User: Password:
Subscribe / Log in / New account

Sony's rootkit: an update

For most companies, simply being caught installing rootkit-like software onto the systems of customers who simply thought they were playing a music CD would be bad enough. Certainly, since the Halloween disclosure that some SonyBMG discs install a rootkit (called "XCP") has been a source of grief for that company, and rightly so. It takes a truly expansive interpretation of the notion of "intellectual property rights" to believe that such rights allow the installation of malware on other peoples' computers. As this event - and those which have come after - have shown, however, SonyBMG appears to have learned little from the whole episode.

Just how little the company has learned can be heard on this NPR interview with SonyBMG manager Thomas Hesse. When asked about the rootkit, Mr. Hesse responded:

Most people, I think, don't even know what a rootkit is, so why should they care about it?

As the class-action suits begin to pile up, and as even Microsoft feels the need to create a Sonyware removal tool, maybe Mr. Hesse will eventually realize that people (who are rapidly learning what a rootkit is) do care.

SonyBMG has claimed that there is no "phone home" capability in this software. Unfortunately for the company, connections back home are relatively easy to detect. Some investigation quickly showed that SonyBMG's software does indeed make a connection back home when the CD is played. Nowhere has SonyBMG alerted its users to this behavior and the associated privacy problems.

For additional amusement, see the EULA which comes with the rootkit software.

SonyBMG has made an uninstaller available for those few users which are capable of understanding what a rootkit does and being upset by it. It turns out, however, that this uninstaller is worse than the original rootkit. Running the uninstaller opens a number of holes - which can be exploited via web pages - in the target system. So victims of SonyBMG's rootkit who care about the security of their systems are in a bind; there is currently no straightforward way to get that software off the system without compromising the system even further.

Yet another ironic twist is the possibility that Sony's rootkit includes some LGPL-licensed code, but does not comply with the license. If this were true (and there are some doubts on this point, though they seem to be getting smaller), the hypocrisy would be complete.

In response to all this, SonyBMG announced that it would "temporarily" stop making CDs with XCP on them. There was no apology, much less an offer to compensate people whose systems have been compromised. Neither was there a recall of the (apparently millions) of malware-infected discs which were still in the retail pipeline. Only on November 15 did SonyBMG finally give in, recall the outstanding XCP-infected CDs, and offer to replace discs in the hands of its customers. Said users are still waiting for the compensation offer, however.

It is also worth noting that Sony is still shipping CDs with Sunncomm's MediaMax DRM code on them. MediaMax may not be quite as bad as XCP, but it is still hostile software which, among other things, phones home.

In the end, SonyBMG appears to have been slapped down fairly hard for its actions. It would be a mistake to assume that this sort of incident will not happen again, however. The entertainment industry has managed to create such a strawman enemy out of "pirates" that any sort of response appears to be justified. In a world where these folks can dictate the design of radios and televisions, attempt to legalize online attacks against "pirates," and file lawsuits against children, the addition of malware to a music disc seems like a small thing. Until such a time as this industry stops seeing its own customers as enemies, it will fail to show those customers any respect.

Linux users should not expect much respect either. Efforts like the broadcast flag already threaten to make the creation of free television and radio receivers impossible. Beyond any doubt, the music industry looks forward to the day when even playing a song on a free system will be disallowed. As Linux users, we are not much impressed by the idea that, in order to play a music track, we must accept the installation of hostile software onto our systems. Unfortunately, we may yet see a day when that is the only choice we have.

(See also: the EFF's open letter to SonyBMG and the Sony timeline on BoingBoing).

(Log in to post comments)

Sony lying about its product?

Posted Nov 15, 2005 18:47 UTC (Tue) by proski (subscriber, #104) [Link]

SonyBMG has claimed that there is no "phone home" capability in this software. Unfortunately for the company, connections back home are relatively easy to detect. Some investigation quickly showed that SonyBMG's software does indeed make a connection back home when the CD is played.
Isn't that a crime? It looks like Sony intentionally mislead the customers while the compromised CDs were still available for sale.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 15, 2005 18:48 UTC (Tue) by riel (subscriber, #3142) [Link]

Complaining makes little sense, since Sony does not appear to be sensitive to the many complaints that have been raised so far.

The easiest way to get their attention would probably be to stop buying Sony products, and to let them know in public places (like LWN). I know Sony won't be seeing any of my money any time soon.

Having said that, if they resolve the LGPL violation, and stop shipping rootkits, and release a really cool product, I might buy from them again. I suspect this may never happen though...

Don't want a rootkit? Stop buying from Sony...

Posted Nov 15, 2005 19:17 UTC (Tue) by danielpf (guest, #4723) [Link]

For example they could sell a laptop powered by a
Cell processor with Linux preinstalled...
Of course knowing their previous reputation about not so
clean software, I would only buy such a laptop if all
the included software were open sourced.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 15, 2005 20:24 UTC (Tue) by gte223j (guest, #6492) [Link]

Don't want a rootkit? Stop buying from Sony...

Posted Nov 16, 2005 13:35 UTC (Wed) by hazelsct (guest, #3659) [Link]

And how sure are we that the BIOS never phones home over the entire lifetime of the laptop? And if it doesn't for current models, what's to say it won't in the future?

