Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
Sony Privacy Security Software

Bad Day To Be Sony 812

Not only is Sony no longer selling the RootKit CDs, Arend writes "According to a USAToday article, Sony is to pull their controversial rootkit CDs from store shelves." A nice gesture, but a little late. bos writes "Sony's DRM rootkit has been found by Dan Kaminsky to have infected at least half a million networks, according to an article by Quinn Norton for Wired News. Dan has even put together some pretty pictures of the breadth of the infection." With so many people infected, it's unfortunate that wiredog writes "From The Washington Post comes the news that serious security flaws have been found in the software that Sony is distributing to users who want to remove the Sony rootkit. The article says: 'Because of the way the tool is configured ... it allows any Web page that the user subsequently visits to download, install and run any code that it likes.'" Oops. Even Microsoft is getting into the act. ares284 writes "Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows."
This discussion has been archived. No new comments can be posted.

Bad Day To Be Sony

Comments Filter:
  • How to boycott? (Score:5, Interesting)

    by dada21 ( 163177 ) * <> on Tuesday November 15, 2005 @03:53PM (#14037254) Homepage Journal
    I'm not a "boycott!!!" kind of guy. When I was younger I used to be, but no one ever stuck to it. This "error in judgement" is definitely something that I am adding to my (really small) short list of company-groups I won't buy from. I already won't buy CDs without the "CD" logo. I won't buy Sony TVs or receivers for the last 4 years because of their terrible support policies. I won't buy anything from Menard's either. And now Sony music CDs are permanently out.

    How do those who are active boycotters stick to it? Do you actively pursue telling others, or is it just a "one person, one dollar, one vote" kind of life lead?

    I could care less if other people want to support Sony artists or Sony products. All mercantilistic (using government to acquire wealth) corporations are bad, but that doesn't mean that every business is bad. Sony has actually been one of the least mercantilistic corporation I've tracked over the years, but their releasing of items without proper quality control is what kills them time and again.

    And I believe that is the problem with this rootkit. Sony didn't test it properly. If they had tested it properly and kept it within its own little world on a customer's PC, I don't think the fallout would have been so excessive. They didn't test the product, they relied on the customers to do so. Luckily for Sony, the customers weren't happy and were vocal about it.

    That is the free market at work. People unhappy about a company or a product have much more of a voice with the web being so readily available. The more the Internet allows billions of citizens to align on different issues, the more we'll see that a free market "democracy" is better than a democracy built around the use of force.

    Vote with your dollars.
    • by Anonymous Coward
      Well, do what I do. First, I get really pissed: then I will have nothing to do with the product or service. For example, I've been boycotting for months now because of my disagreement with the modderation system. So,err, there! That's how you do it!
    • Re:How to boycott? (Score:5, Insightful)

      by jedidiah ( 1196 ) on Tuesday November 15, 2005 @04:00PM (#14037347) Homepage
      Nevermind boycotts. These sorts of shenanigans deserve nothing short of civil litigation and criminal prosecution. People should be showing up to the local DA's office with pitchforks in hand. Nevermind silly little boycotts.
      • by Anonymous Coward on Tuesday November 15, 2005 @04:16PM (#14037531)
        From TFA: "Microsoft said it would remove ... copy-protection software

        That's a clear DMCA violation.

        If DVD John gets in trouble for less, surely whomever at Microsoft decided to do this should suffer the same.

        • Excellent (Score:5, Insightful)

          by Anonymous Brave Guy ( 457657 ) on Tuesday November 15, 2005 @04:37PM (#14037742)

          Blockquoth the AC:

          That's a clear DMCA violation.

          Let's hope so. With a bit of luck, this case will demonstrate the idiocy of both draconian copy protection mechanisms and draconian anti-copying laws. If it becomes Sony vs. Microsoft, there will be a big, high profile case with both sides sending zillions of lawyers at each other and zillions of lobbyists at the government, ultimately with no winning option for either side since any outcome will hurt their corporate interests in the longer term even as it protects them in the short term. The government can't suck up to both parties forever, and public opinion is bound to sway against things like the DMCA, DRM, and so on the longer it goes on.

        • by Sloppy ( 14984 ) on Tuesday November 15, 2005 @05:28PM (#14038253) Homepage Journal
          That's a clear DMCA violation.
          No, it isn't. Sony's malware is not a "technological measure that effectively limits access" to the work, unless using their malware is required for accessing the work. That is, if you are able to play the music CD on a classic audio CD player, read the CD with cdparanoia, etc, then the CD simply doesn't really have access controls. The software in question is simply a bonus feature for MS Windows users, and only MS Windows users.

          Still, it's a great idea, and your perverted thoughts make me like you. :-)

      • Re:How to boycott? (Score:5, Informative)

        by Dammital ( 220641 ) on Tuesday November 15, 2005 @04:24PM (#14037614)
        Oh, I don't know... that smug feeling you get is worth something.

        Two years ago I stopped buying Belkin [] products after their routers started redirecting port 80 queries to their own adservers. Can't say that I miss 'em.

