Texas Sues Sony BMG over Rootkit

Mr. Sketch writes "According to Yahoo!, Texas Attorney General Greg Abbott 'filed a civil lawsuit on Monday against Sony BMG Music Entertainment for including "spyware" software on its media player designed to thwart music copying. [...] Texas is seeking civil penalties of $100,000 per violation of the state's Consumer Protection Against Computer Spyware Act, which was enacted earlier this year. "Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott said in a statement.'"

So, um...

[brilinux (255400)]

Don't mess with Texas?

Re:So, um...

[mattsucks (541950)]

Don't root Texas.

First Prime Factorization Post

[aldeng (804728)]

According to Yahoo!, Texas Attorney General Greg Abbott 'filed a civil lawsuit on Monday against Sony BMG Music Entertainment for including "spyware" software on its media player designed to thwart music copying. [...] Texas is seeking civil penalties of $2 * 2 * 2 * 2 * 2 * 5 * 5 * 5 * 5 * 5 per violation of the state's Consumer Protection Against Computer Spyware Act, which was enacted earlier this year. "Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott said in a statement.

Scotch Tape

[crabpeople (720852)]

Not the only bit of news worth covering on this today. Aparently someone [informationweek.com] found out how to defeat the copy protection with an ordinary piece of tape.

from the link:

Sony BMG Music's controversial copy-protection scheme can be defeated with a small piece of tape, a research firm said Monday in a demonstration of the futility of digital rights management (DRM).

According to Gartner analysts Martin Reynolds and Mike McGuire, Sony's XCP technology is stymied by sticking a fingernail-size piece of opaque tape on the outer edge of the CD.

Can anyone verify this on their own disks?

Re:Scotch Tape

[Wizarth (785742)]

I believe it can also be bypassed by holding down the shift key while inserting the CD into the drive (temporarily disabling AutoRun), or by permanately disabling AutoRun.

Using a bit of tap to do it is just grandstanding.

Re:Scotch Tape

[by Anonymous Coward]

I believe it can also be bypassed by holding down the shift key while inserting the CD into the drive (temporarily disabling AutoRun)

Congratulations, you just violated the DMCA.

Re:Scotch Tape

[ScrewMaster (602015)]

Frankly, even with autorun disabled and my shift key held down, I'm not putting a disc in my Windows box that I know has a ROOTKIT on it! If Microsoft really wants to follow through on their mantra of improved security, they should turn autorun off by default. The minor convenience of running disc-based programs without having to click on them isn't worth the risk. They've had ten years to figure this out and if they had, this rootkit issue wouldn't have been an issue. Matter of fact, it's unlikely Sony would even have bothered. Let's face it ... the real culprit isn't Sony's rootkit: it's AUTORUN. As you say, allowing removable media of unknown pedigree to execute arbitrary code is just stupid, but there you go. Microsoft left a a security hole so big you could drive a bus through it, and someone finally used it. The only surprise is that it was one of the world's biggest consumer electronics / media companies. I feel sorry for all the people that got rooted and screwed over, but with any luck Sony's penance will mirror their own.

In other news

[daniil (775990)]

EFF has launched a class-action suit against Sony [eff.org].

That takes balls....

[steveshaw (690806)]

which are exceedingly difficult to find in a politician these days.

Unfortunately, his opponent in the next election can back the Brinks truck up to Sony HQ at his convenience.

Attorney General's Press Release

[scottd18 (593645)]

Here's a link to the official Texas AG's press release.

http://www.oag.state.tx.us/oagNews/release.php?id= 1266 [state.tx.us]

They even have an online complaint form. Be the first on your block to get in on the lawsuit!

Civil? Where are the criminal penalties?

[Harodotus (680139)]

IANAL but it seems to me that criminal rather than Civil penalties is the way to go here.

Of course, the correct answer is both.

Call me naive, but I'm just not seeing action on the criminal side of things. Whatever happened to "equal protection under the law" principal where I would face jail time if I did this, even if I did it through my own 1-man consulting corporation?

Summary:

[millennial (830897)]

RIAA: "Sony BMG did nothing wrong. We love Sony BMG. They clean our pool."
Texas Lawyers: "Pardner, yer full o' bull puckey."
Sony BMG: "Can't you sue any better than that?"
Consumers: Yeah, you can all go screw yourselves. Give us some cash.

It's nice to hear...

[georgewilliamherbert (211790)]

...that it's not just geeks getting upset over this.

