More on Sony's "DRM Rootkit"

A couple of days ago we posted a story about Sony DRM installing a rootkit. Since then we have seen many more stories on the subject that I thought were worth sharing. manno gave us a link to the inquirer and salemnic sent us a page from the washington post. smallfries gave us one from PC Pro. It's nice to see this story not getting lost in the cracks since the implications are gigantic.

Regardless of where this goes...

[Donniedarkness]

Even if this doesn't go to court, at least this is getting some attention... and ANY bad attention for DRM makes me happy.

The Solution is Simple Folks!

[Anonymous Coward]

Just never buy a cd again.

Me, I think I'll just pirate all my music from now on. That way I don't have to worry about any of this DRM nonsense!

Re:I don't understand the fuss.

[Anonymous Coward]

On the off chance that you're not a troll:

Sony has the key to your computer.
The key is digital, thus an infinite number of copys can be made of the key.
The key is digital, so anyone with enough time can make a copy even if they aren't from sony.

Once someone besides Sony has the key, they can distribute it on the internet, and now EVERYONE will have the key to your computer.

Is it scary now? Do you think your bank plays music from sony CDs? Do you want everyone in the world having keys to your bank?

Re:Sue

[Donniedarkness]

"A lawsuit on what grounds? That you agreed to something and then they installed their software based on your agreement? "

I think the issue here is that Sony does not tell you that they are installing the software ANYWHERE. In addition to them adding the software without your permission, its software that can create a "safe haven for viruses" (the software makes everything that has "$SYS$" in the filename turn invisible), according to the PcPro writeup.

Re:Dupe(s): with a purpose.

[idontgno]

<aol>Me too!</aol>

No seriously, I agree. Sony's inconceivably bad behavior has to be dragged, squealing and flailing, into the sunlight where it can be properly stomped to gory death with hobnailed boots. No mercy, no PR coverup, no plausible deniability. Corps have to understand, with visceral fear-of-agonizing-death understanding, that this kind of crap will not ever be tolerated. This is a trend which must be stopped cold dead. These shenanigans have to be punished with such finality that any observer centuries from now will intuitively know the immediate and unalterable consequences of this kind of crap.

Re:Simple Solution: Boycott Sony to Death

[Donniedarkness]

Honestly, I wish we COULD start a mass boycot against Sony... not even for this, really, but more because of the RIAA. The problem is, most people don't think that it's worth not having the latest crap music, if that's what it takes to send these guys a message :(

Grounds for suit

[Engineer-Poet]

I believe the doctrine of trespass to chattels would apply here.

Of course, IANAL, IAAEE.

Deal with the devil...

[Kjella]

...I did the responsible thing *cough*. I e-mailed Microsoft and expressed my concern about how this mucking about with the kernel stood in the relation to the EULA, support (who the hell wants to support a kernel patched with unknown code supplied by a third party) and future patches and upgrades. This could cause it to fail to validate like a warez'd install, cause breakage because a patch half-overwrites the hack and any other number of wierd things. I also expressed my concern of how this would reflect on the security and userfriendlyness of Windows (read: Windows has enough issues without Sony messing around). I really hope Microsoft comes out and tell Sony what they think.

Re:Sue

[Anonymous Coward]

"Sadly, most people don't care anymore. "

You have got that backwards. Those who know what DRM is cares.
The problem is that not many people know about it.

Re:Contains LAME code?

[idontgno]

Oh, I hope it's so. The delicious, tasty, non-fattening irony. Using an embedded copyright violation to enforce copyrights. I shudder in ecstacy at the thought.

Who'll follow up on this thread? I'm sure we can find enough free-as-in-freedom warriors to do a tech analysis on the software and confirm the report in parent comment? C'mon, hoisting retards [sonymusic.com] on their own petards [wiktionary.org] is just too much fun!

Re:Sue

[ZachPruckowski]

Yes, it says "software", but it doesn't say "I agree to allow Sony to install software commonly associated with hackers that may infringe upon my computer's security". And I think that'll make a bit of a difference.

The security industry

[Anita Coney]

Any news on how Symantec, Mcafee, and the other so called security firms are treating this? I'd certainly expect an up-to-date anti-virus software to stop this from installing.

