What effect has Sony's rootkit attack had on us?

As a general rule of thumb, I stay away from Sony.

Depends on what it is. I've never really had that much of a problem with Sony until this rootkit mess.

You have left me in the dust. Keep it as KISS.
Keep It Simple Stupid for me please.

-Kevin

Where were those wonderful people/organisations that should have bowled this one out the instant it appeared? The ones that take your money on a yearly basis, insist that you update twice a week and are forever preaching that the sky is falling?
I'm speaking of the Anti-Virus companies, all of them, and the Software Firewall companies. With all these "Security" companies telling us of the "possible" flaw in Windows, IE, iTunes, you name it, how did they ALL miss this obvious invasion? This was no theoretical flaw, this was a deliberate attack by big business!
How did a rootkit get installed without the AV program flagging suspicious behavior unless Sony had arranged for their root kit to be included in a list of "non-dangerous" occurrences?
Why didn't the firewalls shout that something, other than it's already configured allowable programs, was trying to access the internet, every time you played the CD?
I don't claim that OS X is bullet proof, however, it is a lot more difficult to drop one of these things onto a Mac and, right now, seems to require the cooperation of the user to get it there. It does appear that there may well have been a "playing down" of the news from the National media but this thing has been all over the internet since day one. As I mentioned in my first post, I have seen little reference to this affecting the Mac. Other than the link supplied by Bob, back about a week, that is the only report I have seen about there being a possibility of something being installed on an OS X machine. Remember the "security by obscurity" myth which states that with such a small market share, it is not worth writing a nasty for the Mac. Did Sony actually bother?
An interesting note about the rootkit was in the link supplied by Grim. The author, who has a very low opinion of the rootkit writer, mentions that the kit does not work on Windows driven by 64bit processors so the writer didn't bother to write (didn't know how?) for a low market share on the Windows side. Did he bother for the Mac?

Just a thought

Have a great Thanksgiving, all of you

P

Just got back home, 1,100 miles in 14.5 hours. a new personal record!

I have read posts that speculate on why anti-virus software didn't speak up, but most posts see it reversed. They figure that the AV companies don't consider programs from a large corp. to fit the profile of malware. It stands to reason that you have it the right way around. The software doesn't know where the malware came from unless it's told in an update to ignore THAT piece of software. I have not read anything from the ''protection racket'' companies explaining this.

From a post I read but can't rmember where;

''Sent an email earlier today to New Media Manager, Stein Vegusdal @ SonyBMG Norway.'' ...
...''Further he states that First4Internet is a Symantec-partner and that Symantec has posted it as not harmful.''

I wonder what he meant by ''partner''?

I have read reports that the DRM Rootkit will install on an OSX machine, but not without you typing your admin/PW.
Auto-Run for Windows, and the fact that many Windows users operate their machines as an administrator (equal to always booting as root in OSX), seems to be the security hole Sony is taking advantage of.

Sony's other DRM spyware, made by Sunncomm, is still being used on CDs made by Sony, and reportedly, is an issue for OSX. I went to their site http://www.sunncomm.com , and found some comical spin in the FAQ.

Q-Is there a way to remove your software from my computer?
A-Please note that MediaMax was designed to manage and safeguard the copyrights of specified artists' CDs while giving you an enhanced visual and listening experience. It does not interfere with or impact any of the normal operations and/or functions of your computer.

Hmmm. I guess that means no?

Q-Is there a way to remove the DRM files?
A-Please note that because the keys are very essential in controlling access to protected music, Windows Media doesn't allow anyone to have access to them directly. They are located in a license store file that is handled exclusively by Windows Media Player, in accordance with the way your Windows system is configured. Since those keys are very small and literally do nothing other than help the user play content that would otherwise be inaccessible, Microsoft never envisioned that anyone would have a desire to remove them. As a result, we do not have a way to tell the Windows Media Player to remove a particular key.

Still means no, I think.

