Forgot your password?
typodupeerror
Sony Your Rights Online

California Class Action Suit Sony Over Rootkit DRM 508

Posted by samzenpus
from the what-else dept.
carre4 writes "Lawyers in California have filed a class-action lawsuit against Sony and a second one may be filed today in New York. The lawsuit was filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, CA attorney Alan Himmelfarb. It asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices. EFF has released a list of rootkit affected CD's and Slashdot user xtracto also has a list."
This discussion has been archived. No new comments can be posted.

California Class Action Suit Sony Over Rootkit DRM

Comments Filter:
  • by RandoX (828285) on Thursday November 10, 2005 @09:06AM (#13996761)
    But how did Sony's actions prevent people from suing? Was there a clause in the EULA that prohibited it? Since they're getting their asses sued off anyway, can't the judge throw this one right out?
    • by KitesWorld (901626) on Thursday November 10, 2005 @09:12AM (#13996798)
      From the EULA :

      NO SONY BMG PARTY SHALL BE LIABLE FOR ANY LOSS OR DAMAGE, EITHER DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL OR OTHERWISE, ARISING OUT OF THE BREACH OF ANY EXPRESS OR IMPLIED WARRANTY, TERM OR CONDITION, BREACH OF CONTRACT, NEGLIGENCE, STRICT LIABILITY MISREPRESENTATION, FAILURE OF ANY REMEDY TO ACHIEVE ITS ESSENTIAL PURPOSE OR ANY OTHER LEGAL THEORY ARISING OUT OF, OR RELATED TO, THIS EULA OR YOUR USE OF ANY OF THE LICENSED MATERIALS (SUCH DAMAGES INCLUDE, BUT ARE NOT LIMITED TO, LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF DATA, LOSS OF USE OF THE PRODUCT OR ANY ASSOCIATED EQUIPMENT, DOWN TIME AND USER'S TIME), EVEN IF THE SONY BMG PARTY CONCERNED HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, THE ENTIRE LIABILITY OF THE SONY BMG PARTIES, COLLECTIVELY, UNDER THE PROVISIONS OF THIS EULA SHALL BE LIMITED TO FIVE US DOLLARS (US $5.00). SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF DIRECT, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CERTAIN INSTANCES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. THIS ARTICLE WILL NOT APPLY ONLY WHEN AND TO THE EXTENT THAT APPLICABLE LAW SPECIFICALLY REQUIRES LIABILITY DESPITE THE FOREGOING DISCLAIMER, EXCLUSION AND LIMITATION.

      And this little bit too :
      Article 10. GOVERNING LAW AND WAIVER OF TRIAL BY JURY 1. THE VALIDITY, INTERPRETATION AND LEGAL EFFECT OF THIS EULA SHALL BE GOVERNED BY, AND CONSTRUED IN ACCORDANCE WITH, THE LAWS OF THE STATE OF NEW YORK APPLICABLE TO CONTRACTS ENTERED INTO AND PERFORMED ENTIRELY WITHIN THE STATE OF NEW YORK (WITHOUT GIVING EFFECT TO ANY CONFLICT OF LAW PRINCIPLES UNDER NEW YORK LAW). THE NEW YORK COURTS (STATE AND FEDERAL), SHALL HAVE SOLE JURISDICTION OF ANY CONTROVERSIES REGARDING THIS AGREEMENT; ANY ACTION OR OTHER PROCEEDING WHICH INVOLVES SUCH A CONTROVERSY SHALL BE BROUGHT IN THOSE COURTS IN NEW YORK COUNTY AND NOT ELSEWHERE. THE PARTIES WAIVE ANY AND ALL OBJECTIONS TO VENUE IN THOSE COURTS AND HEREBY SUBMIT TO THE JURISDICTION OF THOSE COURTS. 2. YOU HEREBY WAIVE ALL RIGHTS AND/OR ENTITLEMENT TO TRIAL BY JURY IN CONNECTION WITH ANY DISPUTE THAT ARISES OUT OF OR RELATES IN ANY WAY TO THIS EULA OR THE SOFTWARE.

      So yeah, they tried to get out of their corperate liabilities.
      • by Skater (41976) on Thursday November 10, 2005 @09:19AM (#13996827) Homepage Journal
        Yeah, but companies always put that in. Ever go to the hospital and sign a liability waiver saying you won't sue them if the doctor makes a mistake? Malpractice suits still happen (and are won) even though the patient signed that waiver.

        I believe the term is "exculpatory", and the way my legal environment professor explained it was this: "If clauses like that worked, we'd all be driving around with signs on the front of our cars that say, 'Not responsible if I hit you'." (IANAL, of course.)
        • by Libby Liberal (928336) on Thursday November 10, 2005 @10:30AM (#13997268) Journal
          IANAL, but I worked for one for more than seven years. I haven't the training or the interest to provide legal advice, but here we go:

          Exculpatory/Hold Harmless/Indemnity agreement is/are the correct term(s).