I personally will never buy anything from Sony, unless and until there is a total overhaul in corporate philosophy and practice away from both rootkits and proprietary formats, devices, etc. (i.e. no more minidisks or memory sticks, and their hardware should be capable of running an open BIOS). As Londo Mollari might say, "Dishonesty and arrogance in one neat package, how efficient of you."

Minidiscs are pitiful

Posted Nov 16, 2005 13:57 UTC (Wed) by man_ls (guest, #15091) [Link]

Minidisc is the most stupid flop since DAT, at least in the consumer space; in the professional arena the format is alive thanks to other companies. I bought a professional model and got burned: badly thought out, poor battery life and is not so hot recording live audio. And they were supposed to replace walkmen! Meanwhile, Apple, Rio and even obscure outfits like Inovix are selling like crazy to fill the void.

Not everything from Sony is so bad: e.g. miniDV seems to be a pretty open format, and consumer video cameras are OK. But in many other areas all there is left of Sony is the high pricing.

Minidiscs are pitiful

Posted Nov 17, 2005 12:12 UTC (Thu) by khim (subscriber, #9252) [Link]

Not everything from Sony is so bad: e.g. miniDV seems to be a pretty open format, and consumer video cameras are OK.

miniDV was never SONY format. Digital8 was. And... as usual: it's gone. Now SONY is trying to show that it had miniDV in mind all along, but that's not the case.

It does prove that SONY can develop pretty open devices - when pressured enough. By default SONY will develop something proprietary and closed...

Minidiscs are pitiful

Posted Nov 18, 2005 2:09 UTC (Fri) by bk (guest, #25617) [Link]

Minidisc is still alive in the rather small niche of (often clandestine) live recording. Most tapers use MD since it is relatively cheap, available and of decent quality despite the horrid ATRAC format.

Very well-to-do tapers use DAT which has widespread use in professional recording. Unfortunately it costs an arm and a leg (although, realistically, not that much more expensive than the high end iPods...) and is somewhat obscure. People who can afford DAT often know people and can get a soundboard feed, the result is basically studio-quality live recordings.

Smart frugal tapers use DAPs that have good built-in recording features (iPods unfortunately have crippled recording with the standard firmware), like (plug!) Rockbox running on an iRiver H1xx. Lossless, high quality recording up to the limits of the built-in 20 or 40GB hard drive.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 16, 2005 15:38 UTC (Wed) by gte223j (guest, #6492) [Link]

"And how sure are we that the BIOS never phones home over the entire lifetime of the laptop? And if it doesn't for current models, what's to say it won't in the future?"

A bios that can form a packet and initialize the nic and send it down the wire.........sounds rational to me........

not to mention all of the net config stuff.........gateway and route.....and ARP......

and then not only would it have to do all of this...but it would have to gather good info.......hd mbr....or files.....and know how to mount a filesystem to send the really juicy data...........

granted it is possible.....but higly improbable......

paranoia cha cha cha........


Don't want a rootkit? Stop buying from Sony...

Posted Nov 16, 2005 20:45 UTC (Wed) by deater (subscriber, #11746) [Link]

Apparently you've never used PXE to boot Linux off a network. If you had you'd know the BIOS is perfectly capable of initializing the network card, running DHCP to get an IP address, and start making requests onto a network.

All of that before any Operating System is ever loaded.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 16, 2005 21:36 UTC (Wed) by gte223j (guest, #6492) [Link]

You're right.......I haven't used PXE and it slipped my bad...........

however...... what if it is not a dhcp network??? how will it know how to get out............. and what about wireless......

the use case would be to phone home if there is a nic and there exists a dhcp server........


"granted it is possible.....but highly improbable......"

I am not saying don't worry about it...but there comes a point when rationality is thrown out the window...............


Don't want a rootkit? Stop buying from Sony...

Posted Nov 16, 2005 23:26 UTC (Wed) by clump (subscriber, #27801) [Link]

PXE is just one way x86 machines can do "networking" in the BIOS. SPARC machines have had this functionality and much more in their Openprom layer for many years. Very old SparcStations even can boot over NFS.

Why x86 vendors have never thought to offer a useful preboot layer is beyond me. Sure you can buy expensive systems and add-ons that can possibly give you SPARC-like functionality. Not to badmouth PXE, but please. That is the best standard x86 has to do network booting? x86 clearly leads in performance for the money. But for managability, even a Mac Mini can toast most Dells.

That said, my point is that just because x86 *still* isn't very mature in the BIOS does not mean a vendor couldn't phone home. Since other vendors have had smart preboots for years means the technology exists. I wouldn't put it past Sony to do such a thing.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 15, 2005 19:38 UTC (Tue) by kh (subscriber, #19413) [Link]

Instead of complaining or boycotting, I wish we could support some other standard - I wonder if some of the Free Software (and Free Culture) folks could approach the people developing the EVD format.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 15, 2005 20:15 UTC (Tue) by proski (subscriber, #104) [Link]

Actually, the CD format is OK. The problems are the autorun feature implemented unsafely by Microsoft (the user is not informed that the software is going to be run) plus Sony's abuse of the customers' trust (users don't expect bad things from a well known company).

