President of RIAA Says Sony-BMG Did Nothing Wrong

Zellis writes "In a press conference held on Nov 18 Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property." According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?" It seems that the latest spin is to portray the Sony rootkit as no more of an issue than a software coding error that unintentionally creates a security hole. Will they get away with it among the non-technical public?" Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!

Fantasyland!

[Anonymous Coward]

the fact that this whole r00tkit fiasco has set DRM back by years.

Hey Hemos! What color is the sky on your planet? Think about it for a minute. Do you truly believe that this minor incident with Sony-BMG will have any significant effect, even with Sony let alone any other label? I guarantee you that Sony_BMG is already scrambling to get the "latest generation" DRMed CDs on the shelves before Christmas. You must live in Fantasyland.

Big Surprise?[ - Radio now]

[saskboy]

"President of RIAA Says Sony-BMG Did Nothing Wrong"

In other news, cows give milk.

Anyone interested in local radio coverage of this story, CJME.com is about to do a show on the Sony rootkit, you can listen live at 10:05AM CST, and again in the evening for a rebroadcast. Sorry, no podcast is made.

If...

[RAMMS+EIN]

If Sony clearly indicated that they were installing a rootkit on the users' systems, than I think indeed they did nothing wrong. It's their product, after all, so if they want to include a rootkit, that's fine. The only reason I say they need to indicate the presence of the rootkit is that it is the kind of software that you would normally expect not to be included (in good faith).

However, I doubt that Sony would have clearly indicated the presence of the rootkit. How do you even begin to clearly indicate the presence of something that most people don't even understand? I haven't been following the case, though, so I can't say anything more about it.

Re:Thank goodness for Konqueror

[forkazoo]

Well, I'm a sys-admin at a company with a few hundred desktops. AFAICT, there isn't any way to scan my whole network for the rootkit, and the only sure fire, safe way to remove it is to reimage the machines that have it. Thankfully, it does phone home, so we have started looking through firewall logs for anything trying to get to the phone-home website. Still, a major PITA.

punish RIAA

[Anonymous Coward]

Every time they say something like this, steal a song. Everytime they Do The Right Thing (tm), buy a song.
An I am such a sissy that I post this AC

Sauce for the Gander

[Nom du Keyboard]

Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property.

I truly, deeply, and sincerely hope all his personal computer systems are rooted by all the DRM flavors out their simultaneously. Then he can live with what he claims is not a problem at all for the rest of us.

Re:Markets always trump cartels eventually

[dada21]

I've seen 2 local bands forgo major label representation because of BAD contracts. Yet most big bands do sign bad deals.

I see a big reason for "major" labels, actually. I look at it as a co-op of bands that distribute the cost of production and marketing across hundreds of "talented" bands.

My problem is with the anti-freedom maneuvers of the labels. They corrupted radio rights, they helped destroy copyright, they subsidized the DMCA and they fostered anti-speech creations like Tipper's parental warning label and other bad ideas. I have no problem with stupid business tactics, it is when the law protects it that I'll call foul.

Re:Commercial rootkit?

[Anonymous Coward]

I put Snort sigs in place for the Sony traffic http://www.bleedingsnort.org/ [bleedingsnort.org] and got hits from the following company

I have loaded the Sony DRM sigs but have gotten hits from other products. I am wondering if this is a false alert or another company using this root kit for DRM

000 : 50 4F 53 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E POST http://www./ [www.]
010 : 70 68 6F 74 6F 73 68 6F 77 2E 6E 65 74 2F 4D 50 photoshow.net/MP
020 : 53 4E 41 70 70 53 65 72 76 65 72 2F 73 65 72 76 SNAppServer/serv
030 : 69 63 65 73 2F 6C 6F 67 67 69 6E 67 20 48 54 54 ices/logging HTT
040 : 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 61 P/1.0..Accept: a
050 : 70 70 6C 69 63 61 74 69 6F 6E 2F 2A 2C 20 61 75 pplication/*, au
060 : 64 69 6F 2F 2A 2C 20 69 6D 61 67 65 2F 2A 2C 20 dio/*, image/*,
070 : 6D 65 73 73 61 67 65 2F 2A 2C 20 6D 6F 64 65 6C message/*, model
080 : 2F 2A 2C 20 6D 75 6C 74 69 70 61 72 74 2F 2A 2C /*, multipart/*,
090 : 20 74 65 78 74 2F 2A 2C 20 76 69 64 65 6F 2F 2A text/*, video/*
0a0 : 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 ..Content-Type:
0b0 : 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 55 73 65 72 text/plain..User
0c0 : 2D 41 67 65 6E 74 3A 20 53 65 63 75 72 65 4E 65 -Agent: SecureNe
0d0 : 74 20 58 74 72 61 0D 0A 48 6F 73 74 3A 20 77 77 t Xtra..Host: ww
0e0 : 77 2E 70 68 6F 74 6F 73 68 6F 77 2E 6E 65 74 0D w.photoshow.net.
0f0 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A .Content-Length:
100 : 20 31 36 33 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 163..Proxy-Conn
110 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali
120 : 76 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 ve..Pragma: no-c
130 : 61 63 68 65 0D 0A 0D 0A 3C 3F 78 6D 6C 20 76 65 ache..........
190 : 3C 69 6E 73 74 61 6C 6C 49 64 3E 35 66 37 35 30 5f750
1a0 : 34 66 36 33 61 66 38 37 38 35 61 39 32 63 36 33 4f63af8785a92c63
1b0 : 63 62 64 38 30 61 38 66 63 63 66 3C 2F 69 6E 73 cbd80a8fccf
1d0 : 3C 2F 73 65 72 76 69 63 65 3E 0D 0D 0A ...