          Exculpatory agreements are those contracts that attempt to create a pretext of blamelessness when a party might otherwise be typically held liable for damages in the event of some sort of failing on their part.

          They're generally challenged at a state level and taken before the state supreme court. Generally speaking, the track record of such agreements is dismal. Wisconsin, for example, has recently heard some six or so cases involving exculpatory agreements, including the one provided along with Atkins. In each case, the court ruled that the agreements were unenforcable. Here's the Supreme Court's overturn of the trial court's finding of indemnity:

          http://www.gklaw.com/publication.cfm?publication_i d=360 [gklaw.com]

          They're not always ruled unenforceable, but because they tend to be so overbroad, they're highly subject to being ruled that way. Generally speaking, this type of agreement is used mainly to frighten people away from lawsuits. The handful of people who will actually challenge them and the cost they create for a company is usually much smaller than if the company actually had to pay out when they did some harm.
        • by Shakrai (717556) on Thursday November 10, 2005 @10:34AM (#13997310) Journal

          I believe the term is "exculpatory", and the way my legal environment professor explained it was this: "If clauses like that worked, we'd all be driving around with signs on the front of our cars that say, 'Not responsible if I hit you'." (IANAL, of course.)

          So what your telling me is that my bumper sticker that says "If you can read this I'm about to lock my brakes" won't shield me from legal liability?

          God damn it!

      • Hahaha, yeah right! I'm sure if you leave them up to their own accords they will say they're not liable for anything. And if a person signs a sheet saying I can kill them and not be liable for it is that legal too? I can't wait till Sony is bled dry.
      • by MECC (8478) * on Thursday November 10, 2005 @09:37AM (#13996908)
        I had a law prof once who pointed out that waivers from liability are very limited in their ability to protect from litigation. If Sony broke the law, they broke the law. No EULA will protect them from being hauled into court.

      • Oh, to be a lawyer (Score:5, Interesting)

        by hey! (33014) on Thursday November 10, 2005 @10:50AM (#13997485) Homepage Journal
        IANAL, but I would love to be the one kicking the shit of out this EULA.

        Suppose you sign a contract with me in which for $100 I promise to fix things so your neighbors stop complaining about your dog barking at night. We agree in our contract that you will limit my liability from anything resulting from my attempts to stop Fido from barking to $50. I then drive up to your house and put a bullet through Fido's head.

        Now, does any person reasonably believe that you authorized me to shoot your dog, even if it's the most convenient way to accomplish what I said I'd do? Does any person reasonably beleive that consumers authorized Sony to completely undermine the security of their systems?

        Or how about this: I agreed to limit any damage due to my use of Sony's software, but my system crashed as a result of my placing a Deustche Grammaphone CD in the drive. That wasn't my use of Sony's software, that was Sony's use of Sony's software to check up on me. Or my system is compromised by a hacker. That wasn't my use of Sony's software, that was the hacker's use of Sony's software. And don't say I promised not to hold you responsible for negligence. This isn't negligence it's misrepresentation. This is not "YOUR USE OF ANY OF THE LICENSED MATERIALS"; nor is it "THIS EULA" (see point above).

        Sony should just own up to the fact this was incredibly stupid and irresponsible rather than bulling ahead and piling up liability for itself. Even at $5.00 a CD, it's going to hurt when the hammer drops. They should offer to replace all existing CDs with this software and provide technical support for one year to users who are affected by it.
    • by canuck57 (662392) on Thursday November 10, 2005 @09:23AM (#13996844)

      can't the judge throw this one right out?

      He probably could throw it out but I hope the opposite happens. Toss a big fine and bad publicity to Sony for this. DRM went too far with a root kit and two wrongs don't make a right. Sony is going to have to learn this. But the worst may yet come for Sony, I for one will no longer buy Sony products.

      And of all things, to remove the root kit you have to run an Active-X control from an untrusted site. Just what we in the security business tell people for good reason not to do.

      So I support dragging Sony through the mud on this.

    • by timeOday (582209) on Thursday November 10, 2005 @11:23AM (#13997822)
      That's right kids, you can't get away with murder simply by granting yourself the right to do so in some fine print legalize.

      I think it's foolish to let companies write (nearly) arbitrary contracts for public commerce. It's widely accepted that non-lawyers are unfit to interpret contracts (that why we make fun of people who ask legal questions on Slashdot), and yet the dozens of different contracts you can't go a day without consenting to are supposed to be binding. It's unworkable. I think everyday commerce with private individuals should be governed by a small, standardized set of contracts established by law. Then allow companies to select which they want for each product or service.

      • I think everyday commerce with private individuals should be governed by a small, standardized set of contracts established by law.

        Come to Germany, we've got something close to that.

        The so-called AGB ("Allgemeine Geschäftsbedingungen", roughly meaning "general terms of doing business with us") are extremely common in Germany and regulate stuff like how to return stuff to claim warranty, how quickly to pay if you don't pay by cash or credit card, that the stuff remains property of the shop until paid in
  • Hell yeah! (Score:3, Funny)

    by Anonymous Coward on Thursday November 10, 2005 @09:06AM (#13996766)
    The man is sticking it to the man!
    • by Dashing Leech (688077) on Thursday November 10, 2005 @09:15AM (#13996808)
      "The man is sticking it to the man!"