I e-mailed them, explaining that I used OSX, and asked for either
A) removal instructions
or
B) the contact information of the attorneys who handle class action law suits on their behalf.

Here's the reply;

Hi Lampie, and thank you for contacting us. We appreciate your purchase of the copy protected CD and apologize for any inconvenience.
We appreciate your frustration in this matter. To address the questions surrounding the actual DRM files, the files are only loaded to your machine if you instruct them to do do. In order for that to have occurred, you must run the M4 application, accept the EULA, and then copy the songs to your hard drive via the MediaMax application. If you did not do this, then the DRM files were not loaded to your machine. However, if you did do this, then here is the procedure for removing them.
If you browse to Library -> Preferences -> DRM you will find any DRM files loaded, and they can be deleted from there.
Please let us know if we can assist you further.
Thank you,
Rob
SunnComm Tech Support

It appears that OSX is still pretty secure from SunnComm, if Rob's answer can be believed. I don't have a DRM CD to try it out, and you can bet I won't buy one in the future, so I'll just leave it as FWIW.

For Windows users, the problem is more complicated.
"Sony said in a statement Friday that SunnComm had removed the uninstall program from the Web, and was in the process of contacting 223 consumers who had downloaded it while it was available.
The security hole in the uninstall program was similar to one discovered with First 4 Internet's uninstall program several days ago.
In each case, Princeton University computer science professor Edward Felten and researcher Alex Halderman found that the uninstall programs responded to commands from their creators' Web sites, but would also respond to malicious instructions from other Web sites."

Some other things I found;

The CEO of First 4 Internet, Mathew Gilliat Smith, boasted to a European IT website -- ''IT Enquirer'' in July 2005, that their XCP-1 copy protection software is now in use by ''most of the large record labels around the world'' http://www.it-enquirer.com/main/ite/more/digital_rights_management/ .
Note that this Wired article http://www.wired.com/news/digiwood/0,1412,67696,00.html from May reported that First 4 Internet's clients include Universal Music Group, Warner Music Group and EMI, in addition to Sony/BMG.

In my opinion, the issue isn't ''Are Macs safe''? It's ''Who owns our computers''? We shouldn't ignore the issue or play it down just because our particular brand of computer isn't infected this time.
The issue is privacy. The issue is property rights. It's not a Mac vs. PC issue.
Am I the only one who sees it this way?

Lampie

You're absolutely right, this is about property rights, and if they do figure out a way to do this on windows in a legal way (or the courts side with them), then mac can't be far behind. It's not about the OS.

That being said, I would not trust apple and the online itunes store either. Here's the reason. Companies who sell digital music are very very interested in keeping tabs on those who purchase music from them, and controlling their use of that data. Apple has become a huge player in the online music business - they have been ranked as the 7th largest music retailer in the U.S. (not sure about here in Canada) recently, and growing. Apple has just as much reason to play the same game as sony - they are both in the music business. Plain and simple.

Apple does not own the rights to any music, and so has no digital rights issues except one.

Apple must satisfy the owners (record companies) that the music they sell won't be used to pirate the music. If Apple can't do that, they won't be liscensed by the owners to sell the music.
This is why you can't move song files from the iPod to a computer. It's also why they don't sell mp3's.

Lampie

Steve Jobs is a pretty smart guy, and keeps his cards well-hidden. It's hard to anticipate what direction he's going to go with things. Recent developments have me wondering what apple's true plans are for the future. The video-enabled ipod has opened a whole can of worms.

I recently had the tv on (a very rare occurence), and ellen degeneres' talk show was on. She was giving things away to her audience, and of course they were excited. One of the things they gave away was an ipod. It wasn't probably the most expensive item, nor in my opinion necessarily the best, but the audience reaction was unreal. They went hysterical. And the audience is mostly women. Apple is tuning into a huge market, women, largely ignored by other tech companies, and it's brand recognition there is beyond big.

I think they could do anything they choose at this point, and launching their own label would not be something I would be surprised to see them do. Once they do, don't be surprised if they try to 'protect' their rights.