      • by Anonymous Coward on Tuesday November 15, 2005 @04:39PM (#14037767)
        [...] with pitchforks in hand. Nevermind silly little boycotts.
        Although I can quite understand your feeling, I think it's always wrong to resort to violence, and in my mind even to boycotts, if you haven't at least tried to talk to the other party.

        According to the feedback page [] for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect".

        I would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.

        • by swillden ( 191260 ) <> on Tuesday November 15, 2005 @04:52PM (#14037882) Homepage Journal

          According to the feedback page for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect". I would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.

          Yes, please call them.

          Several times.

          Per day.



        • by TheUnknownCoder ( 895032 ) on Tuesday November 15, 2005 @05:11PM (#14038078)
          Well, you all know how Sony treats its (ex-)customers, and calling them will get you nowhere. So instead of calling or emailing Sony, contact the US Department of Justice [] , and demand an action against Sony. They have never charged a big corporation with a computer crime, but I believe that Sony should be the first one, and let it set an example.
          • by MrNiceguy_KS ( 800771 ) on Tuesday November 15, 2005 @06:32PM (#14038838)
            I just sent them off an email and I'll call tomorrow when the switchboard is open. I'm sure I'm not the only one. Just remember, be polite and reasonable, and if using email, read over your message before you send it. Don't scream that Sony execs should be shot, just point out that Sony is breaking computer crime laws by damaging the security of thousands of computers. Point out their use of a fraudulent EULA that implies their software can be uninstalled. Mention that, even though they have recalled the CDs in question, the crimes have already been commited.

            I don't think it will help a whole lot if the DOJ gets 100,000 emails that all look like typical /. posts.

      • Re:How to boycott? (Score:5, Informative)

        by MisterLawyer ( 770687 ) <> on Tuesday November 15, 2005 @05:11PM (#14038076)
        This DRM trojan horse issue isn't the only reason to call up the militia! Sony has been sh*tting all over its customers for years. Take their EULA, for example:

        Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:

        1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

        2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

        3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

        4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

        5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

        6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

        7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

        8. You have no right to transfer the music on your computer, even along with the original CD.

        9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

        Refer to the following for details:

        (From a Brendan Ribera, Amazon Post)
      • by VENONA ( 902751 ) on Tuesday November 15, 2005 @05:36PM (#14038328)
        It's widely published that legal actions have begun in California, New York, and Italy. The Italian situation is not just some class-action lawsuit. A complaint was filed with a criminal investigation unit last Friday.

        "The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said in an e-mail interview.

        Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said."

        Sony has declined to comment.

        From: ty/story/0,10801,106064,00.html?source=NLT_PM&nid= 106064 []

      • by Moofie ( 22272 ) <> on Tuesday November 15, 2005 @05:56PM (#14038501) Homepage
        "Vote with your dollars."

        I don't have enough of them to matter.
    • Re:How to boycott? (Score:3, Insightful)

      by Anonymous Coward
      It's a lot easier to download something from p2p than to go out and buy it. Easy boycott.
    • Re:How to boycott? (Score:5, Insightful)

      by achacha ( 139424 ) on Tuesday November 15, 2005 @04:01PM (#14037354) Homepage
      Have to agree with you, I have added Sony to my very small list of companies not to buy things from. Yesterday I bought a camcorder from Canon even though both Canon and Sony were final runner ups, I put my 800$ on a Canon for one reason... Sony DRM is an insult to consumers and I am sure my miniscule decision will not matter but I feel good that I will not be giving money to a company that thinks it is ok to distribute a rootkit with their music CDs. And I actually checked the music CDs I was buying to make sure they were not from Sony. The only way we can have our voices heard is not by making noise but by not spending money ontheir products... when you affect their profits it hurts a lot more and while I am one person and my immediate actions will not even affect the company, I am hoping there are more people out there that believe in honest practices.
    • buy second hand? (Score:5, Insightful)

      by speedfreak_5 ( 546044 ) on Tuesday November 15, 2005 @04:01PM (#14037364) Homepage Journal
      I'm a music nut. I've tried the boycott thing with mixed results. But what has "worked" for me lately is buying CDs and vinyl second hand. Unfortunately, They may already have the money from the original purchase of the music, but if you buy second hand, someone gets money and you get a CD or record and the RIAA partners get nothing.
    • by saskboy ( 600063 ) on Tuesday November 15, 2005 @04:04PM (#14037404) Homepage Journal
      I just found the website claiming to lead the charge [] in the boycott.