Re:I don't understand the fuss.

[CoderBob]

You don't perchance work for Sony, do you?

That aside, anything that hooks into the internals of an OS without my clear and informed authorization is a problem.

you've got a piece of code in your computer that only gives Sony access. nobody else.

Please tell me you don't really believe that. Considering how many of MS's products have opened backdoors for people, you're going to trust Sony to "do it better" and leave this software completely secure? It might not suddenly allow crackers "on some IRC network" to get in, but it sure opens up a lucrative bit of research for them- finding the security holes in a DRM rootkit that people don't even know is installed.

Imagine the trouble in fixing that with a patch.

Re:Simple Solution: Boycott Sony to Death

[God'sDuck]

i dont think anyone considers memorysticks to be anything but a useless dead format....

there's nothing wrong with memory sticks! sure they're proprietary - but sony's consumer-grade cameras are currently the best on the market,* simply because their AF system has made several advances in the past three years which make their cameras solidly faster in-use than the competition. canon's following closely; hopefully the situation will reverse in the next year or so (the market was even 3 years ago, such leads rarely last).....but all to say, memory stick, while a dead end, perhaps, is certainly not dead, as most of the best and most popular cameras still demand it. furthermore, with moore's law, EVERY format you buy is dead in two years. my first digicam (kodak) was given a 64 meg card (compact flash), my second (sony - memory stick) a 128, then later a 256, my third (canon - compact flash) a 512, and my fourth (canon) 1 gig. i anticipate a 4 gig card for my next camera.

all to say - people that waste time whining about proprietary memory that-they-can't-take-with-them need to realize that they can't take it with them *anyway*, at least until the megapixel war subsides. storage for serious photographers is more analogous to RAM than floppies - it's just part of the camera system. even if the format is compliant with subsequent models, they'll likely consider it prohibitively small, and they're better off selling it off to pay for half a new one.


ps: and before you say "b4t m1n3z d4 b0mbz!" realize i'm not dissing your camera, i'm just saying that, at this point in time, when you take a consumer down the line in a camera store that carries all brands of cameras, and make them play with each camera uninfluenced by sales rhetoric or concerns for proprietary formats or brand preference, a significant majority gravitate to the Sony's...not all, but most (like 5/6, among people that consult with me). doesn't mean the others aren't good, or don't have specific features that make them more desireable to other people, just means their user interface and general operation speed is slightly less eye-catching. natch?

pps: OT? sorry. just a pet peeve of mine. you can say it's proprietary and we should resist proprietary formats on principle, but don't mix "proprietary" with "technically bad," or underestimate Sony's ability to keep its CompactBetamax in very active use for years to come.

Solution?

[Wessler]

Get a Mac? According to the FAQ [sonybmg.com], the disc appears as a normal CD on a Mac. Anyone know if the content is the same, or are there extras that you get for enabling viruses on your PC?

Re:A wild conspiracy theory:

[Lonewolf666]

Looks more like a fuckup by careless management to me. Because the price in lost reputation will outweigh any benefits from reduced copying.
I'd bet they simply did not understand the implications of their "copy protection".
Or maybe they knew and did not expect it to make much waves.

But I don't think Sony management wanted the kind of publicity they have now.

Re:Deal with the devil...

[Anonymous Coward]

The Microsoft solution would be to install such a thing as part of Vista, and then sell Sony a license to use it.

Re:Sue

[OldeTimeGeek]

Go ahead. Sue. Make some lawyers happy. After years of litigation and after millions of dollars are spent, Sony says 'nolo contendere', settles out of court and you get a free CD for your trouble.

Or, better yet, don't buy a Sony music CD. Sony gets sued all of the time for various reasons - it's part of the cost of doing business. Their stockholders are used to it. A significant drop in sales will be far more likely to get attention.

... until removed or deleted.

[ArsenneLupin]

See that part about "the SOFTWARE will reside on YOUR COMPUTER until removed or deleted"?

... but they conveniently forget to point out that their software can't be removed or deleted by the common user...

So, technically they are in the clear (in the same way that they would be in the clear if they said "the SOFTWARE will reside on YOUR COMPUTER until pigs grow wings"), but what they are doing is still morally very wrong...