It's a good feeling when it doesn't even take a month for a major state's state government to sue over a consumer issue that has so many people I know riled up. No, it's not just us getting ourselves worked up, it really was that slimy and abusive a thing for Sony to have done.

Let the floodgates open!

[LeninZhiv (464864)]

Last week there were complaints here and elsewhere that class-action and criminal prosecutions were slow in coming, with only California and I think New York having responded promptly. This is great news* that this is starting to be prosecuted more widely (as it should be), and encouragement to everyone lobbying elsewhere for lawsuits in their own states/countries.

[*] Technically it's not "great news", it's simply the just application of the law. But when a mega-corporation such as Sony is the spyware distributer, it doesn't take a cynic to fear that justice come second to capital, as was the case for a certain monopolist...

Link to the lawsuit & the official press relea

[artifex2004 (766107)]

The PDF is available here [state.tx.us]. The press release is here [state.tx.us].

(cough [slashdot.org] :) )

Word is Spreading

[BigDork1001 (683341)]

One thing I was worried about was that this story would get mostly buried and that word of this would not get out to many people. I've tried explaining the Sony rootkit and DRM in general to a couple co-workers the other day and it didn't go so well. To them it's too technical and so they don't care. Even when I tried to re-explain it less technically they lost interest right away.

Well today I felt a bit better about the situation. First my wife asked me about it which surprised me. She hasn't shown much interest in stuff like this in the past. And then a little later on when I went over to Stars and Stripes to read todays news they had a story [estripes.com] about the rootkit and that they are pulling them out of the BX/PX's.

The more word of this gets out the more DRM will come to light. Eventually most people will know how bad DRM is and maybe, just maybe Sony and the rest will start to feel some pressure to stop trying to push it on us.

Re:Word is Spreading

[paulthomas (685756)]

This was someone else's idea here on slashdot, and it works.

"Sony intentionally infected that CD with DRM. It is infected with DRM. It will take over your computer." I just told this to a friend of mine who is a huge fan of Imogen Heap and was about to buy her recent US release of Speak for Yourself through Sony.

Sony infected this CD with DRM for the Mac, and maybe Windows, too.

My friend has spoken with Immi before and is writing her to tell her why, although he supports her and goes to her shows when possible (the hotel/cafe tour for example), he will not be buying the album.

He will not be buying it because It is INFECTED with DRM.

Whomever came up with this brilliant strategy, please feel free to take credit in a reply here. I can't find the original comment.

Holy shit! - Do the math

[Raul654 (453029)]

$100,000 per rootkit'd CD times 20,000,000 million CDs [eff.org] = $2,000,000,000,000 (2 trillion dollars)

Re:Holy shit! - Do the math

[BigDork1001 (683341)]

Sure, why not? When the RIAA sues people for sharing songs online they sue for a ridiculous amount of money per song. It's only appropriate that they are on the other end of it for a change. $100,000 sounds good to me.

Re:Holy shit! - Do the math

[millennial (830897)]

Maximum penalty for illegally copying and distributing a single song? $150,000. Maximum penalty for installing security-hole-riddled spyware/malware on a person's computer? $100,000. Number of illegally copied songs on the average college student's PC? Estimated at around 3,000. Number of college students in America? Conservatively estimated at 3,000,000. 3,000,000*3,000*$150,000 = $1,350,000,000,000,000. Number of malware-infested CDs? 20,000,000. 100,000*$20,000,000 = $2,000,000,000,000. Let's see... Sony and co. stand to lose $2 trillion, but earn $1,350 trillion. Maximum. Seems the odds are weighted in their favor.

Re:Holy shit! - Do the math

[pegr (46683)]

$100,000 per rootkit'd CD times 20,000,000 million CDs = $2,000,000,000,000 (2 trillion dollars)
 
(Oblig: pinky to mouth...)

Re:Holy shit! - Do the math

[LetterRip (30937)]

[QUOTE]$100,000 per rootkit'd CD times 20,000,000 million CDs = $2,000,000,000,000 (2 trillion dollars)[/QUOTE]

Someone at Arstechnica pointed out that 'per incidence' meant the creation of the master CD, so however many different master CDs had been created with it installed would be the liability number. I think it 16 or so CDs. So 1.6 million.

Canada should sue too

[k00110 (932544)]

In Canada, the levy allows you to make copy of music CDs, even your friends CDs for you own personnal use without restriction. The 3 limit per CD is a clear restriction that goes against what Canadians pay for. I feel another law suit comming.