For the non-technical:

[SLot]

"Hey, I know we were found in your house in the middle of the night after breaking in a window, but we've cleaned up the mess and put in a new pane of glass. Aren't we responsible"?

Now, if only the non-technical people could see this....

Justification still stupid

[Bullfish]

Sony has been saying they did nothing wrong all along so it's not a surprise to hear the RIAA chime in. So others do it too, does that mean a burglar should get off because others have broken into your home? Protect their content, they are entitled to that, but not at the expense of our data.

This is another of the RIAA's great stabs at PR by pouring gasoline on a fire.

Makes you wonder of any of their people went to business school.

SonySuit.com - Strike back in Small Claims Court

[marklyon]

What Sony did wasn't responsible, it was, in fact, a crime in many areas. Call and report it to your local police department.

On the civil side, you don't have to wait for the class action lawsuits against Sony BMG Music Entertainment and First 4 Internet to wind their way through the courts -- you can sue on your own in Small Claims Court. For a useful guide to get you started, visit SonySuit.com [sonysuit.com].

Real fallout might be MS and Anti-virus Cos

[ScrewTivo]

It has already been reported that the anti-virus companys helped create the rootkit. The anti-virus companys were paid to protect their customer from these things. Can you ever trust them again? Is it worth paying them an annual fee when all they are doing is keeping out people that do not pay them off! MS may become the biggest loser as governments realize the Windows OS has this bigger then Everest hole in it. As they wake up they may realize they need another solution and FAST! Governments deal in billions of dollars, surely they have the expertise to review the code of FOSS to determine if there are back doors. So when you are protecting the keys to the kingdom who do you choose?

Need a new distribution method

[xMilkmanDanx]

I was thinking about this the other day, we need a DJ P2P network. Where radio can play and rate any music on it. Music should have a tag pointing to the band's website where CDs / merchandise can be sold directly benefitting the band.

Cost of entry for a new band would be minimal, just upload your song(s) and convince a DJ to check it out and rate it. Which isn't that hard, most of them are pretty sick of hearing the same old crap 15 times a day. This already happens with tapes but tapes aren't easy to distribute, whereas with this, distribution is automatic (as long as the DJ liked it and others check out the particular DJ's new song list).

Re:Thank goodness for Konqueror

[Zocalo]

There is also another way which might be easier depending on your setup. As you say, the root kitphones home, and that means it has to perform a DNS lookup of the domain. In order to see which, if any, of your hosts have the Sony rootkit installed you could also enable query logging on your DNS server and see which hosts are doing that. Better still, you could also create a dummy zonefile for the zone and redirect the requests to /dev/null while you are at it - I've got a whole list of zones (mostly banner ad companies) /dev/nulled this way, and best of all they can all use the same zone file with BIND. Create an entries in named.conf like this:

zone "spammers.com" in { type master; file "devnull.master"; };
zone "phishers.net" in { type master; file "devnull.master"; };

Then create a zonefile "devnull.master" with records like this:

* IN A 127.0.0.1
@ IN MX 5 127.0.0.1

and none of your users will see any web traffic or be able to "unsubscribe" from them ever again...

All well and good...

[tekiegreg]

However I'd like to see the RIAA's feedback on the (at least alleged) LGPL violation by Sony in this. Would the RIAA (MPAA, BSA, etc.) encourage companies to practice what they preach? As posted previously on Slashdot there was a potential LGPL violation. My suspicion would be that the RIAA takes a "no comment" stance, hehehe....