As far as being able to uninstall it via "add/remove programs", I wasn't aware that this made software dismissable via legal grounds.

It's just not a matter of failing to supply some user-friendly functionality to make it extra easy to uninstall.

Such functionality might take time to develop, and so a case could be made that the developper just didn't feal it worthwhile to spend the effort...

But in this case, the developers went out of their way to make it extra difficult to detect, let alone remove, their software. Even without Add/remove functionality, you could still remove the files and registry keys manually, if the software was just sloppy, rather than malicious. But in the present case, the software's files and reg keys are hidden, so you can't just remove them. And if you do find the trick how to de-activate the rootkit, removing the resources will break the OS if not done properly (disabled CD driver), meaning that for a normal user the only alternative is to reinstall the OS. Not nice!

Legal Justification for Downloading Music

[Anonymous Coward]

Ok, if they wan to play that, then the reverse play is that you have to download music as data files because music CDs constitute a threat to your computing environment. In effect, they just legitimatized music downloading as a way for consumers to escape injury (in the legal sense) from their crapware.

Re:Solution?

[Sgt_Peppers]

It does seem a bit of a flaw in their copy protection that you can stick the disk in a mac (doesn't say about linux) and rip it to MP3/ogg. Most file sharing networks don't tend to be platform specific so windows users can just download it from there. +1 to the list of copy protection systems that annoy legit customers and don't stop piracy.

Re:Regardless of where this goes...

[Scrameustache]

it would almost seem as though anything with an acronym such as "Digital Rights Management" would be designed to protect your digital rights. It's entirely misleading.

Yes it is.
That's the point, it's got a double plus good word in it's title, so it must be good!
For other examples of this: PATRIOT act and "operation [adjective] freedom"... how could ANYONE oppose them without appearing anti-freedom to the uninformed?

Re:Hope it catches on

[mc900ftjesus]

For god's sake, yes. ./ we are all now responsible for spreading a new term "infected with DRM." A bad publicity spin is a better way to combat DRM than actaully explaing it to Joe Sixpack. The word infected implies that it's bad, christ I've met people who think viruses are like human viruses (no one makes them they just happen). Leave the tech speak at home, just dumb it down to three words: infected with DRM.

Re:Sue

[i_am_not_a_bomba]

Don't buy DRM'd CDs as they don't allow you to exercise fair-use.

If 'fair use' is a natural right then any entity that attempts to crush that is criminal.

Your attitude is lazy, here's some fun with it; don't like not being able to sit up the front of the bus, then dont ride on the bus.

Don't like the cancer from the toxic waste dump in your town, then leave.

Don't like to have the police perform secret searches on your home, don't buy a home, dont move into that town, state, country, etc.

Facile examples but they are along the same line of thinking. If an entity is actively stamping on peoples natural rights then that entities behaviour can be forcefully stopped by society, through the power of government, one of the things that government is supposed to exist for.

There seems to be some strange thought pattern here that nobody must let the idea even cross their mind that a corporations' behaviour may be wrong and that it is ok to put a stop to it through Government. Somehow a fairly large group of people have decided that corporations should have less responsibility to a country than the citizens that it is supposed to benefit do. That the only thing that lowly citizens should be 'allowed' to do is *absolutely nothing* (which is exactly what a 'boycott' is, total and utter inaction).

Undoubtably this thought process is a mutation of various anti-communist, anti-socialist and pro facist (in the true sense) ideologies coming to their logical end..

Your argument is also objectively pro virus/spyware and malware. Using your argument any virus or malware author, to be safe from prosecution simply has to show some form of EULA, something that has been joked about here often but dismissed as absurd. (You probably didn't make that connection in your rush to promote your ideology).

--Awaiting the flurry of half thought out responses misinterpreting my words.

Re:Never fear, Slashdot is here!

[harrkev]

With Slashdot reporting this 10 times a day I doubt it will get lost :)

This story on /. is preaching to the choir. We all know about this. What IS newsworthy is that this is starting to hit mainstream press (well, at least getting closer to mainstream). If this makes it to Newsweek, it will give Sony a big black eye.

Re:... until removed or deleted.

[Ender Ryan]

I challenge your hypothesis.

