President of RIAA Says Sony-BMG Did Nothing Wrong

Zellis writes "In a press conference held on Nov 18 Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property." According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?" It seems that the latest spin is to portray the Sony rootkit as no more of an issue than a software coding error that unintentionally creates a security hole. Will they get away with it among the non-technical public?" Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!

Markets always trump cartels eventually

[dada21]

Sherman would be correct -- in a free market. Fortunately for us, those who rely on helping create freedom-reducing laws eventually find themselves violating their own creations.

The real dilemma for content creators was their inability to collude together on a newer standard to replace CD, and now it is too late. Wouldn't you be mad if your cartel couldn't react in time to new situations?

The simple fact that any audible signal can be recorded is important, yet the record companies still seem blind that they have a viable MP3 market because most consumers (with jobs) would rather pay $1 (with Jobs) than spend 20 minutes finding a song illegally or even bothering to rip their own CDs. I have more than a few friends who've rebought albums from iTunes that they own on CD. $10, to them, is worth the time.

Does the RIAA need to continue the "piracy is wrong" campaign? Yes! But that should be the limit. Let honest people know they're not reimbursing others for the content they pirate, and I believe you'll see people continue to pay. I believe people are generally good and moral (99% of the time even a thief acts in a good way).

Do record labels need copy protection and lawsuits? Not against consumers, not even the guy seeding a torrent to hundreds of others. They need to re-evaluate their market and see that people will pay and more people are becoming more technologically inclined so even at a lower price they can see bigger profits.

Nonetheless I don't think we need to worry about the RIAA or rootkits or whatever much longer. The new generation (10-16) of kids recording today are already using the next distribution system (PureVolume and MySpace). I know of a few young bands already making decent money selling very professional CDs by promoting their music online for free.

I'm starting to filter the RIAA news (at least mentally) since it isn't news to me. They had a great run of 70 years, and just like gaslamp lighters, their time has come.

RIP A CD, R.I.P. R.I.A.A.

Re:Markets always trump cartels eventually

[endemoniada]

You really hit the spot here. I, myself, have no problem supporting the artists by buying their albums and merchandise. I do, however, have a problem with not being able to give 1 cent to the artist, without HAVING to give $1 to the record company. THIS, ladies and gentlemen, is the theft we should all be discussing.

Re:Markets always trump cartels eventually

[dada21]

I've seen 2 local bands forgo major label representation because of BAD contracts. Yet most big bands do sign bad deals.

I see a big reason for "major" labels, actually. I look at it as a co-op of bands that distribute the cost of production and marketing across hundreds of "talented" bands.

My problem is with the anti-freedom maneuvers of the labels. They corrupted radio rights, they helped destroy copyright, they subsidized the DMCA and they fostered anti-speech creations like Tipper's parental warning label and other bad ideas. I have no problem with stupid business tactics, it is when the law protects it that I'll call foul.

Re:Markets always trump cartels eventually

[endemoniada]

The thing is this, though... If I buy a record from , I don't want to pay for all the advertising going into . Since the record label barely put any money into releasing the unknown bands album, I'm essentially paying for the famous bands album even though I never bought it. I just find that uncomfortable.

Nowadays I only buy records and music-DVDs from artists websites, or webstores run by the musicians themselves. That way I know that _more_ of my money goes to the artist.

Re:Markets always trump cartels eventually

[rizzo420]

there's a problem with the way you buy your records. do you really think that more of the money goes to the artist? is the artist really running the webstore or is the record label? think about that one...

for your parent's argument about major labels having a place... big bands do sign bad contracts all the time. why? advertising. they know they can get somewhere. think about that one. the beatles had a terrible contract, but they made more money afterwards when they did their own thing with apple records. a lot of the bigger bands today make their money through other means, not record sales. record sales means popularity, nothing more, nothing less. the more popular they are, the more poeple go to their concerts (where almost all the revenue goes to to the band). so far, the record labels haven't been able to touch concert revenue (don't you think they would've loved a chunk of the change bands like phish and the grateful dead made from touring alone?). the big label gets them advertisements, that's all (although phish and the dead became popular through word of mouth, the label just got them new fans).

Re:Markets always trump cartels eventually

[endemoniada]

Yes, I do believe that THEY are running the webstore. Several of the bands I listen to run their own labels, and contract few, if any, other bands besides themselves. I also happen to know a few bands that follow this precise strategy. They sell lots of albums at their shows, and 100% of the money goes directly to them. No middleman, no excessive advertising (most of it is for free on the internet) and yet they almost make a living playing music.

If the RIAA are correct, how is this even possible? All RIAA wants is for artists to be dependant on record labels, so that they can cash in more money.

Think about it. If none of the money went to record labels, wouldn't the band be able to finance themselves? With the breakthrough of the internet, advertising is cheap, next to free. You can distribute music without even having to pay for the CD-materials! There is no reason we should give most of our money to record labels anymore. They're as extinct as dinosaurs, as far as I'm concerned. Couple all this with the fact that it's no longer a matter if whether people want to buy, or download. It's now a matter of whether people want to buy-and-also-get-their-computers-taken-over-withou t-having-any-knowledge-of-it, or download it.

Re:Markets always trump cartels eventually

[rizzo420]

Yes, I do believe that THEY are running the webstore. Several of the bands I listen to run their own labels, and contract few, if any, other bands besides themselves. I also happen to know a few bands that follow this precise strategy. They sell lots of albums at their shows, and 100% of the money goes directly to them. No middleman, no excessive advertising (most of it is for free on the internet) and yet they almost make a living playing music.

you're talking about independent artists, i'm not. you can't buy a cd from an artist on a major label who doesn't give a good portion of that money back to the label (mainly because the label owns their webstore).

this is a comment i meant to make in my other reply.

Re:Markets always trump cartels eventually

[arpk4n3]

Advertising is one reason for joining with a major label, but performances and word-of-mouth themselves are better advertisment; in fact, only recently have television commericals or billboards played an important role in advertising. Radio traditionally has been an artist's best medium for advertisment. Advertising, however, means nothing without distribution. Major labels distribute globally through retailers, which independent artists would have a difficult time emulating, unless they have achieved substantial success on the charts (Which is difficult, if not impossible, for indie artists due to the connections between radio--Viacom, Infinity, and Clearchannel--and the labels. Thus indie artists have to find different means of advertising as well). It's not some arcane industry secret that artists typically only make 8-15 points (cents per dollar) from album sales, and from that have to pay for studio time/musicians, managers, lawyers, tours, etc. The label handles manufacturing and distribution.

Interestingly, though, a growing number of artists, including myself, are choosing to survive as 'independent' as its profit margins are higher, and the artists themselves do not forfeit the copyrights to their songs to the labels. When you pirate music, the copyright you are breaching is not of the artist; the copyright for the recording typically is owned by their label.

More on this (and more) is discussed in a paper I wrote, available here [lunavelis.net].

Re:Markets always trump cartels eventually

[Halo-]

(warning this is a bit of a rant)

Okay, I agree the label covers advertising. But what does this really mean? Unless the band already needs no introduction, they aren't getting TV or radio spots. (Let's not get into pay-for-play just yet)...

What are they getting? Posters? Unless you live in a major urban area, you're probally not going to see many of those, and even if you do they are probabally posted illegally. Besides I doubt you move many units based solely on what the album "looks like". Maybe the occasional impluse purchase, but I can't see many people buying the majority of their albums unheard.

That leaves airtime of some sort. The tradional channels are broadcast radio and cable TV. MTV and clones only play videos (or parts of them) and those are a whole 'nother expensive enterprise, which usually doesn't start until the band actually is successful. So we're back to broadcast radio. (We'll get to XM/Sirius in minute) The FM dial is pretty much a small set of genres with the same 12-24 songs in rotation around a slew of blather. Sure there are small indie stations, but those are dying off faster and faster. Probably because the labels would rather advertise the newest Britt Spears single on/to the local ClearChannel/Infinity franchise than spend the bucks to get some unknown played on a tiny little college station.

XM/Sirius is a little better, but you've still got a fairly small number of spots for a really huge number of potential songs/artists.

Where is left for the non-megastars? Pretty much concerts. Concerts get you something, but again, a narrow audience. I'm 29. I have a job, a wife, and a baby on the way. I live 30 minutes from the "hip Austin Music Scene". Even when bands I really like come to town I don't go see them. It's not something that fits into my lifestyle anymore.

Finally there is the internet. The last bands I've checked out where because someone's website said they liked them and I hunted around to find them. (Yes, usually on P2P of some sort). Once I did find them I downloaded a few tracks and looked at what else that user (the P2P one) was sharing and grabbed a handful of other stuff at random. Eventually I get around to listening to them, and delete 90% right off. Out of the remaining 10% I usually find a few tracks I like and then go out and buy the album. (This is pretty rare because I don't have the time to search and download...)

So, the way I see it, the "major labels" have two choices:

1) Not sell me anything, because I don't hear anything I like.
2) Accept the fact that P2P is a reality and produce a physical product which is inticing enough for people to bother buying it

When P2P was easy, I bought more CD's that I ever had at any other point in my life. As it got to be more of a hassle, I've bought less and less, and listen to the same old CDs again and again. I've brought close to 1000 CD's in my lifetime, but no more than 10-15 in the last two years. (And most of those were used)

"The Industry" is cutting itself out of the sweetest parts of the market (25 - 35 adults with 100K+ household income) in the hopes of locking in the 13-24 year old set.

Re:Markets always trump cartels eventually

[Fareq]

You are getting distribution as well.

That is, your album appearing on racks in all the major music stores, and possibly advertised in those stores little ad-magazines that they stick in the Sunday paper.

5 years ago, this was invaluable. You could never afford to stamp enough CDs, nor could you make enough connections to have copies of your album in stores across the country.

Now that a certain reasonable percentage of music is bought online (I've no idea the percentage, but it's not 0 anymore), phyiscal distribution isn't *as* important. Over time, it will become less and less important as the physical music stores become less important. I don't know that we'll ever completely eliminate the need for real music stores and real music CDs, but it will soon be possible to have a huge hit without having CDs in any major retailers -- there will be enough people using the online music stores, and possibly direct-order CDs, to reach critical mass. And at that point, you'll have the resources to produce CDs and acquire good placement in stores without the labels.

Back to the point:

[BrokenHalo]

I wholeheartedly agree that artists in many cases get shafted.

However, that is not really the issue which Sony is attempting to defend. Sony is attempting to defend an action which essentially transfers ownership of _your_ computer to itself. And it is that which prompted the legal slap, and rightly so, for what it's worth.

The fact that Sony seems to be unable to learn that lesson is another issue, and apparently one's only recourse seems to be to boycott their recordings. In my case, that seems incredibly

Parent has a good point

[typical]

However, that is not really the issue which Sony is attempting to defend. Sony is attempting to defend an action which essentially transfers ownership of _your_ computer to itself. And it is that which prompted the legal slap, and rightly so, for what it's worth.

It's easy to lose sight of what the issue is here -- the parent post is very much right.

It doesn't matter whether you like the RIAA, the artists, or whether you use MP3s.

The issue at hand is very simple.

Sony dumps some very low-level software on your system that alters the way the system works in some unexpected ways. The vector that this software is arriving in is not expected -- many sysadmins on corporate networks, for example, allow audio CDs (to help prevent copyright violation from people bringing in MP3s).

Sony has essentially done something to the system that the user does not expect.

This is a very classic case of going behind the user's back to do something that he is not going to want to have happen. The same thing happens with a lot of other software out there, true, but having a Gator or Bonzi Buddy from *Sony* instead of a random shady startup is a little different -- that says that this is an attempt to legitimize doing anything to a user's computer that a software vendor can get away with.

The counterclaim made by Sony when someone pointed out that they were doing something nasty surreptitiously was that "most users don't know what a rootkit even is". Yes, that may well be true. However, the problem is that something is being done to my system at a low level -- I don't know how my car works, but I trust my mechanic not to break it. When I stick an audio CD in a CD drive, I expect it to play music, not to modify the function of my kernel. The fact that the typical user does not have the knowledge necessary to understand how he is being screwed over and what to do to repair the problem is absolutely no defense against this.

Furthermore, they claimed that this was perfectly acceptable, and appear to be ready to do it again. The question is not minor -- this is the first time that I'm aware of that a mass-market company is attempting to do nasty stuff to computer users, and taking advantage of the fact that few users are able to identify what software is causing problems and what might be a bad idea to do to their system. Fortunately, there are a few technically knowledgeable and competent people out there (like the well-respected gentleman at Sysinternals) who are able to bring this up. If Sony can get away with this, it's a green light to any *other* company that sees a perceived advantage in somehow modifying your computer system to do so via any means necessary. Today, Windows boxes are the only ones affected, but what about tomorrow, when Linux and Mac OS boxes are hurt?

If Sony is not slapped down *hard* legally for this action, the floodgates of adware and spyware from major companies will have been opened.

I'm rooting very, very hard for the ambulance-chasers on this one, and it has nothing to do with the fact that this involves DRM. Software is something that Joe Average has to deal with on a daily basis, and his ignorance about how his system works or how to fix damage done to it should not be something that it's okay for every company in the world to exploit.

Sony is *not* going to listen to anything other than legal suits on this one -- if they were going to listen to common ethics, they would have done so by now.

Re:Parent has a good point

[quarkscat]

This response from the RIAA is hardly surprising. Instead of seeing new ways of marketing and distributing the media/content that they control for fun-and-profit(TM), the RIAA (and the MPAA) sees digital format media as an overwhelming threat to their livihood. Since money talks, and more money talks louder, the DMCA was passed (in no small part) in order to strip the right of "fair use" from their customers.

Both the RIAA and the MPAA need to be taught a lesson by consumers -- the only lesson that they can understand: boycott! As SONY is a leading member of both of these organizations, they make the ideal target for consumers to boycott. SONY's DRM "rootkit" is the ideal "line in the sand" issue to organize such a boycott around. Since SONY is in the media hardware and media content business, this company has broad enough consumer exposure to justify a boycott of ALL SONY PRODUCTS.

This boycott should continue IMHO until the more draconian measures of the DMCA are removed or ammended, legislation be passed to make corporations criminally liable for spyware and DRM that abuse computer security, and that consumers' right of "fair use" be restored.

Re:Markets always trump cartels eventually

[dunstan]

No, this is no more theft than is illegal copying. The whole conveyor belt of signing promising bands into hideously restrictive contracts with big labels is very bad, but it is not "theft".

The demise of the RIAA, as referred to in the parent article, is coming about because there is no longer any scarcity value in being able to copy and distribute recorded music. Lots of other things are happening: the public domain is now an effective reality [cpdl.org]. Public registers are now publicy available [houseprices.co.uk]. As the printing press made scholarship available to the many, so we are now seeing the old oligopolies falling.

This is A Good Thing

Re:Markets always trump cartels eventually

[kamapuaa]

I agree! And when I go to a ballgame, I want the money to go directly into the ballplayer's pockets. When I buy a beer, I want the money to go directly to the brewmeister. When I buy "A Catcher in the Rye," I want the money to go directly into J.D. Salinger's molest-a-schoolgirl fund.

What is this whole nonsense about contracts, anyway? It's all a bunch of theft!

Re:Need a new distribution method

[dada21]

Let me start by saying that I hate "market" democracies. DJ radio is the worst form of democracy as it tries to create one group of listeners without thinking about the many subgroups.

MySpace does a MUCH better job. You can see what your friends are listening to, and try it yourself. Rather than buy an album that's nationally loved by 2 dozen promoters, you can buy an album that 2 dozen of your friends love and you're more likely to actually like it.

Mass marketing will be replaced by viral mini-markets. A talented local band can do very w ll in th ir local 2-3 state area.

I'd rather see 500 local bands make $100,000 a year than 5 bands making $10M. $100,000 a year is great money for a part time, easily doable if copyright was gone. 6 shows a year to 500 fans (10% of your fan base) and 5000 albums sold.

Yet radio and mass broadcast marketing (protected by coercive copyright) was our only option due to the radio cartels. Podcasts and MySpace are finally taking own the national promotion scene.

Re:Markets always trump cartels eventually

[dada21]

Yet in my research, farmers do pretty well (we have 5 independent farmers within a 15 minute d ive who net over $1M/year and they're not megacorps but family run). I've been to Asia and many "sweat shop" workers live better lives than all their neighbors combined. The Chinese poor workers save up to 60% of their earnings yet we want them to earn more?

Capitalism creates wealth, but the RIAA recording cartel is NOT capitalism. They are mercantilists -- companies using the monopoly of force of government against their competitors. Capitalism helps the poor and the buying minorities, mercantilism supports the elite.

Re:Markets always trump cartels eventually

[masklinn]

I've been to Asia and many "sweat shop" workers live better lives than all their neighbors combined.

Ah, the good ol' "other people have it even worse, why would you like your situation to be any better?", never ages uh?

And can be used for soo many things.

Hey, you only have AIDS while your neighbour has a cancer, you should feel lucky, now shut the fuck up

You only had bread for dinner? So what? Some people get only water, not even pure! You should feel lucky!

Stop whinning about the fact that a drunk driver hit you and you lost your leg, other people lose their lives in this kind of events, now be happy or I tear you a new one.

How the fuck does the existance of "worse" forgive "bad"?

Does the fact that Hitler killed 6 millions judes mean we should forgive the KKK for "only" killing a few hundred or thousand blacks?

Re:Markets always trump cartels eventually

[Dipster]

"how many times that software applications created the same problem?

The difference being that the users knowingly installed those applications and assumed the risk that comes with it.

Do markets *always* trump cartels?

[NickFortune]

Regarding your subject line - do you have any historical examples of this, or is it more like an article of faith? That's not a dig; this is something I'd like to be true. However, experience tells me that those times when I want to believe something are the times when I most need to check to facts.

I suppose the problem is going to be that all cartels fall in time, and in every case the role played by the market is going to be open to debate.

Anyway, I'm curious as to whether you cite any examples.

Re:Markets always trump cartels eventually

[dada21]

You're probably correct from a 1980 perspective but not from a 2010 one.

How many payola scandals happened over 50 years? 3 or 4? The recording cartel and the radio cartel only grew stronger. I'm firm in my belief that a rotten media cartel is to blame.

Where did all these colluding mercantilists get their power to rob from? The U.S. government, of course. We can't turn back the clock, but it looks like we won't have to.

Every media company is in shambles. Last week's Black indictment is just the beginning as investors audit failing media companies. Congress' powerful arm is dying and the next generation won't even remember it.

That is the light at the end of the tunnel. Our parents didn't know of the recording industry cartel, but supported them financially. Our kids won't know about it because the Internet was the breaking of the levee holding back our rights. Copyright is dying, new methods to earn money will appear.

When I call for the end of copyright, people say that creation would die if the artist couldn't protect their income. How much do artists today get from the cartels? Nearly 0. Thanks to copyright and those who "own" that right.

Re:Markets always trump cartels eventually

[kimvette]

For what it's worth, I think payola is going to die.

No, really. With the media consolidation what's to stop Sony, Capitol, etc. from buying up the radio stations? No payola necessary. The "DJ" (well. teleprompter reader really) will play the queued music from the satellite feed and announce them with a smile, or not keep his job. No payoffs required once the media consolidation process is complete.

There will still be an independent station here and there, but how much would you want to bet that the RIAA an

SCO says, HEY! LOOK AT ME! pleeeease?!!!

[Thud457]

Sony insider: DRM is discredited at Sony [boingboing.net]

A high-placed source at Sony BMG has emailed me with some interesting information about the ongoing rootkit DRM fiasco. My source says,

Some of the top Sony BMG artists who had XCP placed on their CDs are complaining directly to the label heads, furious that it will hurt their relationship to their fans and their sales as they go into the massively important Christmas season. Add that to rising number of anti-DRM voices within in the company who have been against DRM as only hurting "the people that are doing the right thing and buying our music." This all means that some of the label heads are finally starting to believe that DRM is just bad for business.

Now they are starting to stand up to the corporate leaders who are pushing DRM as the solution to their sliding revenue, particularly Thomas Hesse who notoriously said "Most people don't even know what a rootkit is, so why should they care about it?"

At least of the label heads has threatened never to allow another CD to go out with DRM again.

Re:SCO says, HEY! LOOK AT ME! pleeeease?!!!

[OpenGLFan]

Well, yeah -- this is a "get out of contract free" card for artists. If you believe that this software violates laws, and you're an artist whose picture is all over this CD, you'd definitely have a reasonable argument in refusing to work with the label in the future because the label installed illegal software on your work. If a company used my picture to try to promote knowingly defective, say, toothbrushes that would break off and jab you in the gums, then I'd certainly have the right to refuse to do the other two commercials I'd signed with, on the grounds that I didn't know about the last offense, but I'd be knowingly culpable the next time around.

Re:SCO says, HEY! LOOK AT ME! pleeeease?!!!

[uqbar]

This *is* hurting artists, particularly developing ones. There have been at about 20 CD's this year that I've put back in the rack because I was pissed over the SunnComm's attempts to install crap on my work machine (which is against company security policy for reasons which now are obvious to all). I have money, but Sony has chosen to reject the business of honest consumers that don't want to screw up their machines.

Until Sony completely disavows all DRM, I'll buy CD's from other labels with a preference for indy labels, even if it pains me to pass on artists I like (most recently Go! Team, and Kate Bush).

And my next video game console with be the one with the funny new controller...

Cary Sherman speaks truth.

[mcgroarty]

"how many times that software applications created the same problem?"

The comparison is apt and honest. I can't count how many times regular application software has done this to me. For example, the time I put Outkast's Speakerbox CD into my drive, and I found a buggy version of Firefox had installed and masqueraded as a system DLL. Or the time I was listening to William 0rbit's Strange Cargo, all the while the CD was secretly installing an unpatched IIS server and updating the kernel to keep the install from showing. Boy, that sucks every time. :(

Clearly the analogy as apt, and we need a more progresive, less bigoted view: Just because it's a shrouded rootkit doesn't mean it's a security hazard.

Re:Cary Sherman speaks truth.

[Anonymous Coward]

Saying that 'because software you choose to install may lead to security leaks make it okay that software that installs itself without warning opens up security leaks' is like saying 'because sleeping with someone you choose to may give you herpies then it is okay that someone who rapes you gives you herpies'.

Re:Cary Sherman speaks truth.

[karmatic]

The issue being that if you close it without saying yes, it still installs the rootkit anyway.

In Other News...

[Anonymous Coward]

Satan says Hitler did nothing wring!

nothing to wring here....move along

[digitaldc]

It's true, he never did his own laundry.

Commercial rootkit?

[GGardner]

The most surprising thing to me about this whole affair is that there are companies selling rootkits. Which makes me wonder -- who else is buying them? Who knew this was a legal commercial enterprise? Can we get a list of their other customers?

Re:Commercial rootkit?

[Anonymous Coward]

I put Snort sigs in place for the Sony traffic http://www.bleedingsnort.org/ [bleedingsnort.org] and got hits from the following company

I have loaded the Sony DRM sigs but have gotten hits from other products. I am wondering if this is a false alert or another company using this root kit for DRM

000 : 50 4F 53 54 20 68 74 74 70 3A 2F 2F 77 77 77 2E POST http://www./ [www.]
010 : 70 68 6F 74 6F 73 68 6F 77 2E 6E 65 74 2F 4D 50 photoshow.net/MP
020 : 53 4E 41 70 70 53 65 72 76 65 72 2F 73 65 72 76 SNAppServer/serv
030 : 69 63 65 73 2F 6C 6F 67 67 69 6E 67 20 48 54 54 ices/logging HTT
040 : 50 2F 31 2E 30 0D 0A 41 63 63 65 70 74 3A 20 61 P/1.0..Accept: a
050 : 70 70 6C 69 63 61 74 69 6F 6E 2F 2A 2C 20 61 75 pplication/*, au
060 : 64 69 6F 2F 2A 2C 20 69 6D 61 67 65 2F 2A 2C 20 dio/*, image/*,
070 : 6D 65 73 73 61 67 65 2F 2A 2C 20 6D 6F 64 65 6C message/*, model
080 : 2F 2A 2C 20 6D 75 6C 74 69 70 61 72 74 2F 2A 2C /*, multipart/*,
090 : 20 74 65 78 74 2F 2A 2C 20 76 69 64 65 6F 2F 2A text/*, video/*
0a0 : 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 ..Content-Type:
0b0 : 74 65 78 74 2F 70 6C 61 69 6E 0D 0A 55 73 65 72 text/plain..User
0c0 : 2D 41 67 65 6E 74 3A 20 53 65 63 75 72 65 4E 65 -Agent: SecureNe
0d0 : 74 20 58 74 72 61 0D 0A 48 6F 73 74 3A 20 77 77 t Xtra..Host: ww
0e0 : 77 2E 70 68 6F 74 6F 73 68 6F 77 2E 6E 65 74 0D w.photoshow.net.
0f0 : 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A .Content-Length:
100 : 20 31 36 33 0D 0A 50 72 6F 78 79 2D 43 6F 6E 6E 163..Proxy-Conn
110 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 ection: Keep-Ali
120 : 76 65 0D 0A 50 72 61 67 6D 61 3A 20 6E 6F 2D 63 ve..Pragma: no-c
130 : 61 63 68 65 0D 0A 0D 0A 3C 3F 78 6D 6C 20 76 65 ache..........
190 : 3C 69 6E 73 74 61 6C 6C 49 64 3E 35 66 37 35 30 5f750
1a0 : 34 66 36 33 61 66 38 37 38 35 61 39 32 63 36 33 4f63af8785a92c63
1b0 : 63 62 64 38 30 61 38 66 63 63 66 3C 2F 69 6E 73 cbd80a8fccf
1d0 : 3C 2F 73 65 72 76 69 63 65 3E 0D 0D 0A ...

Re:Commercial rootkit?

[KitesWorld]

Likely a false alert. The Rootkit itself doesn't communicate on the internet - the Music player (which is a seperate program, even 'tho it's installed at the same time), however, does.
Given that the two are installed at the same time, you can be fairly sure that any traffic from the player itself is indicative of the rootkit. Hits from other software, on the other hand, don't mean a damned thing.

Well, except that that other software uses the 'net for something. >_>

They did nothing wrong

[JBlaze03]

Never mind that their software contained copyrighted code

Re:They did nothing wrong

[mrchaotica]

Why, of course it did! It contained code copyrighted by First4Internet (or whatever it's called), for one thing. That's not the problem, though, because that code was licensed.

To be accurate, what you need to be complaining about is "that their software contained copyrighted code which they did not have legal permission to distribute."

Big Surprise?[ - Radio now]

[saskboy]

"President of RIAA Says Sony-BMG Did Nothing Wrong"

In other news, cows give milk.

Anyone interested in local radio coverage of this story, CJME.com is about to do a show on the Sony rootkit, you can listen live at 10:05AM CST, and again in the evening for a rebroadcast. Sorry, no podcast is made.

Re:Big Surprise?[ - Radio done]

[saskboy]

Tim from http://www.boycottsony.us/ [boycottsony.us] was the guest on the radio program, and he did a fine job of convincing the radio host John Gormley how bad this DRM infection is. If all technical people were as gifted verbally as Tim is, then we'd see a lot fewer problems from companies trying to exploit consumer ignorance.

The rebroadcast is tonight CST at www.ckom.com

Wrong illegal and unethical

[secondsun]

Sony may not have done anything patently illegal. The EULA does inform the end user that they are making modifications to their system. However this fact is (reportedly) buried in the EULA and there is not any install notification. The fact the program goes so far to hide itself that it reprograms part of the windows core system (and does not implement proper checking which can lead ot deliberate crashing) is definantly unethical.

Re:Wrong illegal and unethical

[multriha]

The parts of the software are installed and activated before the EULA is even displayed to the user.

Re:Wrong illegal and unethical

[_LORAX_]

I can confirm that at least one disk "Chris Botti" the rotkit installed WITH NO EULA. That IS patently illegal in any handbook.

Anyone surprised?

[blindcoder]

Actually, I'm only surprised it took the RIAA so long to stand in line with Sony on this publicly.

This post 0wn3d by s0nY

[mcgroarty]

This post 0wn3d by sOny - Greets go out to Mitsubishi, Toyota... thanks to Toshiba for t3h maths. Secret message to Cary of RIAA: LOL can't believe u said it, now I owe you $5

RIAA Hates its Customers

[Doc Ruby]

"Nothing unusual" != "nothing wrong". Sherman's response that Sony's crimes against its customers aren't unusual makes it worse. He defends the crimes by saying they're standard practice. He should get frogmarched to prison after a RICO case shows he conspires with the media cartel to commit these crimes, and to cover for them.

RIAA is a TERRORIST ORGANIZATION!

[mrchaotica]

By attempting to take over computers with their rootkit, the anti-American, Fascist Sony leadership has committed electronic terrorism against the United States! Therefore, all members of their organization (Al-RIAA) should go directly to Guantanamo Bay, do not pass court, do not collect any more royalties!

(Okay, so I'm only half-serious -- but hey! It could happen, given that we've done it to others for less!)

Re:RIAA Hates its Customers

[Mr. Underbridge]

"Nothing unusual" != "nothing wrong". Sherman's response that Sony's crimes against its customers aren't unusual makes it worse. He defends the crimes by saying they're standard practice. He should get frogmarched to prison after a RICO case shows he conspires with the media cartel to commit these crimes, and to cover for them.

I believe he was stating that this is nothing unusual for the software industry, not specifically the music industry. He's saying that many companies use copyright protection, and

Re:RIAA Hates its Customers

[MindStalker]

RICO requires extortion.. The legal definition of extortion is.

The term "extortion" means the obtaining of property from another, with his consent, induced by wrongful use of actual or threatened force, violence, or fear, or under color of official right.

So any threatening of something fearful will do, as well as pretending to be an official, (ie pretending to be a police officer or court official of some sort). I believe that in some of their early legal threats they crossed that line as well from what I

If...

[RAMMS+EIN]

If Sony clearly indicated that they were installing a rootkit on the users' systems, than I think indeed they did nothing wrong. It's their product, after all, so if they want to include a rootkit, that's fine. The only reason I say they need to indicate the presence of the rootkit is that it is the kind of software that you would normally expect not to be included (in good faith).

However, I doubt that Sony would have clearly indicated the presence of the rootkit. How do you even begin to clearly indicate the presence of something that most people don't even understand? I haven't been following the case, though, so I can't say anything more about it.

It's a freaking rain storm!

[ThatGeek]

We've sold off industry, education and science. Looks like our business leaders are now selling their soul. Sure they've done bad things in the past, but their actions are now so blatant. They don't even try to hide what they do any more; they just "pee on our legs and tell us that it's raining".

At what point can we say that business has gone to far? When PR boys start trying to convince us that it's ok for them to install stuff to spy on us? I'm waiting for the brain implants and mandatory goggles to "protect their intellectual privacy rights".

Yuck.

Sauce for the Gander

[Nom du Keyboard]

Cary Sherman, the president of the RIAA, stated in reference to Sony BMG's "rootkit" software that "there is nothing unusual about technology being used to protect intellectual property.

I truly, deeply, and sincerely hope all his personal computer systems are rooted by all the DRM flavors out their simultaneously. Then he can live with what he claims is not a problem at all for the rest of us.

There is a difference

[Daytona955i]

There is a difference between a software bug that allows an attacker to take over your computer and deliberately installing a backdoor to allow anyone who knows how to take over your computer.

Pretty consistent

[Aceticon]

These are the same guys that believe that lobbying to create laws to protect intelectual property (DCMA) is a good thing.

One can hardly expect them to consider the technology arena as holy and untouchable.

Basically they only care about the bottom line - they'll do whatever it takes as long as they don't loose money by doing it it.

Unaware?

[NexusTw1n]

"the technology they used contained a security vulnerability of which they were unaware".

I assume the next step is suing the software house that produced the DRM for them. Because they, at the very least, should have known they were implementing a standard root kit with all the risks that entails.

Those of us involved with IT security know this attack vector all too well. If you want to really scan for virus and trojans on a crtical PC, you map the administrative shares C$ D$ etc to another PC, and run the virus scanner on that machine.

That way you know for certain that you haven't been rooted, a kit can only hide from the PC it is hidden on, not another machine.

I see rootkits all the time, the main entry is through backup software exploits rather than O/S holes. (Or autorunning CDs). You will regularly see script kiddies taking advantage of a root kit placed there by other hackers.

So anyone who works in IT, especially someone who works in root kit creation, cannot claim that they were unaware of potential security problems.

It was incredibly irresponsible and pleading ignorance is no excuse.

Re:Unaware?

[mrchaotica]

No, no, no -- what they were unaware of was that people would be able to detect the rootkit!

Re:Unaware?

[whoever57]

If you want to really scan for virus and trojans on a crtical PC, you map the administrative shares C$ D$ etc to another PC, and run the virus scanner on that machine. You surely can't think that can you? If you are accessing the shares remotely, you need the kernel on the compromised machine to tell you what files exist. If the kernel doesn't list the files, do you think it will make them available over the share? The only way to be sure is to boot from CD or another, known good, hard disk.

Re:Unaware?

[NexusTw1n]

It's a good point, but I've never seen it happen. All rootkits I've seen are visible over a share.

Rootkits are revealed on the network via firewall logs, and I've always tracked them down via this method. I suppose there may be kits that I may not be seeing, but they don't appear to be phoning home.

Remember that you can hide a file from the API, but you can't hide from NTFS itself otherwise you risk getting overwritten.

It's entirely possible that administrative shares get their file list from the disk volume itself and translate the information when it arrives using the clean kernel rather than the potentially infected API on the remote machine.

I'd be interested to know if anyone knows for certain if this is the case?

Responsible?

[tetrahedrassface]

It took a California lawsuit, the EFF, and a week of bad press on Slashdot for them to pull this..
This is "responsible"?
I tend to agree with a lot of other posters on here that if it were an individual they would be in jail right now.....
How the heck is it responsible?
I really like the part where Sherman says the record industry is really a lot more giving when it comes to allowing the copying of data... :)
The responsible thing would have never put the rootkit on the disks to begin with.......
Piracy is bad, but so is getting rooted...
Where is the middle ground? Id like to find it and sit there.
Jeez.....

Re:Responsible?

[mrchaotica]

Piracy is bad, but so is getting rooted...

Copyright infringement may be bad, but getting rooted is orders of magnitude worse, because it opens your computer to other crackers and malware. Given the hundreds of thousands of computers that are affected, this even has implications for National Security -- terrorists could launch one Hell of a DoS (or otherwise) attack with that many zombie machines!

No, what Sony has done is much worse than copyright infringment; it's very nearly terrorism!

Set back?

[Zocalo]

How can DRM be set back when it's never got off the ground in the first place? As far as I am aware there is yet to be a single form of DRM that has even come close to forcing the use of recording of the output signal(s) in order to make a copy of a digital media file. Even Gartner is apparently now saying [theregister.co.uk] that DRM is a waste of time and predicting that the studios will abandon the idea in favour of enforced DRM controls in the hardware. Personally, I doubt that is going to work out any better given the totally ineffective DVD region coding scheme, but there does seem to be a sharp increase in lobbying going on, so maybe Gartner is on the right track.

Arguably right? WTF ever

[div_2n]

Arguably, Sherman is right

No, he and the others want to pretend that Fair Use doesn't exist. I pray for the day when they all get smacked royally for violating our rights.

Logic

[Experiment 626]

Given that:

1) The Sony rootkit contains pirated open source code, and

2) The RIAA finds nothing wrong about the Sony rootkit

It follows that RIAA does not consider the piracy of copyrighted material wrong... Well, I'm off to go copy a few CDs, with the cartel's blessing this time.

No, no, no, you've got it all wrong!

[RAMMS+EIN]

``It follows that RIAA does not consider the piracy of copyrighted material wrong... Well, I'm off to go copy a few CDs, with the cartel's blessing this time.''

No, no, no, you've got it all wrong!

It's not about breaching copyright.

It's about who harms who. Small folk harming the large corporations? BAD! Large corporations harming the small folk? Standard practice!

The problem isn't the defect

[Digital_Quartz]

"how many times that software applications created the same problem?"

How many times have software applications that were installed on my machine without my knowledge created the same problem? How many times have software applications that were impossible to uninstall from my system created the same problem?

The only instance I can think of are other root kits and spyware, and I do my best to keep my system free of those criminal pieces of software as well.

The problem with Sony BMG's software is not the defect, it's the underhanded way it is delivered to a computer to begin with. Sony BMG has no right to install software on my computer without my knowledge. When inserting a music CD into my computer, there is no expectation that software will be installed. Sony's software SHOULD pop up a big "I'm about to install this software on your machine" dialog, with a big "OK" and "CANCEL" button, like other comercial software from respectable companies.

Attempting to make Broken CD's the standard

[asv108]

As a music lover, I am still forced to purchase CD's in order to get a high quality sound in an uncrippled format. My usual routine is to rip the CD in to FLAC as soon as it arrives and keep the CD has a hard backup copy. When the industry initially pushed copy protected CD's, it seemed that the target market was pop and rap consumers, so it never really affected the music I cared to purchase. Now, I'm starting to see indie, jamband, and jazz CD's with copy protection.

Sure, most of the schemes do not affect ripping on my platform(Linux), but I am unwilling to support a distribution method that unfairly restricts basic fair use. So whenever I see a CD that I would like to purchase but its copy protected, I make sure to give it a 1-start review on amazon stating the reasons why I wont purchase it. Its quite simple, if enough people refuse to buy copy protected content and make it publicly known, the industry will be forced to release real CD's.

What is being sold here

[Nom du Keyboard]

saying "how many times that software applications created the same problem? Lots.

Just what is being sold here? Music, with a 3,000 word EULA -- or software? I think what has been created is an entirely new category of product.

And I, for one, feel this new product is being sold under deceptive marketing practices that have it masquerading as be a product it's not. It pretends to be a regular music CD, with only fine print informing you otherwise. This deserves full investigation by all regulatory authorities with appropriate punishments doled out. In addition. these CDs should be sold in an entirely different section of any store from regular music discs.

For the non-technical:

[SLot]

"Hey, I know we were found in your house in the middle of the night after breaking in a window, but we've cleaned up the mess and put in a new pane of glass. Aren't we responsible"?

Now, if only the non-technical people could see this....

Comment removed

[account_deleted]

Comment removed based on user account deletion

Remarks on Sherman's closing remarks

[digitaldc]

"And for generations, students have spent their hard-earned dollars on the music they love in the local college record store. How many of those stores are left now? Makes you realize just what the impact of illegal downloading can be, and why we've taken the actions we have."

First of all, hard-earned is questionable. I know plenty of college students who never worked before or during college, so maybe he should quantify the statement by adding 'parents' hard-earned money. Also, it would be about one generation that has even dealt with this issue, not 'generations' as if file-sharing was something people did back in the Bronze Age.
Second of all, I highly doubt these college 'record' stores closed because of illegal filesharing, more likely they closed due to big-box retailers offering CDs at highly-discounted rates, thereby making money by overall volume of sales, not individual purchases.
Third of all, it doesn't make me realize anything, except that the music industry are hypocrites for having settle a lawsuit for price-fixing/gouging in 2002 and then claim they are losing money now. Was that price-gouged projected earnings, or actual earnings they are losing? This only leads me to believe that the music recording industry is a very greed-driven industry and they probably don't really care about the low-volume 'college record stores' anyway.
Read more here: http://www.usatoday.com/life/music/news/2002-09-30 -cd-settlement_x.htm [usatoday.com]

Re:Remarks on Sherman's closing remarks

[mborland]

And for those that are too young to remember, blank audio cassettes were probably one of the largest expenses for students back in the 80s and early 90s. Most people had shelves of copied albums and mix tapes.

MP3s (etc.) just add a different medium for the same music sharing impulse.

Justification still stupid

[Bullfish]

Sony has been saying they did nothing wrong all along so it's not a surprise to hear the RIAA chime in. So others do it too, does that mean a burglar should get off because others have broken into your home? Protect their content, they are entitled to that, but not at the expense of our data.

This is another of the RIAA's great stabs at PR by pouring gasoline on a fire.

Makes you wonder of any of their people went to business school.

SonySuit.com - Strike back in Small Claims Court

[marklyon]

What Sony did wasn't responsible, it was, in fact, a crime in many areas. Call and report it to your local police department.

On the civil side, you don't have to wait for the class action lawsuits against Sony BMG Music Entertainment and First 4 Internet to wind their way through the courts -- you can sue on your own in Small Claims Court. For a useful guide to get you started, visit SonySuit.com [sonysuit.com].

All well and good...

[tekiegreg]

However I'd like to see the RIAA's feedback on the (at least alleged) LGPL violation by Sony in this. Would the RIAA (MPAA, BSA, etc.) encourage companies to practice what they preach? As posted previously on Slashdot there was a potential LGPL violation. My suspicion would be that the RIAA takes a "no comment" stance, hehehe....

RIAA and their PR

[sinco]

The thing that intrigues me is the RIAA has the nerve to support this action when Sony clearly suggested (not in a press release but in recalls) they made a mistake. This shows the RIAA does not care about their PR. It seems to me the RIAA views us as consumers who will buy their product at any cost, regardless of how they treat us. Like suggested before, they have a monopoly at hand. I'm hoping in the future that some of the consumers can conform to suggest reasonable methods of distribution and rights to combat the RIAA's evil actions. If not I think the RIAA will keep on pushing for complete control over digital distribution and rights.

Yea right...

[LWATCDR]

"" According to Sherman, the problem with Sony BMG's XCP DRM software was simply that "the technology they used contained a security vulnerability of which they were unaware". He goes on to praise Sony's "responsible" attitude in handling the problem, saying "how many times that software applications created the same problem?".
The difference is that an application give the end user some benefit. This one limits the end users ability to control their own computer. Also an application can only make your system vulnerable while it is running. This root kit gets installed as a service I believe so it is running all the time.
Finally an Application can be uninsulated.
Nope Sony screwed up and we are made as hell. I am not going to buy any CDs from Sony for a while and if I feel the need too I will ripe them on my Linux box first and make new clean CDs ASAP.

FoxTrot tries to educate the Public

[Jaxim]

Did you all see today's FoxTrot? It appears that existence of Sony's rootkit is becoming more and more mainstream.
http://news.yahoo.com/news?tmpl=story&u=/uclickcom ics/20051121/cx_ft_uc/ft20051121 [yahoo.com]

software installs WITHOUT EULA agreement

[Danathar]

The thing thats REALLY bad is that the software installs on your system (disabled) even if you DON'T say "yes" to the EULA.

I'm really hoping that lawsuits brought up with this stuff brings the whole "I can put anything I want into an EULA and it's binding" mantra we hear from certain software and content providers.

No, Sherman is not right

[Dr. Blue]

To pass this off as a bug "of which they were unaware" is horribly inaccurate.

The software hides itself -- by design, not as a bug.

The software makes itself difficult to remove -- by design, not as a bug.

The software places itself in fundamental system areas, like accessing the CD, compromising those areas -- by design, not as a bug.

No, the problem isn't a bug. The problem is a company thinking they have the right to get into places on my system that they have no business being, and then hiding to make it difficult to clean.

A common component of all anti-spyware legislation and attempts that I'm aware of is that everything has to include a reasonable and effective uninstall procedure, that clears out the software. Sony didn't have this -- again by design.

SONY did do something wrong.

[Decius6i5]

The problem with the SonyBMG situation is that the technology they used contained a security vulnerability of which they were unaware.

No, the problem with the SonyBMG situation is that they installed "technology" without the user's consent. How can the user consent in the fine print of an EULA to installing software which is specifically designed to hide itself and to be impossible to uninstall? Obviously, if there was any credibility to the claim that the user consented to installing the software there would be absolutely no reason to hide it! The idea that you can simultaneously get me to consent to something AND keep me from knowing about it is so insane that it would be comical if so many people weren't seriously suggesting that its true.

Furthermore, the "vulnerability" in this program that SONY was "unaware of" is not a typical software bug that developers might be reasonably unaware of. This software is specifically designed to hide any file starting with the $sys$ prefix! The idea that the creators of this software are "unaware" of something they specifically designed this program to do is almost as insane as the fallacy above.

Whats worse, the uninstaller is designed to break security too! If you are putting a remotely accessible ActiveX control on a machine, which has a function called "ExecuteCode," you're allowing any web page to "ExecuteCode" on that machine. This isn't a vulnerability, its a bad design, and the design is so obviously bad that it is impossible to be sympathetic.

If you are savvy enough about computers to be designing DRM software in the first place then obviously you would know that these things are problems!

Evil Pirates! Putting honest people out of work !

[Chaffar]

"And for generations, students have spent their hard-earned dollars on the music they love in the local college record store. How many of those stores are left now? Makes you realize just what the impact of illegal downloading can be, and why we've taken the actions we have."

Causal fallacy.

It's not like he doesn't know it, but why bother building proper arguments when you can get away with absolute b*llshit and still be quoted as a respectable source? I couldn't finish reading the whole article, and to compare file-sharers to bank robbers and shoplifters was just insulting.

Cary Sherman: Obviously, anyone who has stopped downloading (or uploading) illegally will not get sued.

Thank you, Cary Sherman, for your infinite compassion towards us petty thieves, we are not worthy of such.

Oh boy do I disagree

[digitalgimpus]

Maybe it's just a coincidence, but I just blogged earlier this morning [accettura.com] that they should be compensating users financially for the trouble they have caused. And/or face some criminal liability.

Seems like the only way to rid yourself of their blunder is to wipe and reinstall windows. IMHO users should be compensated for that.

There's absolutely no way that Sony didn't realize the risks associated with using a rootkit. It's been covered here before (among many other places, typically regarding spyware). So we can safely say they knew what risk existed.

They were just hoping everyone was to dumb to realize what they were doing.

Am I bias or just looking to attack Sony? No, definately not. I didn't get this garbage, heck I'm not even a real music fan, so the whole thing is a null as far as I'm concerned. To be honest, I like Sony hardware. So I'm not a anti-sony jerk taking advantage.

I just know I hate reformatting my computer because windows got screwed up, and I know what I'm doing and can do it quickly. There's quite a few people out there with this garbage installed on their computer... and some don't even realize what's going on.

Come on Sony... open up your wallets and compensate them for your blunder. You knew what you were doing was wrong. You did it anyway. Now compensate. If it were up to me, your execs would be in jail for a year or two for hacking, since that's effectively what you did.

I really don't want Sony to get off free here. Just think about what the next one is going to try and get away with. Just wait until version 2.0 includes a keylogger to ensure you don't transcribe the lyrics.

Come on Feds... don't back down.

The state of Texas apparently disagrees

[Zygote-IC-]

Just got a press release in our newsroom that the Texas Attorney General Greg Abbott is suing Sony BMG.

Full release can be found at http://www.oag.state.tx.us/oagnews/ [state.tx.us]

Don't mess with Texas.

If Sony were the average virus writer...

[Nom du Keyboard]

...the FBI would have raided them and seized all their computers by now -- even if a court case is yet to be filed and any day in court is months to years away, if ever.

Hey, FBI, there's still time.

I don't think that's right...

[kenthorvath]

Arguably, Sherman is right -- but I enjoy much more the fact that this whole r00tkit fiasco has set DRM back by years. Gogogo poor implementations!

First let's take a look at the claim that Sony was merely trying to add a layer of protection to their IP by using XCP and weren't aware of the potential security flaws.

For starters, if they just wanted to encrypt their data or have a program running in the background that prevented the user from opening a certain application, this is all possible with XCP. In fact, the only reason to use XCP is to bypass the built-in security measures that your computer should have immutably enabled and functioning. That is, they wanted their DRM software to be in a position of ultimate control over your computer. Ordinary security features prevented this, so they install XCP to hijack your computer, to bypass security - and not only that, but they provide that control to any program that prefixes its name with $sys$. That is, XCP is a security flaw by its very nature and it was licensed with just this functionality in mind. There is no other reason to use it, but to circumvent security measures.

Now I'd like to address the seemingly prevalent belief that people are up in arms against this software primarily because it may allow a virus or other undesirable program unfettered access to you system.

People are used to security flaws within windows. They happen all the time and MS releases patches. They are not well loved for it, but for the most part, people continue to use windows and tolerate the seemingly ubiquitous lack of security. Why then, would they make an exception for Sony's case? I believe the answer lies not in the DRM itself, but in Sony's arrogant and anti-consumer attitude that they're right to control their "property" usurps the consumer's right to control the functionality of his or her computer.

One statement that whoever-it-was in this interview made in defense of Sony was that DVD's have been DRMed forever. You can't rip them to disk, you can't copy them, you can't even play them in non-licensed players. CDs, on the other hand, (as manufactured by Sony) are designed not to prevent you from playing them, or copying them, or presumably using them as you see fit, but rather to prevent you from copying in excess and giving too much of Sony's IP away without their consent. The problem with this logic is that for one thing, nobody is giving the movie companies kudos for locking down their DVDs. That I can't legally rip my copy of Spaceballs to my iPod video isn't a fact that gains MGM much love. And secondly, CDs were never designed to be crippled in the first place. When I buy a CD, I expect it to behave like a CD. Sony wants to change the way CDs behave - and the only notice they give you about it is an enigmatic little "CP" icon and the words "content protected". Content protection sounds good to me - does that mean that my CDs will scratch less, or that if I lose the CD, the content will continue to be made available to me, because I paid for the content? I thought not.

Lastly, I'd like to take issue with the notion that the Sony fiasco has set DRM back for years. I don't think it has. In the official release, Sony has only recalled the discs with XCP and has all but promised that future CDs will be released with some form of DRM. As long as the methodology doesn't usurp the functionality of the computer or provide in any egregious way a security risk, Sony will continue to distribute crippled CDs. That is, after all, the reason for the fiasco in the first place. It wasn't the DRM that got them in hot water, it was the way they went about achieving it. There are still many CDs out there with the "CP" logo that Sony hasn't recalled. Santana's newest CD comes to mind.

This is the way that the future is going to go. DRM has more than a foot in the door, it nearly has a whole leg. The Sony fiasco must serve as a wake-up-call for us, or we risk losing the public domain forever. (DRM + DMCA = unlimited copyright terms) We mu

It's MY Computer, DAMN IT!

[renehollan]

If you want to put software on my computer, you'd better disclose what it does.

If it causes harm intentionally, then you are guilty of fraud and destruction of property, and should be subject to criminal as well as possible civil penalties.