RIAA and their PR

[sinco]

The thing that intrigues me is the RIAA has the nerve to support this action when Sony clearly suggested (not in a press release but in recalls) they made a mistake. This shows the RIAA does not care about their PR. It seems to me the RIAA views us as consumers who will buy their product at any cost, regardless of how they treat us. Like suggested before, they have a monopoly at hand. I'm hoping in the future that some of the consumers can conform to suggest reasonable methods of distribution and rights to combat the RIAA's evil actions. If not I think the RIAA will keep on pushing for complete control over digital distribution and rights.

Re:Markets always trump cartels eventually

[Scruffeh]

Although I am in no way a fan of record companies or the way they work, this is a sad fact of capitalism rather than simply a problem with the record industry. It's the same if you buy dairy produce from a supermarket, clothes from most multinational companies or coffee from a coffee shop. You can pretty much be sure that the farmer or the guys in the factories are not receiving much money for what is essentially their product. At least successful artists are generally pretty much sorted financially, they are definately a lot better than people in far eastern factories who don't earn enough to eat properly.

Re:Responsible?

[mrchaotica]

Piracy is bad, but so is getting rooted...

Copyright infringement may be bad, but getting rooted is orders of magnitude worse, because it opens your computer to other crackers and malware. Given the hundreds of thousands of computers that are affected, this even has implications for National Security -- terrorists could launch one Hell of a DoS (or otherwise) attack with that many zombie machines!

No, what Sony has done is much worse than copyright infringment; it's very nearly terrorism!

Re:Markets always trump cartels eventually

[kimvette]

For what it's worth, I think payola is going to die.

No, really. With the media consolidation what's to stop Sony, Capitol, etc. from buying up the radio stations? No payola necessary. The "DJ" (well. teleprompter reader really) will play the queued music from the satellite feed and announce them with a smile, or not keep his job. No payoffs required once the media consolidation process is complete.

There will still be an independent station here and there, but how much would you want to bet that the RIAA and Artist Rights Enforcement Corporation won't raise the licensing fees to air major labels' material once the consolidation of mainstream stations is complete?

software installs WITHOUT EULA agreement

[Danathar]

The thing thats REALLY bad is that the software installs on your system (disabled) even if you DON'T say "yes" to the EULA.

I'm really hoping that lawsuits brought up with this stuff brings the whole "I can put anything I want into an EULA and it's binding" mantra we hear from certain software and content providers.

SCO says, HEY! LOOK AT ME! pleeeease?!!!

[Thud457]

Sony insider: DRM is discredited at Sony [boingboing.net]

A high-placed source at Sony BMG has emailed me with some interesting information about the ongoing rootkit DRM fiasco. My source says,

Some of the top Sony BMG artists who had XCP placed on their CDs are complaining directly to the label heads, furious that it will hurt their relationship to their fans and their sales as they go into the massively important Christmas season. Add that to rising number of anti-DRM voices within in the company who have been against DRM as only hurting "the people that are doing the right thing and buying our music." This all means that some of the label heads are finally starting to believe that DRM is just bad for business.

Now they are starting to stand up to the corporate leaders who are pushing DRM as the solution to their sliding revenue, particularly Thomas Hesse who notoriously said "Most people don't even know what a rootkit is, so why should they care about it?"

At least of the label heads has threatened never to allow another CD to go out with DRM again.

Re:Markets always trump cartels eventually

[rizzo420]

there's a problem with the way you buy your records. do you really think that more of the money goes to the artist? is the artist really running the webstore or is the record label? think about that one...

for your parent's argument about major labels having a place... big bands do sign bad contracts all the time. why? advertising. they know they can get somewhere. think about that one. the beatles had a terrible contract, but they made more money afterwards when they did their own thing with apple records. a lot of the bigger bands today make their money through other means, not record sales. record sales means popularity, nothing more, nothing less. the more popular they are, the more poeple go to their concerts (where almost all the revenue goes to to the band). so far, the record labels haven't been able to touch concert revenue (don't you think they would've loved a chunk of the change bands like phish and the grateful dead made from touring alone?). the big label gets them advertisements, that's all (although phish and the dead became popular through word of mouth, the label just got them new fans).

Music CDs are Data STORAGE

[Anonymous Coward]

Music CD's were not intended to contain computer progams. Does your CD player execute windows programs? So how is this the same as a software vendor installing software onto your computer? Music is not Software and there is no implicit agreement that programs will be added to your PC when you play a redbook music cd.

That is the inherent problem with their argument. Its apples to oranges. Games install copy protection, but a game is designed to run on the PC.