Many years ago Apple found itself in a lawsuit against Apple Records, the label the Beatles used and I think, owned.
The problem was of course Apple Computer's name. Apple Records wanted them to change it.
If I remember correctly, The agreement was that they could keep the name, as long as they stayed out of the music business. I figured the music store wouold bring a lawsuit, but Apple Records didn't move on it. If Steve tries to start a label, You can bet Apple Records will be looking to own it, and because Steve already agreed in writing to stay out, I'll bet it would be a slam dunk.

Lampie

To my way of thinking this goes way beyond protection of copyright/fair use issues. I have seen computer pundits talk about this but have yet to see an explanation from Sony as to what all this was exactly supposed to do.

1 - we know it was supposed to limit copies.
2 - we know it somehow opened a backdoor on a PC.

Why the back door ?

Was this supposed to report to sony every time you played their CD ? Do we know if each individual CD track had an identifying code imbedded in it ? If so, then they could conceivably track any song released on a p2p network through sales records back to the individual who bought it. Only those who use cash and refuse to put their personal info into the computerized cash register could not be tracked.

As I said Sony needs to make a full disclosure of the intended use of the software. It strikes me as a big brother bug. Every time we click on a EULA we concede that the equipment is ours but the OS and other software that makes it run is someone else's. The reality is we have already LEGALLY accepted that these software companies can dictate how we use the software we thought we were buying but in reality are renting - one time renters fee to be sure but the EULA implies the software company can take the product away if we do not use it as they intended it to be used. Music, Movie and Book publishers are simply extending what the software manufacturers started.

Books, over the past 1/2 century, have had reproduction warnings on the inside cover. Xerox machines in libraries scared publishers to death. The reality was that a dime a page made it prohibitive to copy a book rather than buy one. Still, book resellers in many places are required to rip the front cover off of certain books to diminish the books value and mark it as pre-sold. The record stores used to do this with the notch in the album cover in the bargain bin section.

The problem of the old scenario in the new world is that we aren't making copies on a Xerox. We can take digital originals and make perfect copies of the original... and not at a dime a page either ! The question raised from our view as consumers is what is fair value for the product ? The content providers ask what is fair use ? Legislators listen to lobbyists and unfortunately forget they are there to really serve the interests of their constitutes (after all they tell us we own our land but charge us rent or "property tax" every year and reserve the right to take our land away if we don't pay - but thats for a different post).

The bottom line before any other issue is - to my way of thinking - disclosure. Sony failed to disclose the full features built into their product. In fact they are still not telling us all the facts about what it was designed to do. Proof of intent to deceive (wouldn't this be fraud? ) lays in the fact that the root kit installs whether you accept the EULA or not. The result is a modification of the way your PC works without your consent or notification. Vandalizing, graffiti, hacking all fall under this definition don't they ? The fact that these CDs have been out for close to 2 years compounds the fraud.

If Sony had disclosed the content on these discs and sold them for a lesser price would it have been fair ? If music and movie companies sold "full use" discs for twice as much would you buy them ?

BTW I saw on one article about sony that they have recently copyrighted software that would allow them to lock a disc to a player. The implication was if combined with a gaming platform (play station 3? ) that they could control what machine the game is played on and possibly charge a fee if you wanted to play the game at a friends house... all monitored on the internet I assume. Your machine breaks and they charge a fee to allow you to port over to a new machine ? Used game resellers pay a fee to void a registered serial number on each disc ? It's ironic that sony was part of the law suits involving VCRs back in the 1970's but now that they are content providers they fight to limit consumer use to maximize profits. Heck, in my house we buy a new PS2 controller every 6 or 7 months... the grey PS1 controller is still working after 8 years ! Video games... the electronic crack pipe.

grim

<<If you browse to Library -> Preferences -> DRM you will find any DRM files loaded, and they can be deleted from there.>>

Hmmmm... after reading through most of the postings in this link--especially this quote, I went to my Prefs (OS X 10.3.9) and found a file named DRM with and item named DRM.key in it--DOES THIS NEED TO FOLLOW MARGARET MITCHELL'S ADVICE AND MAKE IT GONE WITH THE WIND???

