More on Sony's "DRM Rootkit"

A couple of days ago we posted a story about Sony DRM installing a rootkit. Since then we have seen many more stories on the subject that I thought were worth sharing. manno gave us a link to the inquirer and salemnic sent us a page from the washington post. smallfries gave us one from PC Pro. It's nice to see this story not getting lost in the cracks since the implications are gigantic.

Hope it catches on

[Anonymous Coward]

"infected with DRM"

Love it. Great phrase. Maybe it'll catch on.

Re:Sue

[garcia]

So is it or isn't it enough for a lawsuit? Anyone know of any developments in this area?

A lawsuit on what grounds? That you agreed to something and then they installed their software based on your agreement? I have a feeling that the "oh, no one reads those things" isn't really going to work all that well against Sony's legal team.

Here [f-secure.com]is a link to F-secure's "detailed" writeup about what the DRM installer puts on your machine.

Don't buy DRM'd CDs as they don't allow you to exercise fair-use. Sadly, most people don't care anymore.

Simple Solution: Boycott Sony to Death

[snotclot]

Ok sure, so boycotting Sony is not realistic. Or is it...? We can really do without them. Screw their stupid DRM'ed Memorysticks, we have our SD and CompactFlash. Screw their VAIO's, we have Dell and Taiwanese laptops.. Screw their TV's, we have better ones from other brands. Screw PS3, we have XBOX2 and Nintendo Revolution. Screw PSP, we have Nintendo DS. Once they get the collective shaft, well, other companies will think twice before pulling shit like this.

Let us hope:

[Winckle]

That this sets a precedent, and that Sony don't wriggle out of this, at the very best it could point out some of the absurdities of the DMCA.

Re:Sue

[voice_of_all_reason]

Based on the grounds that it re-routes the windows instructions on how to play *all* audio CDs. If you remove the DRM by force, you lose the ability to play other music as well.

Contains LAME code?

[Sulka]

Interesting.. Some reports Finnish reader of this news in Sektori.com [sektori.com] (in Finnish) reports Contents\GO.EXE file seems to contain parts of the LAME player. Can anyone verify this? Is Sony distributing LGPL software on the CDs?

Re:Regardless of where this goes...

[Scoria]

People seem amazed when they learn what DRM technology is capable of. Interestingly, I'm afraid that most casual readers wouldn't understand the implications of DRM, even if it actually received a substantial amount of press. I know that "rootkit" isn't the most commonly used term.

In fact, to a casual reader, it would almost seem as though anything with an acronym such as "Digital Rights Management" would be designed to protect your digital rights. It's entirely misleading.

If all else fails, Sony can always use a scapegoat and proclaim that the managers had no idea any of this was happening. An unknown malicious programmer must have done it all!

Sony is losing it

[shanen]

I still stand by my earlier comments on this topic [slashdot.org], but at this point it's pretty clear it isn't just a /. rumor. I used to have a lot of respect for Sony, but it's been pretty well dissipated over the years. Their decision to dump PDAs greatly saddened and annoyed me, but I've also had too many problems with their hardware to buy any more... They just couldn't handle the pressure of needing to have ever higher profits and being squeezed between their one low-margin hardware-oriented parts of the company and the high-greed software-oriented parts. Now they've completely trashed their own reputation, and I do feel morally constrained to sell my stock, too.

I guess I'll send them a sharply worded letter first, but I really don't see any way that I can do any business with a company like this. Not even as a shareholder.

Re:Sue

[Lonewolf666]

Some lawyers seem to think so.
On Mark Russinovich's Blog, at least one guy claimed to be a lawyer and he asked California residents who were affected to contact him about a lawsuit.

Re:Simple Solution: Boycott Sony to Death

[LilGuy]

What really sucks though, is boycotting a company you don't buy anything from anyway. Honestly I haven't purchased shit of theirs since my last pair of headphones. I'm not really brand conscious though, more of an impulse buyer. I suppose they somewhat rely on the impulse buyer as well, so maybe I'll make a dent if I keep their underhanded tactics in mind before I make it to the register with anything with their logo on it in hand.

Is this necessarily legal?

[hunterx11]

Even if you do agree to give Sony the rights to your first-born child in the EULA, wouldn't this violate laws in some states, such as the Consumer Protection Against Computer Spyware Act in California?

Re:Sue

[LurkerXXX]

There is no way for a normal user to remove the software. It comes with no uninstall program, nor is it listed in the windows add-remove programs.

If you can manage to find the hidden software files and do delete tehm as suggested in the EULA, you will no longer be able to access your CD drive.

Funny how no mention of those points are made in the agreement.

A wild conspiracy theory:

[merc]

Could be that Sony and the major music labels are using this to create intentional fear, uncertainty and doubt. Who ever said the record labels want you to play music CD's on your computer, in fact wasn't there a genuine effort by the RIAA cartel to create CD's that wouldn't work at all on a PC? If they can't get the end user to cease this undesired activity they can always frighten the luser into submission.

Stick that music CD into my computer? No you don't, I'll become infected with malware.

Yes, perhaps it's as the subject suggests, a wild conspiracy theory. It's not as though this industry wanted to create laws to legalize hacking P2P users or anything.

How to beat this...

[ZachPruckowski]

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Emphasis is mine. Anyways, nothing is the EULA says that I can't just go and delete it. Sure, it may reinstall, but can't we delete it the minute we eject the CD? Can we write a script to do that?

Anti-PC

[vandenh]

Well Sony has all the reasons to mess with PCs stuff. They don't *really* want people to use their PC for any media stuff... Sony wants everybody to use custom hardware solutions made by Sony. PS3, PSP, Memory Stick,.....

So messing with your PC looks like a good thing to do for Sony (especially since it also f*cks with MS).

H.R. 2929

[spurtle15]

Has this passed? Is it applicable?

(4) inducing the user to install a computer software component onto the computer or preventing efforts to block installation of a software component;

http://thomas.loc.gov/cgi-bin/bdquery/z?d108:h.r.0 2929 [loc.gov]:

If they used racketeering laws to go after the RIAA, why not antispyware legislation against this?

Re:Sue

[dangerz]

Sadly, most people don't care anymore.

The other day, I was driving with my fiance when we got on the topic of cd's. She proceeded to tell me that there's this great cd that I need to get because the band is really good. I proceeded to tell her that I haven't purchased a cd for almost 4 years now because of my dislike for the RIAA. After explaining everything to her, she just got all flustered and said that she didn't care about all that crap. She didn't care that even though she paid for the cd, she didn't fully own. She didn't care about all the bully tactics the RIAA uses. She didn't care about any of that, she just wanted the music.

I agree with you that the majority of the people just dont care. As much as I try and inform people of all the crap the RIAA pulls, it just goes in one ear and out the other.

For now, I suppose I'll just continue on with my silent protest.

Re:Yes, this is bad

[Renraku]

People are using Sony's software to violate the ToS of World of Warcraft.

Something that they tried to HIDE on people's computers to RESTRICT them. People are now abusing it against Blizzard. Blizzard has 'just cause' to start a lawsuit.

Re:First4Internet

[Turn-X Alphonse]

I perfer my idea but sure, or you could take in an old box and drop it on the front desk and go "Excuse me, you've installed a virus on my PC via a Sony CD. Will you be removing it or should I charge by the hour at £X00(add as many 0s as you likee, but 2 sounds about right) for having to remove it via a repair guy (don't say you, it seems supicious).

Demand compensation (for petrol to get there), the money to fix it and if they refuse tell them you'll take them to court for the damages (claim the box was used for something important like hosting websites and the rootkit has not passed some safety tests that all servers must pass at your company).

Aww the fun of being a sick little geek :D

Other affected CDs

[vmxeo]

I showed the last to one of my coworkers, who immediately started worried about a recent Switchfoot CD he played on his machine. Sure enough, not only did the CD have DRM on it, but it seems to have installed the same rootkit as the example given in the Sysinternals website. Which of course makes me wonder, how many CDs did Sony put this into?

I'm starting to think it'd be worthwhile to create a domain policy to prevent this malware from running on any of our network machines....

Re:Yes, this is bad

[PhilHibbs]

Blizzard has 'just cause' to start a lawsuit.

Against Sony? No way, that's stretching the point too far. It's as daft as suing P2P software authors because people are using their software to violate copyright. Oh, wait...

My Letter to Sony

[macklin01]

Hello.

I have just learned about the malware that Sony has started to add to "compact disks" (in quotes, because Sony breaks the CD standard) via poorly-written DRM software from First4Internet. It is simply unconscionable that Sony would resort to such unethical lengths to prevent the pirating of a software. In fact, criminal trespass comes to mind, given that the software differs from what is described in the EULA and non-removable.

I'm outraged at this behavior demonstrated by Sony, and I can assure you that I am no longer a Sony customer. In short, although I am a computer enthusiast/technologist who builds his own systems and enjoys gaming, and although I am a scientist who uses high-end computing resources on a daily basis, I won't be purchasing any of the following from Sony in the next few years:

1) Stereos and portable audio equipment
2) Flat screen televisions, plasma TV's, etc
3) High-end computer LCD monitors
4) Laptop computers
5) Computer CD and DVD drives
6) Sony-branded CD, DVD, and floppy disk media
7) PlayStation 2 or 3
8) PlayStation Games
9) PlayStation Portable

and needless to say,

10) Sony and BMG music.

If you break standards on DVD equipment, add Sony and Columbia TriStar movies to that list.

Thank you for making my future purchase decisions so much easier.

Sincerely,

****

CMT.com removing posts about Van Zant rootkit

[Anonymous Coward]

There have been at least 2 posts removed from the Van Zant message board on CMT.com about the insideous DRM rootkit their CD installs. One of these post was mine. http://it.slashdot.org/comments.pl?sid=166915&cid= 13929028 [slashdot.org] I am emailing CMT.com to determine why my post was removed.

Make no mistake, the mebers of Van Zant are just as culpable in this as Sony Music. please let them know at

Vector Management

Ken Levitan and Ross Schilling

P.O. Box 120479

Nashville, TN 37212

Phone: 615-269-6600

Fax: 615-269-6002

Thank you Tapeworm

Re:Maybe Sony Should Print This On Their CD's....

[Jussi K. Kojootti]

They do... This is their Minimum system requirements for content protected discs:

To listen to the music on this disc, you need a PC with the following minimum system requirements:

• One of the following operating systems: Windows 98SE, ME, 2000 SP4, XP Home or XP Pro
• Pentium II or higher with Windows 98SE, Windows ME
• Pentium III or higher with Windows 2000 SP4, Windows XP Home, Windows XP Pro
• at least 64MB RAM above recommended OS memory level
• CD-ROM/DVD-ROM disc drive
• Internet Explorer 5.0 or higher
• Microsoft DirectX 9.0 or higher with non-Windows XP systems (download)
• Logged in with Administrator rights

.. you need to be root to listen to music. Just amazing.

List of affected CDs?

[Timo_UK]

Is there a list of CDs that are affected, except the one Mark Russinovich used.

Re:... until removed or deleted.

[garcia]

The EULA, which you cited, is intentionally vague and misleading, and certainly does not absolve Sony of responsibility for the above problems caused by their SOFTWARE. Also, just because it's in the EULA, sorta(!), does not make it legal. Sony is clearly being deceptive with these products and their EULA, and there are laws on the books to protect consumers from such action.

The DMCA is deceptive and vague but yet it still stands. Welcome to law.

Furthermore, it is not a safe bet to assume an EULA is a binding contract, there is precedent both ways on this, it depends on the EULA and the judge's opinion, and there are all kinds of laws regarding contract validity.

There is yes, but the EULA hasn't been truly tested, thus why it still stands. You know why? Because no one has the time and financial ability to go up against Microsoft, Sony, etc. So, regardless of YOUR opinion on the subject, you can certainly guarantee that this particular EULA will stand until another fails.

It doesn't scale

[Anonymous Coward]

What gets me is this DRM crap is I doubt Sony's given any thought to how this all scales over time. Assume that ALL record companies start using this method and every one is different. You could quickly end up with 8 or 10 different rootkits on your machine - everyone of them trying to manage your CD player - and who knows, maybe your harddrive. Then assume that Sony and the other companies decide that they need update their rootkits over time - with versions that aren't compatible with each other... you could end up with different rootkit for each CD you've ever loaded into your machine. Having several hundred rootkits installed on a machine would probably cause some serious performance and security issues, assuming they could all peacefully co-exist. This is one massively broken idea that Sony has and it has to be stopped NOW.

JR

Re:yes, but is it Mac compatible?

[TheUnknownCoder]

I read the FAQ's yesterday and the just added the following overnight:

• 6. I have heard that the protection software is really malware/spyware. Could this be true?
• How do I uninstall the software?

The uninstalling the doesn't say much, it just points us to a form that asks: Where you purchase the disc, Artist Name, Album Title, Store Name, Email Address. That's it. Now, let's say I want to uninstall this rootkit and I fill out the form. What will they do? Send me the instructions on the e-mail? From what Russinovich wrote, it's not a simple and easy task that the average user could do. So they have to send someone over to my house to uninstall this beast from my computer?

Couldn't Sony foresee the reaction on actual consumers: "I wanna buy this CD, but it has DRM (rootkit or not). Maybe it'll play on my car stereo maybe not. Maybe I'll be able to listen to it on my Discman (made by the same Sony), maybe not [corante.com]. Forget it, I'll get it online."

David Berlind [zdnet.com] has some interesting takes on the whole DRM issue.

Never forget...

[Kamiza Ikioi]

"So, technically they are in the clear..."

In the good ol' USofA, there is no technically clear in civil litigation. All you have to prove is something as simple as your reasonable expectations. Doesn't matter what the EULA says or if they did anything illegal.

IANAL, but it is my impression that in the eyes of the US courts, you not only have to follow the letter of the law, but you have to ensure that you are conveying a reasonable perception about what your product does. That fine print means nothing if the court finds it too difficult to read, or makes unfair claims (ie - By installing this, you transfer ownership of your computer to us... which is what a rootkit comes closest to without physical possession.)

Civil cases aren't really about the law. They're about damages, and a propoderance of evidence (more than 50% in your favor... a lot less than the reasonable doubt standard of a criminal trial). It may not be against the law for you to spraypaint your trees pink. But if I'm your neighbor and plan on selling my home, I have every right to sue you for damaging the property value of my home. Getting a few other neighbors to testify, and it'll win just on proponderance of evidence.

IMHO, I'd sue the hell out of Sony in a class action lawsuit. Look at it this way: you may not win a lot of money each, but it'll probably be enough to repurchase that CD and a few others with no DRM.

Re:Hope it catches on

[fireweaver]

mc900ftjesus (671151) wrote: "DRM." A bad publicity spin is a better way to combat DRM than actaully explaing it to Joe Sixpack. The word infected implies that it's bad, christ I've met people who think viruses are like human viruses (no one makes them they just happen). Leave the tech speak at home, just dumb it down to three words: infected with DRM."

I would tell Joe Sixpack something like this: "Joe, if you try to play one of these CD's that's got that copy-protection or something else called 'Dee-Are-Emm' on it, it will put viruses into your machine that will not only fuck it up completely, but cannot be gotton rid of. That is because the record companies are in cahoots with the hackers and spammers to rip you off. Do you want to take that chance?" You might also want to add a little punch to this by telling somebody's sad tale of woe.

I think he would get that, and I don't think it is misleading.

Re:Hope it catches on

[gerf]

"Infected with DRM"

Again, I must state that whenever I clean a computer with Adaware/Spybot/AVG/Panda Activescan/CWShredder/ect, I'm now going to have to ask one more thing:

"Have you bought and played any music CDs lately?"

How sad is it that doing something so legal can become associated with other computer slow-downs as spyware/malware/adware. This is what is going to irk the general public, and hopefully get people to look at DRM a bit more closely.

Re:Sue

[rishistar]

Can't you sue for the product not technically being an audio CD in the first place? Maybe I'm mistaken (and if I am I'd like to know) but an audio CD meets certain standards detailed in the Red Book [philips.com] that anything with DRM in fails to meet. So some shop is bound to advertise Sony CDs as audio CD's ergo that retailer can be sued perhaps?

Sony in violation of DMCA?

[softcoder]

If SONY circumvents the security I have installed on MY machine with their rootkit are THEY in violation of the DMCA?

Re:Deal with the devil...

[Arcys]

I wonder how ms, mac and winamp feel about this anti-competitive behaviour against music players?

Functions as normal audio CD on Macs

[Cadre]

What happens if a Mac user puts one of these crap Sony disks into their computer?

Nothing. It looks and functions as a normal audio CD on a Mac.

Does the Sony DRM prevent Windows users who legally buy their CDs from playing the songs in their iPod?

Under Windows, yes it will prevent iTunes from ripping it and putting the music on your iPod. Several bands (and I believe even Sony) have instructions for copying music onto the iPod using Windows and they generally involve burning the included WMA files of the music on a regular CD and then reripping it (yes you will lose quality), but the much better solution (that they don't tell you about) is to just hold down the shift key while inserting the CD which will disable the autorun.bat script.

It's actually rather funny looking at their instructions because they'll have several pages of instructions for Windows machines to copy the music onto iPods and for the Mac, they just say "The audio CD will function normally and without restrictions on a Mac.".

Call to anti-virus makers

[elfguygmail.com]

This is reported everywhere as a rootkit, something that can't be uninstalled, and that may compromise your system. It is, in fact, a virus. Personally I hope anti-virus software will start detecting it, reporting it as virus to the user ("Sony DRM virus found!") and remove it.

Re:Hope it catches on

[MilenCent]

Hmm... maybe we should get stickers made and pay a little visit to the local Walmart....