Important! Sony's putting the screw to you

[Arkady]

Below is information on Sony's rootkit that is buiried on some of their audio CDs. You should really read the following so that you may understand that it is very likely that your computer is at risk if you listen to Sony Cds.

---------------------------------------------------------------------------------------------------------
Sony (NYSE: SNE - news) has admitted that it included a stealth rootkit on some music CDs shipped in 2005 and has issued an update to remove the hidden software one day after it was discovered. The company had drawn criticism from security experts who warned that the technology could serve as a tool for hackers.


The nearly undetectable monitoring utility, part of the company's digital-rights management (DRM) technology, was aimed at preventing consumers from producing illegal copies of CDs. The software installed itself automatically in Windows systems whenever a CD was inserted. Any files contained in the rootkit are invisible and almost impossible to remove.

Security expert Mark Russinovich of Sysinternals discovered the hidden rootkit and posted his findings on the company blog on November 1st. Russinovich wrote that although he checked in his system's Add or Remove Programs list, as well as on the vendor's site and on the CD itself, he could not find uninstall instructions. Nor, he says, could he find any mention of it in the End User License Agreement (EULA).

Stealth Tactics

A rootkit is a set of tools commonly used by hackers to circumvent antivirus software and control a computer system. Most rootkits are engineered so that common PC monitoring mechanisms cannot detect them. The rootkits are designed to tuck themselves in to the most basic level of the operating system and remain hidden from users.

A Finnish antivirus company, F-Secure, reported that it had spent several weeks recently trying to find the cause of some unknown files reported by a user who suspected an audio CD as the cause.

Mikko Hyppnen, chief research officer at F-Secure, said hackers could use the rootkit to insert their own files by inserting a simple command at the beginning of the file name that would render them undetectable by most antivirus software. On the F-Secure blog, Hyppnen wrote that he heard rumors that Universal is using the same DRM system on its audio CDs.

Privacy? What Privacy?

Although industry analysts said they cannot fault Sony's motives, some saw the company's initial failure to disclose the hidden technology as a violation of U.S. copyright laws. According to Jared Carleton, an analyst at Frost & Sullivan, Sony is overstepping the fair-use clause that gives consumers the right to make backup copies.

"[Sony] is saying, 'No, we are not going to pay attention to U.S. copyright law that's been generally accepted for the past 30 years,' " he said.

Carleton likened the hidden DRM to malware, and said it was no different than adware and spyware. He said that if Sony was shipping DRM-protected CDs, the company needed to put a notice on its packaging. Consumers understand that artists should be paid for their music, he said, but he added that consumers don't like this type of secrecy.

Andrew Jaquith, senior security analyst at Yankee Group, said the company behaved badly and that there could be a backlash. He said that the desire to protect intellectual property is understandable, but that Sony should have been upfront about its DRM technology, and would have been better off using industry-standard software.

"I haven't seen a single positive comment about this and it makes them look at little slimy," Jaquith said. "They should have been above-board and should have used software that they hadn't cobbled together themselves."

On the Web page containing the update, which enables users to detect and remove the rootkit, Sony said its technology did not pose a security risk. "This component is not malicious and does not compromise security," the company's post said. "However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

The "fix" can be downloaded at http://cp.sonybmg.com/xcp/english/updates.html.

But wait, there's more...

http://techdirt.com/articles/20051104/180213_F.shtml

" The Sony rootkit saga continues. While the company released a patch that only took off the cloaking ability, but didn't actually help uninstall the software they surreptitiously installed, it seems that there are plenty of other problems with the "patch" as well. Ed Felten noted yesterday that there's a lot of other stuff in the patch, which Sony doesn't bother to tell anyone about. And, obviously, at this point, hearing Sony say "trust us, it's fine" isn't particularly reassuring. On top of that, the original researcher who discovered the rootkit has found that the patch could crash Windows on some computers. The chances are apparently pretty small, but they're there. The other thing he discovered is that, once again just like spyware products, the copy protection phones home to Sony, potentially passing on information, such as your IP address. To be fair, it doesn't look like it's doing anything bad when it phones home (just checking for updated lyrics and album art), but Sony certainly doesn't reveal anywhere that this action is happening, which should only raise more questions about why anyone should ever feel safe using a SonyBMG CD again. Of course, maybe that's the point. The record labels have regretted for years that CDs now play on computers (it was an afterthought to them), because that's what opened up this whole file sharing concept in the first place -- and, so now they're trying to make people think that CDs don't belong in your CD-ROM drive, and delivering sneaky malware might just be one way to get that point across."

-----------------------------------------------------------------------------------------------------------

If you think you may have been sonyed, you can go here http://www.sysinternals.com/Utilities/R ... ealer.html
They provide a rootkit detetction software that works quite well I am told.