This is very much like buying a book, a medium which stores the written word and is replayed by your eyes and brain, and the pages are laced with an invisible substance that is absorbed into your skin and prevents you from repeating the story. A computer is an extension of your brain, and illegally installing protection software and hiding it very much like illegally drugging someone to force them to do your bidding.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Markets always trump cartels eventually

[miller56]

Sony has a new media/digital living center that they are advertising for the Xmas holidays. From their website:

"Consolidate Your Media Library Finally, you can manage all your content - from personal photos and high-definition camcorder video, to downloaded movies and music, to recorded TV shows, to your CD and DVD collection, and more - from the comfort of your couch. With its 200-disc mega-changer, the XL1 Digital Living System(TM) boasts a whopping 1.7TB of CD and DVD disc storage that's easy to access and enjoy with the included remote control or wireless keyboard. It's the player you've been waiting for, and since it's also a PC, you're conveniently connected to the data that will let you keep track of your media and enjoy it to the fullest."

A recent review of this product in a PC World/Mag (one of those) said you could put your entire CD collection in it and set it to rip all your CDs to the hard drive automatically overnight! Except for Sony's own XCP CDs!

The ultimate would be..

[milobloom-ab]

..for someone to bring a lawsuit against Sony under the DMCA for circumventing Windows security or something. Surely the DMCA is ambiguously worded enough to allow for this? :)

Re:No regedit required at all...

[kibbylow]

This is exactly the setting that I have on my XP box. I usually get the pop-up for CDs and DVDs, however some of the recent DVDs somehow circumvent this setting. I put the Star Wars EP3 disc in and it automatically plays.

Do markets *always* trump cartels?

[NickFortune]

Regarding your subject line - do you have any historical examples of this, or is it more like an article of faith? That's not a dig; this is something I'd like to be true. However, experience tells me that those times when I want to believe something are the times when I most need to check to facts.

I suppose the problem is going to be that all cartels fall in time, and in every case the role played by the market is going to be open to debate.

Anyway, I'm curious as to whether you cite any examples.

Re:Unaware?

[NexusTw1n]

It's a good point, but I've never seen it happen. All rootkits I've seen are visible over a share.

Rootkits are revealed on the network via firewall logs, and I've always tracked them down via this method. I suppose there may be kits that I may not be seeing, but they don't appear to be phoning home.

Remember that you can hide a file from the API, but you can't hide from NTFS itself otherwise you risk getting overwritten.

It's entirely possible that administrative shares get their file list from the disk volume itself and translate the information when it arrives using the clean kernel rather than the potentially infected API on the remote machine.

I'd be interested to know if anyone knows for certain if this is the case?

There's all the difference in the world.

[GaryW]

Sherman is wrong. There's an enormous difference between a security hole in DRM software and standard software: normally, any software I install on my machine is running with my permission and knowledge, performing a function that I chose and doing it for my benefit. Sony were trying to get their code onto end users' computers without those users understanding exactly what is was doing, and naturally the software functioned entirely for the benefit of Sony and not the users.

Richard Stallman clearly explained the problem and explained all the issues that Sherman doesn't want us to think about in an essay called Can you trust your computer? [gnu.org]. If Stallman had the marketing clout of the RIAA's members and vice versa, I suspect we wouldn't be in this situation today.

Re:Markets always trump cartels eventually

[Anonymous Coward]

" I've seen 2 local bands forgo major label representation because of BAD contracts. Yet most big bands do sign bad deals."

Thats simply a shame...I've seen too many bands sign bad deals as well (note: I worked in the industry for several years before deciding to go back to school). The fact of the matter is, contacts in the music industry like any other industry are supposed to represent give and take. When my university decided that some of my research was too valuable and took up their right to offer the 'standard' 50% ownership of viable IPs in return for funding my project (after deducting the cost of the office space, percentages of professors above me's salary and a dozen other deductions that would mean that I'd probably owe someone before I saw a single dime -- and the 'scholarship' they offered was included in this) -- I decided to shop the contract around and when my university balked at that, I took my first grant to a former professor now running the sponsored research program of his new school on the west coast. It was a small grant (under $50k) but it got the point across.

The next time I applied for a grant, I was given MUCH better negotiable terms by my university. Both schools are of the same size and stature, so I never had to woodshed in the 'minors' to get my way.

How does this relate to your local bands? At one point I was a signed musician. I think technically I still am and still in contact with my A&R guy who occasionally asks if I can assist on a project. When I was given the contract, I immediately went to a lawyer -- and not the one they suggested -- but not before I read everything myself and made a lot of notes. Almost all of this was common sense when reading this, and my laywer confirmed that most of my concerns were legitimate. The rest of my band signed their rights away immediately (and the label made it sound as though if I didn't sign at the same time, their contracts would be void). I wrote the songs even though I wasn't the lead man, so I had more at stake and didn't give a fuck about their concerns.