Sure, having a data disc format unencumbered by Sony patents would punish them, but I don't see how regular LWN readers could help with that.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 16, 2005 14:21 UTC (Wed) by kh (subscriber, #19413) [Link]

Sorry for not spelling it out better... the parent was speaking about boycotting Sony, and I read that as boycotting all of their products, not just their music discs. And where as a straight CD is not a problem format for Linux, DVD, and the upcoming HD-DVD or Blu-Ray I suspect will not be easily accessible in Linux. But perhaps the EVD backers would be easier to work with?

They're not CD's!

Posted Nov 16, 2005 12:02 UTC (Wed) by csamuel (✭ supporter ✭, #2624) [Link]

Remember that these silver discs are NOT CD's - they do not comply with the CD standard and so cannot have the logo.

As this BBC article from the 4th November says, Philips are quite clear on this point:

As far back as 2002, Philips representative Klaus Petri told Financial Times Deutschland that "those are silver discs with music data that resemble CDs, but aren't".

They're not CD's!

Posted Nov 18, 2005 2:16 UTC (Fri) by bk (guest, #25617) [Link]

The Sony EULA claims that the CDs are Red Book, meaning that they do conform to the CD standard as defined by Philips. I would be interested to see if they actually carry the Compact Disc Digital Audio logo.

If not, the EULA is demonstrably false and misleading (bad news for Sony), if they do then it looks like one of the big five has found a way around the standards issue (bad for the public).

They're not CD's!

Posted Nov 20, 2005 9:20 UTC (Sun) by Ross (guest, #4065) [Link]

I believe the other poster was thinking of some other copy prevention schemes pushed by the major record companies which use non-compliant discs. The owner of the CD mark even threatened to take away their right to use it. This scheme uses a Windows misfeature and a rootkit to do its work. There's no reason for it not to be a real CD.

Don't want a rootkit? Stop buying from Sony...

Posted Nov 21, 2005 18:07 UTC (Mon) by NRArnot (subscriber, #3033) [Link]

I can't agree strongly enough.

I will be buying nothing new from Sony in the forseeable future, unless there is no alternative manufacturer of a product that I really cannot do without.

I have a Sony laptop, a Sony DVD recorder, Sony in my car. When these need replacement, the replacements will not be made by Sony. And of course, I'll be buying as little Sony-branded music as I can.

Whatever Sony's paid spin-doctors say, the corporation won't actually listen to us until we, their former or potential customers, make a noticeable hole in the Sony corporation's bottom line. Personally, I'd like that hole to be so large that the corporation sinks -- but that's up to the rest of you.

If anyone from Sony reads this and wonders what they can do to mollify me, the answer is, probably nothing. Would you ever again buy food from a company that had been caught deliberately using urine as an undeclared ingredient? Would it make any difference that you hadn't actually eaten the polluted product?

Buy Sony last. Tell your friends.

Sony's rootkit: an update

Posted Nov 15, 2005 19:09 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

I have a few comments and questions regarding the EFF Sony EULA link:
  • Does the EULA cover the music or the software? After all, isn't the purpose of buying a music CD for the music?
  • If I bought such a CD with the accompanying EULA, and the EULA police came knocking on my door, couldn't I just say, "Sure, I'll relinquish my rights to use the software, but I'd like to keep the music!"
  • Isn't a EULA some kind of legally binding contract? Does that mean that I have to (a) sign somewhere when I purchace into the contract (in many places, a signature is required of such legal documents), or (b) be informed of such a legally-binding agreement at time of purchase? I envision a time in the not-so-distant future when we're going to have to sign our lives away at places like Wal-Mart, Best Buy, Circuit City, etc. whenever we buy a {music CD|movie DVD|any other form of media}, and the retailers are going to keep a stack of paper contracts handy with notaries public standing by the sales registers (Okay, that's a little extreme, but not implausible given the current state of DRM). Imagine how tough it would be for to sell someone a CD or DVD given this restriction.
  • In the meanwhile, how can I abide by the terms of the EULA if I don't have a computer? If I buy the music CD for the sole purpose of playing it on my {home|car|portable} stereo, and I don't ever see the terms of the EULA, does that mean that I have to abide by the terms of a "phantom" contract which I might never see?
  • One final question: Let's assume that the EULA is not a legally binding agreement, due to the sheer complexity (and cost) of implementing the Orwellian society I painted in the third bullet above with respect to DRM, and I never agree to the EULA (or even see such a document). Can [media company] still haul me into court for failing to abide by a legally binding contract to which I never agreed to in the first place if they "catch" me listening to my music CD? Granted, I do realize that the whole thing about DRM is to protect the media companies against me doing something illegal with the music/movie (like file sharing on P2P networks, etc.), but Sony's willingness to use rootkit technology to ensure everyone complies seems a little extreme.

DRM has gotten out of hand. This Sony incident has only brought to light the issue of what lengths companies will go to given a piece of legislation (DMCA) to hide behind. Much kudos to Dr. Russinovich and his wonderful Blog.

<snide comment>Resistance is futile. Prepare to have your computer assimilated into the [media company] collective.</snide comment>

Sony's rootkit: an update

Posted Nov 15, 2005 20:55 UTC (Tue) by NAR (subscriber, #1313) [Link]

Isn't a EULA some kind of legally binding contract? Does that mean that I have to (a) sign somewhere when I purchace into the contract (in many places, a signature is required of such legal documents), or (b) be informed of such a legally-binding agreement at time of purchase?