Lately, (sometime after my update to X 10.3.9) I started burning nothing but coasters on my iTunes LEGALLY purchased music--not until I just happened to used a BACKED-UP version of my pre-updated OS (OS X 10.3. on a FW drive have I been able to burn to CD. (After having a truck and several hundred dollars worth of "store-bought" music stolen from me--I prefer to keep a burned back-up copy in my truck now.)

I wonder if this file has had anything to do with all the coasters? Don't see it in the back-up copy that let's me burn my iTunes PURCHASED music... Hmmmmmmmm.....

BTW, it is dated 4/1/05--VERY FOOKIN' FUNNY APRIL FOOL'S DAY JOKE ON ME, HUH?

Rum

UH, as I write this, the news on TV is talking about extending the Patriot Act--though they claim new safeguards are being installed... BUT, THEN AGAIN, I'M FROM N'AWLINS--AND RIGHT NOW, THE PHRASE, "HI, I'M FROM THE GOVERNMENT (LOCAL, STATE, OR FEDERAL), AND I'M HERE TO HELP YOU", DON'T MEAN CRAP TO ME--NOT EVEN A COUPLE OF CASES OF MRE's WHEN WE HAD NO GROCERIES... roflmao
Rum
Still here and still surviving....

...but then, I like burning CD's AND using the most updated software.

I search all over the internet for someone with an infected mac, and here you are. What can you tell us about it?

On second thought, don't just throw it away. Make a copy of it, and any related files. I've sent you an e-mail with my email address on it. If you could send the files you found to me, I'd like to take a look at them.

Of course the next question is can we link your coasters to the DRM files. After you remove them, does your burner work?

Pete? Bob? Am I missing something? should he do something else first so no information is lost?

Rum, I'm glad to hear you are still there and kicking! NOLA hold's a special place in my heart, because the year I turned 21, I was living on St. Peter. Need I say more?
Make em rebuild, even if it turns into an island!


Hey come on, IT'S A STREET!


Lampie

That file, DRM.key is exactly what it says it is. I have one too and all because I purchased music from the music store and because my version of iTunes is capable of reading DRM encoded files from the Music Store.
If you have Keynote, the file has a keynote icon and when double clicked it launched Keynote, which claims is is corrupt, but puts up the media pane for Keynote showing purchased music in the iTunes Library.

Methinks the coaster issue is something else and not related to this. Note, there was never a mention of using a SONY CD, that I saw, in this post

P

Your question really bugged me, and the websites of all the major players seemed to be handling Sony with kid gloves, even today, so I did a little surfing.

The ''security'' companies it seems, had a gun to their head in the form of the DCMA.
There is a section of the Digital Millennium Copyright Act (DMCA) that deals with anticircumvention of devices put in place to protect content.

From Chilling Effects Clearinghouse
http://chillingeffects.org
The Digital Millennium Copyright Act (DMCA) is the latest amendment to copyright law, which introduced a new category of copyright violations that prohibit the ''circumvention'' of technical locks and controls on the use of digital content and products. These anti-circumvention provisions put the force of law behind any technological systems used by copyright owners to control access to and copying of their digital works.

The DMCA contains four main provisions:

a prohibition on circumventing access controls [1201(a)(1)(A)];
an access control circumvention device ban (sometimes called the ''trafficking'' ban) [1201(a)(2)];
a copyright protection circumvention device ban [1201(b)]; and,
a prohibition on the removal of copyright management information (CMI) [1202(b)].

I'd imagine that the security of our computers took a backseat to the DMCA, and still does. Since uncloaking of the DRM might be considered as against the DMCA, it would be risky to help us do it. Certainly, creating software that searches it out and removes it is a violation.
Gee, the DMCA sounded like a good idea at the time.