Guess what -- without a protest, most of my concerns were addressed and either ammended or stricken. As taught in High School law, contacts are about give and take and the record companies know this. If a stupid metal head or bimbo pop singer is willing to sign anything that it put in front of him or her, they deserve getting screwed on a bad contract. The labels are giving you a contract with everything they could legally hope to attain and nothing more. You should ask for everything you could legally attain and nothing more -- and then an agreement should be struck between the two. And I have no problem with anyone asking for as much as they can get because only an idiot would do so.

So your local bands forgoing major label representation -- so what? They should have hired an entertainment lawyer and had representation from management (starting off -- these should be two seperate items to make certain that no one is out solely for themselves).

Thats more than I wanted to say about the subject.

Re:Markets always trump cartels eventually

[arpk4n3]

Advertising is one reason for joining with a major label, but performances and word-of-mouth themselves are better advertisment; in fact, only recently have television commericals or billboards played an important role in advertising. Radio traditionally has been an artist's best medium for advertisment. Advertising, however, means nothing without distribution. Major labels distribute globally through retailers, which independent artists would have a difficult time emulating, unless they have achieved substantial success on the charts (Which is difficult, if not impossible, for indie artists due to the connections between radio--Viacom, Infinity, and Clearchannel--and the labels. Thus indie artists have to find different means of advertising as well). It's not some arcane industry secret that artists typically only make 8-15 points (cents per dollar) from album sales, and from that have to pay for studio time/musicians, managers, lawyers, tours, etc. The label handles manufacturing and distribution.

Interestingly, though, a growing number of artists, including myself, are choosing to survive as 'independent' as its profit margins are higher, and the artists themselves do not forfeit the copyrights to their songs to the labels. When you pirate music, the copyright you are breaching is not of the artist; the copyright for the recording typically is owned by their label.

More on this (and more) is discussed in a paper I wrote, available here [lunavelis.net].

President of RIAA Says Sony-BMG Did Nothing Wrong

[animale]

Except for violating the license for LAME and DVD-Jon's work? Will developers of both of these products sue Sony blind for stealing (and then trying the public's patience with this PR agency directed campaign to clean up their image?) If Johansen gets a big settlement would it cripple DRM permanently? Will the lawsuits include pressure from governments, who now realize they could leak secrets just because their secretary listened to a music CD at work? And that's only the accidental espionage...

As disturbing as everything about this case is, the scarier part is how Marc stumbled across this rootkit. Are there enough genius-level diagnosticians amoung us to find the dozens of rootkits that are better crafted than this F4I junk? Rootkits used by governments to spy on each other, AND US? Who was it that called the internet the greatest boon to covert intelligence gathering since the submarine cables in the North Atlantic?

Mr Russinovich, PLEASE open a trade craft school to teach the best and brightest how to detect and code for removal of these threats. Corporations and governments will pay for their security experts to learn, professors will seek the knowledge to teach others, and AV companies will pay to send programmers to learn how to code removal tools for a lucrative new market, Ignore pleas by our overlords at MS and the Fed. Hopefully the designers of removal tools will not bow to pressure from the lazy spook types, who won't be able to sit back and snoop PCs for much longer before being found out.

Don't forget the songwriters

[gosand]

a lot of the bigger bands today make their money through other means, not record sales. record sales means popularity, nothing more, nothing less.

Well, it can mean royalties. And it depends on if you are talking about musicians, performers, or writers. Songwriters get money when their songs do well. Think of the song Torn performed by Natalie Imbruglia. It was a cover song made to fit popular radio. But the original band that did it didn't complain, because they were getting songwriting royalties. (BTW, the original song, of which there are several versions, is much better IMO)

Which is safer?

[Anonymous Coward]

Which is safer?

(1) Buying a legitimate music CD and inserting it into my computer, or,

(2) Downloading the same music in MP3 format from eMule, knowing that each file has 50 different sources, all with the same security signature?

The answer to that question has been irrefutably decided this month.

This is a significant turning point in the history of music distribution.

Public Domain/Radio

[Namronorman]

This is why, ladies and gentlemen, I listen to public radio. I do not buy CDs from any label that is under the RIAA, and if I do buy a CD it's for a physical copy of something that is in Public Domain.

Only listening to PD stuff doesn't stop me from being afraid of a large corporation like this though, they're bullies and it's apparent that they'll sue anyone, guilty or not. I honestly don't think I could list a single band that is on the top 40, let alone very many current (as in new) bands!