If you buy a ticket for the train/underground/bus/etc., you enter into a contract with the public transport company but I doubt you sign anything.


Sony's rootkit: an update

Posted Nov 16, 2005 1:39 UTC (Wed) by phgrenet (guest, #5979) [Link]

For the difference between a license and a contract, no better source than LWN: The GPL is a License, not a Contract

license vs contract

Posted Nov 18, 2005 0:20 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

>For the difference between a license and a contract,
An important difference to know, but not relevant here. We're not talking about a license; we're talking about a EULA - end user license agreement. Agreement is a synonym for contract. This is a contract in which the copyright owner gives you a copyright license in exchange for money and various promises from you.

Sony's rootkit: an update

Posted Nov 16, 2005 10:13 UTC (Wed) by nix (subscriber, #2304) [Link]

In the UK at least there is the concept of `implied contracts', which are what you enter into when e.g. you pull something off the store shelves, and what you are violating if you then walk out of the shop without paying for it; you'd also have one with the public transport company. Intent and mutual understanding are very important here: you probably don't enter into an implied contract with Sony allowing Sony to dump rootkits on your computer merely because you bought a CD that they happened to originally produce!

(Disclaimer: IANAL but I've typed up stuff for lawyers on this subject when critically short of money over a decade ago; info may be terribly inaccurate)

contracts without signing

Posted Nov 18, 2005 0:30 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

In the UK at least there is the concept of `implied contracts', which are what you enter into when e.g. you pull something off the store shelves,

That's not even an implied contract, at least in US terminology. It's an explicit contract. (Technically, it isn't formed when you take the item from the shelf, but when you check out, which is why the price is allowed to change in between). An implied contract would be one defined in law that the two parties didn't actively choose to enter.

There's simply nothing in law that says a signature or piece of paper is required for a contract to be legally binding. The vast majority of contracts don't have that.

There are some laws, called "statutes of frauds" that make contracts of certain kinds unenforceable if not on paper. For example real estate transactions usually require paper, and many loans do. Under the Uniform Commercial Code (which is the law most places in the US), a contract that has elements that will take longer than 3 years to complete must be in writing.

EULA and the UCC

Posted Nov 15, 2005 21:12 UTC (Tue) by ncm (subscriber, #165) [Link]

First, the EULA is not a legally binding contract. In the U.S., the Uniform Commercial Code (UCC) makes clear that the vendor cannot place any additional restrictions or conditions on you, the buyer, after you have paid your money(*). If it's not on the outside of the box, it's wastepaper. Even if it is on the box, but contradicts local warranty consumer-protection laws, it's wastepaper. Similarly, any sort of "click-through" during installation is void: you already paid, it's too late to demand your acquiescence. If you have to click it to get to what you paid for (i.e., the music), then clicking it doesn't mean anything. It's better, as a policy, not to read it, except perhaps as a warning of what damage they are promising you might suffer, i.e. like the "hazard" warning on your toaster. (Be sure to tell your lawyer about your policy.)

Second, the danger is not Sony breaking down your door to try to enforce their (void) contract. At issue is whether you are owed damages for the harm they have caused you even though they "disclaimed" it. Did you "agree" to be kicked in the nether region, just by clicking on that button? Hell, no! (*) Even if it were a valid contract, any of its provisions that damage your machine are superseded by the warranty, and by any other laws they violated. I doubt a judge would even let them introduce the EULA in evidence, if your own lawyer is on the ball to object.

Third, I don't understand why everybody who writes about this acts as if the EULA had any legal standing. At most, paragraphs might be snipped from it to be introduced as written proof of Sony's malice aforethought.

Fourth, if you were harmed, you will be better off explicitly opting out of any class-action suits. You can sue Sony in your local small-claims court for (e.g.) the time it took to re-install your OS, and probably get treble damages. If your damage was greater -- e.g. local network compromised by worms taking advantage of the holes it installed -- you can still sue, and get treble damages, and Sony still probably won't spare a lawyer to show up and contest it. If you or yours were harmed, then please, please do sue Sony, and then blog all about it. Compete with other bloggers for the side of the damage award extracted. Make it worth your while; your damages (itemized) should include the time it took you to bring the case to court, too.

(*) I'm no lawyer. Also, last I heard, the UCC was rescinded in Maryland. Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere. If you live in one of those places, you might be screwed -- however, since they broke the law, it might be void anyhow!

EULA and the UCC

Posted Nov 18, 2005 1:02 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I'm no lawyer. ... Furthermore, in the U.S. Federal 2nd Circuit (NY, VT, CT), shrink-wrap EULAs were actually determined to be binding, although the decision was widely criticized and is said to be unlikely to be influential elsewhere.

Doesn't that kind of negate your whole first paragraph ("the EULA is not a legally binding contract")? On the left hand, we have someone who is not a lawyer, and some nebulous crowd of people criticizing a court decision. On the right hand, we have a federal appeals court judge in an actual court decision. Seems to me the left hand is all but empty.

I know the case in question quite well, and I haven't heard that people think it won't be influential anywhere else. The decision is solidly reasoned and there aren't conflicting decisions in other circuits. I'm sure there were the usual statements that a 2nd Circuit decision isn't binding anywhere else, but such decisions are nonetheless usually highly influential.