Re:Canada should sue too

[Scrameustache (459504)]

I feel another law suit comming.

Or, this being Canada, a stern talking-to.

Everyday I learn something new about r00tkits...

[Chaffar (670874)]

"The MediaMax software also installs files on users' computers even if they decline to accept SunnComm's terms in a licensing agreement. That software allows the company to track customers' listening habits despite denials the company collects such data."

So basically, the rootkit would install itself on your PC even if you clicked NO on the popup that appears after inserting the disk? Wow... Now re-read this (different article, posted on Slashdot earlier):

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" the head of Sony BMG's global digital business, Thomas Hesse, told National Public Radio.

I don't know... So they are counting on tricking gullible PC users into installing something which will ultimately harm their PC, which is heinous in itself, but somewhat legally "murky" enough for them to get away with it. But when your answer to the EULA actually has no effect whatsoever on whether the r00tkit is installed or not, that is beyond words. It shows how much these corporations disrespect their customers. We are sheep. With cash they gave us for working for them... and they want it back.

Re:Everyday I learn something new about r00tkits..

[yeremein (678037)]

"The MediaMax software also installs files on users' computers even if they decline to accept SunnComm's terms in a licensing agreement. That software allows the company to track customers' listening habits despite denials the company collects such data."

So basically, the rootkit would install itself on your PC even if you clicked NO on the popup that appears after inserting the disk? Wow...

No, this sentence refers to SunnComm MediaMax, not First4Internet XCP. MediaMax doesn't use a rootkit, but installs even if you reject the EULA, phones home when you play a CD, does not include a functioning uninstaller--but if you jump through a bunch of hoops, SunnComm will give you an ActiveX uninstaller that opens a huge security hole on your computer, kind of like XCP's.

Sony recalled XCP CDs but didn't say a word about MediaMax. The EFF is pressuring them to recall those CDs as well, which have been on the market for two years and number at least ten times as many as XCP.

Companies disallow CD playing on computers?

[by Anonymous Coward]

Have any companies disallowed playing CD's at work computers because of potential security risks? Can someone be fired for unknowing installing rootkits and can fired employees sue the music distributors for costing them their jobs?

Sony Employee Yule Gift?

[eddy (18759)]

I heard Sony management got a great deal on this book: Rootkits : Subverting the Windows Kernel [amazon.com].

Buy this book with 'Microsoft Windows Internals, Fourth Edition...' by Mark E. Russinovich today!

That recommendation is just... the glazing on the pig

Sweet.

[Ph33r th3 g(O)at (592622)]

I hope the Texas Attorney General extracts hundreds of millions from Sony. And then that the other states' attorneys general smell blood and jump on the bandwagon, just like the tobacco settlement. Imagine Sony forced to fund a foundation that makes commercials warning youth of the dangers of DRM :).

Why no criminal charges?

[deadfly (39238)]

If some college student had pulled this stunt they would be sitting in jail as we speak. Why is Sony getting away with this crap? I also can't believe that they stole code from LAME and violated the LGPL without a second thought. These people are criminals in every sense equally as bad as those they are trying to keep from copying their CDs.

I will never, never ever buy another product that says SONY on it again.

Re:Why no criminal charges?

[syukton (256348)]

That they stole code from LAME and violated the LGPL got like one minute of news airtime before falling into the background. That really isn't important to the average person, which is really a damn shame. I would expect that part to be more important or at least more-covered in the media.

(although since they contracted out the creation of the program, they arguably didn't steal code from LAME but rather encouraged another company to do so. That's really for a lawyer or ten and a judge to decipher...)

The charges

[yeremein (678037)]

The complaint [state.tx.us] is actually quite short. I only see two specific charges:

• Using random or deceptive filenames to make it difficult for the consumer to find and uninstall the program, in violation of CPACSA 48.053(5).
• Inducing the consumer to install software by falsely claiming that it is necessary to play the media, in violation of CPACSA 48.055(1).

Seems pretty weak, but I imagine they'll tack on additional charges once they've had the chance to do some discovery.

Just Say NO to This Crap

[cmacb (547347)]

I had sent a friend information about this Sony [sonybmg.com] thing last week and it got not a lot of attention. However same friend was trying to de-lous another persons PC yesterday and called me for support (Note: I'm not particularly qualified for Windows support at this point, but I can do Google searches and say things like "hang in there" from time to time). I think by that time I was called many of the virus and spyware elements had been cleaned by conventional means, but there seemed to be some persistent problems. Just in case, I asked whether they had played any of those Sony BMG [sonybmg.com] music discs in the machine. Apparently I was on a speakerphone setup, and I heard several denials of the form "We never use our machine for such things" while my friend asked me what I was talking about.

