listen to us until we, their former or potential customers, make a noticeable hole in the Sony corporation's bottom line. Personally, I'd like that hole to be so large that the corporation sinks -- but that's up to the rest of you.
If anyone from Sony reads this and wonders what they can do to mollify me, the answer is, probably nothing. Would you ever again buy food from a company that had been caught deliberately using urine as an undeclared ingredient? Would it make any difference that you hadn't actually eaten the polluted product?
Buy Sony last. Tell your friends.
Posted Nov 15, 2005 19:09 UTC (Tue)
by pr1268 (guest, #24648)
[Link] (12 responses)
DRM has gotten out of hand. This Sony incident has only brought to light the issue of what lengths companies will go to given a piece of legislation (DMCA) to hide behind. Much kudos to Dr. Russinovich and his wonderful Blog. <snide comment>Resistance is futile. Prepare to have your computer assimilated into the [media company] collective.</snide comment>
Posted Nov 15, 2005 20:55 UTC (Tue)
by NAR (subscriber, #1313)
[Link] (4 responses)
If you buy a ticket for the train/underground/bus/etc., you enter into a contract with the public transport company but I doubt you sign anything.
Posted Nov 16, 2005 1:39 UTC (Wed)
by phgrenet (guest, #5979)
[Link] (1 responses)
Posted Nov 18, 2005 0:20 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
Posted Nov 16, 2005 10:13 UTC (Wed)
by nix (subscriber, #2304)
[Link] (1 responses)
(Disclaimer: IANAL but I've typed up stuff for lawyers on this subject when critically short of money over a decade ago; info may be terribly inaccurate)
Posted Nov 18, 2005 0:30 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
That's not even an implied contract, at least in US terminology. It's an explicit contract. (Technically, it isn't formed when you take the item from the shelf, but when you check out, which is why the price is allowed to change in between). An implied contract would be one defined in law that the two parties didn't actively choose to enter.
There's simply nothing in law that says a signature or piece of paper is required for a contract to be legally binding. The vast majority of contracts don't have that.
There are some laws, called "statutes of frauds" that make contracts of certain kinds unenforceable if not on paper. For example real estate transactions usually require paper, and many loans do. Under the Uniform Commercial Code (which is the law most places in the US), a contract that has elements that will take longer than 3 years to complete must be in writing.
Posted Nov 15, 2005 21:12 UTC (Tue)
by ncm (guest, #165)
[Link] (1 responses)
Second, the danger is not Sony breaking down your door to try to enforce their (void) contract. At issue is whether you are owed damages for the harm they have caused you even though they "disclaimed" it. Did you "agree" to be kicked in the nether region, just by clicking on that button? Hell, no! (*) Even if it were a valid contract, any of its provisions that damage your machine are superseded by the warranty, and by any other laws they violated. I doubt a judge would even let them introduce the EULA in evidence, if your own lawyer is on the ball to object.
Third, I don't understand why everybody who writes about this acts as if the EULA had any legal standing. At most, paragraphs might be snipped from it to be introduced as written proof of Sony's malice aforethought.
Fourth, if you were harmed, you will be better off explicitly opting out of any class-action suits. You can sue Sony in your local small-claims court for (e.g.) the time it took to re-install your OS, and probably get treble damages. If your damage was greater -- e.g. local network compromised by worms taking advantage of the holes it installed -- you can still sue, and get treble damages, and Sony still probably won't spare a lawyer to show up and contest it. If you or yours were harmed, then please, please do sue Sony, and then blog all about it. Compete with other bloggers for the side of the damage award extracted. Make it worth your while; your damages (itemized) should include the time it took you to bring the case to court, too.
(*) I'm no lawyer. Also, last I heard, the UCC was rescinded in Maryland. Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere. If you live in one of those places, you might be screwed -- however, since they broke the law, it might be void anyhow!
Posted Nov 18, 2005 1:02 UTC (Fri)
by giraffedata (guest, #1954)
[Link]
Doesn't that kind of negate your whole first paragraph ("the EULA is not a legally binding contract")? On the left hand, we have someone who is not a lawyer, and some nebulous crowd of people criticizing a court decision. On the right hand, we have a federal appeals court judge in an actual court decision. Seems to me the left hand is all but empty.
I know the case in question quite well, and I haven't heard that people think it won't be influential anywhere else. The decision is solidly reasoned and there aren't conflicting decisions in other circuits.
I'm sure there were the usual statements that a 2nd Circuit decision isn't binding anywhere else, but such decisions are nonetheless usually highly influential.
The judge, incidentally, not only describes why shrink wrap agreements are legally enforceable (giving precedents for well-accepted contracts that aren't complete until some time after money changes hands), but also that it would be bad policy if they weren't -- forcing people to waste packaging space on fine print nobody reads anyway.
I've also read the UCC, though not so recently that I remember every paragraph, and I sure don't remember anything about not being able to add restrictions on the buyer after the buyer has paid. There are plenty of contracts where paying money comes before negotiation is complete. If you have a section number, I'd be interested.
Posted Nov 15, 2005 22:18 UTC (Tue)
by kms (guest, #6679)
[Link]
I believe it attempts to be a contract, though in most jurisdictions it is impossible for a minor to enter into such a contract so just get your kids to buy your CDs and you'll be fine :-)
Posted Nov 16, 2005 4:15 UTC (Wed)
by pr1268 (guest, #24648)
[Link] (3 responses)
I was wrong earlier; the GPL is indeed a good example of a license vs. a contract. Furthermore, I found the actual text of Sony's EULA on Mark Russinovich's Web page here. I read through all the legal-ese (IANAL), and sure enough this EULA does indeed target the "DIGITAL CONTENT" of the disc. Which means pretty much all the content, since a CD is a 5km-long spiral of microscopic pits and plains that represent binary 0's and 1's. How someone might interpret the music to be part of the digital content could be debated; I realize that once you play the CD on a loudspeaker system, it's no longer digital and therefore not subject to the restrictions of the EULA (although it does fall under the jurisdiction of performance restrictions under copyright law, but that's a whole other topic).
Also, I'd like to thank Mark Russinovich for sharing his experiences. Although I do not use MS Windows (I've been "Windows-Free" since August 2004), I feel that we need people like him with incredibly sharp Windows skills and a Blog to make people aware of the consequences of installing closed-source software (and having to agree to a EULA) for which you have no knowledge of what that software's actually doing to your PC. But that goes for all licensed software. I feel better about running a piece of licensed software on my computers for which somebody is examining the safety, security, and reliability of that software (thus explains one of the many reasons I like open-source).
A college professor told me that the legal issues of running licensed software later found to be intentionally (or negligently) malicious will be very seriously examined in the next few years. Perhaps the "Sony DRM Rootkit incident of 2005" is only a preview of what's to come...
Posted Nov 16, 2005 9:27 UTC (Wed)
by james (subscriber, #1325)
[Link] (2 responses)
Despite reality, the EULA defines DIGITAL CONTENT not to include the music:
This compact disc (CD) product contains standard so-called Red Book-compliant audio files that can be played on any standard CD player, including those contained in many personal home computer systems. As an added feature, this compact disc (CD) product also enables you to convert these audio files into digital music files and/or may also contain other already existing digital content (such files and content, collectively, the DIGITAL CONTENT)
Incidentally, even if you accept the validity of EULAs, this one doesn't come into force until you click "AGREE". If you don't click "AGREE", then presumably normal copyright law is in effect:
By clicking on the AGREE button below, you will indicate your acceptance of these terms and conditions, at which point this EULA will become a legally binding agreement between you and SONY BMG.
Unfortunately, in the USA "normal copyright law" includes the DMCA. A case could be made that if the DRM software was "technical measures", and the technical measures included a mechanism designed, documented and labelled to turn off the technical measures, then you aren't circumventing them. But I wouldn't care to rely on that if I had to defend myself against Sony.
As always, I Am Not A Lawyer. Sorry.
Posted Nov 17, 2005 3:15 UTC (Thu)
by midg3t (guest, #30998)
[Link]
What about if you wrote an application to scan all window elements for the text "I Agree", and any that matched would be sent the appropriate Win32 API "activate" signal.
And what about if somebody else installs that software on your machine.
How about if you wrote a wrapper around the installer that bypassed the entire EULA, beginning execution at the first real install step, where files are decompressed & installed.
Perhaps it's a long shot, but in a world where the law is what is written and not what is intended, who knows what you can get away with.
Posted Nov 17, 2005 8:52 UTC (Thu)
by chad.netzer (subscriber, #4257)
[Link]
What is weird is that they claim to include software to convert audio-files into digital music files, which further implies that they may have included code from LAME (and probably some CD-Paranoia like application). Ie. they claim to include ripping and conversion software. Hmmmm.
Posted Nov 15, 2005 19:20 UTC (Tue)
by bojan (subscriber, #14302)
[Link] (7 responses)
If this isn't the rudest thing I've read in a long time... Imagine a doctor saying to a patient in hospital: "Don't worry, you wouldn't know what your illness is even if I told you, but you'll die from it nonetheless." Now wouldn't a world like that be grand?
I just hope whoever sues them goes all the way.
Posted Nov 15, 2005 23:16 UTC (Tue)
by pr1268 (guest, #24648)
[Link] (5 responses)
I think that Sony's (Thomas Hesse) above response is, well perhaps, somewhat accurate - I know a lot of people who have no clue what a rootkit is. But that makes it no less excusable or inappropriate. Sony/BMG's focus is on media (Movies, music, etc.), and has nothing to do with software (except for their desktop/laptop business, and perhaps a bunch of that is also outsourced). As such, I don't get the impression that they knew what First4Internet's XCP technology actually did to users' computers when they inserted the CD and started clicking. I suspect that Thomas Hesse didn't know what a rootkit was until that excrement hit him in the face. Thus, he might have been speaking more for himself than for all of those media consumers whose PC's are now infected.
Posted Nov 16, 2005 0:31 UTC (Wed)
by MarkVandenBorre (subscriber, #26071)
[Link]
Posted Nov 16, 2005 2:44 UTC (Wed)
by bojan (subscriber, #14302)
[Link]
Well it is accurate, all right, that most people don't know what a rootkit is. But what about the "why should they care about it" part? This implies, at least to me, that we are all just a bunch of idiots, mindless drones that don't (or shouldn't) care whether our privacy is invaded and our property damaged by Sony.
He's got obviously no shame if he's capable of saying something as offensive as that.
Posted Nov 16, 2005 15:55 UTC (Wed)
by ikm (guest, #493)
[Link]
Posted Nov 20, 2005 17:24 UTC (Sun)
by ekj (guest, #1524)
[Link]
A person can very well have no idea whatsoever what say HIV is, but still care very much if someone intentionally infects them with it.
A person can very well have no idea whatsoever what a capacitor is, but still care very much if a leaky one turns their expensive computer into a paperweight.
And a person can very well have no idea whatsoever what a rootkit is, but still care when a malevolent corporation secretly installs software on their computer that limits what they can do and spy on the user.
Knowing the technical term for something is not required for caring about the effects of something.
Posted Nov 23, 2005 2:16 UTC (Wed)
by ronaldcole (guest, #1462)
[Link]
If Sony still has enough assets to afford an attorney after they get their asses handed to them in a (red) hat, then they should sue First4Internet if they misrepresented their product to Sony.
Posted Nov 16, 2005 16:32 UTC (Wed)
by soundray (guest, #688)
[Link]
Posted Nov 15, 2005 21:19 UTC (Tue)
by carey (guest, #19902)
[Link]
Posted Nov 16, 2005 16:56 UTC (Wed)
by fjhieb (guest, #4748)
[Link] (2 responses)
What did Microsoft know about this, before this whole thing got discovered?
It's been my impression that MS has been bedding down with the whole DRM crowd for quite some time. How is it that XCP could have been developed without some critical internal system information being provided to the developers, as well as queries coming back the other way? If that's the case, MS is complicit in this as well. What's been their response to having their installed base of OS's compromised worldwide by one of their significant partners?
Posted Nov 16, 2005 20:27 UTC (Wed)
by pr1268 (guest, #24648)
[Link] (1 responses)
I think Microsoft wasn't all that aware of what Sony/F4I's XCP DRM technology did to users' computers until after the rootkit news hit the Internet. Additionally their motivation to remove the XCP rootkit with their "Windows Defender" anti-malware utility and Windows Update tells me that they at least realize the evils of the XCP software and are addressing PC users' concerns. As much as I don't care to defend MS, my respect for them did shoot up a few points due to their prompt response on this matter. But, you make a good point about MS and DRM in general. They're certain to incorporate DRM technology into the core OS kernel of the upcoming Vista operating system. Being closed source and all, they can put stuff into the OS that would essentially disable most media playback unless it was done on their terms. Perhaps MS is actually thinking up new and inventive ways to use the cloaking techniques of XCP to hide all kinds of stuff from the end-user and pretend that we don't really need to care what is really happening to our computers.
Posted Nov 18, 2005 16:29 UTC (Fri)
by grouch (guest, #27289)
[Link]
Better re-read that XP EULA and take note of the similarities to Sony's XCP EULA. If you run XP, BillG has root access. XCP gives Sony (and now, malicious websites) root access. Both require you to accept future, undeclared and undisclosed installations at their discretion. Each admits to at most $5 in liability. You can check the rest of the similar bullet points for yourself.
Posted Nov 17, 2005 2:37 UTC (Thu)
by smitty_one_each (subscriber, #28989)
[Link] (5 responses)
Posted Nov 17, 2005 10:03 UTC (Thu)
by Duncan (guest, #6647)
[Link] (2 responses)
Posted Nov 24, 2005 8:49 UTC (Thu)
by Wol (subscriber, #4433)
[Link] (1 responses)
So the netfilter guy HAS to contact the infringer, and threaten to sue them (and carry out that threat if necessary), or he loses his right to sue.
I think that on the few occasions it has gone to court, both sides have agreed to ask the judge "please toll this, we're still negotiating". ("toll"ing being "stopping the clock", thanks for the education, PJ.)
Cheers,
Posted Nov 24, 2005 16:51 UTC (Thu)
by Duncan (guest, #6647)
[Link]
Posted Nov 17, 2005 19:09 UTC (Thu)
by tcabot (subscriber, #6656)
[Link]
Remember that the GPL *grants* you rights that you wouldn't otherwise have under copyright law. So let's imagine that you go to court and have the GPL declared legally invalid. Congratulations, you've just sawed off the branch that you were sitting on because then you would have *no* right to distribute GPL'ed code.
Posted Nov 20, 2005 2:34 UTC (Sun)
by sweikart (guest, #4276)
[Link]
http://web.archive.org/web/20191018144227/http://www.groklaw.net/article.php?story=20050225223848129
-scott
Posted Nov 17, 2005 2:53 UTC (Thu)
by kena (subscriber, #2735)
[Link]
Instead, I'm just going to sit back in awe at the incredible signal:noise ratio in these comments. I've seen no fewer than two people unilaterally retract previous statements when they -- of their own volition -- found contradictory information. _How the hell often does *that* happen in 'Netland?_ In addition, all the posts have been wildly informative, insightful, or both. Truly, my LWN money is well-spent. [Sadly, I recently had to go from "got out of LNUX in time" (which I almost did) to "poorer 'n dirt". Child on the way. Once my finances find some sort of equilibrium, I'll take the middle ground.] That aside, LWN is truly a valuable resource, and one we should all spout off about (presumably to those who might be interested) when we have the chance.
Keep up the good work, all!
Oh. And yeah, ummm... "Death to Sony!" or something.
Posted Nov 17, 2005 15:58 UTC (Thu)
by dps (guest, #5725)
[Link]
The word "rootkit" was definitely mentioned, and that rootkits were bad. If Sony has to replace all those CDs with one sans the rootkit, then one hopes the financial impact is enough to discourage the practice in future releases.
I am aware that writing virii is probably illegal under the computer misuse act, so one suspects rootkits might be too. Explaining why you needed a rootkit to implement DRM technology might be a little difficult. M$ will no doubt make DRM a feature of their OS so no rootkits, or other software, is required.
Posted Nov 17, 2005 19:33 UTC (Thu)
by Baylink (guest, #755)
[Link] (1 responses)
Really.
(:-)
I think we all owe Sony a debt of gratitude... for getting the general public up to speed on what rootkits are, and why they're bad. I realize that this is the "uninvited tiger team" argument that crackers (not hackers :-) make, which is rebutted by most of the community whose chapeaux are blanc, but you know what? It works.
(And my thanks to Apple's ad agency...)
Posted Nov 18, 2005 14:15 UTC (Fri)
by smitty_one_each (subscriber, #28989)
[Link]
Posted Nov 24, 2005 12:01 UTC (Thu)
by rabnud (guest, #2839)
[Link] (1 responses)
But!
I do listen to Electronic genres such as trance, tech-step, DnB; Electronica is a genre that no big label would want to traffic on a continuous basis. My methods of getting new tracks are simple: I get indie music direct from the indie artist. No middle men means no DRM, at least for now. That 'direct connection' method could easily serve as a workaround to this rootkit problem (and several similar problems) for ANY consumer, if the consumer mounted considerable efforts to demand a direct connection from each artist. To create the direct connection mechanism, simply get a message through to each artist that this kind of user restriction is not acceptable, tell the artist that you would not accept computer hardware that prevents you ripping tracks (which you have been permitted to download direct from the artist) to another format, tell the artist that you would not accept rootkit software, and so forth. If the artists learn to dislike and hopefully distrust the commercial labels that pull this kind of abuse, then maybe the digital era can resume where it left off.
No, I am not naive... Just be sure to accept and obey the terms which the artist places in the copyrights to the tracks you get from them. The broad, unrestricted distribution of copyrighted tracks over p2p was a consumer error - the consumer did not respect the artists copyright, but the copyright was placed there by the label, the artists get convinced that they need copyrights when some artists could care less. Why would some artists not care? Because the middlemen are getting many times more revenue, per track, than the artist gets.
Posted Nov 26, 2005 21:23 UTC (Sat)
by finster (guest, #32338)
[Link]
Thanks Sony for alerting me to this problem . . . now you know my solution. Your ridiculous way of making your warning of copy-protection's presence on the CD inconspicuous but yet present, will also give people a reason to start sharing. I mean, nice friggin' font on the Foo Fighters' CD. What is that? 3pt? Really glad I don't run an M$ OS.
Sony lying about its product?
SonyBMG has claimed that there is no "phone home" capability in this software. Unfortunately for the company, connections back home are relatively easy to detect. Some investigation quickly showed that SonyBMG's software does indeed make a connection back home when the CD is played.
Isn't that a crime? It looks like Sony intentionally mislead the customers while the compromised CDs were still available for sale.
Complaining makes little sense, since Sony does not appear to be sensitive to the many complaints that have been raised so far.
Don't want a rootkit? Stop buying from Sony...
For example they could sell a laptop powered by a Cell processor with Linux preinstalled...
Of course knowing their previous reputation about not so clean software, I would only buy such a laptop if all the included software were open sourced.
Don't want a rootkit? Stop buying from Sony...
And how sure are we that the BIOS never phones home over the entire lifetime of the laptop? And if it doesn't for current models, what's to say it won't in the future?
Don't want a rootkit? Stop buying from Sony...
Minidisc is the most stupid flop since DAT, at least in the consumer space; in the professional arena the format is alive thanks to other companies. I bought a professional model and got burned: badly thought out, poor battery life and is not so hot recording live audio. And they were supposed to replace walkmen! Meanwhile, Apple, Rio and even obscure outfits like Inovix are selling like crazy to fill the void.
Minidiscs are pitiful
Minidisc is still alive in the rather small niche of (often clandestine) live recording. Most tapers use MD since it is relatively cheap, available and of decent quality despite the horrid ATRAC format.
Minidiscs are pitiful
"And how sure are we that the BIOS never phones home over the entire lifetime of the laptop? And if it doesn't for current models, what's to say it won't in the future?"
Don't want a rootkit? Stop buying from Sony...
Apparently you've never used PXE to boot Linux off a network. If you had you'd know the BIOS is perfectly capable of initializing the network card, running DHCP to get an IP address, and start making requests onto a network.
Don't want a rootkit? Stop buying from Sony...
You're right... I haven't used PXE and it slipped my mind... my bad...
Don't want a rootkit? Stop buying from Sony...
PXE is just one way x86 machines can do "networking" in the BIOS. SPARC machines have had this functionality and much more in their Openprom layer for many years. Very old SparcStations even can boot over NFS.
Don't want a rootkit? Stop buying from Sony...
Instead of complaining or boycotting, I wish we could support some other standard - I wonder if some of the Free Software (and Free Culture) folks could approach the people developing the EVD format.
Don't want a rootkit? Stop buying from Sony...
Actually, the CD format is OK. The problems are the autorun feature implemented unsafely by Microsoft (the user is not informed that the software is going to be run) plus Sony's abuse of the customers' trust (users don't expect bad things from a well known company).
Don't want a rootkit? Stop buying from Sony...
Sorry for not spelling it out better... the parent was speaking about boycotting Sony, and I read that as boycotting all of their products, not just their music discs. And whereas a straight CD is not a problem format for Linux, DVD, and the upcoming HD-DVD or Blu-Ray I suspect will not be easily accessible in Linux. But perhaps the EVD backers would be easier to work with?
Don't want a rootkit? Stop buying from Sony...
They're not CD's!
As far back as 2002, Philips representative Klaus Petri told Financial Times Deutschland that "those are silver discs with music data that resemble CDs, but aren't".
The Sony EULA claims that the CDs are Red Book, meaning that they do conform to the CD standard as defined by Philips. I would be interested to see if they actually carry the Compact Disc Digital Audio logo.
They're not CD's!
I believe the other poster was thinking of some other copy prevention schemes pushed by the major record companies which use non-compliant discs. The owner of the CD mark even threatened to take away their right to use it. This scheme uses a Windows misfeature and a rootkit to do its work. There's no reason for it not to be a real CD.
They're not CD's!
I can't agree strongly enough.
Don't want a rootkit? Stop buying from Sony...
I have a few comments and questions regarding the EFF Sony EULA link:
Sony's rootkit: an update
Isn't a EULA some kind of legally binding contract? Does that mean that I have to (a) sign somewhere when I purchase into the contract (in many places, a signature is required of such legal documents), or (b) be informed of such a legally-binding agreement at time of purchase?
Sony's rootkit: an update
For the difference between a license and a contract, no better source than LWN:
The GPL is a License, not a Contract
Sony's rootkit: an update
license vs contract
>For the difference between a license and a contract,
An important difference to know, but not relevant here. We're not talking about a license; we're talking about a EULA - end user license agreement. Agreement is a synonym for contract. This is a contract in which the copyright owner gives you a copyright license in exchange for money and various promises from you.
In the UK at least there is the concept of `implied contracts', which are what you enter into when e.g. you pull something off the store shelves, and what you are violating if you then walk out of the shop without paying for it; you'd also have one with the public transport company. Intent and mutual understanding are very important here: you probably don't enter into an implied contract with Sony allowing Sony to dump rootkits on your computer merely because you bought a CD that they happened to originally produce!
Sony's rootkit: an update
contracts without signing
In the UK at least there is the concept of `implied contracts', which are what you enter into when e.g. you pull something off the store shelves,
First, the EULA is not a legally binding contract. In the U.S., the Uniform Commercial Code (UCC) makes clear that the vendor cannot place any additional restrictions or conditions on you, the buyer, after you have paid your money(*). If it's not on the outside of the box, it's wastepaper. Even if it is on the box, but contradicts local warranty consumer-protection laws, it's wastepaper. Similarly, any sort of "click-through" during installation is void: you already paid, it's too late to demand your acquiescence. If you have to click it to get to what you paid for (i.e., the music), then clicking it doesn't mean anything. It's better, as a policy, not to read it, except perhaps as a warning of what damage they are promising you might suffer, i.e. like the "hazard" warning on your toaster. (Be sure to tell your lawyer about your policy.)
EULA and the UCC
I'm no lawyer. ... Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere.
> Isn't a EULA some kind of legally binding contract?
Sony's rootkit: an update
I stand corrected about this EULA
Now if you were to press tab a couple of times and press space or enter on the "Agree" button, would you still be accepting the EULA?
Tab, enter?
My reading is that they DO include the "audio files" in their definition of "DIGITAL CONTENT", or at the very least, any "digital music files" created from the "audio files". And you can bet that is what they intended.
I stand corrected about this EULA
> Most people, I think, don't even know what a rootkit is, so why should they care about it?
How rude
No wonder Sony doesn't sell/market software
I suspect that Thomas Hesse didn't know what a rootkit was until that excrement hit him in the face.
At this level, ignorance == incompetence
From a certain level of responsibility, ignorance equals incompetence.
The people responsible for this debacle are incompetent at best, but most probably just guilty.
> I think that Sony's (Thomas Hesse) above response is, well perhaps, somewhat accurate - I know a lot of people who have no clue what a rootkit is.
No wonder Sony doesn't sell/market software
Good point, thanks for putting this out! SONY may well be an evil corporation (or, well, maybe not), but this incident does not necessarily indicate the presence of some intentional malice plotted by some greedy execs. When choosing between malice and stupidity, the latter wins almost always. After all, it is just stupid to plant rootkits onto the consumers and think nobody would ever notice.
No wonder Sony doesn't sell/market software
But there's no connection (or very little) between knowing about something and caring about something.
No wonder Sony doesn't sell/market software
Even if your theory is right, Sony still pulled the trigger on that "gun" they bought.
No wonder Sony doesn't sell/market software
Apart from the rudeness, it's the logic behind the statement that amazes me most. What kind of twisted mind would come up with an argument like this?
Logic
Just imagine replacing "X" with "retrovirus" instead of "rootkit". Hey, we can stop all AIDS prevention campaigns!
Removing the rootkit
According to Mark Russinovich's blog, the safe way to remove the rootkit is to run this command and reboot:
sc delete $sys$aries
This is more or less equivalent to this, on Debian:
update-rc.d -f '$sys$aries' remove
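Before deleting anything, an administrator will usually want to confirm that the service the comment names is actually registered on the machine. The following PowerShell script is an added example and not the commenter's code; it assumes only the service name `$sys$aries` given above. It deliberately opens the service by name with `sc.exe query` rather than enumerating all services, because the XCP cloaking driver hides names beginning with `$sys$` from enumeration APIs, so a listing from `Get-Service` can come back clean on an infected system while a by-name query still succeeds.

```powershell
# Added example (not from the comment above): check whether the XCP service
# "$sys$aries" is registered, and report the result without deleting anything.
# The rootkit driver hides names that start with "$sys$" from enumeration, so
# this opens the service by exact name with sc.exe instead of listing services.
$ServiceName = '$sys$aries'   # single quotes: PowerShell must not expand $sys or $aries

function Test-XcpService {
    param([string]$Name)
    # sc.exe query <name> calls OpenService on that exact name; a missing
    # service yields exit code 1060 (ERROR_SERVICE_DOES_NOT_EXIST).
    $output = & sc.exe query $Name 2>&1
    $code = $LASTEXITCODE
    if ($code -eq 0) {
        $state = ($output | Select-String 'STATE').Line.Trim()
        return [pscustomobject]@{ Name = $Name; Present = $true;  Detail = $state }
    }
    return [pscustomobject]@{ Name = $Name; Present = $false; Detail = "sc.exe exit code $code" }
}

$result = Test-XcpService -Name $ServiceName
if ($result.Present) {
    Write-Output "Service '$($result.Name)' is registered: $($result.Detail)"
    Write-Output "To remove it, run as Administrator: sc delete $ServiceName  (then reboot)"
} else {
    Write-Output "Service '$($result.Name)' not found ($($result.Detail))"
}
```

Run it from an elevated prompt on the machine in question; the check itself is read-only and the actual removal remains the `sc delete` command quoted in the comment, followed by a reboot so the cloaking driver is no longer loaded.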
What I find intriguing is:
Sony's rootkit: an update
Microsoft's DRM could be even worse
Microsoft has been courting the MPAA and RIAA all along during their development of Palladium or Longhorn or whatever name they're using this week. It's not a matter of them being unaware. It's a matter of who pays more, the lowly "consumer" or partners.
Microsoft's DRM could be even worse
It is my understanding that neither the GPL nor the LGPL have ever enjoyed the scrutiny of a no-kidding court case. Could this be the inaugural bout? Go, FSF!
LGPL
LGPL
I'm not sure about the LGPL, but the GPL certainly has. I forget the name, but one of the NetFilter developers has been quite active in asserting his rights over in Germany. The law there (where he lives) places a tight timetable on bringing an action to court, something like four weeks, so once he contacts a company and the clock starts ticking, they have to decide rather fast (by US standards) whether they will comply or fight. In a couple of cases, they haven't been fast enough to comply, and the cases have gone to court. He's won real court injunctions in all of them, I believe, which after the first couple, he could point to, and has had less trouble getting the desired response in the time allowed.
He has been somewhat controversial, because the FSF tends toward a more negotiated approach, which has generally been successful both in resolution and in keeping it out of court, but can take years. This guy's assertiveness gets faster results but with the risk of making political enemies. Still, it's a technique that has been proven to work, and he argues that the way the German system is set up, he has little choice if he wants to retain his full range of enforcement rights, due to this clock ticking thing.
In any case, it's no longer true that the GPL hasn't been tested in court, and IMO the two approaches tend to balance each other out to some extent. LGPL, however, I haven't any idea.
Duncan
Bear in mind, that the clock doesn't start ticking when the copyright holder notifies the infringer, it starts ticking when the copyright holder discovers the infringement.
LGPL
Wol
LGPL
Thanks. I didn't remember precisely when the clock started. If it's at discovery...
However, depending on how discovery is handled, despite what the law says, it wouldn't /have/ to start at discovery. For the clock to matter at that point, there'd have to be some evidence of when discovery happened. As long as one does their investigation quietly and doesn't mention what they've discovered right away, there's obviously some flexibility as to when one was "certain" they had discovered something, not just suspicious about a /possible/ violation.
As far as the court cases, I remember at least one and I believe two actual preliminary injunctions. IIRC, the one was a case of win by default, because the manufacturer hadn't responded. They had very little presence in Germany anyway, IIRC, so it wasn't much to lose, but that set the initial court precedent.
However, if you are a Groklaw regular, you may well know more about it than I.
Duncan
There are two ways to look at this. The first way says "it's never been proven in court", and takes this to mean that the license is somehow weaker as a result. The second way (as explained by Eben Moglen at the FSF annual associate member meeting) is "everyone that's considered challenging it in court has backed down before it got that far" and takes this to mean that the license is so strong that there's no point in challenging it in court.
LGPL
Here's an article about the GPL in court:
LGPL
I could rant 'n rave about Sony, but others, above, have already done a far more eloquent job than I would.
OT. A lot, even.
Sony has been issued a recall of all affected CDs in the UK due to the rootkit issue and it made the national news. I do not know if they jumped before being pushed. Consumers that took a CD home from the US might be affected.
Sony's rootkit: an update (UK update)
No.
Thank you, Sony!
Yes, but that argument plays into a stealth-advertising campaign for 64-bit Windows, too. "psst: upgrade, and yo' booty get no rooty!"
Thank you, Sony!
I have come to avoid all commercial distributors of music. This was easy for me since I already had no interest in the music that was being distributed today (the commercial artist's discs all sound too much alike, the discs cost too much compared to burning my own, the tracks are not in a format that I find useful, etc...).
Sony's rootkit: an update
The DRM issue is pretty borked. I will stop buying music from the big boys when they infringe on my right to use my computer without problems. I'm not copying CD's or doing any P2P sharing. If the music is good, I buy it. If I can't buy it without having to worry what the s/w attempts to do for DRM, I won't buy it.
Sony's rootkit: an update