Bad Day To Be Sony

Not only is Sony no longer selling the RootKit CDs, Arend writes "According to a USAToday article, Sony is to pull their controversial rootkit CDs from store shelves." A nice gesture, but a little late. bos writes "Sony's DRM rootkit has been found by Dan Kaminsky to have infected at least half a million networks, according to an article by Quinn Norton for Wired News. Dan has even put together some pretty pictures of the breadth of the infection." With so many people infected, it's unfortunate that wiredog writes "From The Washington Post comes the news that serious security flaws have been found in the software that Sony is distributing to users who want to remove the Sony rootkit. The article says: 'Because of the way the tool is configured ... it allows any Web page that the user subsequently visits to download, install and run any code that it likes.'" Oops. Even Microsoft is getting into the act. ares284 writes "Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows."
  • fp i hate sony (Score:0, Informative)

    by Anonymous Coward on Tuesday November 15, 2005 @03:54PM (#14037265)
    sony should die fp
  • Not to worry (Score:2, Informative)

    by Anonymous Coward on Tuesday November 15, 2005 @03:55PM (#14037281)
    I'm sure they'll find some sort of way [scotsman.com] to cheer themselves up...
  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday November 15, 2005 @03:57PM (#14037305) Homepage Journal

    Read the comments for this protected disc by Van Zant on the Sony label [amazon.com].
  • No Refund (Score:5, Informative)

    by rozthepimp ( 638319 ) on Tuesday November 15, 2005 @04:03PM (#14037379)
    From Sony regarding the XCP CD received today in an email: Sony has already addressed the issue of the security concerns via the Service Pack 2 update on our website. According to the terms of the EULA that you agreed to when first installing our software, you agreed to obtain and install any recommended updates. All major security vendors and Microsoft have announced that the installation of the SP2 update removes their concerns over the original technology used on our CDs. Sony BMG does not offer a refund/return program for this product.
  • by saskboy ( 600063 ) on Tuesday November 15, 2005 @04:04PM (#14037404) Homepage Journal
    I just found the website claiming to lead the charge http://www.boycottsony.us/ [boycottsony.us] in the boycott.

    I've been including information I think is important about the Sony case on my blog too since the story broke, but other sites have much more detail. I just try to break it down so the average joe knows what's going on if their brain turns off at acronyms like DRM.
  • Re:Hey Dan (Score:1, Informative)

    by Anonymous Coward on Tuesday November 15, 2005 @04:06PM (#14037417)
    RTFA. DNS cache is what he said.
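The "DNS cache" method the comment above refers to is DNS cache snooping: a resolver is sent a query with the Recursion Desired bit cleared, so it may only answer from its cache, and a non-empty answer means some client of that resolver has recently looked the name up. The following is an added example written for this page, not code from the article or from Kaminsky's own tooling. It builds such a query, classifies the reply, and decodes the answer section, all per the RFC 1035 wire format. The sample replies are constructed bytes, and the use of updates.xcp-aurora.com (the update host quoted in a later comment) as the probe name is an assumption about which names were worth asking for.

```python
"""DNS cache snooping, offline demonstration (added example, not from the page).

A query with RD=0 asks the resolver not to recurse; a resolver that still
returns an A record must have had the name cached, i.e. one of its clients
resolved it recently. The replies below are constructed for this example."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
PROBE_NAME = "updates.xcp-aurora.com"   # assumed probe name; quoted on this page as the XCP update host


def build_query(name, txid=0x1234, recursion_desired=False):
    """Return a wire-format DNS A query. RD is cleared by default so the
    resolver may answer only from its cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _skip_name(msg, off):
    """Advance past a (possibly compressed) owner name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def classify_response(msg, txid):
    """Classify the reply to a non-recursive query: 'cached', 'not-cached',
    'refused' (resolver rejects non-recursive queries) or 'mismatch'."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 0 and an > 0:
        return "cached"
    return "not-cached"          # empty answer, NXDOMAIN, SERVFAIL, referral only


def parse_answers(msg):
    """Return [(type, ttl, rdata)] from the answer section; A rdata as dotted quad.
    A TTL well below the zone's value hints at how long ago the name was fetched."""
    _, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rtype, ttl, rdata))
    return answers


def sample_cached_response(name, txid=0x1234, ttl=3600, ip="192.0.2.10"):
    """Constructed reply from a resolver that had the name cached: QR=1, RD=0
    echoed, rcode 0, one A record whose owner is a pointer to the question."""
    q = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8080, 1, 1, 0, 0)
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + bytes(int(o) for o in ip.split(".")))
    return header + q[12:] + rr


def sample_miss_response(name, txid=0x1234):
    """Constructed reply with an empty answer section (name not in cache)."""
    q = build_query(name, txid)
    return struct.pack("!HHHHHH", txid, 0x8080, 1, 0, 0, 0) + q[12:]


def snoop(resolver_ip, name=PROBE_NAME, txid=0x1234, timeout=2.0):
    """Send one non-recursive query over UDP and classify the reply.
    Only probe resolvers you operate or are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        msg, _ = s.recvfrom(512)
    return classify_response(msg, txid), parse_answers(msg)


if __name__ == "__main__":
    reply = sample_cached_response(PROBE_NAME)
    print(classify_response(reply, 0x1234), parse_answers(reply))
```

Two caveats a practitioner should keep in mind: a resolver that refuses non-recursive queries (rcode 5) tells you nothing, and a "cached" hit counts a resolver, not a machine, which is why the figure on this page is given in networks rather than hosts.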
  • by Oliver Wendell Jones ( 158103 ) on Tuesday November 15, 2005 @04:14PM (#14037518)
    American Express charges more than most major credit cards and companies that live on thin margins often times will not accept American Express.

    This is very prevalent at places like computer shows where they quote cash prices and charge a percentage extra to cover credit cards - American Express will almost always cost you more to use than a Visa or MasterCard in such a situation.

    To me, not taking American Express is a way of saying "we're doing everything we can to keep our prices as low as possible and pass the savings along to you!"

    Now, I'm sure that someone will point out that Wal-Mart accepts AmEx, but I'd be willing to bet you that someone from Wal-Mart went to AmEx and said "here's the deal - reduce your cost to us or you're out" - and I think we can all guess the outcome of that...
  • Re:LGPL and/or GPL? (Score:2, Informative)

    by LilWolf ( 847434 ) on Tuesday November 15, 2005 @04:17PM (#14037533)
  • by Guppy06 ( 410832 ) on Tuesday November 15, 2005 @04:18PM (#14037549)
    "Why hasn't Sony been raided by the Feds, yet?"

    Two words: campaign contributions [opensecrets.org].
  • Re:How to boycott? (Score:2, Informative)

    by Fishstick ( 150821 ) on Tuesday November 15, 2005 @04:23PM (#14037606) Journal


    If you believe a Sony Music product has a manufacturing defect, please call our Quality Management Department at 800-255-7514 (856-722-8224 in New Jersey).
  • Re:How to boycott? (Score:5, Informative)

    by Dammital ( 220641 ) on Tuesday November 15, 2005 @04:24PM (#14037614)
    Oh, I don't know... that smug feeling you get is worth something.

    Two years ago I stopped buying Belkin [theregister.co.uk] products after their routers started redirecting port 80 queries to their own adservers. Can't say that I miss 'em.

  • Just MHO (Score:1, Informative)

    by Anonymous Coward on Tuesday November 15, 2005 @04:28PM (#14037651)
    How do those who are active boycotters stick to it? Do you actively pursue telling others, or is it just a "one person, one dollar, one vote" kind of life lead?

    Good question.

    Work on the assumption that you are going it alone but don't be afraid to have an impact. When your friends ask your advice (and, like it or not, they will) tell them. Don't get evangelical--just point out how that company's policies can or might affect them. In Sony's case it is pretty easy: the best one can say about Sony is that they used to be great. Sony's big ticket items in particular are shoddy compared to what they used to be: I don't know anyone who has bought a Sony TV, stereo or computer in the last five years and been completely satisfied with it. They are also establishing a strong tradition of anti-customer business practices and technologies. Your friends aren't stupid, they can put the dots together and decide what a Sony TV is likely to mean in terms of being able to fully enjoy the next generation of media.

    For media, it is a lot harder. Shady businesses with dodgy products don't hesitate to hide behind dozens of brands and Sony/BMG is no exception. The best bet for music is to just assume that all media companies are Sony unless you know otherwise.

    Don't be afraid to use the influence you have. If you know lawyers, ask them about the legal ramifications. If you know record store owners, ask how it impacts them. Ditto for artists, politicians and systems architects. Don't tell them, let them tell you. What's more important than the immediate answer is to let them mull on the question.

    Finally, don't be afraid to discuss this around the water cooler. Again, don't get evangelical..just express your amusement and disbelief at Sony's actions. You would be surprised what you learn.

  • by Anonymous Coward on Tuesday November 15, 2005 @04:39PM (#14037767)
    [...] with pitchforks in hand. Nevermind silly little boycotts.
    Although I can quite understand your feeling, I think it's always wrong to resort to violence, and in my mind even to boycotts, if you haven't at least tried to talk to the other party.

    According to the feedback page [sonymusic.net] for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect".

    It would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.

  • by Anonymous Coward on Tuesday November 15, 2005 @04:40PM (#14037782)
    The war between states is what the southerners like to call the civil war as they viewed things with an emphasis on state rights. Big government did not come in until the 20th century under Theodore Roosevelt. I do not even recall a national income tax before WW1. Lincoln was not a radical liberal like those in the south believed. It was only a justification for the separatists to declare independence. Most of the big government came during the depression which was 70 years later.

    My macroeconomics class 101 that I learned was that governmental services are public goods. Public goods need to be run by the government since the private sector won't produce a public good if the free rider dilemma hurts profits. Without the public sector we would have a market failure. How would these free enterprises deliver their goods without roads? What if all we had were toll roads? How would they hurt prices? How about lack of schools since only the rich then could afford private schools? How efficient would your workers be if a third could not read? There is a reason why corporate offices are based in the US and not India or China even though outsourcing has started there. It's because Americans are more efficient because they are better educated. There is a vast difference in education between the poor and wealthy in China and India.

    The macro economy is inherently unstable and classic economic theory as you hold has been proven false time and time again. The market mechanism only magnifies the problem when a crisis hits the economy and government intervention with interest rates and bank regulations mixed with public goods that support business stabilize and help the market. It's a fact.
  • by Animats ( 122034 ) on Tuesday November 15, 2005 @04:46PM (#14037830) Homepage
    If you're a sysadmin cleaning this crap out of a big collection of computers, you're in a good position to file a criminal complaint with the Department of Justice. And you should. A crime has been committed.

    Jennifer Granick, executive director of Stanford University's Center for Internet and Society, sees this as a question of how well written their EULA is, a topic of much conversation in the media lately.

    But either way, she noted over IM, "if the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 usc 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony anytime soon.

    "The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."

    In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existence back to Sony, along with as yet unknown information about the compromised computers.

  • by kawika ( 87069 ) on Tuesday November 15, 2005 @04:50PM (#14037865)
    The Sony/XCP uninstall process requires you to fill out a web form that uses an ActiveX control. That control has several serious security issues including the ability to run arbitrary code and even a handy built-in reboot function. The ActiveX control gropes around your system and encrypts some information that is submitted in a hidden form field. Their privacy policy does not mention this.

    Feel free to go over there and try it yourself. If you install the ActiveX you can remove it in Tools, Internet Options, Settings, View Objects, "CodeSupport Control". Here's what they send you:

    From: contentprotectionhelp
    Sent: Monday, November 14, 2005 04:22 AM
    To: sony-bmg-sucks@invalid.com
    Subject: Re: ContentProtectionHelp Email Form

    Thank you for contacting Sony BMG Online.

    Sony BMG and First 4 Internet have released a Service Pack 2a update that addresses recent concerns surrounding the cloaking technology component on SONY BMG content protected CDs which use XCP technology. These components are not malicious nor spyware however to alleviate any concerns that users may have about the program posing potential security vulnerabilities the update removes the cloaking component from their computers. Please visit the link below to install the SP2a update.

          http://updates.xcp-aurora.com/ [xcp-aurora.com]

    If you do not want to install the SP2a update and only wish to uninstall the DRM software, visit the form below using IE 5.0 (or higher) from the computer where the software is installed. After submission, you will be emailed a customized uninstall link within 1 business day (M-F).

          http://cp.sonybmg.com/xcp/english/form9.html [sonybmg.com]
          Your "Case ID" is: 9999999.

    TIP: The uninstall request form will require an ActiveX plug-in.
                    Also you may need to temporarily turn off any pop-up blocker
                    software on the PC.

    Thank you for the opportunity to be of assistance.

    The Sony BMG Online Support Team

    This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.

    - - - - -
  • by Animats ( 122034 ) on Tuesday November 15, 2005 @04:51PM (#14037880) Homepage
    Sony isn't a Bush contributor. Here are the campaign contributions of Sony's CEO. [opensecrets.org] He donated to Kerry and Hillary Clinton, but not Bush.

    So Sony is in real trouble. Watch this turn into a criminal case.

  • Re:No Refund (Score:4, Informative)

    by Intron ( 870560 ) on Tuesday November 15, 2005 @04:52PM (#14037888)
    All well and good? I downloaded Service Pack 2 and looked at it:

    strings -n 5 Update071105.exe |more

      deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly

    Then I went and took a look at the zlib site http://www.zlib.net/ [zlib.net]

    "zlib 1.2.3

    July 18, 2005

    Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately."

    Sounds like Sony needs to trot back and have a whole nother look at those "security concerns"
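The check in the comment above (run `strings` over the update, read off the zlib banner, compare with the version zlib.net says is fixed) is worth automating when a vendor ships a "security update" that statically links third-party libraries. What follows is an added example written for this page, not code from the original comment or from Sony/First 4 Internet. It reproduces `strings -n 5` in pure Python, pulls out the version banners zlib compiles into deflate.c and inflate.c, and flags anything older than the minimum the page cites as fixed. The byte blob is constructed for the example; it is not content from Update071105.exe.

```python
"""Find the zlib version compiled into a binary and flag outdated ones.
Added example for this page; the sample bytes are constructed, not taken
from the Sony update."""
import re

# zlib embeds " deflate X.Y.Z Copyright ... Jean-loup Gailly " in deflate.c and
# " inflate X.Y.Z Copyright ... Mark Adler " in inflate.c; both survive linking.
ZLIB_BANNER = re.compile(rb"(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright")

# zlib.net, July 18 2005: 1.2.3 fixes potential security vulnerabilities in 1.2.1 and 1.2.2.
MIN_SAFE_ZLIB = (1, 2, 3)


def printable_strings(blob, min_len=5):
    """Rough equivalent of `strings -n min_len`: yield runs of printable ASCII."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group().decode("ascii")


def version_tuple(s):
    """'1.2.1' -> (1, 2, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in s.split("."))


def find_zlib_versions(blob):
    """Set of distinct zlib version strings whose banner appears in the bytes."""
    return {m.group(2).decode("ascii") for m in ZLIB_BANNER.finditer(blob)}


def vulnerable_zlib_versions(blob, min_safe=MIN_SAFE_ZLIB):
    """Sorted list of embedded zlib versions older than min_safe."""
    return sorted(v for v in find_zlib_versions(blob) if version_tuple(v) < min_safe)


def scan_file(path, min_safe=MIN_SAFE_ZLIB):
    """Convenience wrapper: scan a file on disk (e.g. a downloaded updater)."""
    with open(path, "rb") as f:
        return vulnerable_zlib_versions(f.read(), min_safe)


# Constructed sample: header-ish bytes, then the two banners a zlib 1.2.1 build carries.
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 32
               + b" deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly " + b"\x00" * 8
               + b" inflate 1.2.1 Copyright 1995-2003 Mark Adler " + b"\x00" * 8)


if __name__ == "__main__":
    for s in printable_strings(SAMPLE_BLOB):
        print(s)
    print("outdated zlib:", vulnerable_zlib_versions(SAMPLE_BLOB))   # ['1.2.1']
```

A banner match is a lead rather than proof: the string records the zlib source version that was compiled in, and a vendor could have patched the affected functions without bumping it. The converse is firmer, since a fixed version string cannot appear in a build that never received the fix.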
  • by bluGill ( 862 ) on Tuesday November 15, 2005 @04:57PM (#14037934)

    A rootkit is any set (which could be one) of software that an attacker uses to attack your (or other) computer and cover his tracks so you don't notice and cannot uninstall.

    This meets both definitions. It covers its tracks, and it allows Sony to prevent you from ripping the disk.

    A rootkit might include software to attack other computers, but the rootkit itself is whatever is used on YOUR computer AFTER it is cracked.

  • by Anonymous Coward on Tuesday November 15, 2005 @04:59PM (#14037955)
    It doesn't say that Microsoft will be circumventing the copy protection software. Just removing it from the PC. The CDs in question will still be copy protected.

    Nice try.

    While that's true, the whole copy protection mechanism can be bypassed by holding down the SHIFT key when inserting CD. That is a clear DMCA violation by Microsoft. Yes it's silly, I know.
  • by OneFix at Work ( 684397 ) on Tuesday November 15, 2005 @05:05PM (#14038019)
    You know, you're right...I don't know what got into me there...they would never do anything like that...

    Always make sure your hardware is within standard civilian specs...wouldn't want to have problems reading that satellite data if you needed to run out to Wal-Mart and replace a drive would you?
  • Re:How to boycott? (Score:5, Informative)

    by MisterLawyer ( 770687 ) <<mikelawyer> <at> <gmail.com>> on Tuesday November 15, 2005 @05:11PM (#14038076)
    This DRM trojan horse issue isn't the only reason to call up the militia! Sony has been sh*tting all over its customers for years. Take their EULA, for example:

    Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:

    1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

    2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

    3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

    4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

    5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

    6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

    7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

    8. You have no right to transfer the music on your computer, even along with the original CD.

    9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.

    Refer to the following for details:

    (From a Brendan Ribera, Amazon Post)
  • by TheUnknownCoder ( 895032 ) on Tuesday November 15, 2005 @05:11PM (#14038078)
    Well, you all know how Sony treats its (ex-)customers, and calling them will get you nowhere. So instead of calling or emailing Sony, contact the US Department of Justice [usdoj.gov] , and demand an action against Sony. They have never charged a big corporation with a computer crime, but I believe that Sony should be the first one, and let it set an example.
  • by Daedala ( 819156 ) on Tuesday November 15, 2005 @05:16PM (#14038122)
    The Sony Mac malware, as far as I can tell, required the user to look at the CD in Finder, double-click Start.app, and provide the administrator username and password. This is too much like work, especially since all I do with audio CDs is open iTunes, ping Gracenote (-- am pathetic traitor, conceded), and rip the CD to mp3. I doubt many Mac users go looking for the data track of an audio CD so they can install random unexplained Start.apps.

    I may be wrong in my characterization of the Mac version. I haven't seen it. But that's what the interwebs tell me.
  • by Sloppy ( 14984 ) on Tuesday November 15, 2005 @05:28PM (#14038253) Homepage Journal
    That's a clear DMCA violation.
    No, it isn't. Sony's malware is not a "technological measure that effectively limits access" to the work, unless using their malware is required for accessing the work. That is, if you are able to play the music CD on a classic audio CD player, read the CD with cdparanoia, etc, then the CD simply doesn't really have access controls. The software in question is simply a bonus feature for MS Windows users, and only MS Windows users.

    Still, it's a great idea, and your perverted thoughts make me like you. :-)

  • by VENONA ( 902751 ) on Tuesday November 15, 2005 @05:36PM (#14038328)
    It's widely published that legal actions have begun in California, New York, and Italy. The Italian situation is not just some class-action lawsuit. A complaint was filed with a criminal investigation unit last Friday.

    "The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said in an e-mail interview.

    Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said."

    Sony has declined to comment.

    http://www.computerworld.com/securitytopics/security/story/0,10801,106064,00.html?source=NLT_PM&nid=106064 [computerworld.com]

  • Door in the Face (Score:1, Informative)

    by Anonymous Coward on Tuesday November 15, 2005 @06:04PM (#14038584)
    I think the term is "Door in the Face" - as opposed to "Foot in the Door"

    Interesting synopsis here: http://www.as.wvu.edu/~sbb/comm221/chapters/twostep.htm [wvu.edu]
  • Re:What will work (Score:5, Informative)

    by SoCalChris ( 573049 ) on Tuesday November 15, 2005 @06:10PM (#14038632) Journal
    Harass customer service. It is not as effective but if a lot of people start consuming customer service with calls, again this costs them a measurable amount of money and also makes the VP in charge of customer service very angry. You want angry people at the same level in the company as the ones who are putting in things like the rootkit.

    I work for a company that writes software for call centers. Customer support calls cost an average of $3-$30 per call for a company. Lots of upset customers add up quickly.
  • by hazem ( 472289 ) on Tuesday November 15, 2005 @06:26PM (#14038794) Journal
    That would be the case for normal copyright infringement, which is a civil case. But doesn't the DMCA provide for criminal prosecution? In that case, the government could make a case against Microsoft for violating the DMCA by circumventing Sony's DRM system. It would be the US Government vs. Microsoft, not Sony vs. Microsoft.

    If I assault you and put you in the hospital, the DA can still make a case against me, even if you don't want charges pressed. Of course, your refusal to participate weakens the DA's case.
  • REPORT THE CRIME (Score:3, Informative)

    by spoonist ( 32012 ) on Tuesday November 15, 2005 @06:52PM (#14039063) Journal

    I know I'm jumping in WAY late in this conversation, but if just a few people see this and respond, it'll do some good.

    Go to the following sites and complain:

    Department of Homeland Security [dhs.gov] - Select "Security Threats"

    US Secret Service [secretservice.gov] - They do computer fraud cases.

    FBI [fbi.gov]

  • by iambarry ( 134796 ) on Tuesday November 15, 2005 @07:09PM (#14039234) Homepage
    I called 800 255-7514. Turns out its just an answering service. They refused to forward a message about defective CDs.

    However, they gave me another number to call : 212 833-8000 [google.com].
  • by AFCArchvile ( 221494 ) on Tuesday November 15, 2005 @07:20PM (#14039328)
    One now-odious trend that was started around 1995 was the "Enhanced CD", which was a multisession music CD with a primary redbook music session, and a data session that would be recognized as a CD-ROM when inserted into multisession-capable CD-ROM drives. I'm not that versed in how Enhanced CD tells the computer to recognize the data session, but I do know that the CD-ROM drive must be multisession capable (every drive after about 1996 is capable). When you inserted the CD into a Windows 95 computer, the data session would be loaded, and whatever was scripted in AUTORUN.INF would run. I'm inclined to believe that Microsoft had a hand in this by creating autorun, as that would not only make installing software easier, but would create the impression of a hands-free multimedia experience for all the luddites. Some Enhanced CDs contained things like music videos, movie cast interviews, and so on, but much more of this was devoted to promotional advertising.

    One other way to have music and data on the same disc was to have a "mixed-mode CD", which would have track 1 as the data and tracks 2-99 as music. Many PC games from 1996 onward did this, as having the CD play presented less CPU overhead than WAV/MP3/MOD music, and sounded better and more consistent from system to system than MIDI. Of course, these CDs ended up having track 1 used for data, which would sound like either silence or noise when played on a regular CD player, depending on whether the CD player would screen out the data track as noise.

    When the copy protection rush started to develop, music companies used the multisession hole combined with AUTORUN.INF in Windows to present "media players" that would obscure the music track and force the user to agree to a EULA and load some proprietary player to play less-than-CD-quality tracks with a monitored player that would phone home. When combined with a non-redbook CD-audio track that had spurious errors injected, this provided the "ultimate unrippable CD". Well, throw in Linux and Mac users either getting around the autorun hole or having their systems crash due to the protection, along with consumer outrage at not being able to play the "spurious error" CDs in any multi-speed CD player, along with this new debacle, and you have a big conundrum.

    Apple's OS X already has an option to show all sessions on a CD as different CD icons when a disc is loaded. Microsoft still hasn't done anything like this for Windows, nor have they considered ditching the security vulnerability that is Autorun.

    If I remember correctly, Macromedia was responsible for the whole "Enhanced CD" craze.
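The mechanism described in the comment above (a data session on a multisession disc, plus Windows acting on whatever AUTORUN.INF names) is simple enough to audit before a disc is ever inserted into an autorun-enabled machine. The following is an added example written for this page, not code from the comment or from any CD vendor. It parses an AUTORUN.INF and lists the directives that cause code to run: open=, shellexecute=, and shell\<verb>\command= entries. The sample file and the PLAYER\Start.exe path in it are constructed placeholders, not the contents of any real XCP disc.

```python
"""Report the code-executing directives in an AUTORUN.INF.
Added example for this page; the sample file below is constructed."""
import sys

# Constructed sample, modelled on the layout described in the comment above.
SAMPLE_AUTORUN = r"""
; constructed example, not a real disc's autorun file
[AutoRun]
open=PLAYER\Start.exe /autorun
icon=PLAYER\disc.ico
label=Enhanced CD
shell=play
shell\play=&Play
shell\play\command=PLAYER\Start.exe /play
"""


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}} with section and key names
    lower-cased, since Windows treats both case-insensitively. ';' starts a
    comment; duplicate keys keep the last value, as the shell does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_exec_key(key):
    """True for keys whose value is a command line Windows will run."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def code_execution_directives(text):
    """Return [(key, command)] for every directive in [autorun] that runs code.
    'open' fires on insertion when autorun is enabled; shell\verb\command
    entries fire from the context menu or as the default double-click verb."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items() if is_exec_key(k)]


def default_verb(text):
    """The verb the 'shell=' line makes the default action, if any."""
    return parse_autorun(text).get("autorun", {}).get("shell")


def audit_file(path):
    with open(path, "r", encoding="ascii", errors="replace") as f:
        return code_execution_directives(f.read())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTORUN
    for key, cmd in code_execution_directives(text):
        print(f"{key} -> {cmd}")
```

On the remediation side, the comment's point about Autorun stands: the directive that matters on insertion is open=, and the only Windows-side control at the time was the NoDriveTypeAutoRun policy value under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, set to 0xFF to disable autorun for every drive type; holding SHIFT during insertion (mentioned elsewhere in this thread) only suppresses it for that one disc.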
  • Re:How to boycott? (Score:3, Informative)

    by Koiu Lpoi ( 632570 ) <koiulpoiNO@SPAMgmail.com> on Tuesday November 15, 2005 @09:18PM (#14040173)
    Member of DMusic [dmusic.com] by any chance? If not, it's a great resource for non-RIAA music. And, there's a heated debate on the front page about this very rootkit.
  • by MiliusXP ( 861816 ) on Tuesday November 15, 2005 @09:51PM (#14040352)
    I don't know if this site is serious, but they claim to have a list with more than 20 infected titles. Here is the link: http://www.idiotabroad.com/2005/11/cds-affected-by-the-sony-bmg-spyware/ [idiotabroad.com]
  • Re:How to boycott? (Score:3, Informative)

    by Lehk228 ( 705449 ) on Tuesday November 15, 2005 @11:32PM (#14040856) Journal
    Sony makes components for lots of companies, however it is Nikon who uses Sony CCDs; Canon rolls their own for DSLRs.
  • by simon_hibbs2 ( 792812 ) on Wednesday November 16, 2005 @08:57AM (#14042659)
    Perhaps you should read some Adam Smith. He's widely regarded as the founding father of capitalist economic theory. He's a bit of a bugbear to socialists, but is often badly misrepresented. In fact he was insistent that regulation by government was vital if capitalist economics was to realise the maximum social good. He believed that capitalism is simply a means to an end, which is the welfare of the general population and the promotion of civil society. Much of the modern terminology we use in this area was 'invented' after his time, but the same ideas are there in his books.

    You are raising a straw man. Yes it's possible for capitalist theory to be taken too far, but in practice you won't find many people actually promoting such extreme forms of it. Well, outside the White House anyway.

  • by harlequin516 ( 722921 ) on Wednesday November 16, 2005 @05:24PM (#14047320)
    Libertarianism, with a Big "L", has more to do with freedoms of individuals. When Libertarians talk about free markets, rarely are they talking about multinational corporations; they don't believe in them. You are right about all the other stuff.