[elasticwings]

Yet another reason to use Linux.

[Bone]

....."[Sony] is saying, 'No, we are not going to pay attention to U.S. copyright law that's been generally accepted for the past 30 years,' " he said.
....

I just have to put my 2 cents in here.
If Sony won't follow COPYRIGHT LAW, then why the hell should we consumers?

and my free comment:
Yet another reason why I won't own a win-doze machine.
LONG LIVE APPLE AND OSX!

[vertigo25]

Yet another reason to use Linux.

Except that these CDs won't play on Linux or Mac...

The thing that really torques me off about all of this crap is that the record companies keep saying that it's to secure their intellectual property, yet most of the people who are making (legal in the US) copies of their CDs aren't contributing one bit to the piracy problem. Piracy comes from pretty major outfits, mostly from overseas. But the record companies want to treat the consumer as a thief.

Anyway...

I doubt that ultimately there will be much backlash to this. It would be nice if there was, but I just don't see it happening.

[littlepockit]

Honestly people, you always get so worked up. How many of yuo have even bought cds in the last 6 months, much less from Sony? Psh.

[iblis]

Yet another reason to use Linux.

Except that these CDs won't play on Linux or Mac...

if someone would like to donate one of these evil cds to me, i'll happily write a utility to make it play on linux (sans rootkit), and host it on my sourceforge account.

[Bigun]

May Sony rot in hell...

[Hardcoregirl]

Would someone care to translate the above book into a paragraph easily understood by those of us without the geek gene?

I have a Sony Vaio, a sony digital camera and I love them.

I haven't bought a cd in quite a while, lol.

[iblis]

Would someone care to translate the above book into a paragraph easily understood by those of us without the geek gene?

I have a Sony Vaio, a sony digital camera and I love them.

I haven't bought a cd in quite a while, lol.

their music cds contain and install software that could allow bad guys to take over your computer and steal your porn.

[scarecrow]

Would someone care to translate the above book into a paragraph easily understood by those of us without the geek gene?

I have a Sony Vaio, a sony digital camera and I love them.

I haven't bought a cd in quite a while, lol.

their music cds contain and install software that could allow bad guys to take over your computer and steal your porn.

DAmn....so much for adding my new Mudvayne cd to my Itunes library.......


Take my porn will they? Fuckin corporate bastards can download their own!!

[iblis]

of course, none of this will in any way prevent me from getting a ps3. lol

[scarecrow]

of course, none of this will in any way prevent me from getting a ps3. lol

Here, here!

[Scorptrio]

Coming next: internet enabled toasters that charge your credit card every time you make toast, a little more for dark brown

internet enabled refridgerators which charge your credit card on a rate based on how much food is being chilled at the time

internet enabled cars which charge a road usage tax by the mile

internet enabled TVs which charge as you watch

internet enabled toilets which.... you get the idea

[iblis]

internet enabled toilets

already exist. trust me on this one.

[Mercurygriffin]

I say we go back to the days of traveling musicians and you can only buy the music if you see them live or you can download it for free but you get no liner notes or extras. If the bands took more of the work on themselves and simplified it down a bit then I think things would be better. Sound is free but to be entertaining is the real work. You can be in the studio for hours and make something perfect but to be on stage and do it live with lights, instrements, and all other necessary equipment is really hard. Then do it everyday like it is a job. Then I will buy your music if it is good. Otherwise you are just doing the same as so many others that we will never know because of the lack of corperate sponcership. Take out the corperations and it becomes something new that feels like something from long ago, only better.

[Spam]

internet enabled cars which charge a road usage tax by the mile

I actually like that idea.

[Nigredo]

I thiNk we have one of those buGs in our computer.

[elasticwings]

Coming next: internet enabled toasters that charge your credit card every time you make toast, a little more for dark brown

internet enabled refridgerators which charge your credit card on a rate based on how much food is being chilled at the time

internet enabled cars which charge a road usage tax by the mile

internet enabled TVs which charge as you watch

internet enabled toilets which.... you get the idea

Most of this is already being paid for by you anyways. Tv, fridge, and toaster requires you pay for electricity. Everybody whether they drive or not pays some kind of tax to pay for all the construction that goes on I-40. Toilets require water and sewage to be paid for. I would imagine that you are taxed on your bills. Not 100% certain about the utilities since they are city owned, but you might pay state tax on them.

[junkie christ]

of course, none of this will in any way prevent me from getting a ps3. lol

agreed
and sony has released maybe two cds in the last few years i would buy anyway
long live the underground.

[Bigun]

lol... they found a way to use this malware to cheat in World of Warcraft:

http://www.theregister.co.uk/2005/11/04 ... s_wow_bot/