If it causes harm unintentionally, you should still be subject to civil penalties.

There is no excuse for software that causes harm unless I clearly waived my rights to redress and that harm was unintentional.

While this may be reasonable if the software is free (as in either speech or freedom), it is not reasonable if the purpose of the software is to protect someone else's property interests.

The bottom line, is that such untrusted, unvetted code, should only be deployed to dedicated machines where the harm is not likely to be wide-spread (i.e single purpose devices), and particularly where the harm will affect those who would naturally benefit from what the software should do: if a firmware upgrade is sent to my cable box by my cable company, and it kills the box so that I get a refund on not being able to view content, this is likely reasonable. But it should certainly not kill a general purpose computer. If anything, that is an argument for dedicated devices who's sole purpose is the decryption and display of encrypted content.

DRM doomed?

[mgessner]

This article [yahoo.com] on Yahoo! says DRM is doomed. FTA: "The fact that so-called digital rights management might always be a doomed experiment became painfully clear with the fiasco that erupted after Sony BMG Music Entertainment added a technology known as XCP to more than 50 popular CDs."

Let's hope. I always thought this was stupid. I bought the CD. The concept of fair use says I should be able to listen to it when, where and how I want. Fussing about people trading music just goes to show how badly the music industry knows it's wrong and that it's been screwing artists since the beginning. They're not treating their artists nor their customers well.

Texas has just filed suit...

[artifex2004]

I submitted an article, but then edited it. In case the latter fails to see light of day:

In the first enforcement of Texas' new spyware law, the Consumer Protection Against Computer Spyware Act of 2005, Attorney General Greg Abbott filed suit against Sony [state.tx.us] for having "surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems." The suit is seeking US$100,000 per violation. A PDF of lawsuit is available here [state.tx.us].

Re:Thank goodness for Konqueror

[forkazoo]

Well, I'm a sys-admin at a company with a few hundred desktops. AFAICT, there isn't any way to scan my whole network for the rootkit, and the only sure fire, safe way to remove it is to reimage the machines that have it. Thankfully, it does phone home, so we have started looking through firewall logs for anything trying to get to the phone-home website. Still, a major PITA.

Re:Thank goodness for Konqueror

[Zocalo]

There is also another way which might be easier depending on your setup. As you say, the root kitphones home, and that means it has to perform a DNS lookup of the domain. In order to see which, if any, of your hosts have the Sony rootkit installed you could also enable query logging on your DNS server and see which hosts are doing that. Better still, you could also create a dummy zonefile for the zone and redirect the requests to /dev/null while you are at it - I've got a whole list of zones (mostly bann

Re:Thank goodness for Konqueror

[TCM]

Uhh, this is a very, very ugly way to do things. You twist the semantics of the global namespace and potentially redirect all traffic to those domains to 127.0.0.1.

What if your users are developers running a local httpd?

If you want to block HTTP traffic, use an HTTP proxy. The proper way to implement ACLs is to return a code that indicates "denied", not return false information as if it were real. This only leads to headaches later, when noone thinks about this "solution" anymore and tries to debug a real p

Re:Thank goodness for Konqueror

[TheRaven64]

I hope your company sends Sony an invoice for all of the time you spend fixing this problem at your standard charge-out rate (not your salary rate).

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Who installs software from an audio cd?

[Prospero's Grue]

Does everyone have auto-play on for audio cds? If so, don't they kind of deserve whatever they get?

What? "Well, come on judge. She was playing a CD...she was obviously looking to have a rootkit installed on her system."

What kind of elitist nonsense is this? Lots of people auto-play CDs. I autoplay CDs despite the fact I have ripped them, and know my way around the box. (Obviously I have to be more careful, now.)

Yes, ultimately the victims of these DRM-schemes are going to be the average schmucks,

Re:Who installs software from an audio cd?

[everphilski]

The problem is, Windows by default has auto-run enabled upon CD insertion. Most people won't go through the hassle of turning this off (it's not even in a very obvious place to turn it off..)

Windows XP: Go to My Computer. Right click on your CD-ROM drive. Click Properties. Click the "Auto Play tab. Click "Prompt me each time to choose and action" or "Take no action". Done. How much easier or logical can it get?

-everphilski-

Re:Who installs software from an audio cd?

[Prospero's Grue]

How much easier or logical can it get?

Yeah! See how easy it is when you're given the step-by-step procedure? I don't know what's wrong with these people.

Re:Who installs software from an audio cd?

[Rude Turnip]

"How much easier or logical can it get?"

Those steps are neither easy nor logical. You're giving wayyyyyyyyyyy too much credit to the average computer user. Most people will not even make the assumption that they have a choice in disabling any of that stuff. It scares the hell out to me to see the amazement of friends and co-workers when I show them how to do things that the average Slashdot reader takes for granted as easy.

The easiest and most logical thing that can be done is NOTHING WHATSOEVER. Most people seem to forget that "do nothing" should always be the first option. If you're putting a music CD in your CDROM drive to listen to music, you'll know that you need to launch your music player.

Re:No regedit required at all...

[kawika]

everphilski, have you actually checked that with the Sony CDs? Because it doesn't work.

The settings on the AutoPlay tab are for "Autoplay V2" which determines the action based on the content of the CD (mp3 files, image files, etc.). The Sony CDs use "Autoplay V1" which only requires a file named Autorun.exe in the root of the drive. Even if you turn off all the features on the Autoplay tab, it will not disable Autoplay V1.

There are several ways to disable the V1 variety, if you don't want to manually RegEdit just download TweakUI and you can turn it off that way. If you prefer the registry method, Google for DriveTypeAutoRun [google.com] to disable them on a per-drive letter basis or services cdrom autorun [google.com] to turn it off for all CD/DVD drives.

Re:No regedit required at all...

[CosmeticLobotamy]

That'll work in XP Pro, but not in XP Home (at least from what I can tell). Of course, maybe I'm the only person alive that ever encounters XP Home. Google seems to think it's rare.

Re:Giving Consumers What They Want??

[Entropius]

What I would like:

I would like to be able to go download a recording of , and would like at least 80% of the money I pay for it to go to the composer and the performers. They, after all, did the hard work.

I would like this recording to be available as a plain old 192kbps mp3 or 160kbps ogg, or a FLAC encode, at my choice.

Is that really so hard to ask?

Re:Giving Consumers What They Want??

[xtracto]

Then what you like is www.allofmp3.com + mail your favorite band $10 for each record you download (make sure you write a note telling them what you did and why).

After thinking for a while, my conclusion is that that is a fair way to back your artist. You may write them and tell them to give you a PayPal account to make them a deposit.

Why allofmp3 instead of p2p? because in allofmp3 you can download the music in several (mp3, ogg, flac, ape, mpc, wav, mp4... etc) codecs.

Re:Hmmmm......

[BushCheney08]

Otherwise, you risk getting yourself in these situations. Just ask Microsoft.

I called up the Microsoft support line to ask. They told me they've never had any problems with faulty software or security vulnerabilities and that I should contact my hardware manufacturer.

Re:Tape defeats Sony DRM - What World Needs

[Nom du Keyboard]

Last time it was a felt-tip pen, this time it's gaffer tape. I bet a pen will work just as well.

What the PC world needs is a CD driver that comes up and says:

Multi-session disc inserted.
2 sessions detected.
Select session to use (cr for newest): __