Sony DRM malware

[casdave]

I only want to ask opinions and information about this, bit I imagine this thread will become very pitworthy very quickly.

Surfing one of my regular sites the following pooped up.

http://www.sysinternals.com/blog/200...al-rights.html

I don't pretend to understand much of this, but it seems pretty bad.

Anyone please explain in very basic terms things such as 'rootkit', and anything else that might be helpful to assist in working out how outraged or otherwise we should be.

[Big G]

cadave , I'm no expert on this stuff, but I read about this here and it seems to be a good general overview of the situation.

And I agree with you, it does seem pretty bad. What with this and things like PC game copy protection schemes, it seems like companies are making life miserable for honest customers to spite pirates who won't be effected in the long run.

[Revtim]

One should ALWAYS have autorun turned off, to prevent this and other malware from loading automatically into your machine.
http://www.annoyances.org/exec/show/article03-018

[Duke of Rat]

It's making waves, one of the front page stories if you hit Google News right now..

PC World is taking note, as are what appears to be all of the tech rags.

[Fillepe the Mexican]

This thing concerns me somewhat. First we are not safe from DRM with digital music and now we cannot even buy physical discs.

A good blog that perhaps makes it easier to understand for less technical folks is this from some guy at the Washington Post.

http://blogs.washingtonpost.com/secu...aids_hack.html

There is also Slashdot which has some good (and much bad) discussion.

Quote:

Originally Posted by Jussi K. Kojootti (Slashdot)

They do... This is their Minimum system requirements for content protected discs:

To listen to the music on this disc, you need a PC with the following minimum system requirements:

* One of the following operating systems: Windows 98SE, ME, 2000 SP4, XP Home or XP Pro
* Pentium II or higher with Windows 98SE, Windows ME
* Pentium III or higher with Windows 2000 SP4, Windows XP Home, Windows XP Pro
* at least 64MB RAM above recommended OS memory level
* CD-ROM/DVD-ROM disc drive
* Internet Explorer 5.0 or higher
* Microsoft DirectX 9.0 or higher with non-Windows XP systems (download)
* Logged in with Administrator rights

.. you need to be root to listen to music. Just amazing.

I think that last line is important. Really in the general course of your daily computing tasks there shouldn't be a reason to run with Administrator rights but increasing numbers of Windows programs now require that the user is a local admin. I heard that new versions of Winamp complain if installed as a user and now playing CDs as well.

Guess you are out of luck if you want to listen to Switchfoot (whoever they are) at work.

[Anne Neville]

A rootkit is a collection of tools that are used to hide an intrusion into a computer and possibly to give administrator-level access to someone.

This particular one sounds like it's hiding files and drivers used for DRM. Maybe it's theoretically possible that a hacker could exploit it and gain administrator access to your machine, but it doesn't seem to be intended for that purpose.

It also resists uninstalling, and can cause your CD driver to be missing from Explorer if you delete it. If I had this on my computer, I'd immediately take it to someone who knows what they are doing in a Windows registry and have them get rid of it.

[Jayrot]

UPDATE!

Sony to patch copy-protected CD.

Quote:

"We want to make sure we allay any unnecessary concerns," said Mathew Gilliat-Smith, CEO of First 4 Internet. "We think this is a pro-active step and common sense."

Yeah you fuckers are really trying to help out the consumer.

Too little, too late.

Fuckers.

[Armilla]

I notice from reading the news article on Sony patching the software is that they're not changing the way it functions, or the function it performs, but are only removing the code that attempts to hide it from the system. To listen to their CDs on your computer you'll still need to install it.

It makes me wonder what will happen if other publishers go down this route. If publisher X's software works in the same way will it be able to safely install if Sony's software is already there? If so, how will Sony's software react next time you insert a Sony CD?

This could end up with a situation where you need to have a separate PC to listen to each publisher's CDs since they all fight so viciously for the privileged position in the system drivers. And woe betide anyone who puts the wrong CD in - that'd probably mean a system rebuild.

The stuff about having to be logged in as an administrator to listen to the music is also totally ridiculous. We're having an uphill battle to convince people not to do that in the first place but if Sony link Admin rights to such basic functions as listening to music then the battle is lost. Malware and viruses will continue to flourish with this advantage.

Programs like Winamp assuing they'll have write access to their program directory doesn't help either. MS have had quite clear guidelines on this kind of thing out for years now and it's still astounding that otherwise professional and accomplished developers keep making the same mistakes. For the interested there's a Hall of Shame here for applications that make this mistake.