      Not that there's anything wrong with that. (=

    • by vivian (156520) on Thursday November 10, 2005 @09:22AM (#13996840)
      I can't believe how appropriate some of the song titles are:

      Our Lady Peace, Healthy in Paranoid Times (Columbia)
      Van Zant, Get Right with the Man (Columbia)
      Switchfoot, Nothing is Sound (Columbia)
      The Coral, The Invisible Invasion (Columbia)
      Acceptance, Phantoms (Columbia)
      Horace Silver Quintet, Silver's Blue (Epic Legacy)
      Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
      The Bad Plus, Suspicious Activity (Columbia)

      almost like they are an extra subliminal warning, given the extra Sony "Bonus" that awaits on the CD.
  • by KitesWorld (901626) on Thursday November 10, 2005 @09:07AM (#13996768)
    bleh.

    Anyway, It's good to see this happening. It's important to make sure that the major labels realise that while DRM is legal, there are limits to what people will tolerate - and damaging peoples machines is not something that people are going to tolerate.

    Heck, with luck they might even water down Blu-Ray as a result. I can dream :)
  • by LaughingCoder (914424) on Thursday November 10, 2005 @09:09AM (#13996778)
    not to buy CDs. Like I needed more reasons. They are already too expensive and they force me to buy tracks I don't want just to get the 1 or 2 I want. I know Sony *thinks* they are *adding value* which will incent me to buy CDs, but obviously they miscalculated.

    If only someone would offer a digital download service with CD quality content.
  • Sony's DRM is Good (Score:3, Informative)

    by rudy_wayne (414635) on Thursday November 10, 2005 @09:10AM (#13996783)

    Install Sony DRM protected CD
    Re-Name your favorite CD ripping program to $SYS$filename.exe
    Now your CD ripper is hidden from Sony's DRM

    It can also be used to hide cheat programs from various games.

    • Install Sony DRM protected CD
      Re-Name your favorite CD ripping program to $SYS$filename.exe
      Now your CD ripper is hidden from Sony's DRM

      Maybe you missed the story [slashdot.org] from a few days ago where it was indicated that Sony's spyware can see through [slashdot.org] veiled attempts to use files whose names begin with $sys$.

      On the other hand, intentionally infecting oneself with this spyware in order to avoid other companies' DRM is simply genius, and is a sweet example of how multiple companies' competing DRM schemes will never be su

    • by Anonymous Coward on Thursday November 10, 2005 @10:03AM (#13997069)
      Actually renaming the ripper does NOT work, at least not consistently, according the original "discoverer" of this. See the last Slashdot story about it.

      Besides, you still have their shitty security-compromising, phone-homing, CPU cycle eating rootkit installed! So what if there's some way of working around it to rip the CD, it needs eradicating completely or better yet to not be installed to begin with.

      Better method :
      - Disable autorun, or hold down shift whilst you insert and explore the CD
      - Run ripper as normal, the rootkit isn't installed so there's nothing it can do

      Best method :
      - Don't buy the "CD" to begin with, write to the artist and Sony telling them why.

      Yeah, it's being used to cloak several cheat programs like the WoW auto-fisher. If I were head of one of their publishers I'd have my team of vicious attack lawyers looking for some legal grounds to sue Sony for loss of earnings / financial harm, I know there probably there aren't any but it's worth a try.
  • by MagicMerlin (576324) on Thursday November 10, 2005 @09:10AM (#13996784)
    Just rename your emailed copy of the lawsuit to $sys$lawsuit.pdf and it will disappear!
  • by psergiu (67614) on Thursday November 10, 2005 @09:11AM (#13996789)
    I used to buy a lot of music CDs. But after this wave of incompatible discs i just resorted to download mp3s as its sure that i can play them on whatever device i want.
  • by Hitto (913085) on Thursday November 10, 2005 @09:11AM (#13996792)
    Before this gets /.ed [eff.org], here's the text.
    Quoth the EFF :
    Now the Legalese Rootkit: Sony-BMG's EULA
    November 09, 2005

    If you thought XCP "rootkit" copy-protection on Sony-BMG CDs was bad, perhaps you'd better read the 3,000 word (!) end-user license agreement (aka "EULA") that comes with all these CDs.

    First, a baseline. When you buy a regular CD, you own it. You do not "license" it. You own it outright. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the "first sale" doctrine), or make a copy for use on your iPod (thanks to "fair use"). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.