The judge, incidentally, not only describes why shrink wrap agreements are legally enforceable (giving precedents for well-accepted contracts that aren't complete until some time after money changes hands), but also that it would be bad policy if they weren't -- forcing people to waste packaging space on fine print nobody reads anyway.

I've also read the UCC, though not so recently that I remember every paragraph, and I sure don't remember anything about not being able to add restrictions on the buyer after the buyer has paid. There are plenty of contracts where paying money comes before negotiation is complete. If you have a section number, I'd be interested.

Sony's rootkit: an update

Posted Nov 15, 2005 22:18 UTC (Tue) by kms (subscriber, #6679) [Link]

> Isn't a EULA some kind of legally binding contract?

I believe it attempts to be a contract, though in most jurisdictions it is impossible for a minor to enter into such a contract so just get your kids to buy your CDs and you'll be fine :-)

I stand corrected about this EULA

Posted Nov 16, 2005 4:15 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

I was wrong earlier; the GPL is indeed a good example of a license vs. a contract.

Furthermore, I found the actual text of Sony's EULA on Mark Russinovich's Web page here.

I read through all the legal-ese (IANAL), and sure enough this EULA does indeed target the "DIGITAL CONTENT" of the disc. Which means pretty much all the content, since a CD is a 5km-long spiral of microscopic pits and plains that represent binary 0's and 1's. How someone might interpret the music to be part of the digital content could be debated; I realize that once you play the CD on a loudspeaker system, it's no longer digital and therefore not subject to the restrictions of the EULA (although it does fall under the jurisdiction of performance restrictions under copyright law, but that's a whole other topic).

Also, I'd like to thank Mark Russinovich for sharing his experiences. Although I do not use MS Windows (I've been "Windows-Free" since August 2004), I feel that we need people like him with incredibly sharp Windows skills and a Blog to make people aware of the consequences of installing closed-source software (and having to agree to a EULA) for which you have no knowledge of what that software's actually doing to your PC.

But that goes for all licensed software. I feel better about running a piece of licensed software on my computers for which somebody is examining the safety, security, and reliability of that software (thus explains one of the many reasons I like open-source). A college professor told me that the legal issues of running licensed software later found to be intentionally (or negligently) malicious will be very seriously examined in the next few years. Perhaps the "Sony DRM Rootkit incident of 2005" is only a preview of what's to come...

I stand corrected about this EULA

Posted Nov 16, 2005 9:27 UTC (Wed) by james (subscriber, #1325) [Link]

Despite reality, the EULA defines DIGITAL CONTENT not to include the music:

This compact disc (“CD”) product contains standard so-called “Red Book”-compliant audio files that can be played on any standard CD player, including those contained in many personal home computer systems. As an added feature, this compact disc (“CD”) product also enables you to convert these audio files into digital music files and/or may also contain other already existing digital content (such files and content, collectively, the “DIGITAL CONTENT”)

Incidentally, even if you accept the validity of EULAs, this one doesn't come into force until you click "AGREE". If you don't click "AGREE", then presumably normal copyright law is in effect:

By clicking on the “AGREE” button below, you will indicate your acceptance of these terms and conditions, at which point this EULA will become a legally binding agreement between you and SONY BMG.

Unfortunately, in the USA "normal copyright law" includes the DCMA. A case could be made that if the DRM software was "technical measures", and the technical measures included a mechanism designed, documented and labelled to turn off the technical measures, then you aren't circumventing them. But I wouldn't care to rely on that if I had to defend myself against Sony.

As always, I Am Not A Lawyer. Sorry.

Tab, enter?

Posted Nov 17, 2005 3:15 UTC (Thu) by midg3t (guest, #30998) [Link]

Now if you were to press tab a couple of times and press space or enter on the "Agree" button, would you still be accepting the EULA?

What about if you wrote an application to scan all window elements for the text "I Agree", and any that matched would be sent the appropriate Win32 API "activate" signal.

And what about if somebody else installs that software on your machine.

How about if you wrote a wrapper around the installer that bypassed the entire EULA, beginning execution at the first real install step, were files are decompressed & installed.

Perhaps it's a long shot, but in a world where the law is what is written and not what is intended, who knows what you can get away with.

I stand corrected about this EULA

Posted Nov 17, 2005 8:52 UTC (Thu) by chad.netzer (subscriber, #4257) [Link]

My reading is that they DO include the "audio files" in their definition of "DIGITAL CONTENT", or at the very least, any "digital music files" created from the "audio files". And you can bet that is what they intended.

What is wierd is that they claim to include software to convert audio-files into digital music files, which further implies that they may have included code from LAME (and probably some CD-Paranoia like application). Ie. they claim to include ripping and conversion software. Hmmmm.

How rude

Posted Nov 15, 2005 19:20 UTC (Tue) by bojan (subscriber, #14302) [Link]

> Most people, I think, don't even know what a rootkit is, so why should they care about it?

If this isn't the rudest thing I've read in a long time... Imagine a doctor saying to a patient in hospital: "Don't worry, you wouldn't know what your illness is even if I told you, but you'll die from it nonetheless." Now wouldn't a world like that be grand?