      I've been including information I think is important about the Sony case on my blog too since the story broke, but other sites have much more detail. I just try to break it down so the average joe knows what's going on if their brain turns off at acronyms like DRM.
    • Re:How to boycott? (Score:5, Interesting)

      by enraged78 ( 931288 ) on Tuesday November 15, 2005 @04:12PM (#14037492)
      I myself have been boycotting CD's produced by the any label associated with the RIAA for the last three years. I have not purchased any CD's for myself, or as gifts for others. I do not plan to do so until three conditions are met. First, artists are properly compensated for their music. By properly compensated, I mean more than a nickel a disc, which works out to less than that due to 'questionable' accounting practices. Second, that that RIAA ceases all current lawsuits against users who "illegally" downloaded music, and returns all moneys garnered from users who "settled" with the racketeering, um, I mean consortium. Third, that the RIAA cease to destroy both public domain, and fair use policy. In order for the public to respect the RIAA's property, the RIAA needs to stop illegally extending copyright by purchasing politicians. Oddly enough, all this purchasing power seems to stem from the 12-18 year old market. That same market does not possess the ability to vote, and I find it rather strange that all their hard earned dollars are being redirected towards buying our public officials for the highest dollar. Sony products in general will no longer be purchased by me until these and many other wrongs are rectified. Their policies are criminal, their once good hardware products are now sub-par, and their greed is insurmountable. This is no longer a free market question. This is now a corporation buying legal power to function as a makeshift mob. I for one will not stand for it by purchasing thier products.
    • by Anonymous Coward on Tuesday November 15, 2005 @04:12PM (#14037496)
      If practically every kid who cracks into some network gets jail time; how about some criminal charges against whomever the idiot in Sony that approved this.

      Seriously - if some company hires a hitman to do illegal stuff they get in trouble. Why can Sony hack my network without any repercusions.

    • Re:How to boycott? (Score:5, Interesting)

      by SoCalChris ( 573049 ) on Tuesday November 15, 2005 @04:17PM (#14037542) Journal
      I quit buying Sony crap over a decade ago. I used to buy their products more often than other brands, because they used to be higher quality. Then, I had a string of high end Sony items go bad (Usually within about a month of the warranty expiring).

      I had a Sony cell phone (This was when cell phones were first starting to come out, and were about the size of a brick). It was several hundred dollars. I went through 7 of them before the warranty expired, and I finally replaced it with another brand. I had a laser disc player whose drive motor kept dying. I had a boom box whose tape drive never worked right, even after sending it in for work several times. Then I had a Sony AV receiver, that one day decided not to turn on, unless you picked it up a few inches and dropped it. After that string of bad products, that Sony wouldn't stand behind, it was easy for me to stop buying their crap.

      I don't actively try to dissuade people from buying Sony stuff, but if asked my opinion, I will gladly tell people about my experience with them.
    • Re:How to boycott? (Score:5, Insightful)

      by Zathrus ( 232140 ) on Tuesday November 15, 2005 @04:31PM (#14037686) Homepage
      How do those who are active boycotters stick to it? Do you actively pursue telling others, or is it just a "one person, one dollar, one vote" kind of life lead?

      If you actively pursue telling others you'll just annoy them and get labeled as a wacko. So it's pretty much up to you and your money. If the opportunity presents itself to discuss the topic without having to stretch for relevance (e.g. -- a friend/colleage/random stranger complains about a CD not working on their computer or something), then go for it. Otherwise keep to yourself. The only real exception here is demonstrations -- if you can get a reasonable number of people together then you don't look like quite such a loon; instead you look like a group of loons. But at least then you're in a flock.

      As for boycotting Sony specifically -- first, write them a note telling them why you're boycotting and what they need to do to end your boycott. The second part is extremely important -- if you don't give them a method to regain your money, then why should they even bother? And in that vein, it has to be reasonable. I don't expect Sony to never issue non-CDs with DRM. I do expect them to never use this piece of crap again and to fire/relieve from their existing duties any managers that were involved in the approval of XCD.

      Second, try to make sure you don't give them any money. If you want to be strict about it, then only punish Sony-BMG Music. That means no buying CDs from them. If you want to be more liberal then don't buy anything from any Sony division -- no CDs, no DVDs, no movies, no electronics (including PS2 and so forth), nothing whatsoever directly associated with the company. If you want to be even more liberal then don't buy anything that will funnel money to the company -- all PS2 games are licensed, so none of them. Similarly, many movies may use music that's owned by Sony, so start checking those music credits first! And if you want to be a complete whacko then avoid any thing that funnels money to them through cross-licensing, partnerships, and so forth. Given how big Sony is, if you take this route then I suggest you sit quietly in an open field and hope they break before you die of dehydration or starvation (pray for rain and small, harmless furry animals to wander nearby).

      At least send the letter and try to stick to your boycott, at whatever level you choose. They've already done a lot more than I expected by recalling the defective CDs. Now they need to post a public apology (from a Japanese company that's a big deal), post a non-ActiveX method on their website to completely and utterly remove the DRM (and the decloaking junk), and appropriately punish the management involved in this cock-up. That would make me happy at least.
      • by R3d M3rcury ( 871886 ) on Tuesday November 15, 2005 @10:34PM (#14040553) Journal
        "As for boycotting Sony specifically -- first, write them a note telling them why you're boycotting and what they need to do to end your boycott."

        Dear Sony,

        I am boycotting all Sony products until the following demands have been met.