The SOFTWARE is designed to hide itself, alters the functionality of the machine to the detriment of its performance and can cause it to malfunction(prevent CD/DVD readers/writers from working properly), opens up the machine to further attack, and finally reduces the stability of the machine. The EULA, which you cited, is intentionally vague and misleading, and certainly does not absolve Sony of responsibility for the above problems caused by their SOFTWARE. Also, just because it's in the EULA, sorta(!), does not make it legal. Sony is clearly being deceptive with these products and their EULA, and there are laws on the books to protect consumers from such action.

Furthermore, it is not a safe bet to assume an EULA is a binding contract, there is precedent both ways on this, it depends on the EULA and the judge's opinion, and there are all kinds of laws regarding contract validity.

Re:Simple Solution: Boycott Sony to Death

[ooze]

So you will rather buy an Xbox than a PS3? Because Sony tries to get control of your computer with a rootkit?

Think again, who has more power over your Windows computer, Sony or Microsoft? Who doesn't even need to install a root kit to do anything on it they want to?

Boycotts are worthless...

[FellowConspirator]

... for stuff like this. If you care enough to REALLY do something about it, there are really only two things to do:

1. File a tip with the US Department of Homeland Security
   
   Intentionally or otherwise, what the program is exploiting a flaw in a popular operating system in a way that not only enables them to control access to the data on the CD -- which itself is illegal, but fat chance the government will help you with that -- but it in so doing opens up the machine to facile infection with illicit software which it will then actively cover up and make detectable only to very knowledgable users. If DHS is serious about cyber terrorism, they shouldn't be letting companies subvert the already weak security of the predominant operating system and prime them for becoming unwitting pawns in terrorist activity.
2. Develop a SafeDupe campaign.
   
   Make a simple flyer explaining what's happened and the implications and see if local record stores would be amenable to helping out. This could be as little as having them stuff an info packet in their bags, to leaving a stack of Live Linux CDs that do nothing but permit a user to duplicate a CD to CD-R without the offending software, or even have a "SafeDupe" day where a few people setup a table where purchasers can show proof of purchase and bring a blank CD to have it "SafeDuped" for them. Obviously, most record stores won't want to rock the boat, but a well-spoken and sincere person (armed with copies of coverage from the mainstream media talking about the problem) ought to be able to find at least one or two store managers with an ethical streak.
   
   It's perfectly legal to make such copies, and if you don't believe me, ask a lawyer or download the Bern Convention on Copyright and read it yourself.

And remember kids, calm, cool, and collected. No name calling, no vitriole. Attribute not malice where stupidty is explanation enough, etc. And do make sure that whatever you do is entirely on the up-and-up, transparent to everyone involved, and that the press and SonyMusic are well informed on the subject.

Re:quite the non-sequitur

[Ender Ryan]

Awesome, moron it is then.

Re:Sue

[Alcilbiades]

You clearly haven't been reading the articles. Others have stated what the EULA was and it wasn't changed to include information about the hidden malware until after these articles started getting out. Furthermore, just because it is in a EULA does not make the EULA valid or legal. A company can put lots of stuff in the EULA it doesn't mean they hold up in court. Most cases in the US regarding EULA's have come down to judges dictating that they are far to restrictive and illegal.

Re:Hope it catches on

[laughing_badger]

Fantastic term!

Me: That CD's infected with DRM

Friend: What's DRM?

Me: Digital Restrictions Management. SONY has infected that CD so that it will alter the way Windows works so that you can't put that CD onto your iPod or make a copy to use in your car player that eats CD's occasionally.

That might finally get through.

One nasty idea

[jonr]

Buy and return.
Buy something from Sony, like PS2 or a camera, and then return it the day after. AFAIK, return items go pretty high up in the supply chain. Tell why you are returning it.
Any problems with this?

Re:Sue

[Pakaran2]

In an ideal world, that would be the case. In this one, the police aren't going to go after a corporation which employs tens of thousands of Americans because they did something to individual users' computers. And if they did, Sony can afford to drag it out in court forever (the same way Exxon is still dragging out the Exxon Valdeze fine - they don't need to pay it until the case is closed).

Re:... until removed or deleted.