I just hope whoever sues them goes all the way.

No wonder Sony doesn't sell/market software

Posted Nov 15, 2005 23:16 UTC (Tue) by pr1268 (subscriber, #24648) [Link]

I think that Sony's (Thomas Hess) above response is, well perhaps, somewhat accurate - I know a lot of people who have no clue what a rootkit is.

But that makes it no less excusable or inappropriate. Sony/BMG's focus is on media (Movies, music, etc.), and has nothing to do with software (except for their desktop/laptop business, and perhaps a bunch of that is also outsourced). As such, I don't get the impression that they knew what First4Internet's XCP technology actually did to users' computers when they inserted the CD and started clicking.

The way I see what unfolded with Sony/First4Internet is:
  1. Sony needs some DRM software to curb casual piracy and full-blown P2P file sharing.
  2. Since Sony is not in the software business, they contract out to companies whose expertise is writing Windows-based software to create a DRM utility which can be easily included on mass-produced music CD's.
  3. First4Internet wins a contract, and they demo their XCP product to a bunch of Sony executives, showing how their software will enable the user to play the CD only with the provided media player, limit ripping to three copies, and send information about the user, his/her computer, and any other pertinent (or not) information across the Internet to some server.
  4. The Sony executives, whose focus is on non-software media, are delighted at how well the XCP software thwarts piracy. They order their factories to include the XCP software, not knowing themselves what a rootkit is (much less the naive, unsuspecting consumers to whom they're targeting their media discs).
  5. Mark Russinovich discovers the rootkit, traces it to its source, posts his Blog, and the excrement hits the fan all over the Internet.

I suspect that Thomas Hess didn't know what a rootkit was until that excrement hit him in the face. Thus, he might have been speaking more for himself than for all of those media consumers whose PC's are now infected.

Truly a shame...

At this level, ignorance == incompetence

Posted Nov 16, 2005 0:31 UTC (Wed) by MarkVandenBorre (subscriber, #26071) [Link]

I suspect that Thomas Hess didn't know what a rootkit was until that excrement hit him in the face.

From a certain level of responsibility, ignorance equals incompetence.
The people responsible for this debacle are incompetent at best, but most probably just guilty.

No wonder Sony doesn't sell/market software

Posted Nov 16, 2005 2:44 UTC (Wed) by bojan (subscriber, #14302) [Link]

> I think that Sony's (Thomas Hess) above response is, well perhaps, somewhat accurate - I know a lot of people who have no clue what a rootkit is.

Well it is accurate, all right, that most people don't know what a rootkit is. But what about the "why should they care about it" part? This implies, at least to me, that we are all just a bunch of idiots, mindless drones that don't (or shouldn't) care whether our privacy is invaded and our property damaged by Sony.

He's got obviously no shame if he's capable of saying something as offensive as that.

No wonder Sony doesn't sell/market software

Posted Nov 16, 2005 15:55 UTC (Wed) by ikm (subscriber, #493) [Link]

Good point, thanks for putting this out! SONY may well be an evil corporation (or, well, maybe not), but this incident does not neccessarily indicate the presence of some intentional malice plotted by some greedy execs. When choosing between malice and stupidity, the latter wins almost always. After all, it is just stupid to plant rootkits onto the consumers and think nobody would ever notice.

No wonder Sony doesn't sell/market software

Posted Nov 20, 2005 17:24 UTC (Sun) by ekj (guest, #1524) [Link]

But there's no connection (or very little) about knowing about something, and caring about something.

A person can very well have no idea whatsoever what say HIV is, but still care very much if someone intentionally infects them with it.

A person can very well have no idea whatsoever what a capacitor is, but still care very much if a leaky one turns their expensive computer into a paperweigth.

And a person can very well have no idea whatsoever what a rootkit is, but still care when a malevolent corporation secretly installs software on their computer that limits what they can do and spy on the user.

Knowing the technical term for something is not required for caring about the effects of something.

No wonder Sony doesn't sell/market software

Posted Nov 23, 2005 2:16 UTC (Wed) by ronaldcole (subscriber, #1462) [Link]

Even if your theory is right, Sony still pulled the trigger on that "gun" they bought.

If Sony still has enought assets to afford an attorney after they get their asses handed to them in a (red) hat, then they should sue First4Internet if they misrepresented their product to Sony.


Posted Nov 16, 2005 16:32 UTC (Wed) by soundray (guest, #688) [Link]

Apart from the rudeness, it's the logic behind the statement that amazes me most. What kind of twisted mind would come up with an argument like this?
  • People don't know what X is.
  • Therefore, people shouldn't care about it.
  • Therefore, we are justified in spreading X throughout the world.
Just imagine replacing "X" with "retrovirus" instead of "rootkit". Hey, we can stop all AIDS prevention campaigns!

Removing the rootkit

Posted Nov 15, 2005 21:19 UTC (Tue) by carey (guest, #19902) [Link]

According to Mark Russinovich's blog, the safe way to remove the rootkit is to run this command and reboot:
sc delete $sys$aries
This is more or less equivalent to this, on Debian:
update-rc.d -f '$sys$aries' remove

Sony's rootkit: an update

Posted Nov 16, 2005 16:56 UTC (Wed) by fjhieb (guest, #4748) [Link]

What I find intriguing is:

What did Microsoft know about this, before this whole thing got discovered?

