Bad Day To Be Sony 812
Not only is Sony no longer selling the RootKit CDs, Arend writes "According to a USAToday article, Sony is to pull their controversial rootkit CDs from store shelves." A nice gesture, but a little late. bos writes "Sony's DRM rootkit has been found by Dan Kaminsky to have infected at least half a million networks, according to an article by Quinn Norton for Wired News. Dan has even put together some pretty pictures of the breadth of the infection." With so many people infected, it's unfortunate that wiredog writes "From The Washington Post comes the news that serious security flaws have been found in the software that Sony is distributing to users who want to remove the Sony rootkit. The article says: 'Because of the way the tool is configured ... it allows any Web page that the user subsequently visits to download, install and run any code that it likes.'" Oops. Even Microsoft is getting into the act. ares284 writes "Microsoft said it would remove controversial copy-protection software that CDs from music publisher Sony BMG install on personal computers, deeming it a security risk to PCs running on Windows."
fp i hate sony (Score:0, Informative)
Not to worry (Score:2, Informative)
The natives are restless.. (Score:5, Informative)
Read the comments for this protected disc by Van Zant on the Sony label [amazon.com].
OUCH.
Today's article of LWN.net about Sony (Score:3, Informative)
No Refund (Score:5, Informative)
Re:How to boycott? Website (Score:5, Informative)
I've been including information I think is important about the Sony case on my blog too since the story broke, but other sites have much more detail. I just try to break it down so the average joe knows what's going on if their brain turns off at acronyms like DRM.
Re:Hey Dan (Score:1, Informative)
Re:[OT] Re:How to boycott? (Score:3, Informative)
This is very prevalent at places like computer shows where they quote cash prices and charge a percentage extra to cover credit cards - American Express will almost always cost you more to use than a Visa or MasterCard in such a situation.
To me, not taking American Express is a way of saying "we're doing everything we can to keep our prices as low as possible and pass the savings along to you!"
Now, I'm sure that someone will point out that Wal-Mart accepts AmEx, but I'd be willing to bet you that someone from Wal-Mart went to AmEx and said "here's the deal - reduce your cost to us or you're out" - and I think we can all guess the outcome of that...
Re:LGPL and/or GPL? (Score:2, Informative)
http://www.the-interweb.com/serendipity/index.php
Re:FBI? NSA? Homeland Security? (Score:3, Informative)
Two words: campaign contributions [opensecrets.org].
Re:How to boycott? (Score:2, Informative)
also
If you believe a Sony Music product has a manufacturing defect, please call our Quality Management Department at 800-255-7514 (856-722-8224 in New Jersey).
Re:How to boycott? (Score:5, Informative)
Two years ago I stopped buying Belkin [theregister.co.uk] products after their routers started redirecting port 80 queries to their own adservers. Can't say that I miss 'em.
Just MHO (Score:1, Informative)
Good question.
Work on the assumption that you are going it alone but don't be afraid to have an impact. When your friends ask your advice (and, like it or not, they will) tell them. Don't get evangelical--just point out how that company's policies can or might affect them. In Sony's case it is pretty easy: the best one can say about Sony is that they used to be great. Sony's big ticket items in particular are shoddy compared to what they used to be: I don't know anyone who has bought a Sony TV, stereo or computer in the last five years and been completely satisfied with it. They are also establishing a strong tradition of anti-customer business practices and technologies. Your friends aren't stupid, they can put the dots together and decide what a Sony TV is likely to mean in terms of being able to fully enjoy the next generation of media.
For media, it is a lot harder. Shady businesses with dodgy products don't hesitate to hide behind dozens of brands and Sony/BMG is no exception. The best bet for music is to just assume that all media companies are Sony unless you know otherwise.
Don't be afraid to use the influence you have. If you know lawyers, ask them about the legal ramifications. If you know record store owners, ask how it impacts them. Ditto for artists, politicians and systems architects. Don't tell them, let them tell you. What's more important than the immediate answer is to let them mull on the question.
Finally, don't be afraid to discuss this around the water cooler. Again, don't get evangelical... just express your amusement and disbelief at Sony's actions. You would be surprised what you learn.
Phone Sony about the problem (Score:5, Informative)
According to the feedback page [sonymusic.net] for Sony USA, you should call their Quality Management Department at 800-255-7514 (609-722-8224 in New Jersey) "if you believe a Sony Music product has a manufacturing defect".
It would seem reasonable to give them the courtesy of doing what they ask for, and phone them before doing anything else.
Re:[OT] Re:How to boycott? mercantilism (Score:1, Informative)
What I learned in my macroeconomics 101 class was that governmental services are public goods. Public goods need to be run by the government since the private sector won't produce a public good if the free rider dilemma hurts profits. Without the public sector we would have a market failure. How would these free enterprises deliver their goods without roads? What if all we had were toll roads? How would they hurt prices? How about lack of schools since only the rich then could afford private schools? How efficient would your workers be if a third could not read? There is a reason why corporate offices are based in the US and not India or China even though outsourcing has started there. It's because Americans are more efficient because they are better educated. There is a vast difference in education between the poor and wealthy in China and India.
The macro economy is inherently unstable and classic economic theory as you hold has been proven false time and time again. The market mechanism only magnifies the problem when a crisis hits the economy and government intervention with interest rates and bank regulations mixed with public goods that support business stabilize and help the market. It's a fact.
Has anyone filed a criminal complaint yet? (Score:5, Informative)
Jennifer Granick, executive director of Stanford University's Center for Internet and Society, sees this as a question of how well written their EULA is, a topic of much conversation in the media lately.
But either way, she noted over IM, "if the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 usc 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony anytime soon.
"The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."
In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existence back to Sony, along with as yet unknown information about the compromised computers.
About that uninstaller (Score:5, Informative)
Feel free to go over there and try it yourself. If you install the ActiveX you can remove it in Tools, Internet Options, Settings, View Objects, "CodeSupport Control". Here's what they send you:
From: contentprotectionhelp
Sent: Monday, November 14, 2005 04:22 AM
To: sony-bmg-sucks@invalid.com
Subject: Re: ContentProtectionHelp Email Form
Thank you for contacting Sony BMG Online.
Sony BMG and First 4 Internet have released a Service Pack 2a update that addresses recent concerns surrounding the cloaking technology component on SONY BMG content protected CDs which use XCP technology. These components are not malicious nor spyware however to alleviate any concerns that users may have about the program posing potential security vulnerabilities the update removes the cloaking component from their computers. Please visit the link below to install the SP2a update.
http://updates.xcp-aurora.com/ [xcp-aurora.com]
If you do not want to install the SP2a update and only wish to uninstall the DRM software, visit the form below using IE 5.0 (or higher) from the computer where the software is installed. After submission, you will be emailed a customized uninstall link within 1 business day (M-F).
http://cp.sonybmg.com/xcp/english/form9.html [sonybmg.com]
Your "Case ID" is: 9999999.
TIP: The uninstall request form will require an ActiveX plug-in.
Also you may need to temporarily turn off any pop-up blocker
software on the PC.
Thank you for the opportunity to be of assistance.
The Sony BMG Online Support Team
FKSZ
This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.
- - - - -
Sony CEO didn't support Bush in 2004 (Score:5, Informative)
So Sony is in real trouble. Watch this turn into a criminal case.
Re:No Refund (Score:4, Informative)
strings -n 5 Update071105.exe |more
1.2.1
deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly
Then I went and took a look at the zlib site http://www.zlib.net/ [zlib.net]
"zlib 1.2.3
July 18, 2005
Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately."
Sounds like Sony needs to trot back and have a whole nother look at those "security concerns"
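Added example, not part of the comment above and not Sony or zlib code: the same `strings` check automated in Python, looking for the banner zlib embeds in binaries that link it and flagging the two versions the quoted zlib.net notice says to upgrade from. The sample bytes are constructed for illustration and the function names are hypothetical.

```python
import re
import sys

# zlib embeds banners such as
#   " deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly "
# in binaries that link it; this is what `strings` surfaced above.
BANNER = re.compile(rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright")

# Versions the quoted zlib.net notice names as needing an upgrade to 1.2.3.
AFFECTED = {(1, 2, 1), (1, 2, 2)}

# Constructed sample: executable-like bytes with two embedded banners.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32
    + b" deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly \x00"
    + b"\xff\xfe\x10" * 8
    + b" inflate 1.2.1 Copyright 1995-2003 Mark Adler \x00"
)


def find_zlib_banners(data):
    """Return sorted, de-duplicated (component, version_tuple) pairs."""
    found = set()
    for match in BANNER.finditer(data):
        version = tuple(int(p) for p in match.group(2).decode("ascii").split("."))
        found.add((match.group(1).decode("ascii"), version))
    return sorted(found)


def audit(data):
    """Return (component, version_string, flagged) for every banner found."""
    return [
        (component, ".".join(str(p) for p in version), version in AFFECTED)
        for component, version in find_zlib_banners(data)
    ]


def needs_upgrade(data):
    """True if any embedded zlib version is one the notice names."""
    return any(flagged for _, _, flagged in audit(data))


if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for component, version, flagged in audit(blob):
        note = "upgrade to 1.2.3 or later" if flagged else "not named in the notice"
        print(f"zlib {component} {version}: {note}")
    sys.exit(1 if needs_upgrade(blob) else 0)
```

A binary with no banner is not proof that zlib is absent, since the strings can be stripped or the library linked dynamically.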
That is what a rootkit does (Score:3, Informative)
A rootkit is any set (which could be one) of software that an attacker uses to attack your (or other) computer and cover his tracks so you don't notice and cannot uninstall.
This meets both definitions. It covers its tracks, and it allows Sony to prevent you from ripping the disk.
A rootkit might include software to attack other computers, but the rootkit itself is whatever is used on YOUR computer AFTER it is cracked.
Re:Criminal charges against Microsoft too. (Score:1, Informative)
Nice try.
While that's true, the whole copy protection mechanism can be bypassed by holding down the SHIFT key when inserting CD. That is a clear DMCA violation by Microsoft. Yes it's silly, I know.
Re:FBI? NSA? Homeland Security? BullSh*** (Score:3, Informative)
Always make sure your hardware is within standard civilian specs...wouldn't want to have problems reading that satellite data if you needed to run out to Wal-Mart and replace a drive would you?
Re:How to boycott? (Score:5, Informative)
Sony's End User License Agreement requires the following things of all consumers who purchase this "content protected" music:
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.
Refer to the following for details:
Re:Phone Sony about the problem (Score:5, Informative)
Re:Where the hell were the anti-malware vendors? (Score:3, Informative)
I may be wrong in my characterization of the Mac version. I haven't seen it. But that's what the interwebs tell me.
Re:Criminal charges against Microsoft too. (Score:5, Informative)
Still, it's a great idea, and your perverted thoughts make me like you. :-)
Italian criminal probe requested (Score:5, Informative)
"The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chairman of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said in an e-mail interview.
Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said."
Sony has declined to comment.
From:
http://www.computerworld.com/securitytopics/secur
Door in the Face (Score:1, Informative)
Interesting synopsis here: http://www.as.wvu.edu/~sbb/comm221/chapters/twost
Re:What will work (Score:5, Informative)
I work for a company that writes software for call centers. Customer support calls cost an average of $3-$30 per call for a company. Lots of upset customers add up quickly.
Re:Criminal charges against Microsoft too. (Score:3, Informative)
If I assault you and put you in the hospital, the DA can still make a case against me, even if you don't want charges pressed. Of course, your refusal to participate weakens the DA's case.
REPORT THE CRIME (Score:3, Informative)
I know I'm jumping in WAY late in this conversation, but if just a few people see this and respond, it'll do some good.
Go to the following sites and complain:
Department of Homeland Security [dhs.gov] - Select "Security Threats"
US Secret Service [secretservice.gov] - They do computer fraud cases.
FBI [fbi.gov]
Re:Phone Sony about the problem (Score:3, Informative)
However, they gave me another number to call: 212 833-8000 [google.com].
Re:How about an OS that just plays a music CD (Score:3, Informative)
One other way to have music and data on the same disc was to have a "mixed-mode CD", which would have track 1 as the data and tracks 2-99 as music. Many PC games from 1996 onward did this, as having the CD play presented less CPU overhead than WAV/MP3/MOD music, and sounded better and more consistent from system to system than MIDI. Of course, these CDs ended up having track 1 used for data, which would sound like either silence or noise when played on a regular CD player, depending on whether the CD player would screen out the data track as noise.
When the copy protection rush started to develop, music companies used the multisession hole combined with AUTORUN.INF in Windows to present "media players" that would obscure the music track and force the user to agree to a EULA and load some proprietary player to play less-than-CD-quality tracks with a monitored player that would phone home. When combined with a non-redbook CD-audio track that had spurious errors injected, this provided the "ultimate unrippable CD". Well, throw in Linux and Mac users either getting around the autorun hole or having their systems crash due to the protection, along with consumer outrage at not being able to play the "spurious error" CDs in any multi-speed CD player, along with this new debacle, and you have a big conundrum.
Apple's OS X already has an option to show all sessions on a CD as different CD icons when a disc is loaded. Microsoft still hasn't done anything like this for Windows, nor have they considered ditching the security vulnerability that is Autorun.
If I remember correctly, Macromedia was responsible for the whole "Enhanced CD" craze.
Re:How to boycott? (Score:3, Informative)
Site with more than 20 infected titles (Score:2, Informative)
Re:How to boycott? (Score:3, Informative)
Re:[OT] Re:How to boycott? (Score:2, Informative)
You are raising a straw man. Yes it's possible for capitalist theory to be taken too far, but in practice you won't find many people actually promoting such extreme forms of it. Well, outside the White House anyway.
Simon
Re:[OT] Re:How to boycott? (Score:2, Informative)