        1. Give me a tool to remove the spyware from my system.
        2. Remove all infected CDs from stores.
        3. Replace all infected CDs that have been purchased with uninfected CDs free of charge.
        4. A public apology and a promise to never use DRM on CDs again.
        5. Susie Suh []. In a string bikini. At my place. Tonight.
        6. I'm having a little get-together this weekend and it would be great if Santana [] could be there and play a few songs.
        7. Three words: Dump Michael Bolton. []
        8. One...million...dollars.

        Thank you for your time.
    • Re:How to boycott? (Score:5, Insightful)

      by Milican ( 58140 ) on Tuesday November 15, 2005 @04:33PM (#14037713) Journal
      Well, I just bought a 32" TV 2.5-hours ago [] at Circuit City. It was between the Sony and the JVC. Both looked good and were at similar price points. Guess which one I bought? Thats right, I bought the JVC. Thats $500 less for Sony. All because of this XCP fiasco. They better wise up and remember that they are in the business of selling music and electronics. Not treating their computers like thieves and fscking up their computers.

    • Re:How to boycott? (Score:5, Insightful)

      by Esion Modnar ( 632431 ) on Tuesday November 15, 2005 @04:43PM (#14037816)
      People unhappy about a company or a product have much more of a voice

      I recall that a certain popular tax preparation software (TurboTax, that's it!) got into hot water when, in the effort to curb piracy, they started mucking with the customer's boot sector, or some such. (Couple years back.) They ended up retracting their software naughtiness, and doing a profound mea culpa.

      Anyhow, will these companies ever learn that the bad press from borking their customers' computers, will cost them much more than piracy ever will? Sure, they see piracy as a problem to be met with DRM, but they're losing all perspective. Their DRM hammer is leaving holes in the wall.

      Good will is a commodity which is built up slowly over many years, and can be lost overnight.

    • Re:How to boycott? (Score:5, Insightful)

      by Aumaden ( 598628 ) <> on Tuesday November 15, 2005 @05:02PM (#14037980) Journal
      Boycotting Sony BMG will have the same effect as boycotting RIAA.
      "Wah! Our profits aren't humungous!
      No, there's no boycott, its them pirates!
      Find an artist you like who is on one of Sony's labels (there are over 20 labels held by Sony BMG, so you should be able to find something). Take a few minutes to track down contact information for the artist. Now, write them and their agent a nice letter explaining how you really like their music, but are not buying their album because you don't want to risk being infected by Sony's defective copy protection. Let them yell at Sony.
  • Ouch (Score:4, Funny)

    by Anonymous Coward on Tuesday November 15, 2005 @03:55PM (#14037268)
    To have Microsoft call you on your bad business practices...
  • by Rude Turnip ( 49495 ) <[valuation] [at] []> on Tuesday November 15, 2005 @03:56PM (#14037287)
    I'd like to thank the fine folks at Sony for helping me decide which next-generation gaming console to buy (hint: It doesn't begin with the letter "P" or end in a "3"). It's a sad state of affairs when Microsoft has to come to the rescue and un-fsck your security blunders.
    • NOt to change your mind or anything, I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other.
      So the same people who make decisions for the music products are not the same people who make decisions at the playstation divisions .

      From what I hear, there is some pretty intense inside fighting going on between the people who make mop3 players, and the music division.

      • by Guppy06 ( 410832 ) on Tuesday November 15, 2005 @04:20PM (#14037568)
        "I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other."

        They're associated well enough to have the name "SONY" branded on them. Good enough for me.
      • by Rude Turnip ( 49495 ) <[valuation] [at] []> on Tuesday November 15, 2005 @04:31PM (#14037692)
        Let's look at this from the stockholder's point of view, as well as the customer's. If that type of conflict of interest exists between Sony's divisions, then that is telling me that management is *not* maximising shareholder value because the music division is harming the Playstation division by reducing the utility of the Playstation console.

        That tells me that the only way to increase shareholder value is to break Sony into at least two companies: the entertainment division and the electronics division. Each division will then float on its own merits without impeding the other.

        In a nutshell, we can add Sony's own *shareholders* to the list of people that are getting screwed by the management. My prediction? Look for a shareholder suit against the Board of Directors within 3 years to break Sony into two companies.
      • Quite the reverse (Score:5, Insightful)

        by Vainglorious Coward ( 267452 ) on Tuesday November 15, 2005 @04:32PM (#14037696) Journal
        I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other. So the same people who make decisions for the music products are not the same people who make decisions at the playstation divisions . From what I hear, there is some pretty intense inside fighting going on between the people who make mop3 players, and the music division.

        That sounds to me like more reason to boycott, not less - the impact is not compartmentalised, but spreads across their entire business. It also gives ammunition to those on the inside who are fighting against the shenanigans. Sony need to get the message that their actions don't just do damage to their CD sales business, they also create a serious dent in the Sony "brand" as a whole.

