March 28, 2024

SonyBMG and First4Internet Release Mysterious Software Update

SonyBMG and First4Internet, the companies caught installing rootkit-like software on the computers of people who bought certain CDs, have taken their first baby steps toward addressing the problem. But they still have a long way to go; and they might even have made the situation worse.

Yesterday, the companies released a software update that they say “removes the cloaking technology component that has been recently discussed in a number of articles”. Reading that statement, and the press statements by company representatives, you might think that that’s all the update does. It’s not.

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function – they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert – falsely – that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component … that has been discussed”.

The companies need to come clean with the public – their customers – about what they did in the first place, and what they are doing now. At the very least, they need to tell us what is in the software update they’re now distributing.

Meanwhile, lawprof Eric Goldman asks whether the SonyBMG EULA adequately disclosed what the company was doing to users’ computers. If not, the company may be legally liable for trespass to chattels, or may even have violated the Computer Fraud and Abuse Act. Goldman concludes that the disclosure may be adequate as a legal matter, though he doesn’t assert that it’s a good business practice.

While the legal question is beyond my expertise, it’s awfully hard to see how, from a common-sense viewpoint, SonyBMG could be said to have disclosed that they might be installing rootkit-like software. Surely the user’s consent to installing “a small proprietary software program … intended to protect the audio files embodied on the CD” does not give SonyBMG free rein to do absolutely anything they like to the user’s computer. Whether, as a legal matter, Sony exceeded their user-granted authorization to modify the user’s computer would ultimately be for a court to decide.

Goldman says, with some justification, that today’s EULAs expose a “crisis” in contract law by attenuating, almost beyond recognition, the notion of consent to a contract. Part of the problem is the well-known fact that hardly anybody reads EULAs. But another part of the problem is that EULAs don’t give even the most diligent users a clear idea of what they are consenting to.

Comments

  1. […] SonyBMG releases a software update to remove its DRM rootkit but the cure turns out to be worse than the disease (Felten). […]

  2. […] It’s a tale of extreme hubris. Sony rolled out this incredibly invasive copy-protection scheme without ever publicly discussing its details, confident that its profits were worth modifying its customers’ computers. When its actions were first discovered, Sony offered a “fix” that didn’t remove the rootkit, just the cloaking. […]

  3. […] As we’ve mentioned before, Sony-BMG has been using copy-protection technology called XCP in its recent CDs. You insert your CD into your Windows PC, click “agree” in the pop up window, and the CD automatically installs software that uses rootkit techniques to cloak itself from you. Sony-BMG has released a “patch” that supposedly “uncloaks” the XCP software, but it creates new problems. […]

  4. As soon as I heard Sony supported DRM, I stopped buying anything Sony.

    In fact, where I used to buy 25-30 CDs a year and listen to music (some radio, but mostly CDs) 25+ hours per week…I have only bought 3 CDs in the last year. If DVD/DVR technology goes the same way, I may very well stop watching most movies, and that’s really sad. The music industry has already lost a steady, valuable customer. The movie industry may as well.

    And I think if DVD recorder/player manufacturers don’t fight the proposed law tooth & nail, their fates will be much worse. The added fact that buying video equipment is expensive, and the media is expensive as well, will be a lot more likely to cause a larger percentage of former customers to stop watching movies than DRM on CDs caused people to stop buying mass-manufactured CDs.

    Sad, but true. I love to support my favorite artists, but I love my own wallet, and my own freedom, much more…if musicians and actors can’t make a living–tough, find a new profession. Because I support myself, and my beliefs and my freedoms, before yours. Anything you get from me is a bonus!

    I’m glad now I’ve been so anti-closed-source and anti-spyware (even stuff that discloses it’s spyware, like Windows Media Player) for the last couple years. People call it extreme, and look at the hassle it saved me. I actually stopped listening to my favorite artists, stopped buying their music, RETURNED their music as “defective” CDs to avoid DRM that’s spyware or that at least violates my rights to make as many personal copies as I want.

    And what did those “extreme tactics” get me?

    No Sony rootkit, no viruses, no software phoning home without my express and fully-informed permission…and no money for the artists who are innocent in this mess. Sorry, my own interests are more important than yours.

    And at all those who try to make anti-Windows and anti-closed-source-software people out to be paranoid fanatics…I laugh, I laugh, I laugh. It was only a matter of time.

    I’ve never had a virus, I’ve never had a rootkit, I had adware once (when I was a brand-new naive Windows PC user).

    The only thing I can’t laugh about is, since I haven’t bought anything Sony, I can’t join the class-action lawsuits. Wah.

  5. Summary of a PR nightmare

    There is so much chatter about SonyBMG’s DRM PR nightmare that I went ahead and wrote a summary. For myself, and for anyone who cares.

  6. When you think about it, it’s a scary thought- large corporations using the legal system (using EULAs) and malicious software hidden inside software products to control what we can and can’t do with our computers.

    Makes me glad that there’s open-source freeware out there. It provides much-needed competition in this industry, which would otherwise be monopolised by multi-billion dollar corporations.

  7. What I don’t understand in all this furor over Sony, is why other invasive DRM has not drawn any attention whatsoever. For example, try this little experiment. Install an iPod on your PC. Now UNinstall it, as completely as you can. Reboot. Open up Task Manager and count the Apple processes STILL RUNNING.

    Now check the side of the iPod box. Did you find the warning that tells users: “This product will PERMANENTLY install software that will run at all times while you use your computer… even if you stop using your iPod!” No? Oh well…

    Now reformat your PC and reinstall Windows, ’cause that’s just about the only way you’re going to get rid of this stuff.

    At least Apple’s DRM doesn’t seem to crash the computer. (Though who knows what incompatibilities may lurk.) I’m not sure if it “phones home.” But it certainly does consume processor cycles that you naively thought belonged to you. And it certainly inserts itself in a way that most users will find just as invisible and just as permanent as Sony’s “root-kit.”

    So, the question is: would Sony’s “root-kit” have been perfectly OK, had the software been well-written? Or is there a wider principle here, along the lines of: my computer belongs to ME, and companies DON’T have an absolute right to invade it?

  8. … whoops sorry, I play most of my DVDs on my *computer*.

    Hmmm… with thoroughness like that, I could probably get a job at First4Internet.

    By the way, I bet it will come out that F4I got the contract because they knew someone at Sony… a little money under the table… I mean c’mon, they CLEARLY weren’t the best shop for the job!

    BTW, if it looks like I have an axe to grind against F4I, I don’t, but I’m an engineer (actually EE from Prof. Felten’s school) and I cannot stand to see inferior slop passed off as professional-grade/production-ready code. Not to mention the fact that I find F4I’s willingness to hide code & infect computers completely deplorable, spineless, immoral and revolting.

  9. 2 points:

    1) Why aren’t more people calling for accountability on the part of First4Internet? I mean I know Sony contracted them, and ultimately Sony is accountable… but what about these dolts at F4I? Their website says nothing about the debacle… there is documented evidence of the woman who wrote XCP just recently admitting that she knew very little about what she was working on…

    2) Is there any chance something like this is out there on DVDs too? Is someone looking into this? I rarely play CDs on my computer, and don’t own any Sony discs, but I play most of my DVDs in a DVD player… and if I find out (if it comes out) that these DVDs have been phoning home or installing anything without me knowing about it (I have *never* agreed to anything a multimedia disc wants to do when it runs) I will make it my mission in life to bury these Fat Cats.

  10. Sony will apologize for their Lapse of Judgment.

  11. “specific harm” is not XCP. It’s hidden files have no $$ in them. IS IT WORSE?
    I am glad that DHS took notice, but disappointed as if they winked at Sony
    and said, knock it off UNTIL AFTER THE AVIAN FLU epidemic.
    The Mu-sick-al TROJAN HORSE i am ranting about is very dangerous
    and has a big fit since it’s been taken offline. It will not even let the computer turn off.

    It is my DEAD SERIOUS OPINION that
    NO ONE SHOULD PLAY CDs on PCs that are
    CONNECTED TO INDUSTRIAL MACHINERY.

    Pondering Spam I get from an Amtrak server,
    I am concerned that (myself innocent)
    It has crossed my mind that whatever hacked me
    is capable of causing a TRAIN WRECK.

    I want to make a few points.
    Before the rootkit was discovered, I knew something was awry,
    and told everyone not to play CDs in our computers, use a CD
    player instead. It seemed paranoid that you could Buy musick virus CDs.
    It also seemed paranoid that (now that we all know what it is) that since 911
    I always said using different words that the hijackers were rootkitted autopilots.
    I think the “alleged hijackers who claim they weren’t on the planes” support that idea.
    TROJAN HORSE. If you weren’t asleep in history class you might know that
    this refers to a large horse statue given to Troy, containing Greek Soldiers,
    who subsequently destroyed that City. A warfare weapon of mass destruction!

    RIAA has graduated from piRIAAte (ship robber) to International Terrorist!
    Microsoft has been quite a violent gang lately too, with police force actions in Asia,
    and threatening Europe for NOT USING their software!
    DRM is a bomb.
    DMCA is no law, just a mob racket. Unwanted Tea for the fish in Boston.
    Sunny Bono is dead.

    Music which myself and friends have performed will be released without copy protections because the point was Never to get filthy rich and attack people, the point
    was to make music, or beautiful noise. There are copyless ways of doing this, known
    since Pythagoras, using math, because music is objectively just a Number.
    “…When the saints go marching in!” – Public Domain

    Sony 666 fifth? Hmm.

    DRM is a success in only one way: No one who is not sick wants a copy of a virus.

  12. I just started catching up on all this and one point that I feel is being missed here (and yes, I do wholeheartedly agree that for what Sony did they should be hanged) – I do PC support for a large company and one thought that came to mind was: what about the poor guy on a late night shift that puts one of these CDs in a server to play it….. Now for another road to go down: what about CD firmware? What is to stop Sony from incorporating the same type of problem into their CD-ROM drives? Will I ever buy another Sony product? NO. It’s like this: they screwed up and now lost one customer for good. They can’t be trusted and are on the same level as low-life hackers and virus makers.

  13. Captain Keelhaul says

    Buy music??? You actually BUY music? What a quaint idea!

    Seriously, hacking users who actually buy their wares is just a slap in the face to honest people. To those who steal their tunes it does nothing. In the end it will just drive the former to become the latter.

  14. this is the first i heard about this crap, but i’m never buying another sony and/or bmg cd again, EVER

    screw trying to figure out whether it’s poisoned or not

    and screw you sony, there’s enough good music available without having to listen to you!

  15. Sony faces Californian class-action suit & likely a 2nd US suit
    Posted by Seán Byrne on 10 November 2005 – 00:20 –
    http://www.cdfreaks.com/news/12658
    Source: Washington Post

    Californian attorney, Alan Himmelfarb who filed the first lawsuit has asked the court to stop Sony from selling any further CDs which use the rootkit based DRM technology, which covers 20 CDs already on the market. He also wants the court to seek damages to cover the Californian customers who purchased these affected titles. In this lawsuit, Sony has been alleged to violate at least three statutory laws including one that covers unfair / misleading trading, another that prohibits the distribution of software that takes control away from the user, which includes preventing the uninstallation of it and finally one more that protects businesses and consumers from unfair business practices, all of which Sony has violated with its DRM software.

    With the serious issues Sony has caused with its CD’s rootkit based DRM technology, they now face a class-action Californian lawsuit and as well as a 2nd nation-wide US lawsuit, which is expected to be filed in a New York court.

    The 2nd lawsuit aims to seek relief of this DRM for all US consumers who have purchased any of the 20 Audio CDs which use the rootkit based DRM. The New York attorney, Scott Kamber, behind the New York lawsuit mentions that he is really surprised with what Sony has landed on its customers as well as its attitude, considering this is a company who should know better. For example, he mentions that Sony should not get away with claiming that their intellectual property deserves more protection than the customer’s own intellectual property, especially since the recent patch Sony released to uncloak its DRM has the potential to crash the system or worse still, cause the loss of data. Thanks to heystoopid who used our news submit and to Herbert who also let us know about this news:

    A class-action lawsuit has been filed on behalf of California consumers who may have been harmed by anti-piracy software installed by some Sony music CDs. A second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question.

    Experts say the Sony CDs use virus-like techniques to install digital rights management software on computers. Windows users cannot listen to the protected CDs on their computers without first installing the software, which hides itself on the users’ system and cannot be uninstalled by conventional removal methods.

    The California lawsuit, filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, Calif., attorney Alan Himmelfarb, asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them.

    The full article can be read here.

    This was expected to happen as it is bad enough to get Spyware on your system from browsing dodgy websites, not to mention harmful software just by the trivial task of playing a music CD! In my opinion, it is about time the companies who use DRM get the feeling of this having a good bite back at them.

    From what I can see, if media is eventually replaced by DRM based online distribution, it will mean the end of physical collections as well as the ability to resell this (purchased content) later on. While it may be bad enough that DRM locks content to a one or a few given devices, Sony has already patented a technology which covers the locking of discs to a given hardware device, which essentially follows this same limitation of DRM protected content that was purchased as a download online. At the moment, we can see many records from the 1960’s that are worth a lot of money. However, what will happen in another 40 years down the line with what we have now? Chances are that most of the downloaded content over 10 years old may only be played on the well-outdated systems that the DRM was locked to and I cannot see digital content becoming collectables in the future.

    heystoopid wrote: When visiting Mark Russinovich over at sysinternals.com, his latest blog had this link to Washington Post, showing that on November 1st, class action legal action has commenced in California; further additional legal action will be initiated in New York state as well, under a combination of both state and federal laws. Oh well, the toasting of SONY has now begun for this folly! Who knows where all this fun will lead.

  16. An interesting footnote about Sony and their “respect” for intellectual property.

    In the mid to late 80’s, Sony was having problems marketing R-DAT technology into N. America, which was originally developed as a consumer digital recording format that Sony hoped would replace the standard cassette deck in everyone’s home stereo system.

    One of their biggest opponents was the RIAA, who feared that the technology could be used to facilitate music trading and piracy similar to the way they oppose MP3’s and music downloading today.

    Anyway during the controversy, consumer interest in R-DAT waned, but interest amongst professional and semi-professional users increased. Now R-DAT is widely used in recording studios and CD mastering labs, but has not reached anywhere near the consumer market penetration Sony had hoped for.

    The R-DAT launch initiated several years of controversy over digital copying, culminating in an agreement in July 1989 obligating both sides to support legislation mandating the inclusion of a serial copying technology, called SCMS (Serial Copy Management System).

    However, during this same period Sony, did not own a record company, until they bought CBS records in 1987, then Columbia Pictures a short time later, giving Sony control of vast assets in terms of music and motion picture content.

    According to a short history published on Sony’s own web site, “acquiring CBS Records and Columbia Pictures meant the fulfillment of the Sony Group’s ultimate strategy: to secure high quality software in order to complement and promote Sony’s wealth of hardware products.”

    I don’t think that it is a coincidence that Sony’s purchase of Columbia assets happened during this same period of digital rights controversy.

    It appears that when Sony could not circumvent the concerns and opposition of the RIAA, they simply went out and bought one of the largest American record companies in existence in order to give themselves a position of power, and hence a strong voice that could not easily be ignored, within the recording industry in North America.

    In other words, “if you can’t beat ’em, buy ’em”.

  17. WARNING:MORE ROOTKITS:

    1.on SPECIFIC HARM RECORDS(ASCAP) CD: JOHN MAYER-HEAVIER THINGS

    2.on LID-ROCK (targets children!!!)

    Specific Harm!- The lawyers and juries will stuff ASCAP through the ANALOG HOLE!!!
    Specific Harm!- No Joke!

    Fact:
    We are looking to sue for ACTUAL DAMAGES
    THEY DIDN’T COPY MY MUSICAL COMPOSITIONS, THEY ERASED THEM!!!
    IMO they forfeited the right to sue for P2P FS, which we don’t even use.

    Humor:also don’t buy anything from…
    “Smashing Windows”
    “Breaking and Entering”
    “Sony Music to keep Homer Simpson alert at work” (Uh-Oh)
    “Blue Screens of Death”
    “Black Widow’s Web”
    “Hellish-Death TeleVision”
    “The device formerly known as a DVR but still called T-Vo”

    “Dangerous Rootkitted Music (DRM)”-NO JOKE!!!

  18. I am an attorney in Chicago, Illinois. Some affiliated law firms and I are investigating a possible consumer class action against Sony Music Entertainment Corp. (“Sony”) for selling “CD”-like media encoded with the XCP2 copy protection scheme, without properly disclosing XCP2 copy protection program’s nature or effects on its users’ computers.

    If you or anyone you know has purchased a compact disc with the XCP2 copy protection program (apparently most of Sony’s releases since August 2005) and played or attempted to play the compact disc on a Windows personal computer, you may have a claim against Sony and other parties. If you would like representation in this matter, please contact me at:

    Ethan Preston
    150 South Wacker
    Suite 2600
    Chicago, IL 60606
    (312) 346-8700 ex. 108
    ep -At- eplaw.us

    LAWYER ADVERTISEMENT

  19. Empty: artists are, as usual, powerless tools. How else would you call people that will basically “work for food” until 300.000 copies of their album are sold? I am sure one of the bands involved already stated that they didn’t want this “protection”, didn’t authorize it, and even briefly posted the procedure to remove it (before, of course, “the Man”-Sony came around and removed it). But their contracts are clear: they are little more than slaves and have no power whatsoever in these matters.

    The only way you can “help” the music industry is ignoring it: find and listen to freely downloadable music, don’t buy CDs unless you know they are not carrying DRM craphola, and if they do just return the cd to the store complaining LOUDLY. The only language that Sony and sisters will understand is money — stop participating in the system, and it will go away.

  20. Many PC games are now incorporating a check to see if you’re running any CD emulation software (CloneCD, Daemon Tools, Alcohol 120%, etc.) and will refuse to run if any such software is detected — it’s a reasonably effective (if not a little broad) attempt to curb piracy, and thus far in order to defeat the checks it’s required using some erratically behaving tools (AntiBlaxx being the most common) which don’t always work and can, on rare occasions, cause no small measure of problems.

    Unwittingly, however, Sony’s offering would seem to provide a pretty good tool to avoid these checks — if the emulation software prefixes its executable name, drivers, etc., with $sys$ then they’ll magically disappear from view. Sony’s anti-piracy measure actually facilitates piracy! Ah, the irony…

  21. I have, if anyone is interested, the original rootkit detection utility created earlier this year by the person who was first to detect Sony’s abuse of DRM technology and its blatant violation of the computer fraud act which is part of the 1st patriot act. It is only 90 Kb as opposed to the 3.4 MB “Fix” that Sony is offering and does NOT install further malicious code on one’s machine. Feel free to find it in the “Links” section. I will send this email and then add the link to my page post haste.

    belknapmountain.com – A Site for honest folks.

    [Be careful about what you download. I can’t vouch for this; it may be fine but I just don’t know. I would recommend Rootkit Revealer, http://www.sysinternals.com/Utilities/RootkitRevealer.html, which is what Mark Russinovich used to find this. — Ed Felten]
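Comment 20 above describes the cloaking behaviour (names prefixed with `$sys$` vanish from normal directory listings), and the editor’s note points at RootkitRevealer as the tool that found it. The detection idea behind that class of tool, to the best of my knowledge, is a cross-view comparison: list a directory through the ordinary Windows file API, list it again by reading the on-disk file system structures directly, and flag whatever appears in only one of the two views, because a filter driver that hides names from the API cannot edit the bytes on disk. The script below is an added illustration of that comparison written for this page; it is not RootkitRevealer’s code, nor Sony’s or First4Internet’s, and the two listings it works on are constructed in the script with placeholder file names (the `$sys$` prefix is the only detail taken from the page).

```python
"""Cross-view rootkit detection on constructed data (added example).

Two listings of the same directory are compared: the one a user-mode
file API returned, and an independent one obtained by parsing the
on-disk structures.  A cloaking driver that filters names out of the
API results cannot filter the raw view, so an entry present only in
the raw view is a candidate hidden object.  Both listings below are
constructed lists with placeholder names, not a real XCP file set.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Name prefix the page says the XCP driver cloaks.
CLOAK_PREFIX = "$sys$"


@dataclass(frozen=True)
class Discrepancy:
    path: str               # normalised path (lower-cased, as Windows compares)
    hidden_from_api: bool   # True: present on disk, absent from the API view
    note: str               # short reason attached by the classifier


def _normalise(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one case."""
    return path.replace("/", "\\").lower()


def cross_view_discrepancies(api_view: Iterable[str],
                             raw_view: Iterable[str]) -> List[Discrepancy]:
    """Return every path present in one view but not in the other."""
    api = {_normalise(p) for p in api_view}
    raw = {_normalise(p) for p in raw_view}
    found: List[Discrepancy] = []
    for path in sorted(raw - api):
        name = path.rsplit("\\", 1)[-1]
        if name.startswith(CLOAK_PREFIX):
            note = "hidden; name carries the %s cloaking prefix" % CLOAK_PREFIX
        else:
            note = "hidden; no known prefix, inspect manually"
        found.append(Discrepancy(path, True, note))
    for path in sorted(api - raw):
        # The reverse case deserves a look too: the API reports an entry
        # that the on-disk structures do not contain (stale metadata, or a
        # filter driver injecting phantom entries).
        found.append(Discrepancy(path, False, "API-only entry; raw view lacks it"))
    return found


def hidden_paths(api_view: Iterable[str], raw_view: Iterable[str]) -> List[str]:
    """Convenience wrapper: only the paths cloaked from the API view."""
    return [d.path for d in cross_view_discrepancies(api_view, raw_view)
            if d.hidden_from_api]


# Constructed sample: what a user-mode directory listing returned ...
API_VIEW = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\usbhub.sys",
    r"C:\Windows\System32\ntoskrnl.exe",
]
# ... versus what a raw parse of the same directories found (constructed;
# the $sys$ names are placeholders, not the real XCP file names).
RAW_VIEW = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\usbhub.sys",
    r"C:\Windows\System32\drivers\$sys$example.sys",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\$sys$example.dll",
]

if __name__ == "__main__":
    for d in cross_view_discrepancies(API_VIEW, RAW_VIEW):
        tag = "HIDDEN  " if d.hidden_from_api else "API-ONLY"
        print(tag, d.path, "(" + d.note + ")")
```

The comparison is deliberately symmetric: a mismatch in either direction means two parts of the system disagree about what is on the disk, and that disagreement, not the `$sys$` prefix itself, is the signal. The prefix check only labels the likely cause; a cloaking driver using a different naming scheme would still be caught as a bare discrepancy.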

  22. under what circumstances do they become legally responsible for the consequences of this rootkit? it would be very pleasant to turn the tables on this bit of idiocy through a
    class action lawsuit…

  23. Install Slysoft’s “AnyDVD” Not only does it prevent the Sony crapware from installing, it also allows you to play/copy any protected audio CD and CSS protected DVD with the player(s) of your choice

  24. Zarathoustra says

    Sony sues people for piracy. Installing a rootkit is piracy. Why doesn’t the EFF sue Sony for computer piracy? Actually, if you think about the chance that somebody played this disk in a DOD computer… They should be charged for spying.

  25. I’ve been waiting for over a month for Sony/BMG to acknowledge this problem. I called and email them after I returned my purchased Patty Loveless, ‘Dreamin… CD. I tried to uninstall their spyware after I had returned the CD. Still can’t. If they can’t provide me with a complete uninstall utility, I’m tempted to send them a Time & Material bill for my cold-load time.

  26. doggy style says

    How about criminal charges? There are still laws in some countries, are there not?

  27. What is the best way to express my annoyance with this nonsense directly to the artists? I’d like to send a letter, e-mail or call either directly to my favorite musicians (which they may or may not eventually read) or to their direct agents – i.e. not to Sony BMG, since they apparently couldn’t care less what we think. I have no idea where to start, and posting on fan sites would probably make no difference.

    Fortunately I don’t touch Windows (I’m a Linux person) so I’m not directly affected by this, but as a matter of principle, I will not be buying new CDs from the affected artists unless and until they dump Sony (or at least read my feelings on this).

  28. Brian Srivastava says

    For those who didn’t happen to see the news slashdot reported (or moreover linked to this site http://www.securityfocus.com/brief/34) talking about how the sony rootkit allows users to hide their programs from Blizzard’s “Warden” anti-cheating software. There has been a bit of news about Warden as well of course, since it’s arguably spyware etc… But from the people I know that play WoW, Warden is acknowledged as a necessary evil. Regardless of what one thinks of Warden as such, it certainly is an example of an attempt at security (which WoW needs to stay healthy) being circumvented by a product not seen before. I think this bodes poorly for WoW because if the SonyBMG rootkit allows you to hide things from Warden, then presumably one can write their own rootkit that accomplishes the same task, which is, in general, a problem for a lot of the major online games.

    The conspiracy theorist in me wants to say this is SonyBMG’s way of trying to Help out Sony’s online entertainment business.

    Regardless, I don’t like the idea that Sony is promising to ‘fix’ their rootkit problem by releasing a different copy protection scheme, which for all we know is as problematic as the last version. Much as I don’t like StarForce (in part because their products have been known to fry CD-ROM drives), at least when the company released a removal tool, it was (and remains as far as I can tell) a removal tool.

  29. The four faces of the Sony DRM FAQ

    Sony have so far had three different FAQs posted on their site here:
    http://cp.sonybmg.com/xcp/english/faq.html

    I have a complete summary listing of the exact wording here

    http://netweb.wordpress.com/2005/11/05/sony-and-the-xpc-faq/

    I have hyperlinks to the cached pages there also.

    Interestingly, in the first version I have from MSN Cache there is not a single mention in the entire site

    for any form of the words:-

    ‘Update’, ‘Security’, ‘Uninstall’ or ‘Remove’

    The main additions to the FAQ are:-

    Two versions of ‘I heard this is malware?’
    The addition of ‘How can I update this software?’
    The addition of ‘How can I make my computer secure?’
    Two versions of ‘How do I uninstall the software?’

    Does Sony now have sufficient wording here???

    And a couple of other little things I wrote regarding Security Issues this raises.
    http://netweb.wordpress.com/2005/11/04/cd-audio-standards/
    http://netweb.wordpress.com/2005/11/04/why-rootkits-are-global-security-breaches/

  30. Here’s one source for the Sony tirade:

    http://www.theregister.co.uk/2000/08/23/we_will_block_napster/

  31. Sony-BMG are evil incarnate. We have been warning folks against the RIAA and against DRM for years. Maybe eventually enough folks will start listening and stop buying RIAA crap.

    When you bring DRM infected garbage into your home, your house is going to stink. It’s that simple folks. Stop supporting the evil empire.

    Shmoo, aka “independentmusician”
    Admin/Mod of Boycott-Riaa
    Support Local and Independent Music ONLY!

  32. Mike, what you say is mostly true; however, users on most Windows-based home PCs run as a system administrator, whereas on Linux, BSD, and MacOS X, users usually run without administrative privileges and can only write to their own home directory. This greatly limits the power of rootkits on such systems, and usually rootkits can be discovered more easily, as such rootkits can’t hide from the root user on such systems unless they are installed by the root user. People who run these other operating systems also happen to be more aware of proper security procedures and usually avoid logging in as root unnecessarily. Furthermore, most of these OSes make recommendations on password security and good usage practices during installation and in help files; therefore, getting off Microsoft and simply following the procedures recommended in the install routines and help files of most non-Microsoft operating systems would actually help significantly limit severe security problems in home computers. A rootkit installed in a single user’s directory doesn’t require the format and reinstall that a rootkit installed with administrator privileges requires–it can be solved by simply deleting the user and creating a new one.

  33. Pete M, GoM, I’m not sure you guys get it. These kinds of vulnerabilities exist on any operating system. It’s just that less than 10% of people use Mac OS and Linux combined. If everybody “get(s) off microsoft,” as you put it, then what do you think will happen next?

  34. J.B. Nicholson-Owens says

    Software freedom is also not an issue of blindly trusting other people or their code because one has the source code and can either inspect it themselves or hire someone to do the work for them. Even on the narrow terms of “whom do you trust”, most people don’t work on the system development team for any proprietary OS and therefore have no reason to trust secret code that results from that process. Proprietary programs are, by default, untrustworthy. Trusting them is unwise and this doesn’t change because a lot of people run proprietary programs.

    Most of a system is not all of a system. It really doesn’t take much code to do something that users most likely would not like if they knew it was there. Even if one pays for Microsoft Windows source code they can’t distribute what they’ve paid for, they can’t make derivative works from what they’ve paid for, and therefore they have paid money for programs that are not free.

    Software freedom remains very much at the heart of this discussion. But I understand that those who deal in proprietary software would be uncomfortable with anyone who reframes the issue in such a way that it challenges underlying assumptions of proprietary software businesses.

  35. “Kokuryu”, I don’t suppose you can provide a source for that very inflammatory statement?

    Please note that I’m not accusing you of lying–I myself vaguely remember a Sony bigwig making some inflammatory statement related to copyright/DRM a year or so back that hit the usual channels (Slashdot, etc.) and then sort of slipped into obscurity. I just don’t remember who it was or exactly what they said.

  36. My thought: Truth-In-EULA opportunity?

    “Anyone for a “Truth In EULA” legal proposal? That is, a disclosure cannot be legally deemed to have been made unless a “reasonable” person would have some sort of “material” understanding of the risk entailed in the “small proprietary software program”?

    It may not pass, it likely won’t pass. But it would be a great opportunity to publicly grill some of the most egregious offenders.”

  37. “a small proprietary software program … intended to protect the audio files embodied on the CD”

    With that EULA wording, they could be talking about installing and running fdisk. That would certainly qualify.

    Overly-broad EULAs suck.

  38. Well, kinda makes me glad once again I switched to Linux around 10 years ago now.

    Something really does need to be done about this type of intrusion though. It’s bad enough the script kiddies playing about, but then you get the likes of Sony and co at it as well. Makes you think, as someone else said earlier, shows just where the real cyber terrorists are, does it not.

    As for the idea of M$ Corp saying anything to put down or otherwise say anything about the situation, I think you’re in for a long long long wait now there is the cyber terrorist in chief Mr Gates, numero uno! ..

    Pete.

  39. Kudos to the clever people at First4Internet. They made some interesting technology and then have the audacity to crow about it by saying (and I paraphrase here…) nobody complained in the first 8 months of use, so it isn’t a problem! There was an interesting translation of their statement that basically said we can’t help it if the unsophisticated masses don’t know how to trace kernel hooking!

  40. Everyone has forgotten – but a few years ago Sony’s CEOs had made some extremely pointed remarks stating that Sony was going to protect its content by using cyberterror tactics and techniques, was going to hire the top computer infiltration specialists in the world, and was going to secretly install a set of software on every computer in the world that will report back to Sony every copyright violation committed by the user on that computer, and who that computer shared or received the violated content from, and also provide a means whereby to destroy all the data on the offending machines in question and render them completely useless for all time, and automatically render all recordings made by that machine completely useless as well.

    At that time I had brought this topic up to the FBI and the Department of Justice – but they didn’t want to do anything about it and totally dismissed it.

    Just goes to show you just where the cyberterrorists really live! In the posh compartments of Corporate America!

  41. Sony are a bunch of cunts and I will go out of my way to not pay for anything that comes from them.

  42. Miles’ post was entered as I was writing mine, so in response to that, I point out that it would be a PR disaster for Sony to admit that they screwed up here by not adequately following up on this — this was where I was going with my point about it being ironic, above.

    Anyway, I’m just speculating.

  43. Ed: You could be right, but it also could be something else. I’ve just read the blog over on f-secure.com that their people had been in discussions with both First 4 and Sony during their investigation of the rootkit over the last month or so (independent of SysInternals, btw). See: http://f-secure.com/weblog/ (Post is dated yesterday. Scroll down. Sorry, I can’t find a direct link to it)

    It’s possible that F-Secure contacting Sony about this was the first Sony had heard of it.

    Also, since they’ve known since at least that time (whether you are right or I am), it means that they’ve had at least that amount of time to prepare – or force these First 4 people to do so, as the case may be.

    Something ironic about all this: If Sony was duped and they decide to sue First 4, they’d have to say in court that it was a rootkit — something they are currently denying.

  44. Miles Vorkosigan says

    Somebody says:

    “I think SonyBMG may be a victim here too. The real villain is this First4Interent outfit.”

    That might have been plausible up until their recent statement. You’ll notice they have NOT said they’re refusing to deal any further with First4Internet, nor are they particularly apologetic about what they’ve done. I think they knew that the install would hide some files, and contrary to their original EULA, would install things that could not be uninstalled.

  45. If Sony did not know it was there, how could they have generated a 3.5MB “Patch” the day after the story hit? I would certainly hope that a patch of that magnitude with the potential to do a great deal of damage to thousands of users’ computers would go through serious code review and debugging time. It seems to me that they must have known months ago that this story was going to break sooner or later.

  46. Is there any documented proof that SonyBMG actually knew that the DRM solution they paid First4Internet for was in fact a rootkit? I can’t imagine somebody at Sony asking a contractor “hey, will that thing you’re developing for us leave millions of our customers vulnerable to all kinds of new malware?”

    I assume that the contract would have had provisions for this, but how would Sony have actually known if they didn’t ask? Until the guy at sysinternals.com found it, it was completely hidden. How could Sony have looked for it unless they already knew it was there?

    I think SonyBMG may be a victim here too. The real villain is this First4Internet outfit.

    And in case the AC who posted earlier is wondering, no, I’m not a Sony employee.

  47. Microsoft should be issuing a statement. If they haven’t yet, their silence is REALLY INTERESTING!

    I expect Microsoft to say: “We feel strongly that no company should try to install a rootkit in Windows. We will take strong action against any company that tries to, or does.”

    Or Microsoft might say: That’s exactly how Vista is going to work, but cloaking will not be necessary because the OS will handle these functions. First4Internet worked with us to develop this kit, and people should bear in mind that it’s illegal to reverse engineer it or try to remove it.

    WHAT IS MICROSOFT’S POSITION ???

  48. This is yet another reason why everyone needs to turn off the ‘autoplay’ feature of Windows and never, ever install any application in order to listen to a CD.
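An added example, not from the commenter or the original post, of auditing and applying the "turn off AutoPlay" setting that comment 48 recommends. It uses the documented Explorer policy value NoDriveTypeAutoRun, in which each bit suppresses AutoRun for one drive type (0x20 is the CD-ROM bit, 0xFF covers every type); it assumes an elevated PowerShell session on a modern Windows build.

```powershell
# Added example: audit and disable Windows AutoRun for CD-ROM and all
# other drive types through the machine-wide Explorer policy key.
# Assumes an elevated (Administrator) session; the key and value name
# are the documented Windows policy locations, not page-specific values.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$CdRomBit  = 0x20   # bit for DRIVE_CDROM in the NoDriveTypeAutoRun bitmask
$AllDrives = 0xFF   # every drive-type bit set: AutoRun disabled everywhere

function Get-AutoRunPolicy {
    # Returns the current bitmask, or $null when no machine policy exists
    # (Windows then falls back to its default, which honours autorun.inf
    # on optical media such as an audio CD).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-CdAutoRunDisabled {
    param($Mask)
    # CD AutoRun is off only when the CD-ROM bit is present in the mask.
    if ($null -eq $Mask) { return $false }
    return (($Mask -band $CdRomBit) -eq $CdRomBit)
}

function Disable-AutoRun {
    # Creates the policy key if needed and sets the mask to 0xFF.
    # New-ItemProperty -Force overwrites an existing value of any type.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives `
        -PropertyType DWord -Force | Out-Null
}

$current = Get-AutoRunPolicy
if (Test-CdAutoRunDisabled -Mask $current) {
    'AutoRun already disabled for CD-ROM drives (mask = 0x{0:X2}).' -f $current
} else {
    $shown = if ($null -eq $current) { 'not set' } else { '0x{0:X2}' -f $current }
    "CD-ROM AutoRun is enabled (mask = $shown); disabling."
    Disable-AutoRun
    'New mask = 0x{0:X2}. Restart Explorer or sign out for it to apply.' -f (Get-AutoRunPolicy)
}
```

The same value can be managed centrally through the Group Policy setting "Turn off AutoPlay" under Administrative Templates, which is the preferable route on a domain. Disabling AutoRun only stops the automatic launch; the commenter's second point, never installing an application just to play a CD, still depends on the user declining to run it by hand.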

  49. Anonymous Coward says

    Welcome to the 21st Century. No doubt Sony has a roomful of college kids posting pro-Sony rootkit blog comment propaganda.

  50. I was under the impression that the only practical way to remove a rootkit is to reformat and reinstall?

    In this case, there isn’t even much point making backups and logs as evidence for court; the trojan is on the CD!

  51. I think that the “intended to protect” bit may well be accurate. It turned out that it did quite a bit more than that, but it might be reasonable for a development team to have missed that.

    In other words, if the development team’s threat model didn’t include “hackers take advantage of our product to hide their code,” then the other impacts of this code could have gone unnoticed.

    Is that good development practice? Probably not. Is it so far from standard as to be actionable? I don’t know, but standard development practice is often poor.

  52. If you’d read the source material first, mate, before commenting, you’d have known which operating system was targeted by First 4/Sony.

    http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

  53. Actually,

    (1) I used to work on the Mac OS X software engineering team at Apple, so I have a pretty good idea of what’s in Mac OS X. And the main thing I have to tell you is that there isn’t a conspiracy hidden in any system binaries. All you need to do to find out what’s in one is disassemble it, which you can do with free tools provided by Apple as part of the Developer Tools package (otool, nmutil, strings). Provided you know PowerPC assembly language.

    (2) Most of the underlying source code for the core of Mac OS X is actually available as part of the Darwin project. This includes the compilers and linkers and 99.99% of the kernel as shipped.

    It’s perhaps not well known that Microsoft makes the Windows source code available to people willing to pay for it.

    But that’s neither here nor there. The point is that we inherently trust Apple and Microsoft to do more or less the right thing with the OS. They have earned our trust; third parties do widely audit and reverse engineer, etc., both platforms. Neither makes a serious effort to encrypt binaries (with the possible exception of DVD player software and the Xbox, which are different discussions…) to make this task more difficult.

    On the other hand, we know (now) that Sony is untrustworthy; on auditing, they’ve been discovered to be installing evil hackware.

    I think software freedom is a valid, but different discussion. This particular software will never be free; that’s the whole point of it, after all. It should not be on the CD in the first place.

  54. For all the talk of lack of trust, I rhetorically wonder how many of the people are running proprietary OSes. I’m guessing that most people who would agree with these sentiments are running Microsoft Windows or MacOS X, both of which contain mysterious binaries that do unknowable things.

    Software freedom is at the heart of what’s so objectionable about what Sony/BMG did because if people could inspect the software, modify it to suit their liking, share the improved version, or decide whether or not to run the software in the first place we’d be on to helping the community by sharing improved versions by now.

    If this fight is going to focus on ways to defeat this or that kind of DRM, the larger message of stifling a cooperative community is lost and DRM tactics are tacitly accepted, it merely becomes a game of which tactics will be “acceptable” (much like the old joke which ends “Madam, what you are is clear, we are merely haggling over price.”).

    —J.B. Nicholson-Owens