So Rumdunnitt? I never said to remove that file. I was never here. It was a guy who typed like me, honest. I sure hope the police catch that evil clown impersonator.

Lampie (Hi, I've never been here before) Clown

Lampie, Who thought that Sony wood stoop to this level!?
What happens to the Windows users when their system is effected and damaged?
Sounds like a class-action suit in the offing to me.
By the way, you guys are way over my head with this stuff. Yet, your link was really simple to understand. Thanks,

-Kevin

and don't quote me on this, but a root kit is a modification of the operating system kernel. As I understand it, this root kit creates a back door that allows access to your computer for anyone aware of the vulnerability. Virus software would not warn you of any access because virus ware needs to have a definition of any malicious code to look out for in order to warn you. It took almost 2 years for anyone to be aware of this root kit so little is known about it yet. Does it communicate with sony ? I don't know.

2 different programs are involved here. One is software that limits the amount of copies that could be made. this is pretty self explanatory. What the purpose of the root kit is I'm not so sure and have yet to see an explanation of it's purpose.

I am not sure but wouldn't a modification of the system kernel by a root kit from sony be a violation of MS copyright and Windows XP EULA ? Does a software company need to inform MS of any commercial program that modifies the MS OS ? Does this imply that MS was aware of the root kit if no legal action has been taken by MS ?

grim

Grim, Thanks for keeping it KISS: Keep It Simple Stupid.
Works for me.
Thanks,

-Kevin

It's tough to come up with a definition. Yours hits it pretty good.
I noticed that you limit it to what is installed on the users equipment. Was that deliberate? There are many ways to gather information without putting anything onto a person's computer. It's harder, and slower, but it can happen. Spyware on a server for example.
As I understand it, Google's "G-Mail will allow you to store a Gig before your mailbox is full, but Google will scan your e-mail, keep track of your searches and use all of this info to (according to them) put targeted ads on your screen. Spyware?

Your def would also include cookies.
This is why it's so hard to come up with a working legal definition. We don't want to be spied on, but we have uses for the technology. I wouldn't have a prroblem if I had to OK new cookies, but if every time the site want's to update a cookie I have to read an EULA, it's going to make internet banking, and internet shopping, a hard task.

What do you think?


Lampie

maybe we should we be looking at disclosure and what a EULA should tell you up front ? As I said on my other post it is a failure to inform or an attempt to mislead you that is disturbing. Just as there are laws re: what/how food ingredients should be listed, maybe the computer industry should be required to adhere to strict guidelines regarding what they must tell the consumer and how they must tell it. After all, Al Capone was busted for tax evasion... maybe companies like Sony should be busted for failure to disclose what a product does.

What incentive do companies have to be forth coming ?

Content providers, just like spammers and phishers depend on what the consumer doesn't know to achieve their ends. Make "social engineering with intent to mislead" a crime and we wouldn't have had this little hack from Sony hidden in the first place. Of course a law like this could really screw political careers as well...

grim

I think were gonna need a new definition for disclosure.

According to the EFF, http://www.eff.org/deeplinks/archives/004145.php
Sony's EULA pretty much covered what they did.
Well, it covered their butts, anyway. According to EFF lawyers, here's the breakdown of some of it.

If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

You have no right to transfer the music on your computer, even along with the original CD.

Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

So, they can put whatever they want on your computer, and if they change it, you have to install the updates. It's OK if it gives them a back door, and their not at risk if they leave the back door open.
Sounds like exactly what they did.

The question then is, when they hide that information in legalese, and bury it in fine print, is it still disclosure?
I'm not a lawyer, but since before I was old enough to sign a contract I was told that if I didn't read it - my though luck. If I didn't understand it - I shouldn't have signed it.
The only bit of hope is if a judge rules that the contract is not binding for some reason. Maybe because the things it asks for are not legal, or not possible, or something like that. As EFF states in the above link, Sony's EULA has changed the rules. Rights that we have enjoyed while owning a standard CD, through "Fair Use" and "First Sale", have been taken away now. Sony may not be able to do that legally in an EULA. Like I said, I'm not a lawyer.