      • by anthonyclark ( 17109 ) on Tuesday November 15, 2005 @04:35PM (#14037723)
        I used to work at Sony back in the UK. The divisions are set up semi-autonomously, the thinking being that competition is good for innovation. Problem is, anything you think of that slightly invades the 'territory' of a more politically powerful division will be denied funding or just cancelled without explanation.

        Bitter? Why yes I am, thank you for asking.

        I worked project support for a great team of engineers who had some amazing ideas way ahead of their time. Can they use PS2 hardware? Write DVD related software? Other video related stuff? Nope. All because of inter-division competition. (I was intentionally vague on the those project descriptions) Then there's the snobby attitude towards software; once a project I worked on was forced to use a very expensive piece of hardware to do something they were already doing in software. Quelle Suprise, Sony couldn't sell the software and eventually the project was canned.

        I really can't believe Sony has survived into the 21st century.
      • by swillden ( 191260 ) <> on Tuesday November 15, 2005 @05:23PM (#14038198) Homepage Journal

        I would like to point out that at Sony's size, the different divisions have little or nothing to do with each other.


        Not that the people working in the other divisions, who didn't make such stupid decisions, deserve to be punished, but the way to stop companies from doing crap like this is to hit them where it will hurt the top-level decisionmakers: their stock price. To do that, you have to damage their profits, and the best way to do *that* is to decrease their revenues by not buying their stuff. If Sony's stock takes a 20% drop as a result of some decisions by the entertainment division, the C-level execs will take action, and if they don't then the board of directors will, and if *they* don't, the stockholders will. If it gets nasty enough, no one in Sony will ever again dare to do something that has even the remotest possibility of bringing that sort of shitstorm down on their heads.

        Not that I believe a lot of "boycott Sony" shouting and posturing on slashdot will really affect their revenues noticeably, much less their stock price. But still, the theory is sound, even if follow-through is insufficiently widespread to make any difference.

  • Thank god for Sony (Score:5, Insightful)

    by sedyn ( 880034 ) on Tuesday November 15, 2005 @03:56PM (#14037291)
    I'm all in favour of letting the average person know the truth behind what content distributors are willing to do to protect "their" property.

    Let us hope that people find out about DRMs before they saturate the market any further.
  • by LithiumX ( 717017 ) on Tuesday November 15, 2005 @03:56PM (#14037296)
    The DRM WANTS to be free!
  • by apflwr ( 930636 ) on Tuesday November 15, 2005 @03:57PM (#14037303)
    In the end it probably would have been cheaper and much less hassle to just let us download the damn mp3s.
  • by grub ( 11606 ) <> on Tuesday November 15, 2005 @03:57PM (#14037305) Homepage Journal

    Read the comments for this protected disc by Van Zant on the Sony label [].
  • by jenkin sear ( 28765 ) * on Tuesday November 15, 2005 @03:59PM (#14037321) Homepage Journal
    Looks like Sony crossed the threshold from nuisance to crime. While DOJ is almost certainly going to soft-pedal this, a savvy attorney general with political ambitions from a state unencumbered by Hollywood and the RIAA could probably ride this case into the governor's office....

    "Paging Eliot Spitzer [], Paging Eliot Spitzer, Mr. Spitzer white courtesy phone..."

  • Nooooo! (Score:4, Funny)

    by Anonymous Coward on Tuesday November 15, 2005 @03:59PM (#14037325)
    The Brotherhood of NOD has taken over 75% of the United States!
  • Vulnerability (Score:5, Insightful)

    by Anonymous Coward on Tuesday November 15, 2005 @03:59PM (#14037328)
    So we have a vulnerability on machines that was pushed out intentionally by somebody. We know who that somebody is.

    The question is, will they get punished for this by the authorities? The FBI and police seem to be happy to jail writers of virii or worms or those who spread vulnerabilities to unsuspecting systems. Why shouldn't the product manager responsible for this pay for his crime of making the nations computers even more insecure?

    Considering the rootkit is installed without owners realistically being aware, doesn't that make it equivalent to a form of worm, virus, or other type of nasty?

    I seriously believe that someone should be doing jail time for this. Such a punishment would make any other malfeasants think twice before thinking that they don't have to obey the law.
  • Get 'em good (Score:4, Interesting)

    by Anonymous Coward on Tuesday November 15, 2005 @03:59PM (#14037335)
    Go to [] or []

    Where it asks for the Artists name type in some diatribe

    Where it asks for the Album Title, type in more diatribe

    Where it asks for Store Name, type in yet even more diatribe

    Where it asks for email address try something that will cause them trouble such as or some chronic antispammer advocate.

