Sony Settles With FTC Over Rootkits

The FTC has struck a deal with Sony punishing Sony for the rootkits it included on millions of CDs in 2005. The deal is exactly like the Texas and California settlements — $150 a rootkit. The settlement isn't final yet. There will be a 30-day public consultation. American citizens who read Slashdot might want to put in their two cents. Comments will be accepted through March 1 at: FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580 (snail mail only). Here is the FTC page announcing the settlement.

What about OS????/

[threeofnine (813056)]

I am an Aussie, this means nothing to anyone outside the USA, it would be good to see Sony pay US$150 to everyone they infected with their shite.

Re:

[bcraigen (766330)]

I was under the impression that these CD's were only sold in America??

Re:

[grimJester (890090)]

This site [doxpara.com] has maps of the spread of the rootkit. It looks like they were sold in the US and western Europe, with stray copies spread around the wordl.

This gives me an idea!

[grimJester (890090)]

I can't download zips at work, but would the linked application [nyud.net] still work for mapping out how widespread the infection still is more than a year after the initial spread?

If nothing else, it would make for pretty pictures to show in court.

150? If by 150 you mean 150ml

[Cocoshimmy (933014)]

How about 150ml of the Sony CEO's blood per rootkit. If they run out, then start taking blood from the rest of the executives in a hierarchical fashion.

How About...

[by Anonymous Coward]

How About you realise that this is Sony BMG - e.g. a partnership between Sony and Bertelssman. The rootkit would have been 100% BMG's idea. The CEO of Sony has gone on the record as saying he thinks online music sales are too expensive and should be close to the 25c mark.

Re:How About...

[ObsessiveMathsFreak (773371)]

The CEO of Sony has gone on the record as saying he thinks online music sales are too expensive and should be close to the 25c mark.

What a great guy. Going on record saying what he sees as fit instead of actually running the company the way he sees fit.

Why are they even paying this man?

Re:

[Rycross (836649)]

I'm sure Sony's PR department is grinning from ear to ear that people are falling for this shit.

Listen.... it doesn't matter that they're separate departments. Its. The. Same. Company. Saying "Oh its just the music department, all those other departments are ok," is just a cop-out. At least be honest that you don't really care.

Re:

[mpe (36238)]

How about 150ml of the Sony CEO's blood per rootkit. If they run out, then start taking blood from the rest of the executives in a hierarchical fashion.

Since Sony are ment to be in the entertainment business how about a "reality show" where viewers can vote for which executive gets fed to the vampire...

Re:

[GringoCroco (889095)]

From wikipedia

Originally, the only symbol for the litre was l (lowercase letter l), following the SI convention that only those unit symbols that abbreviate the name of a person start with a capital letter.
In many English-speaking countries, the most common shape of a handwritten Arabic digit 1 is just a vertical stroke, that is it lacks the upstroke added in many other cultures. Therefore, the digit 1 may easily be confused with the letter l. On some typewriters, particularly older ones, the l key had to be used to type the numeral 1. Further, in some typefaces the two characters are nearly indistinguishable. This caused some concern, especially in the medical community. As a result, L (uppercase letter L) was accepted as an alternative symbol for litre in 1979. The United States National Institute of Standards and Technology now recommends the use of the uppercase letter L, a practice that is also widely followed in Canada and Australia. In these countries, the symbol L is also used with prefixes, as in mL and L, instead of the traditional ml and l used in Europe. In Britain and Ireland, lowercase l is used with prefixes, though whole litres are often written in full (so, "750 ml" on a wine bottle, but often "1 litre" on a juice carton).
Prior to 1979, the symbol (script small l, U+2113), came into common use in some countries; for example, it was recommended by South African Bureau of Standards publication M33 in the 1970s. This symbol can still be encountered occasionally in some English-speaking countries, but it is not used in most countries and not officially recognised by the BIPM, the International Organization for Standardization, or any national standards body.

so Europeans that use "l" instead if "L" are American, you say ...

Drawing parallels

[rumith (983060)]

According to the FTC, the software also exposed consumers to significant security risks and was unreasonably difficult to uninstall.

Hmm. Perhaps they would fine Microsoft too, based on this exact reason? ;)

Re:

[by Anonymous Coward]

When we'll see malware using Vista DRM "features" so even a user with admin privileges won't be able to get rid of it, maybe we should seriously consider that question.

Could malware use Vista's DRM functionality?