[rhetoric]

>The EULA, which you cited, is intentionally vague and misleading, and certainly does not absolve Sony of responsibility for the above problems caused by their SOFTWARE. Also, just because it's in the EULA, sorta(!), does not make it >legal. Sony is clearly being deceptive with these products and their EULA, and >there are laws on the books to protect consumers from such action.

The DMCA is deceptive and vague but yet it still stands. Welcome to law.

>Furthermore, it is not a safe bet to assume an EULA is a binding contract, there is precedent both ways on this, it depends on the EULA and the judge's opinion, and there are all kinds of laws regarding contract validity.

There is yes, but the EULA hasn't been truly tested, thus why it still stands. You know why? Because no one has the time and financial ability to go up against Microsoft, Sony, etc. So, regardless of YOUR opinion on the subject, you can certainly guarantee that this particular EULA will stand until another fails.

Why are you so vehemently opposed to the very IDEA that people could sue Sony? From reading your posts here, I'd guess you are insecure and you want everyone to just give up and feel as weak as you in the face of teh uber Sony...

The post I've quoted essentially says: "you dont have a case because legislation can be vague, and because you can't afford it." Neither of these two "points," has ANY bearing in the arguement over whether or not there is LEGAL justification for a suit. Please stop posting flamebait.

but Sony says it's not malware

[cab15625]

To quote the faq from Sony [sonybmg.com]

6. I have heard that the protection software is really malware/spyware. Could this be true?

Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system.

Also, the protection components are never installed without the consumer first accepting the End User License Agreement.

If at some point you wish to remove the software from your machine simply contact customer service through this link. You will, though, be unable to use the disc on your computer once you uninstall the components.

I call shenanigans. They say it's not designed to be intrusive, yet it hides itself by creating a security hole and it messes with your drivers. They say it's not installed without the consent of the user to the EULA yet the EULA doesn't appear to give sufficient details to make an informed choice as to whether or not you want this on your system. They offer a removal tool; however, once applied, you will not be able to use the CD in your system at all. This last implies that the tool either does an incomplete removal or adds further software to your system (does the removal tool come with an EULA?)

Re:Sue

[KDR_11k]

Moreover, it says when you terminate the agreement you have to remove ALL parts of the software. Sony hides part of the software and makes it hard to impossible for you to fulfill your obligations under the contract. They didn't tell you beforehand and there's most likely a law against that (putting a clause into a contract while actively hindering the signee from fulfilling it, forcing him to commit a breach of contract). Entrapment? Otherwise it'd be too easy to put some impossible (but on first glance harmless) clause into a contract that triggers upon termination and causes the signee to unknowingly violate the contract and be liable under the damages clause. Imagine AOL implemented that into their service contract.

Re:Sue

[HrothgarReborn]

The best music is often the tunes that address social injustice and protest against oppression. Other music extolls the beauties of nature, love and mankind in general. This has always been so.

If this woman just likes to bop to the beat without a thought for the struggles of the human race, with no concern over the protection of the future of the art, then maybe you should question if she even "gets" the music she is recommending.

Maybe you should find someone with a bit more heart than a mindless primate that simply likes to bounce to a thumping bass or gaze at a shiny object.

Personally, I am glad my wife both understands and is passionate about social issues. It's the same passion that bleeds over into everything she does and keeps our marriage strong.

Disclaimer: I speak only to the description in your post. I do not know your fiance, who may have plenty of other positive traits.

Re:Let us /. Sony

[blincoln]

The copy protection on the Velvet Revolver album was a lot less insidious than their new system.

Re:Sue

[m0rph3us0]

Yeah, he just wrote the book on how to detect rootkits, and play with the internals of Windows. Maybe Warner Von Braun isn't the rocket scientist slashdot makes him out to be. I'm sure that cutting and pasting text from a EULA would be beyond him.

Unfortunatly, you made the problem worse.

[Belial6]

By, saying that all audio CDs should not be played, you took the heat off of Sony. You basically told them that audio CDs are inherently a problem. This would lead to the belief that the problem is not Sony's. You also punished the employee. If companies follow your advice, employees that want a little music through the day will now be denied the use of any CDs. You should make sure that you highlight that SONY is the problem, and that they have software on their CDs that infect computers with DRM.