[Steve MB]

Quote:

Originally Posted by casdave

Anyone please explain in very basic terms

Sony executives have ordered their programmers to do the very same things that get 133t haquer d00dz sent to the pen. If the claim that there is one law for everybody actually meant anything, these executives and programmers would join the 133t haquer d00dz in Billy Bob's cellblock harem.

[sleestak]

I meant to open a pit thread about this but casdave beat me to it.

This is absolutely unacceptable. I emailed Sony about my displeasure including the fact that I will not buy any of their CDs anymore until I *know* that they are not going to pull this kind of crap. I am also emailing every artist that I on Sony that I will not buy any of their CDs with this kinda crap going on.

The funny thing is I am against file sharing. Now, with this kind of behavior, I am more than willing to think about doing illegal filesharing because I *WILL NOT* have this kinda crap installed on my computer.

Way to go, Sony.

Slee

[Jayrot]

Quote:

Originally Posted by sleestak

I meant to open a pit thread about this but casdave beat me to it.

This is absolutely unacceptable. I emailed Sony about my displeasure including the fact that I will not buy any of their CDs anymore until I *know* that they are not going to pull this kind of crap. I am also emailing every artist that I on Sony that I will not buy any of their CDs with this kinda crap going on.

The funny thing is I am against file sharing. Now, with this kind of behavior, I am more than willing to think about doing illegal filesharing because I *WILL NOT* have this kinda crap installed on my computer.

Way to go, Sony.

Slee

But they released a patch!

[Go You Big Red Fire Engine]

Wait, so because I am running linux I wouldn't be able to run one of these cd's in my cd-rom drive?
I would care, but the music they put out these days sucks anyway.

[Tabby_Cat]

Well, if you're running Linux, or Mac, or anything NOT AUTORUNNING FSKING CDs, then you're safe. >90% of the world, however, has autorunning CDs. THe autorun apparently modifies some windows APIs and replaces some drivers. Otherwise, it's a basic music CD. I don't know if there is any other protection on it, but I've heard Macs can simply do whatever they used to do.

I think the term "spyware" should be renamed. I don't so much mind the collection of my data (although it is a concern), but I mind the using of my computer resources and generally FSKING UP MY MACHINE. I mean, I'd like to think of myself as a generally more advanced computer user, and I probably could get this thing off my PC if I really tried, and had help from the internet, but honestly. "Keeping honest users honest?"

They're admitting that they want to annoy the people that feed them.

[Zabali_Clawbane]

I wonder if Sony could be prosecuted due to the fact that their program breaks some operating systems, and trying to remove it renders your CD ROM drive disfunctional?

[Tabby_Cat]

It depends on whether EULAs are accepted. It was stated in the EULA that by putting the CD into your CD drive you were consenting to install yadda yadda etc. I think that that's an abuse of contract law, but YMMV.

[Zabali_Clawbane]

It could be argued that since they knowingly put rootkits on computers, they damaged the security of numerous computers, and so broke the law(s) prohibiting such things couldn't it?

[DeadlyAccurate]

Quote:

Originally Posted by sleestak

The funny thing is I am against file sharing. Now, with this kind of behavior, I am more than willing to think about doing illegal filesharing because I *WILL NOT* have this kinda crap installed on my computer.

Yep. The harder they make on honest users, the more likely those honest users are to turn dishonest. So they don't even faze the pirates and only turn many otherwise honest people into criminals. "Well, I woulda bought that CD, but I can only play it on this one computer, and it doesn't even work right then. So I got it from [whatever place they stole it from]."

Tabby_Cat, what does FSKING stand for? I keep trying to think of likely acronyms, but nothing comes to mind.

[Tabby_Cat]

In the UK, they would. From the BBC

Quote:

If Sony BMG released XCP copy-protected CDs in the UK this oversight could leave the music company open to prosecution under the Computer Misuse Act because it made "unauthorised" changes to a machine, said net law expert Nick Lockett.

However, the problem is that it doesn't really "compromise" your security. It makes it harder to impossible for virus-scanners to detect viruses that exploit the $sys$ thing, but it doesn't affect the virus transmission vectors.

In addition, you "consented" via the EULA to have them make changes to your computer. I assume that the UK does not accept the validity of EULAs, because of the quote linked to above, but I believe that EULA has been approved of in the US. It is currently unknown if you can indeed consent to such an operation by software through consent via EULA, but I don't think the matter is likely to go to court - Sony has deep pockets, and can outlast any potential individual who would sue. And they would simply settle with any big company.


And "fsking" is just a made-up swear word.

[Zabali_Clawbane]

I was thinking more along the lines of potential criminal prosecution. At the least, they ought to tighten the laws so that other companies can't sneak such things into their products, even with EULAs.

[Revtim]

Quote:

Originally Posted by Zabali_Clawbane

I was thinking more along the lines of potential criminal prosecution. At the least, they ought to tighten the laws so that other companies can't sneak such things into their products, even with EULAs.

I'd certainly like that, but that would be legislation to protect the consumer, at the expense of business. Apparently consumers are simply filthy thieves now, and it seems all new legislation lately must treat them as such.

[fortytwo]

Quote:

Originally Posted by Tabby_Cat

In addition, you "consented" via the EULA to have them make changes to your computer. I assume that the UK does not accept the validity of EULAs, because of the quote linked to above, but I believe that EULA has been approved of in the US. It is currently unknown if you can indeed consent to such an operation by software through consent via EULA, but I don't think the matter is likely to go to court - Sony has deep pockets, and can outlast any potential individual who would sue. And they would simply settle with any big company.

I read through the article written by Mark Russinovich who was one of those who brought this to light and I understood that Sony only recently changed the EULA. Originally there was no mention of anything being written to your OS. So there are probably many people out there who unknowingly have this on their PC.

[treis]

Quote:

"We want to make sure we allay any unnecessary concerns," said Mathew Gilliat-Smith, CEO of First 4 Internet. "We think this is a pro-active step and common sense."

Jeez, getting caught red-handed and being forced to change now counts as being pro-active?

[mhendo]

Quote:

Originally Posted by Jayrot

UPDATE!

Sony to patch copy-protected CD.

Yeah you fuckers are really trying to help out the consumer.

Too little, too late.

Fuckers.

I also love the Sony guy's use of the term "unnecessary concerns."

What he's really saying is, "This is nothing to get your panties in a wad about, but we'll give you a ptach to stop you whining."

Fuck him and his fucking company. As others have suggested, the vast majority of copyright and DRM protection on modern media does very little except make life more difficult for the people who actually pay money for the product.

[catsix]

Quote:

Tabby_Cat said:
And "fsking" is just a made-up swear word.

File system check, used for examination and repair of file systems, on *nix operating systems. Running fsck is 'fscking'.

[ArrMatey!]

So you know, this is SOP for Sony. They have a tendancy to do the illegal until caught, then back-pedal and say, "Oh, your concerns are unjustified, but here's a fix, and... Oh! Look!" They then point out the windown and run from the room while the lawyers are distracted.

Case in point- It is (or at least, was 5 years ago) illegal to own a film company, distributer, and movie theaters. It's considered something of a 'vertical monopoly'. Guess who owns all three? Unfortunately, it's one of those things that isn't seen as hurting anyone, and no one really stands to gain by standing up to the giant on this. When there was murmuring about doing so, Sony began to change the names of the theaters they owned, to make it a little less obvious.

(Disclaimer: please don't ask for a cite- I was in film school when we were discussing this and reading actual paper newspapers.)

[Nanoda]

Quote:

Originally Posted by catsix

File system check, used for examination and repair of file systems, on *nix operating systems. Running fsck is 'fscking'.

And of course is often substituted as a swear 'cause it looks like one when you type it.

I'm with sleestak. I admit to using filesharing programs in the past, but if I found any songs that I liked, I bought the CD!!! (got at least 1/2 my collection that way). Now if I buy the CD it'll hack my PC if I put it in the drive? Forget that, no way!

[rayh]

Quote:

Originally Posted by Tabby_Cat

In addition, you "consented" via the EULA to have them make changes to your computer. I assume that the UK does not accept the validity of EULAs, because of the quote linked to above, but I believe that EULA has been approved of in the US. It is currently unknown if you can indeed consent to such an operation by software through consent via EULA, but I don't think the matter is likely to go to court - Sony has deep pockets, and can outlast any potential individual who would sue. And they would simply settle with any big company.

As far as I understand the situation in the UK, the EULA has never been tested in a court of law. When buying a product you have certain statutory rights, and you cannot give these rights away even by agreeing to a EULA. Some of the EuLA's try to circumvent your rights one way or another. Whether this is actually legal or not has never actually been proved.

[smiling bandit]

Quote:

As far as I understand the situation in the UK, the EULA has never been tested in a court of law.

I belierve the same thing applies in the US - it's simply never been tested.

[smiling bandit]

Quote:

As far as I understand the situation in the UK, the EULA has never been tested in a court of law.

I belierve the same thing applies in the U.S. It's simply never been tested.

[Tabby_Cat]

Errr.. it has indeed been tested in the US. ProCD, Inc. v. Ziedenberg. 86 F.3d 1447 (7th Cir., 1996). EULA was found to be legal, but there are still ways of deeming an EULA void, whether due to overly restrictive terms, or perhaps even a minor being unable to consent to the EULA.


I couldn't find any such case in the in the UK, however, "contracts of adhesion" are most certainly legal, and the EULA is a type of contract of adhesion. Regardless of the status of the EULA, it cannot take away the rights in the Sale of Goods Act and other statutory consumer protection.

However, there is nothing in the Sale of Goods Act that prevents you from contracting to have your computer modified, which is exactly what the Sony Malware does. If the EULA was indeed proven legal, you would have no recourse to rely on your "right not to have my computer fuxx0red", because there is no such right.


If I contract to have you bash my computer into sub-atomic particles, I am most certainly free to do so. This is vaguely akin to what Sony is having you agree to.


However, again, there is another issue, that if a term in a contract is especially onerous, that it has to be specially brought to attention, for example, having a "red hand" pointing to the term. Spurling v Bradshaw [1956] 1WLR 461 per Lord Denning (Mwhahaha). It is at least arguable that this term is particularly onerous, and that putting the consent into the EULA, regardless of the validity of EULAs, is not conspicuous enough, and therefore that term should be void.

If a minor, or someone without the ability to consent, opens the box etc, then everything I just said goes straight out the window.

WHEW!

[sleestak]

I found an update on Slashdot that is kinda funny.

Blizzard's Warden Thwarted by Sony's DRM

Basically you can use the rootkit Sony installed to get around the security spyware(rootkit?) that Blizzard installed to stop cheats for World of Warcraft.

Not funny in the 'Ha Ha' way, funny in the ironic way.

What is distrubing about this is that others are already using Sonys little rootkit in ways that I am sure Sony never expected.

Slee

[slaphead]

Quote:

Originally Posted by Tabby_Cat

However, there is nothing in the Sale of Goods Act that prevents you from contracting to have your computer modified, which is exactly what the Sony Malware does. If the EULA was indeed proven legal, you would have no recourse to rely on your "right not to have my computer fuxx0red", because there is no such right.


If I contract to have you bash my computer into sub-atomic particles, I am most certainly free to do so. This is vaguely akin to what Sony is having you agree to.

I'm not familiar with the terms of the EULA, but given that the purpose of the DRM is to prevent copying and so on, if it arses your PC up totally or exposes you to hacking, could you not have a claim on the lines that the product was not fit for the purpose it was sold to fulfil? This would be along the lines of you buying a cup of coffee with "warning! scalding hot liquid, consume at your own risk" written on it and then finding that it was not just scalding but contaminated with Paraquat.

[Zabali_Clawbane]

Quote:

Originally Posted by sleestak

I found an update on Slashdot that is kinda funny.

Blizzard's Warden Thwarted by Sony's DRM

Basically you can use the rootkit Sony installed to get around the security spyware(rootkit?) that Blizzard installed to stop cheats for World of Warcraft.

Not funny in the 'Ha Ha' way, funny in the ironic way.

What is distrubing about this is that others are already using Sonys little rootkit in ways that I am sure Sony never expected.

Slee

Wow! That is a weird "coincidence", since Sony owns Everquest and Everquest 2. They lost a LOT of customers to WoW. It wouldn't surprise me if it also caused WoW to malfunction in other ways, and crash.

[GaWd]

Quote:

Originally Posted by Zabali_Clawbane

I wonder if Sony could be prosecuted due to the fact that their program breaks some operating systems, and trying to remove it renders your CD ROM drive disfunctional?

Ya, that's it! Let's SUE the bastards!

Maybe if Sony weren't one of the largest companies in the world, didn't have one of the largest stables of attornies on-hand, and had a proven record of continually violating minor laws and rights of citizens, it would be a good idea. But they aren't all of the above, so it will do no good.

Additionally, if people would read their fucking EULAs, this might not happen so often.

Sam

[GaWd]

Quote:

Originally Posted by slaphead

I'm not familiar with the terms of the EULA, but given that the purpose of the DRM is to prevent copying and so on, if it arses your PC up totally or exposes you to hacking, could you not have a claim on the lines that the product was not fit for the purpose it was sold to fulfil? This would be along the lines of you buying a cup of coffee with "warning! scalding hot liquid, consume at your own risk" written on it and then finding that it was not just scalding but contaminated with Paraquat.

Just about every EULA in existence has a clause about any harm coming to your computer or the data contained within due to the install of the specific software essentially not being their fault. Most times, the EULA is just a backstop for them inc ase they really want to distance themselves from the effects of their software.

What we need is a good anti-EULA case, since to date we've had almost none.

Sam

[Zabali_Clawbane]

Quote:

Originally Posted by GaWd

Ya, that's it! Let's SUE the bastards!

Maybe if Sony weren't one of the largest companies in the world, didn't have one of the largest stables of attornies on-hand, and had a proven record of continually violating minor laws and rights of citizens, it would be a good idea. But they aren't all of the above, so it will do no good.

Additionally, if people would read their fucking EULAs, this might not happen so often.

Sam

You put words in my mouth there. I didn't say the citizens should sue, I said Sony should be prosecuted. There is a difference. I would like to see them pay legal penalties and get the laws tightened up so such things cannot happen again. That would be very nice, don't you think? I know it's not likely to happen, but I can still dream, can't I?

[Zabali_Clawbane]

Quote:

Originally Posted by GaWd

Just about every EULA in existence has a clause about any harm coming to your computer or the data contained within due to the install of the specific software essentially not being their fault. Most times, the EULA is just a backstop for them inc ase they really want to distance themselves from the effects of their software.

What we need is a good anti-EULA case, since to date we've had almost none.
Sam

Bolding mine.

I agree, and in essence that is what I have suggested.

[GaWd]

Unforutnately, Z_C, most of us need the software we are purchasing. In many cases, there aren't any safe or less violating alternatives that won't pull the same stunts in contract language. As a result, people are unlikely to take a stand and argue against the EULA.

I agree with your sentiments, however I think prosecuting by the state and suing by citizens would be as fruitless as Microsoft's prosecution and in this case even less likely to come out of it with a win of any sort. Sony was very quick to placate users with their patch, and most will say "Yay Sony! you're goo people!" and install the crap anyways.

Sam

[holmes]

I'm not sure that EULA applies to removing the software, that a. they didn't tell you they were installing, b. they hid and c. uninstalling it renders your machine non-funtional.

I don't see how SONY gets to hide behind is EULA, when they hid what they were doing.

[Zabali_Clawbane]

Quote:

Originally Posted by holmes

I'm not sure that EULA applies to removing the software, that a. they didn't tell you they were installing, b. they hid and c. uninstalling it renders your machine non-funtional.

I don't see how SONY gets to hide behind is EULA, when they hid what they were doing.

That's what I was thinking when I was hoping there was a way to prosecute them for this.

[Guinastasia]

Anyone know where I can find a list of artists signed with Sony so I can make sure to avoid their CDs?

(Which sucks, if Fiona Apple's latest CD is finally released. Dammit)

[mhendo]

Quote:

Originally Posted by Guinastasia

Anyone know where I can find a list of artists signed with Sony so I can make sure to avoid their CDs?

(Which sucks, if Fiona Apple's latest CD is finally released. Dammit)

Surprisingly enough, you can find the list of artists at the Sony Music website.

And Fiona Apple is indeed among them.

[Guinastasia]

D'oh. I probably should have guessed.

[Revtim]

I notice that Sony Music website does NOT mention Van Zant, the artists whose CD installed the DRM that led to its discovery. So just because it's not on the list, does not mean it won't this particular malware.

[Revtim]

..won't *have* this particular malware.

[Guinastasia]

Dammit, the SW soundtracks go through Sony. (Although I only saw one of them there).

I'm just seeing red by now. Even though I usually don't play my CDs on my computer, sometimes I like to.

(What happens for students using a computer lab who want to play their cds?)

[Hamadryad]

Quote:

Originally Posted by Guinastasia

(What happens for students using a computer lab who want to play their cds?)

More to the economic point: what happens for people who want to listen to ANY of the Sony/BMG catalog on their shiny new iPods?

[mhendo]

Quote:

Originally Posted by Hamadryad

More to the economic point: what happens for people who want to listen to ANY of the Sony/BMG catalog on their shiny new iPods?

...or other commercially available hard-drive-based compressed-music listening devices?

[Revtim]

Sony released some kind of patch who's stated purpose is to reveal the cloaked files (not even unistall them...) and there's reason to believe the patch does more that they aren't telling:

Quote:

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

http://www.freedom-to-tinker.com/?p=921

[Revtim]

Quote:

Originally Posted by Hamadryad

More to the economic point: what happens for people who want to listen to ANY of the Sony/BMG catalog on their shiny new iPods?

Turn off autorun, as described in my link in post #3. The computer should then treat the disc like any other CD, and be rippable to any player or to standard mp3 files.

If it's too late and they already allowed the malware to be installed, then I dunno. They might have to wipe their Windows and re-install it to get rid of that shit.