    Now compare that baseline with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:

    1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

    2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

    3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

    4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

    5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

    6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

    7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

    8. You have no right to transfer the music on your computer, even along with the original CD.

    9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

    So this is what Sony-BMG thinks we should be allowed to do with the music on the CDs that we purchase from them? No word yet about whether Sony-BMG will be offering a "patch" for this legalese rootkit. I'm not holding my breath.
    Posted by Fred von Lohmann at 12:24 PM | Permalink | Technorati

    Endquote. It's interesting to see just how far Sony will go to alienate the tech-savvy user base. It's been a few years since I religiously started forbidding people to buy Sony products, because I wouldn't be assed to "fix my vaio, please" or to "take a look at my LCD screen, there are, like black dots and stuff on it", but my brother-in-law still got himself a Sony DAP.

    The first thing I thought was, "Wow! The salesman actually managed to sell him something that isn't an iPod.", but come on. What's you /.er's take on this vast DRM-wing conspiracy?
    • I'm really torn on this, because I want to forbid my girlfriend from buying any more Sony products (I personally have been boycotting them for years already -- their hard-on for proprietary formats (e.g. Memory Stick) was enough for me), but I know her family really likes gaming, and buys every console that comes out.

      I hate to do it, but I may have to issue the ultimatum "Do not buy a Playstation 3, because I will be forced to break up with you if you do."
    • by SeattleGameboy (641456) on Thursday November 10, 2005 @03:19PM (#14000387) Journal
      It is even worse than that.

      http://news.com.com/Antivirus+firms+target+Sony+ro otkit/2100-1029_3-5942265.html?part=rss&tag=594226 5&subj=news [com.com]

      Excerpts:

      However, Computer Associates, which has a security division, said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly.

      According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said.

      "It will effectively insert pseudo-random noise into a file so that it becomes less listenable," said Sam Curry, a Computer Associates vice president. "What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool."

      So, not only is it spying on you, it even prevents you from making good copies of the CD's WITHOUT any DRM!!! The BALLS!

  • by BushCheney08 (917605) on Thursday November 10, 2005 @09:11AM (#13996794)
    I know that Sony's actions here will make me think twice about buying a Vaio. I'm getting ready to buy a new laptop, and Sony does have some decent ones out there. However, I have no way of knowing that they're not gonna install this crap on the machine at the factory. Well done Sony. The actions of one arm are negatively affecting sales of another...
    • by vivian (156520)
      Don't do it.
      I bought a high end sony laptop (for £1900 in Aug 2001) and had no end of problems.
      Mobo died after 4 months, and the default warranty didn't cover it. ( I was in Aus, I bought it in the UK. So much for an "international" company, which was one of the reasons I bought the VAIO in the first place.)
      I git it repaired 7 months later on a return trip to the UK, leaving me with 1 month warranty.
      The screen backlight died 3 months later. Sony told me it would cost over AU$1000 to replace the screen
      • by nahdude812 (88157) on Thursday November 10, 2005 @11:03AM (#13997611) Homepage
        Stay away from Dell too. After I was rear-ended in a car accident, my PCMCIA slot was damaged, but the machine worked fine otherwise.

        Of course that damage wasn't covered by my warranty, but the repair was covered by the other guy's insurance company. Their only clause for paying for it was this: any replaced parts needed to be shipped to them by me (I guess they wanted to make sure I wasn't trying to scam them and get myself a new computer).

        When I got the repair authorization from Dell, and fronted the $800 cost, I told the tech on the phone that I needed the replaced parts returned to me (the mobo needed to be replaced). He said no problem, I just needed to attach a note to the laptop, and they'd ship the parts back with the repaired laptop.

        I attached a note to the laptop to the effect (taped it securely to the back of the screen so it would be seen when the box was opened). After the laptop came back, it didn't have the old mobo, and the bill clearly stated that the mobo had been replaced. But there was no old mobo in the box.

        When I called support to ask about it, the first guy I talked to said Dell had a policy of never returning bad parts, but instead they destroy them in an environmentally friendly fashion. I explained I'd been told I could get the parts back, and needed the parts back to get reimbursed for it by insurance, he sent me to level 2. Level 2 said they do have a policy that they'll return those parts, but that I needed to tell the guy who issued my RMA in the first place. I explained I had done so, and he said, "I don't see any note on your RMA for that, you must not have done so, perhaps if you'd attached a note." I explained I had also attached a note, because that's what I was instructed to do by the RMA issuer. He checked the unpacking logs, and said no mention was made of a note.

        In the end I ended up talking to about a dozen different people in the returns area, almost every one had a different idea about how I'd have to have made sure I got the parts back, including some who told me that there's a 25% surcharge on getting the parts back (!).

        They wouldn't provide a partial or full refund for the work completed, they wouldn't ship me another mobo (I told them I didn't care if it was smashed into 100 pieces), and they didn't care that I was out the costs of this repair without the original parts. I climbed all the way up the supervisor chain to the director of out of warranty repairs, and no one cared, and no one was 1) willing to admit that any mistake had been made on their end (I had a PHOTO of the laptop in the shipping package, with my note attached to it, clearly readable, they claimed I could have done that after the fact), nor 2) willing to take any steps to placate me as an unhappy customer.