    This will hopefully force Sony to make the "patch directly downloadable." ...since Sony says over 2 million disks containing the rootkit have been sold, that puts them under the gun for roughly U.S. $150 billion in damages :)

    Perhaps the copyright owners could offer to settle: have Sony repay all of the people who have been extorted for money because of filesharing (double for damages), and promise to stop all such activities in the future. That would only run them about $100 million, so it would be quite a deal.
  • Boycott Big Music (Score:5, Insightful)

    by drdanny_orig ( 585847 ) * on Tuesday November 15, 2005 @03:59PM (#14037337)
    I suggest people consider boycotting _all_ RIAA member labels, not just Sony. They just happened to be the fools who fell for this particular version. It's not hte implementation that's anathema, it's the concept of DRM. When in doubt, consult RIAA Radar []. Don't buy discs produced by RIAA members, it't that simple.
  • by The Rizz ( 1319 ) on Tuesday November 15, 2005 @04:01PM (#14037363)
    Why hasn't Sony been raided by the Feds, yet?

    If this had been an individual, or small business, you know they would already be behind bars awaiting trial for violating some law or another... possibly even being brought up on some sort of national security-related charges.
    ( Someone in a secure/top secret/classified government network has probably stuck one of these CDs into their machine at some point.)

    I want to know why the Feds aren't treating Sony like they would anyone else ... break into their offices, confiscate every single piece of electronics and CD in the place, and never give them back, ever (or at least, not until years after you've replaced everything).
    • by SilverspurG ( 844751 ) * on Tuesday November 15, 2005 @04:08PM (#14037440) Homepage Journal
      Because we live in a democratically elected plutocracy.

      By associating it with democracy, though, that makes it all better. We're all supposed to be happy that corporate profits supersede individual rights and property.
    • "Why hasn't Sony been raided by the Feds, yet?"

      Two words: campaign contributions [].
  • by Dante333 ( 25148 ) on Tuesday November 15, 2005 @04:01PM (#14037365)
    Now that I have already got GTA: Liberty City Stories for my PSP.
  • by Zocalo ( 252965 ) on Tuesday November 15, 2005 @04:03PM (#14037378) Homepage
    When the say "remove the rootkit CDs from the shelves" they mean just that; "rootkit CDs" specifically meaning those with "XCP-Aurora" installed and not with any other kind of DRM they are currently shipping. I wouldn't be at all surprised if they are even going to extend that to the specific version of "XCP-Aurora" people are complaining about on those CDs already known to contain it.

    What a shame that Scott Adams' "Weasel Awards" [] for 2005 have already been awarded. There's always 2006 I suppose, but this will probably have been long since done and dusted by then... unless it's still churning though legal systems in the US and elsewhere of course.

  • No Refund (Score:5, Informative)

    by rozthepimp ( 638319 ) on Tuesday November 15, 2005 @04:03PM (#14037379)
    From Sony regarding the XCP CD received today in an email: Sony has already addressed the issue of the security concerns via the Service Pack 2 update on our website. According to the terms of the EULA that you agreed to when first installing our software, you agreed to obtain and install any recommended updates. All major security vendors have and Microsoft have announced that the installation of the SP2 update removes their concerns over the original technology used on our CDs. Sony BMG does not offer a refund/return program for this product.
    • Re:No Refund (Score:4, Informative)

      by Intron ( 870560 ) on Tuesday November 15, 2005 @04:52PM (#14037888)
      All well and good? I downloaded Service Pack 2 and looked at it:

      strings -n 5 Update071105.exe |more

        deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

      Then I went and took a look at the zlib site []

      "zlib 1.2.3

      July 18, 2005

      Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately."

      Sounds like Sony needs to trot back and have a whole nother look at those "security concerns"
  • Silver Lining (Score:3, Interesting)

    by happymedium ( 861907 ) on Tuesday November 15, 2005 @04:04PM (#14037393)
    DRM is poised to intrude on our lives even more in the form of the HD-DVD/Blu-ray copy protection, Windows Vista, and the digital TV broadcast flag... isn't it about time Slashdot's least favorite acronym (besides SCO perhaps) got some bad mainstream press?

    This Sony incident could help convince consumers and businesses alike that intrusive DRM is a bad idea.
  • by Daniel Dvorkin ( 106857 ) * on Tuesday November 15, 2005 @04:05PM (#14037406) Homepage Journal
    ... for a political maneuver where you first propose something so outrageous that it's sure to get shot down, and then withdraw the proposal and advance something only slightly less outrageous? Like, let's say Senator Boughtandpaidfor introduces a bill requiring the death penalty for anyone who cracks a copy-protected CD, and when that gets the desired uproar, he says, "Oh, okay, let's compromise and make it fifty years in prison instead" -- and that bill passes because it's more "reasonable."

    Which makes me wonder what Sony's got coming next.
    • by Fnkmaster ( 89084 ) on Tuesday November 15, 2005 @04:42PM (#14037800)
      It seems related to a behavioral finance effect calling anchoring, which I believe was part of Kahneman and Tversky's Nobel-winning work. From Wikipedia:

      As a second example, according to Daniel Kahneman if an audience is asked firstly to memorise the last 4 digits of their social security number and then to estimate the number of physicians in New York the correlation between the two numbers is around 0.4--far beyond what would be expected by chance. The simple act of thinking of the first number strongly influences the second, even though there is no logical connection between them.

      Basically, people often don't have any absolute framework for judging what is reasonable in a particular situation, so their mind subconsciously focuses or anchors on the first number they see, even if there is no rational basis or relationship between the number presented and the judgment call being asked for.
  • Oops. (Score:3, Funny)

    by AWhiteFlame ( 928642 ) on Tuesday November 15, 2005 @04:06PM (#14037415) Homepage
    You know you screwed something up when Microsoft comes in and calls it a threat to the security of windows.
  • by guardiangod ( 880192 ) on Tuesday November 15, 2005 @04:09PM (#14037452)
    this.... []

    Disclaimer: In case those lawyers from Sony is not being work to death right now from all those demage lawsuit- I am joking.
  • Wow (Score:5, Insightful)

    by realmolo ( 574068 ) on Tuesday November 15, 2005 @04:13PM (#14037505)
    Sony really screwed the pooch on this one.

    They actually got the Department of Homeland Security to denounce them. I knew it had to be good for something ;)

    The great thing about all of this is that now that the Feds are aware of this evil DRM bullshit, they will start regulating it a little better. As it stands now, the DMCA basically give all the media companies "carte blanche" with regards to copy-protection schemes.
  • by RedLaggedTeut ( 216304 ) on Tuesday November 15, 2005 @04:14PM (#14037512) Homepage Journal
    Joe Random, hacker, reading slashdot:

    rootkit.. bad
    microsoft.. good
    hacker.. head explodes
  • by ncoder ( 517020 ) on Tuesday November 15, 2005 @04:18PM (#14037547)
    Download them from the net. It's much safer. ;)
  • by Starker_Kull ( 896770 ) on Tuesday November 15, 2005 @04:22PM (#14037596)
    About the only way DRM will be tamed (I think, in the long run, it will be eliminated completely, but that will take people completely rethinking intellectual "property" as a lega concept) is if it intereferes or damages an average person's system. That is perhaps the biggest "problem" with DRM - its many failure modes usually screw you out of your content - or in this case, screw up your system. And it's a great, wonderful problem, because all we need are a few more screw-ups like this, and average people will start to associate "DRM" with "Sucks/Breaks" and avoid it like the plauge.

    Go Sony! Do it again!
  • by threaded ( 89367 ) on Tuesday November 15, 2005 @04:30PM (#14037682) Homepage
    Was not the software used by Sony written by a UK limited company? Is not the commissioning and construction of such software illegal under UK law? (Computer Misuse Act 1990)
  • by Daedala ( 819156 ) on Tuesday November 15, 2005 @04:31PM (#14037695)
    These CDs have been out since mid-2004, according to Sony. Why hasn't this been noticed? Were they all bought off?

    This is what really disturbs me. Not "What was Sony thinking?" -- businesses can be really stupid. Not "How could they do this?" -- businesses can be really evil. Shit happens. Get over it. Bad security happens, whatever.

    However, I did have some trust (not much, but some) for the anti-malware establishment. I'm in infosec; I believe that even in the biggest and stupidest infosec company, there will be people with the hackerish instincts (i.e. lower-than-average sense of self-preservation) to blow the whistle. However, the failure of all the big anti-whatever companies to notice and/or do anything about this, with full year of lead time, demonstrates that they are incompetent at best, unethical at worst.

    I don't care, personally; I use a Mac. It's not a security panacea but it's a pretty darn good line of defense. Professionally, however, I feel downright ill.

    Kudos to F-Secure and Sysinternals. Where the hell were the rest of them?
  • by atomic_toaster ( 840941 ) on Tuesday November 15, 2005 @04:40PM (#14037781)
    Okay, I've fallen for your lines about downloading and not paying for mp3's "taking money away from artists", that downloading is illegal and immoral and God knows what else. Or maybe I've just gotten tired of trying to find a good copy of a song online. Or I might simply prefer to have a high-quality copy of my favorite album(s) so that, if for some reason my computer should crash, I can convert a new copy to MP3 and lose nothing but a little time.

    For whatever reason, I buy one of your CD's, pay the $18 CAD or thereabouts for a new release. But this is the computer age, I don't even own a stereo, so I want to play the CD on my computer.

    The first thing I notice is that the CD is DRM-ed to death so it's a pain in the ass to convert the songs to MP3 format; so much for listening to the music that I've bought on my iPod. (If I live in Canada, I may have also paid for this music twice, once through the purchase of the CD, and a second time through the levy on my iPod as "blank media".) Oh yeah, and for some reason, neither iTunes nor Winamp will play the CD.

    The second thing I notice (because who really reads the EULA?) while researching how to crack the DRM, is that, among other things, if my house is burgled I will have to delete all the mp3's from this disc. (Because, you know, a burglar would spend all that time copying the MP3's from my hard drive instead of stealing the whole damn computer. And man, if I own a laptop, they're just going to leave it on the desk and take my crappy TV instead...) Also, if I don't update the software whenever it prompts me to, I will lose all access to the music that I have purchased. And I can't listen to the music on a work computer, nor can I re-sell the CD that I have just purchased. WTF?

    But then my system crashes, and some virus I can't get rid of keeps me from accessing all the data on my hard drives that I haven't backed up in ages (of course). And how did this virus get on my system? Through a root kit that the Sony CD installed without even telling me it was doing so, thank you very much. ...

    Alright, Sony, now you've shot yourself in the foot. You've basically persuaded millions of CD buyers out there (you know, the people who were actually paying for your product?) that it's easier, safer, and plain old less annoying to yoink MP3's from thier favorite website or file-sharing program.

    Way to go.

  • by anandamide ( 86527 ) on Tuesday November 15, 2005 @04:43PM (#14037811)
    Did anyone look at some of the titles they chose to infect with this thing?

    Bob Brookmeyer - Bob Brookmeyer & Friends
    Horace Silver - Silver?s Blue
    Dexter Gordon - Manhattan Symphonie
    Ahmed Jamal - The Legendary Okeh and Epic Recordings

    Bob Brookmeyer???? Was Sony afraid of the cadre of L33t h4xx0r d00dz pirating their catalog of elderly jazz trombonists?
  • by Animats ( 122034 ) on Tuesday November 15, 2005 @04:46PM (#14037830) Homepage
    If you're a sysadmin cleaning this crap out of a big collection of computers, you're in a good position to file a criminal complaint with the Department of Justice. And you should. A crime has been committed.

    Jennifer Granick, executive director of Stanford University's Center for Internet and Society, sees this as a question of how well written their EULA is, a topic of much conversation in the media lately.

    But either way, she noted over IM, "if the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 usc 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony anytime soon.

    "The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."

    In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existance back to Sony, along with as yet unknown information about the compromised computers.

  • by kawika ( 87069 ) on Tuesday November 15, 2005 @04:50PM (#14037865)
    The Sony/XCP uninstall process requires you to fill out a web form that uses an ActiveX control. That control has several serious security issues including the ability to run arbitrary code and even a handy built-in reboot function. The ActiveX control gropes around your system and encrypts some information that is submitted in a hidden form field. Their privacy policy does not mention this.

    Feel free to go over there and try it yourself. If you install the ActiveX you can remove it in Tools, Internet Options, Settings, View Objects, "CodeSupport Control". Here's what they send you:

    From: contentprotectionhelp
    Sent: Monday, November 14, 2005 04:22 AM
    Subject: Re: ContentProtectionHelp Email Form

    Thank you for contacting Sony BMG Online.

    Sony BMG and First 4 Internet have released a Service Pack 2a update that addresses recent concerns surrounding the cloaking technology component on SONY BMG content protected CDs which use XCP technology. These components are not malicious nor spyware however to alleviate any concerns that users may have about the program posing potential security vulnerabilities the update removes the cloaking component from their computers. Please visit the link below to install the SP2a update.


    If you do not want to install the SP2a update and only wish to uninstall the DRM software, visit the form below using IE 5.0 (or higher) from the computer where the software is installed. After submission, you will be emailed a customized uninstall link within 1 business day (M-F).

          Your "Case ID" is: 9999999.

    TIP: The uninstall request form will require an ActiveX plug-in.
                    Also you may need to temporarily turn off any pop-up blocker
                    software on the PC.

    Thank you for the opportunity to be of assistance.

    The Sony BMG Online Support Team

    This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.

    - - - - -
  • by paj1234 ( 234750 ) on Tuesday November 15, 2005 @05:19PM (#14038150)
    It's an even worse day to be Sony, in the UK. Today's newspapers have headlines like "Sony accused of Internet rip-off" and "End to online bargains as Sony forces prices higher".

    According to The Times, "the practice of charging different prices to Internet retailers and high street stockists -- known as dual pricing -- was started by Sony and has been followed by other manufacturers." Here's the article:,,2-1872549, 00.html []
  • by RichMan ( 8097 ) on Tuesday November 15, 2005 @05:31PM (#14038283)
    If the CD is a valid music CD and will play in a standard player,

    Why is the operating system trying to run a program from the CD?

    You should be able to set the OS to treat music CD's as music CD's and ignore any other content.

    This is all due to MS advanced features messing the user over. Pressure should also be placed on Microsoft to treat music CDs as music CDs.

    Perhaps a configuration to easily switch between
    1. Play Music
    2. Access any Autorun features
    3. Offer option of 1 or 2
  • by Nkwe ( 604125 ) on Tuesday November 15, 2005 @07:39PM (#14039510)
    While everyone is whining (rightly so) about what Sony has done, why is there not obvious and loud whining about what Microsoft has done? How come by simply inserting a disk into a CDROM drive, Windows will read the disk and automatically execute code as a privileged user? The Sony DRM stuff is evil and hooks into and hides at the kernel level. It is more evil that kernel level drivers are automatically installed by Windows by the mere insertion of media with no user interaction or confirmation. There is no excuse for this.

Marvelous! The super-user's going to boot me! What a finely tuned response to the situation!