New Sony CD's install rootkit Options

[*mipadi*]

Well, this isn't kosher:

Mark Russinovich, of SysInternals.com, has discovered a so-called "rootkit" which is installed by Sony's new digital rights management-protected music compact disks (CDs). A rootkit is a common name for malicious software that is used by hackers or criminals to gain access to a computer system and be able to clandestinely run other malicious code. Rootkits frequently contain hidden and hard to remove files and are designed to be difficult for the user to remove.

Russinovich classifies Son'y malware as a rootkit because it introduce several serious security holes, one of which is intended to be exploited to hide files and prevent the user from removing them. In particular, all executable files which begin with '$sys$' are hidden when the software is installed. He points out that these security holes could be exploited by hackers, or other malware producers besides Sony.

Russinovich explains that naively removing the files will result in a crippling of the operating system on the user's computer. He provides an explination of the difficult step required to remove Sony's malware.

Playing the same CDs under Linux or on a non-computer based CD player remains safe. As removing Sony's malware may violate the DMCA, ripping the CDs under Linux may be the best legal option for those who wish to listen to them under Windows.

The software is automatically installed when a Sony CD is played on a computer, and is not mentioned in their EULA. The rootkit appears to have been commercially developed by First 4 Internet and lisenced to Sony.

Read

[*kryogenix*]

It's a commercial rootkit too :(

[edit]

http://www.f-secure.com/weblog/archives/archive-112005.html

removal

[*mipadi*]

This really bothers me. I'd like to say that I don't understand how companies like Sony can justify breaking the law and stamping on the rights of consumers, but then I remember that they are a corporation who undoubtedly feels they are above the law.

Now's the time when consumers need to wake up and realize what companies are doing to them, and actually do something about it.

[uLoVeMikeRoch]

I saw this somewhere too. Engadget or hackaday. I think this is stupid. Why would Sony do that? The funny thing was, the guy who found out about this was the music the guy was listening.

[*mipadi*]

I guess a lawsuit has encouraged Sony to stop producing such CD's, but Sony still argues it has a right to protect its music. There are several quotes from these articles that bother me a bit:

"Sony said it had a right to stop people illegally copying music, but added that the halt was precautionary." [1]

I think Sony has some right to protect their music, but their rights end where mine begin; not only do I have certain fair use rights (which I won't even get into at this point, since those have all but disappeared a long time ago), but Sony doesn't have the right to break my machine in order to have their music protected. (I mention this only theoretically, of course; since I don't run Windows on my laptop or various desktops, Sony's CD's don't technically do anything to my computers--even play.)

"Mathew Gilliat-Smith, the CEO of First 4 Internet, the company that created the software, claims it is 'benign content.' Meanwhile, in an NPR interview, a spokesman for Sony said, 'users don't know what a rootkit is, and therefore, don't care.'"[2]

Firstly, the software clearly isn't "benign," as it can allow other viruses to piggy back on top of it; secondly, I find it arrogant and ignorant that Sony says it doesn't matter because people don't know what a rootkit is. Whether they know what it is or not is trivial--it can still do damage. (In fact, not knowing what it is probably leaves one open for more damage.) Most people also don't know what ebola is, but it will kill them just the same.

Actions like this make me think it's about time we, as consumers, stop purchasing DRM-protected music. If someone like Sony is going to trample on consumers' rights, I see nothing wrong with hitting back by pirating their music.

[*tweeak*]

http://www.msnbc.msn.com/id/10005667/

Haven't they stopped it?

[*mipadi*]

I guess, if you consider "temporarily suspend[ing]" to be stopping. Still, the fact is that if they did it once, they're like to try it again sometime.

[sadolakced acid]

and plus, those CDs are still out there.

any form of copy protection pisses me off. i have a program (exact audio copy) that override virtually all copy protection by simply tricking the CD drive into thinking it's a purely audio CD drive, and therefore any CD that will play in a regular CD player (e.g. all of them) can be ripped (except for the last track sometimes... they sometimes leave that open ended which screws things up)

yea.

so everytime i encounter a copy protected CD i purposely rip it and distribute it.

boycott sony music. kazaa has less viruses.