        So the insurance company wouldn't reimburse me, I spent $800 repairing a laptop that was not really worth that much (guess the insurance company should have totaled it), and it's all Dell's fault. They honestly didn't care.
        • by duffbeer703 (177751) on Thursday November 10, 2005 @11:28AM (#13997857)
          Get an AMEX card, pay with it and dispute any nonsense like this with them, you'll likely get your money back.

          A body shop pulled a similar stunt with my car after I was in an accident. The repairs that they made were of poor quality, and the insurance company refused to do anything since I didn't tow the car 50 miles to the nearest authorized center.

          Fortunately, I charged it to my amex blue card, and wrote them a letter describing the situation in detail. There was some back and forth with the body shop, but the end result was a $3,000 chargeback which allowed me to get the shoddy work replaced.
        • by ad0gg (594412) on Thursday November 10, 2005 @12:44PM (#13998574)
          Umm.. if its not your insurance company, you don't have to follow their rules. Remember it was the others guys fault. Its there responsibility to pay for the damages they caused, they should be the ones calling dell to get the old parts. They want to be dicks about it, i'd say i'm starting to have neck problems and tell them i'm seeing a chiropracter. They'll settle right on the spot.
    • by Feyr (449684)
      a friend in the computer repair business once told me that the vaios are so fragile they literally get hundreds of them to repair. that was about 2 years ago when i was shopping for a laptop.

      in the end i went for an eurocom. it's somewhat heavy, but does a damn good job
    • Wal-Mart and HP are rumored to be coming out with a $399 laptop this holiday season, and it actually sounds sweet (fyi, don't let AMD Sempron scare you, it is the Thoroughbred Athlon XP). You'll probably need to buy Windows seperately. Google has more details.
  • More from Mark (Score:5, Interesting)

    by Spad (470073) <slashdot@NOSpam.spad.co.uk> on Thursday November 10, 2005 @09:12AM (#13996795) Homepage
    Looks like Sony aren't making it easy to get rid of their rootkit [sysinternals.com].

    Most Spyware has fewer hoops to jump through to uninstall it.
  • Serves them right (Score:5, Interesting)

    by Nerdposeur (910128) on Thursday November 10, 2005 @09:13AM (#13996801) Journal
    I'm not sure how Sony arrived at the decision to take over people's computers, but I can't see the morality of it. "People are stealing from us, so let's damage their property."

    In meatspace, this would be called "vigilante justice," but I'm not sure that large corporations qualify for that label.
    • Re:Serves them right (Score:5, Informative)

      by brajesh (847246) <brajesh.sachanNO@SPAMgmail.com> on Thursday November 10, 2005 @09:23AM (#13996845) Homepage
      and they aren't even apologetic about it. From this piece of news [arstechnica.com]-

      Thomas Hesse, President of Sony BMG's global digital business division, showed up on NPR to try and sweep the entire thing under the rug.
      "Most people, I think, don't even know what a rootkit is, so why should they care about it," he asked? "The software is designed to protect our CDs from unauthorized copying, ripping."

      Pathetic
    • by tomcres (925786)
      The California suit is really nothing when you look at the big picture. The reality is that we have surrendered our freedom, in fact, surrendered our supposedly democratic government, to rich people with capital interests in restricting our liberty. A lot of this has to do with the invention of incorporation, the idea that a company can be viewed as a "person" under the law. But just take a look at who makes up our government and what kind of laws they enact. You almost have to be a millionaire political pa
  • by Somatic (888514) on Thursday November 10, 2005 @09:13AM (#13996805) Journal
    You can piss off the consumers, the college kids, the geeks, the nerds, the haxx0rs, the artists, and even other people in the industry itself... but when you put that crap on a country CD, you just know some politician is going to buy it, and then you're screwed.
    • by div_2n (525075)
      You can piss off . . . the geeks

      I know you are being funny, but this is just a REALLY bad idea for a company that produces technology driven products. Who do family members turn to when they are considering dropping money on expensive technology products for advice? I know mine turn to me. Guess what I'm going to say from now on when they ask? "Whatever you do, don't buy a Sony product." Mine listen to me implicitly when I give such direct advice especially if I have suggestions to offer.

      Sony has made a mis
  • by captainktainer (588167) <captainktainer AT yahoo DOT com> on Thursday November 10, 2005 @09:14AM (#13996807)
    Several things are important to point out:

    First, right now it isn't "California" as a whole suing Sony. An attorney has filed a class action lawsuit, and California citizens (and the world as a whole) will benefit. It would be nice if the California Attorney General would lend the government's support in an amicus curiae brief, but in media-rich California that isn't likely to happen. The representatives of the people of California haven't really weighed in on the matter yet, sadly.

    Second, a New York law firm will be next to join the bandwagon. Things are heating up faster than the article summary indicates

    Third, all of these lawsuits are going to hit Sony *hard*, right in the wallet. Any financial benefit they might have gained from their DRM will be lost unless the lawyers involved immediately drop their cases.