I do know this;

When things get to the point where you have to read a 3 page contract to buy a $15 item that doesn't shoot, explode, or even plug into the wall, It's a bad day for the free market system. Business, the legal system, and the consumers need to sort some things out fast, or commerce is going to grind to a halt.

I have a better chance of getting my computer infected by clicking OK on the contract, than I do downloading pirate copies on the internet. For anybody with a Windows machine that really needs it for school or work, what are you going to do?
It almost looks as though Sony has become the marketing division of Limewire and BitTorrent. If one of them had gone public in the last few months, I'd have looked into which Sony and First4internet Execs. had the stock.

So, does the EULA cover it? Or should Sony be required to put a large skull and crossbones on the cover, AND the CD.

Were going to have a dictionary when we are done, but...

How do you define "disclosure"?

Lampie (just call me webster) the Clown

I know this is going to sound impotent and ineffective, after all, what can one person do against the giant corporations.

Money isn't everything but it sure is powerful in politics and the market place.

The one thing we always retain is our power to influence and change things we don't like by with holding our dollars. When all else fails, when software agreements like we are discussing seemingly force us to accept terms we feel unfair, possibly illegal or just flat out not right, we always have the option to disagree by not buying the product, or not buying any more from the offending company.

Well one person in this case exposed this problem and it has already forced some changes, though not good enough yet. Exposing the problem was the first step, but if consumers do not react against Sony by complaining and ultimately not buying Sony products, or if Sony did not at least fear these consequences from the market place, they would not have done a thing.

Individual voices do not effect changes, but collectively we do. I have learned from experience that letters to politicians and company's logically detailing our concerns without being abusive or sounding like crackpots, or becoming chronic complainers does get their attention fast. Especially when we promise not to vote for them or purchase their products until the right kinds of changes are made. It doesn't always take an avalanche of letters on a given issue either. Often it only takes a few.

Having said that - I will be writing my State and Federal reps and senators, appropriate Senate committees, and of course Sony to let them know my concerns and the need for legislation to fairly control this sort of thing.

At the same time it remains important to keep these discussions going and getting them spread to wider and wider audiences using the most widely/easily understood descriptions of the problem as possible.

Part of the reason I started the thread here, was that I wanted Mac users to understand the situation, and realize that it it's their problem too. Your point is also proven by the fact that when Sony was told about the problem (but it hadn't gone public yet), they did nothing, and denied everything.

From there to recalling the CD's, making removal software, and giving customers MP3's with no copy protection, was due to publicity. Sonys estimate of the sales lost if the story got bigger, and became a story even my grandmother would have an opinion about, got them woried. Oh yea, the Texas and California AG's might have helped too.

Sony realised that no one who knows the story is on their side. Their only hope is to make it a ''non-story'' as quickly as possible, so more people don't find out.
They also know that the public is fickle, and may just forget about it. A few well placed price drops for the Christmas shoppers will test just how strongly the public feels about a Sony boycot. Sad, but true (and effective).
The funny thing about it is that Sony stepped in it so many times, that the story got redundant, and it seems people stopped paying attention.
I wonder how many people know that the un-installer didn't, or that the second un-installer opened security issues, or that Sunncomm's un-installer was pulled for security issues after only a few hundred people downloaded it. Sony crashes on every lap, and no one will be watching by the time they finish the race.

I only own one Sony product at the moment, an older ''digital 8'' camcorder. It will be my last Sony product.

My Texas AG is already on the case without my prodding, and I made sure the Ohio AG's office was aware of what was going on while I was up there. (it's good to have family in government)

This Christmas is the time that will make it or break it money wise. If Sony doesn't see the result of their actions in the December sales report, they will know that they can do what ever they want.

Lampie

Sony never did make any removal software. All they did was issue a patch that made the files visible. It was up to you to figure out how to remove it and this is what caused a lot of CDROM players to stop working

P