[*tweeak*]

forget kazaa, redlightglow.com + elbo.ws = all my music needs

[sadolakced acid]

i'm piggy backing my sister's napster account, and that works.

but kazaa is the more recognizable P2P network and is infamous about its viruses.

[*tweeak*]

oh, yeah, i knew that, i just misinterpreted your point. neeeevermind.

[*mipadi*]

I used to fully support the legal purchase of music, but now that I've noticed how much the music corporations infringe on consumers' rights, I think it's open season to copy as much music as one wants.

[sadolakced acid]

^ se!

and michael joins the fray.

i have... i think about 200 songs i got legally... the rest, from friends, library, etc.


and i have like... 1400 songs.

[*tweeak*]

I have about 2 gbs of music I got off my cds...but about a third of those I got from James, so they're not exactly legal. A few I paid for the downloads...the rest I got off mp3 blogs. So I'd say about 200 of my 1200 are legal. I mean, I would attempt to pay for it, but it's just ridiculous at this point. They over charge and then skrew up your computer. Yeah, great.

[*kryogenix*]

http://cp.sonybmg.com/xcp/

Sony apologizes

[*mipadi*]

Bit too late for that, I think.

[*kryogenix*]

Bit too late for that, I think.

I don't like how they're not really addressing the issue. They don't mention the word rootkit, and they seem to try to blame it on the third party vendor.

[*mipadi*]

That, and they dragged their feet. Their original tool for removing the rootkit only worked in IE, and didn't remove everything; I think it may even have installed more stuff. Sony hasn't really done a lot to prevent damage from their product, and they've hidden a lot from the consumer in the process.

[*kryogenix*]

Boycott the PS3!

[sadolakced acid]

boycott sony records for one financial quarter.

that'd get thier attention.

the thing is: i think they still think it was ok to do that.

which isn't very promising for anti-DRM. although it *should discourage other companies from using DRM...

hopefully

[*kryogenix*]

boycott sony records for one financial quarter.

that'd get thier attention.

the thing is:  i think they still think it was ok to do that. 

which isn't very promising for anti-DRM.  although it *should discourage other companies from using DRM...

hopefully

Boycotting their games would hurt them the most, since it's their most profitable division.

[sadolakced acid]

but it has nothing to do with thier rootkit.

if thier games had spyware, i'd be all for it.

but it's their music division, so that's where to hit them.

think the harm that one financial quater where they made no profit, absolutley none.

that would sent a mighty fine message to other record companies to not use DRM, as well as sony.

if you boycott the games, it will have a lesser impact on pure music companies, because if you boycotted the music, it shows you can put a company out of buisness.

and that is what they're afraid of.

[*mipadi*]

Sony would just chalk the losses up to "increased file sharing and piracy", not a boycott.

[sadolakced acid]

which is why such a boycott would have to be publicized.

however, if it's seen that sony's losses are much greater than any other companies, and a journalist ;coincidentally writes of the boycott... then, it will have impact.

which means it needs to be a nationwide effort.

but surely we can go 3 months without buying a sony CD.

[*kryogenix*]

but it has nothing to do with thier rootkit.

if thier games had spyware, i'd be all for it.

but it's their music division, so that's where to hit them.

think the harm that one financial quater where they made no profit, absolutley none. 

that would sent a mighty fine message to other record companies to not use DRM, as well as sony.

if you boycott the games, it will have a lesser impact on pure music companies, because if you boycotted the music, it shows you can put a company out of buisness.

and that is what they're afraid of.

Regardless, Sony is ultimately the offending company. They are the target, you want to aim for the part that hurts the most. If someone punches you, you don't aim for their hand, you aim for the soft spots.

You can still boycott Sony BMG as well as Sony Computer Entertainment.