After refreshing his memory, and in turn having the family involved talk among themselves for a while, it turned out that some Sony BMG [sonybmg.com] discs HAD been played in that machine, and some of the remaining questionable files had Sony all over them even though the family didn't own a Sony [sonybmg.com] camera, Sony music player or any other Sony device that they could think of. Finally someone remembered that the little girl in the family HAD played, or ripped, or SOMETHING some music CDs in the machine and off they rushed to find them. In the mean time I was looking for the list [sonybmg.com] of Sony BMG [sonybmg.com] discs affected, originally numbered 20 and widely circulated at that count, but subsequently updated to 50, and listed [sonybmg.com] on a Sony website. I found the list of 50 at about the same time that they found their played/ripped/inserted/whatever CDs and sure enough, several of them had the Sony BMG [sonybmg.com] label on them. Now the catch was that (a) none of the CDs they had found were on the list [sonybmg.com] and (b) none of the CDs they had found had the warning that they contained copyright protection software, and my understanding was that the affected discs did contain such a warning.

Well, by getting rid of the Sony BMG [sonybmg.com] stuff they seemed to be back to a clean machine, and they swore to never insert a music CD into their machine again or to buy a CD from Sony [sonybmg.com]. So, congratulations should go out to Sony BMG [sonybmg.com] and First4Internet [first4internet.com] for accomplishing their objectives. Now to round out the picture:

(1) I suspect that Sony BMG [sonybmg.com], Sony [sonybmg.com] alone, and BMG [sonybmg.com] alone have in the past used other protection schemes and while they haven't been vocal about it, other companies are doing the same experimentation. All of these programs have their own ways and means of hiding themselves and controlling what YOU do with YOUR PC. But NONE of them have exhaustively looked into the legal, much less technical ramifications of what they do. They think that by merely relying on third party companies like First4Internet [first4internet.com] they can claim ignorance of the consequences.

(2) Rumor has it that by the time you are asked for your permission to install software when you insert these disks SOME software has already been installed.

(3) Sony/BMG [sonybmg.com] isn't the only company doing this, they are just the only company that has been caught.

(4) These discs have been out for a year, and some people say two years, or maybe more.

(5) There is no quick and easy way to uninstall these programs, either from Sony BMG [sonybmg.com] or the s

The Proper Punishment

[Nom du Keyboard (633989)]

The proper punishment for Sony out of this must be sufficient that that Sony, and every other record company will absolutely never any use any kind of DRM that changes even one bit on your computer again. Anything less is not enough.

Re:Way to go

[JorDan Clock (664877)]

For $100,000 per violation, I don't know. My guess is that a violation is a provable installation of the software, which can add up fast if they had as many sales as were reported. Even if there is only 100 cases of the rootkit being installed, that's $10,000,000. Add in the image damage and that's a hefty tag. But we all know image damage can be fixed with a few donations to the right charities.

Re:Way to go

[sr180 (700526)]

Judging by the map [nyud.net] of infected computers, theres alot more than 100 infections in the state of texas.

Re:Way to go

[syukton (256348)]

This isn't a scenario regarding a purchase though, it's a scenario involving a hacking incident. If I take my Sony CD to a friend's house and it r00ts their machine, that is an instance of hacking, regardless of who bought the CD.

The proof is in the computers themselves, not in anything on paper. The number of infractions will likely be estimated. I'm not familiar with the details of the rootkit--does it phone home? If it does phone home then they can subpoena the "phone home records" and determine which connections originated from Texas.

Re:Wow, that's gonna be a nice check..

[daVinci1980 (73174)]

I realize--in your rush to post first--that "facts" are irrelevant to you..

But the State of Texas (you know, the State Attorney General, in representation of the State of Texas and its citizens) is suing Sony. If the lawsuit is won, than the money goes into the coffers of the state of Texas, which will result in an increase in public works, which *does* benefit us.

Sometimes /. makes me wish there was an 'idiot' moderation, or at least a 'first post' moderation. In this case, a mere glance at the first sentence of the article would've made it clear that this was an action taken by the state to protect its citizens.

Re:Wow, that's gonna be a nice check..