    Finally, Sony really doesn't have any solid defense against the charge that they violated the Consumer Protection Against Consumer Spyware Act, *unless* the act specifies that spyware can only be classified as such if it submits personally identifiable information back to the authors or a third party. I'm not too clear on that regard- anyone have information they can add on that count?
    • mod parent up (Score:2, Informative)

      The summary is completely misleading and would have a casual reader believe that the Attorney General of California is suing Sony. This is merely a class action lawsuit by some lawyer on behalf of California citizens.
    • Actually, the sony media player does send back personal information - it checks for the latest lyrics and album art for any CD you play through it. So at the least they can collect CD being played, time of day and IP address of computer playing it. That to me is spyware..
    • Second, a New York law firm will be next to join the bandwagon. Things are heating up faster than the article summary indicates

      This is more important than you think.... Looking back to an earlier post, where the EULA was quoted, we have this:

      THE VALIDITY, INTERPRETATION AND LEGAL EFFECT OF THIS EULA SHALL BE GOVERNED BY, AND CONSTRUED IN ACCORDANCE WITH, THE LAWS OF THE STATE OF NEW YORK APPLICABLE TO CONTRACTS ENTERED INTO AND PERFORMED ENTIRELY WITHIN THE STATE OF NEW YORK (WITHOUT GIVING EFFECT

  • by Chibineko (930024) on Thursday November 10, 2005 @09:15AM (#13996809)
    From the list of Infected CDs:
    Our Lady Peace, Healthy in Paranoid Times

    Hrmmm....
  • by Dekortage (697532) on Thursday November 10, 2005 @09:16AM (#13996813) Homepage

    From the article: "Sony's move is the latest effort by the entertainment companies to rely on controversial 'digital rights management' (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks like Kazaa and Limewire."

    Yeah, because installing secretive, privacy-invading software on your computer is sure to stimulate CD sales.

    And the uninstall process [sysinternals.com] is a privacy invasion too... you gotta fill out an online form, check your email for a URL to ANOTHER online form, then get the uninstaller. And while the uninstaller gets rid of the XCP2 Aurora [xcp-aurora.com], it simultaneously installs another DRM (MediaJam). Nice. Sony, how I love thee. You're so sinister.

  • I wonder if whichever genius Sony/BMG exec did this is fired already... surely the other Sony branches love this publicity. Do people think this will eventually harm or even dent Sony's brand image? As a fellow computer saavy user here on Slashdot I'm already trying to actively, personally boycott Sony and any company that is bent on using DRM. And you guys say, what if Intel and AMD both DRM there chips? Surely, I can't boycott computers in general can I? But there HAS to be a few clever electrical and
  • by Weatherman-au (572907) on Thursday November 10, 2005 @09:16AM (#13996818) Homepage
    I mean, come on, Sony! Celine Dion? Neil Diamond? Ricky Martin??

    If you were really serious about XCP as a means to prevent illicit copying, in order to protect your revenue, how about applying it to music that people would want to download?
    • Sure, you may think that music is really crapastic, but the reallity is that those artists are the ones that get the into the billboard 10 and get the platinium, titanium, uranium etc prizes for disc selling.

      Of course, one could argue that, people which know how to actually copy CD's are the ones that do not listen to that music (i.e. the not average J6Pack). But, some of them use their knowledge to pirate & sell the illegal copies. I presume (*I hope*) those are the persons which sony was aiming when a
  • Serious work issue (Score:3, Insightful)

    by RoboProg (515959) on Thursday November 10, 2005 @09:17AM (#13996822) Homepage
    This poses a potential problem for me, as I like to listen to my CDs at work (ripped to MP3 format, of course). Security is a real issue at work, to their credit. I can't have my music installing spyware on my employer's PC.

    HELLO SONY! You are making your stuff unusable! Cease & desist, and all that.
  • Nice list of CDs.. (Score:2, Informative)

    by Anonymous Coward
    Trey Anastasio, Shine (Columbia)
    Celine Dion, On ne Change Pas (Epic)
    Neil Diamond, 12 Songs (Columbia)
    Our Lady Peace, Healthy in Paranoid Times (Columbia)
    Chris Botti, To Love Again (Columbia)
    Van Zant, Get Right with the Man (Columbia)
    Switchfoot, Nothing is Sound (Columbia)
    The Coral, The Invisible Invasion (Columbia)
    Acceptance, Phantoms (Columbia)
    Susie Suh, Susie Suh (Epic)
    Amerie, Touch (Columbia)
    Life of Agony, Broken Valley (Epic)
    Horace Silver Quintet, Silver's Blue (Epic Legacy)
    Gerry Mulligan, Jeru (Columbi
  • ... against SandStorm [slashdot.org]?
  • DMCA defense? (Score:5, Insightful)

    by hrm (26016) on Thursday November 10, 2005 @09:23AM (#13996847)
    I hope this goes to court and triggers Sony into mounting an DMCA based defense ("this is our copy protection system, and you don't mess with that shit even if does screw your PC"), then maybe people would get a better understanding of what a rotten law the DMCA actually is.
  • in similar news (Score:5, Informative)

    by coredump-0x00001 (922856) on Thursday November 10, 2005 @09:24AM (#13996850)
    Pestpatrol ad/spyware remover now detects and removes [zdnet.com] sony's DRM rootkit [ca.com] hats off to eTrust for that.
  • by Bad to the Ben (871357) on Thursday November 10, 2005 @09:28AM (#13996863)
    - DRM rootkit to stop piracy: $50,000,000
    - Patch to water-down DRM rootkit: $5,000,000
    - Top notch lawyers to sue pirates: $100,000,000
    - Being sued by the only legitimate users you have: Priceless.