It's been my impression that MS has been bedding down with the whole DRM crowd for quite some time. How is it that XCP could have been developed without some critical internal system information being provided to the developers, as well as queries coming back the other way? If that's the case, MS is complicit in this as well. What's been their response to having their installed base of OS's compromised worldwide by one of their significant partners?

Microsoft's DRM could be even worse

Posted Nov 16, 2005 20:27 UTC (Wed) by pr1268 (subscriber, #24648) [Link]

I think Microsoft wasn't all that aware of what Sony/F4I's XCP DRM technology did to users' computers until after the rootkit news hit the Internet. Additionally their motivation to remove the XCP rootkit with their "Windows Defender" anti-malware utility and Windows Update tells me that they at least realize the evils of the XCP software and are addressing PC users' concerns.

As much as I don't care to defend MS, my respect for them did shoot up a few points due to their prompt response on this matter.

But, you make a good point about MS and DRM in general. They're certain to incorporate DRM technology into the core OS kernel of the upcoming Vista operating system. Being closed source and all, they can put stuff into the OS that would essentially disable most media playback unless it was done on their terms. Perhaps MS is actually thinking up new and inventive ways to use the cloaking techniques of XCP to hide all kinds of stuff from the end-user and pretend that we don't really need to care what is really happening to our computers.

Microsoft's DRM could be even worse

Posted Nov 18, 2005 16:29 UTC (Fri) by grouch (guest, #27289) [Link]

Microsoft has been courting the MPAA and RIAA all along during their development of Palladium or Longhorn or whatever name they're using this week. It's not a matter of them being unaware. It's a matter of who pays more, the lowly "consumer" or partners.

Better re-read that XP EULA and take note of the similarities to Sony's XCP EULA. If you run XP, BillG has root access. XCP gives Sony (and now, malicious websites) root access. Both require you to accept future, undeclared and undisclosed installations at their discretion. Each admits to at most $5 in liability. You can check the rest of the similar bullet points for yourself.


Posted Nov 17, 2005 2:37 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

It is my understanding that neither the GPL nor the LGPL have ever enjoyed the scrutiny of a no-kidding court case.
Could this be the inaugural bout? Go, FSF!


Posted Nov 17, 2005 10:03 UTC (Thu) by Duncan (guest, #6647) [Link]

I'm not sure about the LGPL, but the GPL certainly has. I forget the
name, but one of the NetFilter developers has been quite active in
asserting his rights over in Germany. The law there (where he lives)
places a tight timetable on bringing an action to court, something like
four weeks, so once he contacts a company and the clock starts ticking,
they have to decide rather fast (by US standards) whether they will comply
or fight. In a couple of cases, they haven't been fast enough to comply,
and the cases have gone to court. He's won real court injunctions in all
of them, I believe, which after the first couple, he could point to, and
has had less trouble getting the desired response in the time allowed.

He has been somewhat controversial, because the FSF tends toward a more
negotiated approach, which has generally been successful both in
resolution and in keeping it out of court, but can take years. This guy's
assertiveness gets faster results but with the risk of making political
enemies. Still, it's a technique that has been proven to work, and he
argues that the way the German system is setup, he has little choice if he
wants to retain his full range of enforcement rights, due to this clock
ticking thing.

In any case, its no longer true that the GPL hasn't been tested in court,
and IMO the two approaches tend to balance each other out to some extent.

LGPL, however, I haven't any idea.



Posted Nov 24, 2005 8:49 UTC (Thu) by Wol (guest, #4433) [Link]

Bear in mind, that the clock doesn't start ticking when the copyright holder notifies the infringer, it starts ticking when the copyright holder discovers the infringement.

So the netfilter guy HAS to contact the infringer, and threaten to sue them (and carry out that threat if necessary), or he loses his right to sue.

I think that on the few occasions it has gone to court, both sides have agreed to ask the judge "please toll this, we're still negotiating". ("toll"ing being "stopping the clock", thanks for the education, PJ.)



Posted Nov 24, 2005 16:51 UTC (Thu) by Duncan (guest, #6647) [Link]

Thanks. I didn't remember precisely when the clock started. If it's at

However, depending on how discovery is handled, despite what the law says,
it wouldn't /have/ to start at discovery. For the clock to matter at that
point, there'd have to be some evidence of when discovery happened. As
long as one does their investigation quietly and doesn't mention what
they've discovered right away, there's obviously some flexibility as to
when one was "certain" they had discovered something, not just suspicious
about a /possible/ violation.

As far as the court cases, I remember at least one and I believe two
actual preliminary injunctions. IIRC, the one was a case of win by
default, because the manufacturer hadn't responded. They had very little
presence in Germany anyway, IIRC, so it wasn't much to lose, but that set
the initial court precedent.

However, if you are a Groklaw regular, you may well know more about it
than I.



Posted Nov 17, 2005 19:09 UTC (Thu) by tcabot (subscriber, #6656) [Link]

There are two ways to look at this. The first way says "it's never been proven in court", and takes this to mean that the license is somehow weaker as a result. The second way (as explained by Eben Moglen at the FSF annual associate member meeting) is "everyone that's considered challenging it in court has backed down before it got that far" and takes this to mean that the license is so strong that there's no point in challenging it in court.