[babbling (952366)]

Most of the Vista DRM that we hear about involves applications requesting from Vista that the quality of audio/video be crippled unless the user has special DRM hardware and special DRM ("signed by microsoft") drivers installed. It's difficult to envisage how that functionality could be useful to malware, but there also must be more to Vista's DRM than just that. If it were nothing more than I just described, someone wanting to crack the system could disassemble the application being used to play DRM-encumb

Save your reciept ?

[Joebert (946227)]

Under the settlement, Sony BMG must allow consumers to exchange affected CDs bought before 31 December 2006, and reimburse them up to $150 (£76) to repair damage to their computers.

I understand why stores require reciepts to return stuff, but when it comes to CDs which are non-returnable once that plastic wrap is taken off, who the hell bothers to save the reciept ?
How are they going to know when the CD was purchased ?

Re:

[zlogic (892404)]

These things could sell pretty well on eBay - buy a $75 rootkit CD and sell it to Sony for $150!

Re:

[jimicus (737525)]

Don't know about the US, but here in the UK if a product is not fit for its purpose, you are entitled to a refund/replacement (at your discretion, though some stores don't know that bit), and it doesn't matter whether or not it's been unwrapped. You just have to return it in a "reasonable" timeframe. Technically you don't even need a receipt, but it can save arguments at the counter.

The biggest problems I've had returning things have been when the item was technically fine - it met the manufacturer's spec

how does this multiply out?

[acidrain (35064)]

Is that $150 per cd "sold through" or $150 per customer who is aware of the lawsuit and actually files to get their cheque? Because I imagine those are entirely different numbers. Also, for those who would like to see Sony hurt worse for this, do remember that that this is more than enough. Any company pulling a stunt like that again will be ignorant, not unconcerned.

So when are desktop OS's going to come installed inside a secure virtual machine OS that is capable of detecting rootkits and possibly doing a little extra scanning on the side? That is long overdue.

Re:how does this multiply out?

[Don_dumb (927108)]

Is that $150 per cd "sold through" or $150 per customer who is aware of the lawsuit and actually files to get their cheque? Because I imagine those are entirely different numbers.

I wonder how many people have these CDs and dont even realise that their CDs are or have been infected? This did make the mainstream media, but wasn't a huge story. I imagine there are thousands of people who still have no idea.

Wouldn't a better punishment be that Sony is made to stand up and publicize (using such mediums as MTV) the particular CDs that were infected and educate people as to how they can protect against malware. - It openly damages them to those who aren't aware about this (thereby acting as a deterant for anyone else thinking about doing somthing like this), informs the masses as to the lengths DRM goes to (generating more widespread disapproval for DRM) and helps to fight malware through educating the yoot.

Re:

[CastrTroy (595695)]

But what about all the other people who don't really follow the tech news. They still have a rootkit on their computer. I remember when the news came out, there was nothing on the news that 98% of the population would listen to. Only stuff on geek sites like slashdot. I bet most people are completely unaware it even happened.

Re:

[Secrity (742221)]

That is $150 per infected computer. I don't even want to get into what you will probably have to do in order to prove that you got infected. How many people won't even know that they have been rooted?

Re:how does this multiply out?

[Professor_UNIX (867045)]

How many people won't even know that they have been rooted?

This sounds like the perfect opportunity for one of those chain e-mail letters to be circulated. "Have you played any of these Sony CDs on your computer? If so you're entitled to $150. Pass this along to 5 other people or you will die tomorrow!"

Re:

[mpe (36238)]

Is that $150 per cd "sold through" or $150 per customer who is aware of the lawsuit and actually files to get their cheque?

The number of infected PCs may well not tally well with the number of customers or the number of CDs. Some customers may have bought more than one infected CD and each CD can infect an arbitraty number of PCs. e.g. if it was bought by a lending library a single CD could have infected hundreds...

Re:how does this multiply out?

[theckhd (953212)]

Is that $150 per cd "sold through" or $150 per customer who is aware of the lawsuit and actually files to get their cheque?

It's not even that simple, FTFA [ftc.gov]:

As part of the settlement, Sony BMG will allow consumers to exchange CDs containing the concealed software purchased before December 31, 2006 for new CDs that are not content-protected, and will be required to reimburse consumers up to $150 to repair damage that resulted directly from consumers' attempts to remove the software installed without their consent. Sony BMG is required to publish notices on its Web site describing the exchange and repair reimbursement programs.

It's a reimbursement for costs incurred while trying to repair the damage done. I presume this means you would need a receipt from a vendor or service company that removed the rootkit for you. I doubt Sony will award the full $150 to you if you removed it yourself.

Meanwhile, RIAA wants $750 per song...

[Zaatxe (939368)]

Isn't that a little unfair?

Re:

[grimJester (890090)]

Yes. The damages of $750 up to 125k per count of infringement were supposed to be that horrendous to discourage the practice. $125k per infringement would be a more reasonable punishment, not only because $150 is probably not worth the trouble of collecting, but because a single user rootkitting a Sony server would never get away with only a $150 fee.

Re:

[SolitaryMan (538416)]

single user rootkitting a Sony server would never get away with only a $150 fee.

Doesn't this set some kind of precedent, so users now can get away with $150 per rootkit too?

IANAL, so I'm asking seriously.

Re:

[mpe (36238)]

if i write a rootkit and distribute it inadvertently (because my GF burned it to CD??), would FTC settle?

The "inadvertently" bit would be tricky, in order for things to work the CD has to be mastered such that Windows automatically executes the malware when someone trys to play the disk. You need to do a few more things that just putting an executable on a data track.

Heck, i would be in Gitmo after being "renditioned" to Syria!

Or your GF or both of you...

Re:

[cdrudge (68377)]

a single user rootkitting a Sony server would never get away with only a $150 fee. Well, you probably could get more money back by firing the admin that was playing a CD on a server.

Re:

[laughingcoyote (762272)]

Actually, the $750 per song is for unintentional infringement. This action was obviously intentional and profit-motivated, the statutory damages in that case are $150,000 per infringement...which would be pretty good, I bet that would actually discourage them from doing this again, as opposed to this garbage settlement, which will have roughly the deterrent effect of fining you or me fifty cents.

Re:

[mpe (36238)]

Actually, the $750 per song is for unintentional infringement.

Even that is a highly inflated figure. Actual "loses" are under 10USD, possibly under one.

This action was obviously intentional and profit-motivated, the statutory damages in that case are $150,000 per infringement

Part of the reason to have such massivly inflated figures is to ensure that the amount of money involved is high enough for law enforcement to take an interest. With something like spamming, even when it involves outright fraud, t

Re:

[Technician (215283)]

Meanwhile, RIAA wants $750 per song... Isn't that a little unfair?

Yes, Sony is getting ripped off big time. Filesharers are simply getting $750 per title shared, not $750 per copy someone else recieved from him.

Sony is not getting charged $750 per song on the DRM CD. They are getting charged $150 for everyone who picked up a copy of the same set of songs from them. How unfair is that? I think they would love to have to pay $750/song for each of the CD titles they distributed regardless of how many copie

Not bad

[by Anonymous Coward]

The terms of the settlement actually seem pretty good for the consumer. You can claim up to 10 times the price of a CD for damages, you can exchange existing CDs for unencumbered ones, and Sony has to deal with the embarrassment of advertising this fiasco on its website. And more importantly, this will hopefully send enough of a message to other DRM providers and users to make them pause before throwing more malware into their products.

The only thing I'd like to see added onto there is a clause requiring So

Re:

[Don_dumb (927108)]

The one change I would like, is for this to be labelled 'Malware' 'adware' or 'virus concealment tools' because barely anyone outside this site has any clue what a 'rootkit' is, to the public, this is just some "techy thing". Mention virus and people will take notice, they might not bother to protect themselves against them but they certainly know what viruses are. This would have had a different reaction form the public if they understood the issue.
Sometimes the IT world just doesn't make its case clear in

By that rationale...

[GapingHeadwound (985265)]

From TFA

The US regulator said the anti-piracy software wrongly limited the devices on which music could be played to those made by Sony or Microsoft.

Hmmm... no mention whether Vista or other Microsoft operating systems will come under fire of the same arguement.

Re:

[EzInKy (115248)]

Hmmm... no mention whether Vista or other Microsoft operating systems will come under fire of the same arguement.


I doubt it. Microsoft has made it pretty clear that their software will be monitoring and controlling its users activities.

Re:

[grimJester (890090)]

Hey, your comment actually made me RTFA. Congratulations!

The proposed settlement requires Sony BMG to clearly disclose limitations on consumers' use of music CDs, bars it from using collected information for marketing, prohibits it from installing software without consumer consent, and requires it to provide a reasonable means of uninstalling that software.

From the summary, I thought this was about the rootkit, not the DRM functionality it was meant to protect. Why does the settlement require things tha

Banning things which are already illegal

[h2g2bob (948006)]

Quite - installing software without consumer consent is pretty much the legal definition of computer hacking. If I was to do that, I'd go to prison. If this is what they did, why isn't Sony's execs in prison?

Send the repair bill in

[scsirob (246572)]

Maybe some folkes can send the invoices for lost time and consultancy hours spent on fixing their systems.

I'm sure that will be just a bit over $150...

If someone in their basement pulled the exact.....

[by Anonymous Coward]

....same thing, their asses would be in the slammer in no time. Sony souldn't be treated any different. This was a computer crime, plain and simple.

Re:If someone in their basement pulled the exact..

[jimicus (737525)]

Yes, but Sony is a company and this is the USA.

All the rights of an individual with hardly any of the responsibilities.

So if I'm reading the settlement site correctly...

[Telephone Sanitizer (989116)]

Without a receipt for repair services the most that you can qualify for is $25 dollars, at their discretion.

If you removed the unlawful hack yourself, no matter how much pain and suffering it caused, there is every probability that they will compensate you exactly nothing.

(I mean nothing but the opportunity to exchange your defective CD for a slightly less defective one or a DRM-laden download.)

I think the kicker is that this is one of those fancy federal consent-decrees -- like the one that was used to "break" the Microsoft monopoly way back when. They agree not to be such meanies and in exchange, they receive total immunity from prosecution on any related federal charges and all state laws that conflict with the federal decision are automatically superseded.

I'm so glad that the feds are looking out for me. With punishment like that, Sony surely KNOWS they've been naughty. It's certain that they won't do anything like THAT again.

The REAL point of a class action lawsuit

[elrous0 (869638)]

Here's a little breakdown of how class action suits *really* work:

• Suing lawyer gets $5 million
• Corporation gets protection from individual lawsuits
• Consumer gets a meaningless coupon

-Eric

Claim form help?

[Kredal (566494)]

The claim form you need to fill out for recompensation is at this link [sonybmg.com].

One of the questions is as follows:

7. Briefly describe the type of harm / damage / problem you experienced and the steps that you
took in response:

What kinds of problems, other than the pain of removing it, did people have? Was any actual damage done? Did anyone's computer get taken over? I'm just curious what a valid response would be to this, for when I fill out the form.

Understatement of the year...

[Panaqqa (927615)]

According to the FTC, the software also exposed consumers to significant security risks and was unreasonably difficult to uninstall.

Huh? "Reasonably difficult"? This damned thing broke Russinovich's [technet.com] machine, and he had to use several utilities he developed himself to get rid of it by looking deeper into the Windows OS than I think Microsoft ever intended (or wanted) anyone to look. How many /. denizens would have looked for this little gem using named pipes [wikipedia.org] to communicate?

"Difficult to uninstall"? Right...

I Chooose a Better Punishment

[N8F8 (4562)]

I'll never buy something from Sony again until they change their anti-consumer practices.

Two cents

[Bob54321 (911744)]

American citizens who read Slashdot might want to put in their two cents.

No, thats all wrong. Sony is supposed to pay out...

Wonder who really gets to pay...

[ray-auch (454705)]

What's the betting that cost of this gets passed onto artists as deductions from royalties ?

Artist monthly statement:

Sales: $$$
Gross royalties (tiny%): $
Deductions:

      [ blah blah blah ] $$
      DRM legal costs $$
      [new this month]

Net Royalties: -$$$

[NB: you won't have to pay us because we're nice like that, we'll just carry it forward]

I have an idea for compensation

[badenglishihave (944178)]

How about a free PS3 instead? Oh wait, that would just introduce more Sony problems into our lives. Whoops.

Damn them anyway!

[by Anonymous Coward]

Sony's rootkit (which my teenaged daughter installed; damn it I had autoplay shut off for a reason!!!) cost me the price of an SB Audigy since I couldn't find sound chip drivers, and XP since my video card mfg didn't have Win 98 drivers for download. Around $200 plus an afternoon of my time; reinstalling W98, then going to Circut City and installing XP (three fucking times - it didn't like my CD burning software and had a popup on boot saying XP had disabled it, but XP wouldn't let me uninstall it because it had disabled it. Then it updated my networking drivers which disabled the internet. Great product that XP).

After being yelled at for ruining my computer, she broke the CD and threw it away, and I've lost the receipts for the SB and XP.

I think a more fair settlement would have been to just have Sony give $500 to every man, woman, and child on the planet, and have its CEO spend as much time in a US federal assrape prison as anybody who would have done this to Sony's corporate computers would have, after being caned in Singapore. Then when he was released from US prison, have the Chinese execute him and bill his family for the bullet.

If you work for Sony in any capacity at all, I hate your fucking guts. Please die and take your God damned company with you.

Sorry for the rant.

Re:

[Technician (215283)]

I put goatse in my hosts file. It doesn't show up anymore.

I know, offtopic.. just feeding the trolls.