    There are some thought processes money can't buy. For everything else there's MasterTard (tm).
  • by Phoenix (2762) on Thursday November 10, 2005 @09:29AM (#13996869)
    And people wonder why I haven't bought a single CD in the past 5 years that didn't come from an independant artist. Sony will just have to lable me as a heathen devil commie mutant anti-social pirating slime bag since I now get all my music from other sources besides the traditional record industry. First it was a copy protection that killed my CD-Rom drive and my Car Stereo, now we have a major company turning into a @#$%ing hacker with intent on screwing up my system just to keep me from using thier music in THIER OWN MP3 PLAYER.

    Yes, I love the fact that Sony wants to sell me a MP3 player and MP3 compatable CD and DVD players, but doesn't want me to actually USE the damn things to listen to thier music.

    Go Figure.

    The other stupid thing is the simple fact that there is no copy protection that has lasted more than 2 weeks before it was cracked, and at times in the most embarrasing way imaginable.

    The one that cost millions to develop and was cracked using a $1.25 Sharpie marker jumps to mind.

    Frankly I hope the music industry dies. I'm just so utterly sick to death about the whole goddamn thing I want it gone.

    Phoenix
  • by OolonColluphid (591237) on Thursday November 10, 2005 @09:31AM (#13996875) Homepage
    ... and the part I love best is that I actually need to rip the thing before it wrecks my CD player. I bought the "DualDisc" version of the Trey Anastasio CD they show in the EFF write-up. Every time I put it in my 10 year old Sony CD player, it makes a horrible racket. One of my friends is having trouble playing it in his portable because it's so thick that it's brushing the lid. I'm afraid to put it in the car disc player for fear that it will get stuck.

    Besides putting a personal ban on buying any more Sony junk, and doing my best to avoid buying any albums on their label, I will also be writing to the artist and urging others to do the same.
  • by swissfondue (819240) <[moc.liamg] [ta] [eudnofssiws]> on Thursday November 10, 2005 @09:31AM (#13996879)
    As linked through other Slashdot posts, the ALCEI (the Italian Electronic Frontiers organization) http://www.alcei.org/index.php/archives/105 [alcei.org], has a different tactic. They refer to F-Secure http://www.f-secure.com/v-descs/xcp_drm.shtml [f-secure.com] in order to sue Sony for propagating a virus named "XCP DRM Software".

    This opens another plan of attack which I think will have more chance of succeeding (at least for public mind-share. I can't judge the legal value of the argument).

  • Two thoughts (Score:3, Interesting)

    by BigPoppaT (842802) on Thursday November 10, 2005 @09:45AM (#13996961) Homepage
    1) In organizations where security/privacy is mandated (due to HIPAA, SOX, and other legislation) I expect the ISOs (Information Security Officers) will begin prohibiting the use of audio CDs in PCs. This will probably help Sony's competitor Apple more than it will help Sony, because it will drive iPod sales.