Remember that the GPL *grants* you rights that you wouldn't otherwise have under copyright law. So let's imagine that you go to court and have the GPL declared legally invalid. Congratulations, you've just sawed off the branch that you were sitting on because then you would have *no* right to distribute GPL'ed code.


Posted Nov 20, 2005 2:34 UTC (Sun) by sweikart (guest, #4276) [Link]

Here's an article about the GPL in court:


OT. A lot, even.

Posted Nov 17, 2005 2:53 UTC (Thu) by kena (subscriber, #2735) [Link]

I could rant 'n rave about Sony, but others, above, have already done a far more eloquent job than I would.

Instead, I'm just going to sit back in awe at the incredible signal:noise ratio in these comments. I've seen no fewer than two people unilaterally retract previous statements when they -- of their own volition -- found contradictory information. _How the hell often does *that* happen in 'Netland?_ In addition, all the posts have been wildly informative, insightful, or both. Truly, my LWN money is well-spent. [Sadly, I recently had to go from "got out of LNUX in time" (which I almost did) to "poorer 'n dirt". Child on the way. Once my finances find some sort of equilibrium, I'll take the middle ground.] That aside, LWN is truly a valuable resource, and one we should all spout off about (presumably to those who might be interested) when we have the chance.

Keep up the good work, all!

Oh. And yeah, ummm... "Death to Sony!" or something.

Sony's rootkit: an update (UK update)

Posted Nov 17, 2005 15:58 UTC (Thu) by dps (subscriber, #5725) [Link]

Sony has been issued a recall of all affected CDs in the UK due to the rootkit issue and it made the national news. I do not know if they jumped before being pushed. Consumers that took a CD home from the US might be affected.

The word "rootkit" was definitely mentioned, and that rootkits were bad. If Sony has to replace all those CDs with one sans the rootkit, then one hopes the financial impact is enough to discourage the practice in future releases.

I am aware that writing virii is probably illegal under the computer misuse act, so one suspects rootkits might be too. Explaining why you needed a rootkit to implement DRM technology might be a little difficult. M$ will no doubt make DRM a feature of their OS so no rootkits, or other software, is required.

Thank you, Sony!

Posted Nov 17, 2005 19:33 UTC (Thu) by Baylink (guest, #755) [Link]




I think we all owe Sony a debt of gratitude... for getting the general public up to speed on what rootkits are, and why they're bad. I realize that this is the "uninvited tiger team" argument that crackers (not hackers :-) make, which is rebutted by most of the community whose chapeaux are blanc, but you know what? It works.

(And my thanks to Apple's ad agency...)

Thank you, Sony!

Posted Nov 18, 2005 14:15 UTC (Fri) by smitty_one_each (subscriber, #28989) [Link]

Yes, but that argument plays into a stealth-advertising campaign for 64-bit Windows, too. "psst: upgrade, and yo' booty get no rooty!"

Sony's rootkit: an update

Posted Nov 24, 2005 12:01 UTC (Thu) by rabnud (guest, #2839) [Link]

I have come to avoid all commercial distributors of music. This was easy for me since I already had no interest in the music that was being distributed today (the commercial artist's discs all sound too much alike, the discs cost too much compared to burning my own, the tracks are not in a format that I find useful, etc...).


I do listen to Electronic genres such as trance, tech-step, DnB; Electronica is a genre that no big label would want to traffic on a continuous basis. My methods of getting new tracks are simple: I get indie music direct from the indie artist. No middle men means no DRM, at least for now. That 'direct connection' method could easily serve as a workaround to this rootkit problem (and several similar problems) for ANY consumer, if the consumer mounted considerable efforts to demand a direct connection from each artist. To create the direct connection mechanism, simply get a message through to each artist that this kind of user restriction is not acceptable, tell the artist that you would not accept computer hardware that prevents you ripping tracks (which you have been permitted to download direct from the artist) to another format, tell the artist that you would not accept rootkit software, and so forth. If the artists learn to dislike and hopefully distrust the commercial labels that pull this kind of abuse, then maybe the digital era can resume where it left off.

No, I am not naive... Just be sure to accept and obey the terms which the artist places in the copyrights to the tracks you get from them. The broad, unrestricted distribution of copyrighted tracks over p2p was a consumer error - the consumer did not respect the artists copyright, but the copyright was placed there by the label, the artists get convinced that they need copyrights when some artists could care less. Why would some artists not care? Because the middlemen are getting many times more revenue, per track, than the artist gets.

Sony's rootkit: an update

Posted Nov 26, 2005 21:23 UTC (Sat) by finster (guest, #32338) [Link]

The DRM issue is pretty borked. I will stop buying music from the big boys when they infringe on my right to use my computer without problems. I'm not copying CD's or doing any P2P sharing. If the music is good, I buy it. If I can't buy it without having to worry what the s/w attempts to do for DRM, I won't buy it.

Thanks Sony for alerting me to this problem . . . now you know my solution. Your ridiculous way of making your warning of copy-protection's presence on the CD inconspicuous but yet present, will also give people a reason to start sharing. I mean, nice friggin' font on the Foo Fighters' CD. What is that? 3pt? Really glad I don't run an M$ OS.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds