I thought this BBC article gave a pretty good summing up of the state of play so far and the longer term implications.
It was also encouraging to read that the US Department of Homeland Security are on the case.
Sony, and others, might forget it at times, but it is our PCs that are being deliberately infected.
This has actually turned out to be a bit of a PR coup for Microsoft; they get to play the good guy in this scene.
The thing I find simultaneously funniest and most sickening about this whole Sony fiasco was the statement made by Thomas Hesse, who is president of their global digital business division. He said (and note, he came out with this gem quite a while after the shit had already well and truly hit the fan): “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
Those early viruses usually infected any disks you wrote, so the definition does apply. Worms back then were distinguished from virii by being spread through the net (like the Morris worm) but now that almost everyone is on the net, the distinction is not very significant.
Anyone laying odds that SONY will sue the open source developers from whom it stole for writing code that got SONY in a mess? :smack: (I think I’m getting too cynical.)
Something I’ve been wondering about, and am not entirely clear on for a bit. In their EULA, does Sony prohibit people playing their songs at Weddings (as in a live DJ at the reception) and such? (This was implied by an article linked here, in post 109) If so, they are being quite stupid. People will ask the DJ at such public events what the song/artist was, then go out and buy the album themselves. They have forgotten that in the grand scheme of things, THEY are the symbiote, WE (the consumers) are the host body.
One has to take into account that it was the UK-based First 4 Internet company that created the kit for Sony; knowing the chain of command, I do think that SONY is making sure that the First 4 Internet CEOs will soon get very comfy concrete shoes.
If so, they better not be the only ones.
Yeah, I think I’ll just swear off Sony crap for life, now.
Wait a second…what?
Does this mean that the whole “If you turn off autoplay you’re safe” is no longer correct?
Either way, fuck Sony and fuck the EFF.
-Joe
No, no, don’t include EFF in here. They’re one of the groups letting us know about this crap that Sony pulled. They’ve filed a class action lawsuit against Sony, and have been working hard to publicize this situation. See also the timeline at boingboing.net.
What you want to say is, fuck Sony, MediaMax and First4Internet (or whatever that other assholish company was).
WTF? “Users were vulnerable to this loophole even if they did not install the copy protection system on the music CD on their home computer.”
That makes no sense. If nothing is installed, then I fail to see how anything on the CD could possibly do anything to affect the security of the PC.
I think that story is inaccurate and/or poorly written. I bet they mean something like “The copy protection software that makes users vulnerable is installed even if the user does not explicitly agree to install it.”
I’m pretty sure keeping autorun turned off still keeps you protected.
Oops. I was mixing up EFF with one of the rabid anti-piracy groups.
-Joe
…and whatever you do don’t install the patch!!!
Total bullshit.
-Joe
If Autoplay is one hundred percent disabled, it’s safe. Make sure you use the registry key way to do it.
The EFF are the good guys, they’re the ones pointing out the patch has a flaw.
I see nothing in that link that indicates this malware will still be installed even if autorun is turned off.
If you have autorun turned off on a drive, then software on media in that drive will not be run or installed unless you manually start it. It doesn’t matter how clever they write the software, it simply will not be executed automatically. You might as well wave the disk in front of your monitor; no matter what is written on it, it will not run or install.
You mean holding the shift key down doesn’t work? Disabling the function in the CP doesn’t work? Only direct entry thru the Registry works? If so, got a cite for that?
http://blogs.msdn.com/oldnewthing/archive/2005/06/03/424802.aspx
Sometimes… it forgets.
The shift key works, but is subject to human error. Someone else uses your computer, bam.
Disabling the function on the CD icon in My Computer may not disable it for music CDs. I have been looking for the cite, as it was available a few months ago, but I can’t find it now. Basically? Sony uses the V1 of Autorun. The V2 behaves a bit differently, and is sorted by type; the V1 is the ‘is there a file named Autorun’ version. The V1 may not be stopped by the ‘by type’ disable, as that’s a V2 feature.
GPedit isn’t available on XP Home.
TweakUI works, though. But it’s doing the registry disable.
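The posts above recommend the registry route (which is what TweakUI writes) over the shift key or the per-drive-type checkbox. Here is an added example of what that registry disable actually consists of, written as a PowerShell audit-and-enforce script; it is not from this thread or from any of the tools mentioned. The registry path and the `NoDriveTypeAutoRun` value name are the documented Explorer policy and the bit layout follows the Windows drive-type constants (bit 5, 0x20, is CD-ROM); the function names and the choice to set all eight bits are ours. It assumes an elevated PowerShell session on a Windows machine.

```powershell
# Added example: audit and enforce the registry-based AutoRun disable.
# Not code from the thread or from TweakUI; helper names are assumptions.
# Requires an elevated session, since the policy lives under HKLM.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'

# Bitmask: a set bit disables AutoRun for that drive type.
# bit 2 = removable (0x04), bit 3 = fixed (0x08), bit 4 = network (0x10),
# bit 5 = CD-ROM (0x20), bit 6 = RAM disk (0x40); 0xFF covers every type.
$CdRomBit  = 0x20
$AllDrives = 0xFF

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null if the value has never been set.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-CdRomAutoRunDisabled {
    param([AllowNull()][System.Nullable[int]]$Mask)
    # An unset value means the default policy applies, which does not cover CD-ROMs.
    if ($null -eq $Mask) { return $false }
    return (($Mask -band $CdRomBit) -eq $CdRomBit)
}

function Set-AutoRunDisabledForAllDrives {
    # Create the policy key if it does not exist, then write the full mask as a DWORD.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $AllDrives -Type DWord
}

# --- Audit, then enforce if needed ---
$before = Get-AutoRunPolicy
if ($null -eq $before) {
    Write-Host "$ValueName is not set; AutoRun on CD-ROMs is NOT disabled by policy."
} else {
    Write-Host ("{0} is currently 0x{1:X2}; CD-ROM AutoRun disabled: {2}" -f `
        $ValueName, $before, (Test-CdRomAutoRunDisabled $before))
}

if (-not (Test-CdRomAutoRunDisabled $before)) {
    Set-AutoRunDisabledForAllDrives
    $after = Get-AutoRunPolicy
    Write-Host ("Set {0} to 0x{1:X2}; CD-ROM AutoRun disabled: {2}" -f `
        $ValueName, $after, (Test-CdRomAutoRunDisabled $after))
}

# Explorer reads this value at start-up, so log off or restart Explorer for it to take effect.
```

Two caveats a practitioner would want: the value under HKLM applies machine-wide, while the same value under HKCU\...\Policies\Explorer applies per user, and an audit should check both; and on the XP-era systems this thread is about, Microsoft later documented (KB 967715) that the policy value was not reliably honoured for every Autorun.inf case until the corresponding update was installed, which is consistent with the "sometimes it forgets" remark above.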
Sony, MicroMush, and Bad Apple all have egg on their face, and the RIAA will also. Sony’s greed and that of the other players will keep the pot boiling for a long time.
Sony’s rootkit really messed up the XPs it was loaded on when playing a Sony DVD with the offending copy protection program.
Unless, of course, Sony’s embedded crap in the “enhanced features” of the CD, so that if there’s, for example, a music video on the CD, and when you click on it to launch it, it sticks some crap on your machine or does a “phone home” to get a codec (or whatever) and implants the stuff that way. IIRC, virus writers have found ways to embed malware in image files and the like. Given Sony’s contempt for the consumer, it wouldn’t be surprising to me if they’d done something like that.
Oh, and apparently, the RIAA has decided that now they’re going to go after websites which list the lyrics to songs on them. So how you’re going to be able to find out what the frack the Britster’s warbling about on her latest CD without actually paying for the crap is beyond me.
Sure, if you manually run something from the disk, that’s as bad as having autorun turned on.
I’ve never heard of viruses in image files or codecs, but one way a video file can get you malware is via the mechanism to check digital rights. Basically it hits a URL to get the rights, but it could just as easily go to the URL of an executable somewhere.