    2) Here's a link [sonymusic.com] where you can communicate to Sony how you feel about the rootkit situation. I used this link to send the following to Sony:
    I want you know that I will never purchase any Sony product again until: a) the VP who approved your rootkit is fired; and b) Sony promises not to do anything like this again. I have never pirated a CD, and I use Linux (so this rootkit would not affect me), but you have effectively declared war on your customers. So, I will refuse to be one of your customers from now on. I am giving you this feedback because I wanted you know why I am boycotting you. I believe that Sony should be accountable for its actions.
    I didn't submit this anonymously. Here is the email reply they sent me (pretty much a form letter):
    Thanks for visiting Sony Music Online and for your feedback. We appreciate (and encourage) all suggestions and comments. As you can imagine, we receive quite a few email messages every day. While we would like to respond to each of them individually, we often do not have the time and resources to do so. Be assured that I will pass your comments on to the parties most responsible for dealing with them. Have you checked out our FAQ page? Perhaps you will be able to find the answer to your questions there: http://www.sonymusic.com/help/faq/ [sonymusic.com] Thanks again for your note and the time spent on Sony Music Online.
    The most helpful thing about the faq was seeing which record labels are Sony. Unfortunately, Columbia Records is one of them - so I won't be buying the new System of A Down album when it comes out in a couple of weeks. That hurts, but in good conscience I just can't do business with Sony. If people buy Sony products in spite of this, Sony wins. So, no System CD for me, no PS3 for you gamers, no Vaio for you Mac-wannabes, etc. Don't just complain - let them know why you're boycotting, then actually do it.
  • by onkl (930010) on Thursday November 10, 2005 @09:45AM (#13996962)
    In Dutch newslogs, it is mentioned now that the rootkit is using parts of the (LGPL) LAME-encoder. So, should their rootkit be open-source then? "Script kiddies unite, fight for your source code rights" I'd fear. Below some babelfished Dutch. (from Webwereld.nl) Thursday 10 November 2005, 09.59 - the spyware which Sony on the computers of muziekfans install do not seem not only technical, but even also copyright in the hook. In the rootkit pieces code appear sit which is identical to LAME, open source mp3-encoder. The licentie is exceeded. Concerning software exercises the copyright with the so-called Lesser Gnu Public License (LGPL). According to this licentie Sony must satisfy requirements to a number of. Thus they must tell that they use software in a copyright notice. Also the company the source code of open-sourcelibraries must provide or available to make. Finally the tussenvorm between must make source code and feasible code, the so-calledobject traffic-jams, meeleveren or available, with which others can make similar software. Sony have only satisfied to none of these requirements, but provide a feasible programme. A computer expert, of whom the name is confessed at the redactie, discovered that on the cd Get Right With The man of Van Zant strings from the library version.c of Lame sits. This is make up from the string: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95". But the expert has more proof. This way there so-called array largetbl sit at a place in the programme go.exe. This is a part that is used in the module tables.c of libmp3lame. The discovery is possible far-reaching consequences has on the muziekgigant, which themselves claim only protect the copyrights. Rather judges in Germany forced several companies already make the source code public and the required spullen for compiling to provide. Also it is possible claim damageses. Meanwhile details also other become clearly and this way complain the Electronic frontier foundation which the spyware make also legal listening music on iPods impossible. The organisation is busy with a list of cd's which publishes hidden programmatuur meeleveren to make and these on the Internet site. Wouter Rutten of the NVPI emphasise that the commotie for Dutch a ' meaningless tale ' is because the aware cd's are only in the United States and in Mexico available. The organisation offers information on the beveiliging of First 4 Internet to Cdlogo.nl by means of the site, however. Several phone calls to SonyBMG continued call back in spite of promises to unanswered.
    • by Intron (870560) on Thursday November 10, 2005 @11:06AM (#13997638)
      Can I use LAME in my commercial program? [mp3dev.org]

      *** IMPORTANT NOTE ***
      The decoding functions provided in LAME use the mpglib decoding engine which is under the GPL. They may not be used by any program not released under the GPL unless you obtain such permission from the MPG123 project (www.mpg123.de).

      • *sigh*

        As has been pointed out before, the static strings that are compiled into the program are just parts of the program that are LOOKING FOR LAME. It doesn't have any part of lame in it, it's making sure that you don't use lame to encode this CD. It's part of the so-called "protection". It's looking for a whole list of files and applications that it knows about in order to prevent them from being used to extract the audio from this CD.

        No LGPL violation. Move along.
  • by Anonymous Coward on Thursday November 10, 2005 @09:46AM (#13996970)
    According to this [webwereld.nl] article (Dutch) on the CD Get Right With The Man of Van Zant there are strings from the library version.c of Lame [mp3dev.org]. The following strings are found: "http://www.mp3dev.org/", "0.90", "LAME3.95", "3.95", "3.95 ".

    Also in the program go.exe their is an array called "largetbl", which is part of tables.c of libmp3lame. Can anyone confirm these findings?

    LAME is licenced under the LGPL. Could this mean more trouble for Sony because of a license violation?
  • by digitaldc (879047) on Thursday November 10, 2005 @10:01AM (#13997051)
    How ironic that one of the copy-protected CDs is titled 'THE BAD PLUS' by Suspicious Activity.
    And they really mean it!
    Be rest assured Sony, that I will NEVER buy one of your invasive CDs.
  • by Anonymous Coward on Thursday November 10, 2005 @10:40AM (#13997374)
    ...as they have renamed themselves to $sys$Sony...
  • by andyo (109338) on Thursday November 10, 2005 @10:46AM (#13997438) Homepage Journal
    The BitDefender company claims an exploit has already been found that uses the Sony DVD rootkit to gain access to one's system:

    [bitdefender.com]http://www.bitdefender.com/VIRUS-1000058-en--Backd oor.IRC.Snyd.A.html [bitdefender.com]

    Naturally, they are promoting their software as protection.

  • sony hits Macs too! (Score:4, Interesting)

    by Anonymous Coward on Thursday November 10, 2005 @11:57AM (#13998144)
    From Macintouch today:

    A reader followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

    I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.
        Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.

    so, Mac users have been safe up 'til now......

  • by computer_redneck (622060) on Thursday November 10, 2005 @12:28PM (#13998411)
    If this is so, isn't the law of the US that Children under 18 are not legally bound or able to enter into a contract with anyone without permission of the parent? If this is so and a EULA is a Contract then technically doesnt that mean that anyone under the age of 18 in the US is not bound by the EULA?

    Just curious.

"Out of register space (ugh)" -- vi

Working...