[kfg (145172)]

It's the AG's office, not a private law firm. The lawyers are public servants on salary, not working for a percentage. They are constrained by law to work in the public's (the people who provide their salaries) interest.

They're prosecutors.

When the NY Attorney General's office nailed Song BMG for "payola" the settelement included a $10 million grant to the Rockefeller Philanthropy Advisors to New York State, a non profit, to promote music education.

The EFF has also filled a rootkit suit against Sony BMG in LA. I guess you can decide for yourself whether these guys are just after a big paycheck.

KFG

Re:Wow, that's gonna be a nice check..

[bassman2k (409481)]

What is the state of Texas going to do with 5 million coupons for a free Sony CD?

Texas law on lethal force in protecting property..

[Frangible (881728)]

Assuming a computer counts as tangible, movable property, and I do believe the rootkit at least counts as "criminal mischief", and the Texas AG has a legal duty to protect people's computers (or people ask him to), the use of lethal force against Sony BMG would be authorized. 9.43. PROTECTION OF THIRD PERSON'S PROPERTY. A person is justified in using force or deadly force against another to protect land or tangible, movable property of a third person if, under the circumstances as he reasonably believes them to be, the actor would be justified under Section 9.41 or 9.42 in using force or deadly force to protect his own land or property and: (1) the actor reasonably believes the unlawful interference constitutes attempted or consummated theft of or criminal mischief to the tangible, movable property; or (2) the actor reasonably believes that: (A) the third person has requested his protection of the land or property; (B) he has a legal duty to protect the third person's land or property; or (C) the third person whose land or property he uses force or deadly force to protect is the actor's spouse, parent, or child, resides with the actor, or is under the actor's care

Re:Texas law on lethal force in protecting propert

[DrEldarion (114072)]

Unfortunately, that only works if killing them will prevent your property from getting damaged/stolen. Inapplicable in this case.

Re:Texas law on lethal force in protecting propert

[kesuki (321456)]

at least we can kill -9 them.

Re:Texas law on lethal force in protecting propert

[griffjon (14945)]

Whoa there cowboy. This is Texas we're talkin' about. Stand down with all that high-falutin' legal talk there. Sony obviously just needs some killin', let it be.

Re:Texan way.....

[Drishmung (458368)]

http://www.deathpenaltyinfo.org/article.php?scid=8 &did=245 [deathpenaltyinfo.org]

Re:Texan way.....

[andreyw (798182)]

OT: Next time your tongue itches to say something stupid about the French, remind yourself why the Statue of Liberty is in New York, again.

Anywho, personally I can't wait to see Sony go down in flames over this. Some part of me is almost disappointed that a couple of adolescents with an axe to grind /haven't/ yet found way to exploit the rootkit and thus come into posession of the first corporate-created zombie botnet (make Windows security jokes all you want, this is for real).

Re:Texan way.....

[by Anonymous Coward]

Why do people think Bush is (1) stupid; (2) evil; and (3) has all sorts of magical powers?

Well, those who believe #1 and #2 must believe in #3, how else would they explain how Bush won in the last election despite #1 and #2?

Re:Texan way.....

[failure-man (870605)]

It got modded as funny! Now that's ironic . . . . . . . .

Re:Texan way.....

[by Anonymous Coward]

Read the entire article, not just the highlighted quotes. The police pressured an undocumented alien to try to get him to id the culprit.

So we can blame the state for:

• Using this case to get at a defendant they wanted for something else (the police botched that case).
• Pursuing a capital case with only a single eyewitness and no physical evidence.
• Pressuring the one eyewitness.
• Having a death penalty, which makes the result in the inevitable cases of abuse and errors completely irreversible.

You can blame the one guy for refusing to stand in their way - are you sure you would have had that courage ?

Re:The EFF Suit

[thesandtiger (819476)]

Sony claims that they are unaware of any case where their rootkit caused damages to customers.

Which is irrelevant. If I were to get my rootkit installed on Sony's machines, even if I didn't do any damage, I can't imagine they wouldn't go after me like Star Jones after the last Snackwell.

The Sony executives responsible for releasing this thing into the wild should get the exact same punishment any other criminal would get for distributing millions of copies of a trojan into the wild. Maybe if that were to happen (dream on!) - maybe if a few corporate execs were put in Federal Pound Me In The Ass Prison, forbidden from using a phone or a computer - treated like the criminals they are - people would rethink this crap...

Nah. They have money. Money > Justice.