Sony CDs Rootkit Your Systems (Bad news)

[Matt Flynn]

This is last week in the tech world, but many Sony CD's secretly rootkit your system. See the links below for a discussion of what that is. It is bad. A rootkit essentially creates an environment "around" your system that the system cannot see. It is invisible to antispyware and other malware detection software. It cannot be tracked by regular means. The Sony malware can easily be exploited by hackers and has already been. It can also screw up your devices and some programs.

Thanks to my buddy Earl, here are some Links:

The blog posting by Mark Russinovich that started the furor in which a
security techie discovers the rootkit. Basically, it's a geek
detective story.

http://www.sysinternals.com/blog/200...al-rights.html


Washington Post picks up the story:

http://blogs.washingtonpost.com/secu...aids_hack.html


Slashdot picks up a second Russinovich blog in which he shows the Sony's
DRM phones home.

http://games.slashdot.org/article.pl...207&tid=10

Why rootkits should be illegal; Malware that exploits Sony's rootkit
appears:

http://it.slashdot.org/article.pl?si...72&tid=233


Sony's wonderful EULA analyzed:

http://www.eff.org/deeplinks/archives/004145.php


Here's the must read: Bruce Schneir (a big crypto-guy) asks why the
anti-virus didn't detect Sony's DRM rootkit.

http://www.schneier.com/blog/archive...drm_rootk.html


Hmmm, the security companies are evidently NOT going to protect you from
malware put out by companies. Also, you do really think that Sony is
the only one doing this?

Enjoy. If you want to test for it, go to http://www.f-secure.com/blacklight/ and download their beta-test rootkit detector.

I am putting Sony on a two-year boycott for this. Worse, it looks like I'll have to go Linux once the new Microsoft operating system comes out. Unreal.

[astroglide]

[ QUOTE ]
I am putting Sony on a two-year boycott for this.

[/ QUOTE ]

do you think this order came from the ceo? sony is a monster company, no doubt with billions of divisions, vice presidents, and managers. the audio cd people have likely never even met the dvd player people. the dvd player people haven't met the television people. etc. sony has gotten a lot of deserved anti-press over this.

your boycott won't do anything individually, which i'm sure you know, but feel it's worth it on principle which would be fine. but what i'm suggesting is that the idea of boycotting everything they make (if that is your intention) seems kind of dumb, because each division can effectively be seen as its own company. for a philosophical boycott, how about just skipping their audio cds? that way if you think the playstation 3 or some other product looks cool, you can still buy one.

i've never understood why people would stop eating at a restaurant over a bad waiter, stop shopping at a store over a bad salesperson, etc. there are other waiters and there are managers to which you can complain and actually make a difference as opposed to simply not showing up. running up the chain of command until you get a response that satisfies you isn't a big hassle, and at a minimum you'll usually get free stuff out of it. one of my stepfathers had all sorts of places where he "couldn't go" because of isolated problems. as a consumer, he screwed himself.

[ QUOTE ]
Worse, it looks like I'll have to go Linux once the new Microsoft operating system comes out. Unreal.

[/ QUOTE ]

vista isn't even close to being released. if you decide for whatever reason that it sucks, you'd still be infinitely better off with a mac over a pc with linux if you value day-to-day usability.

[Matt Flynn]

[ QUOTE ]
[ QUOTE ]
I am putting Sony on a two-year boycott for this.

[/ QUOTE ]

do you think this order came from the ceo? sony is a monster company, no doubt with billions of divisions, vice presidents, and managers. the audio cd people have likely never even met the dvd player people. the dvd player people haven't met the television people. etc. sony has gotten a lot of deserved anti-press over this.

your boycott won't do anything individually, which i'm sure you know, but feel it's worth it on principle which would be fine. but what i'm suggesting is that the idea of boycotting everything they make (if that is your intention) seems kind of dumb, because each division can effectively be seen as its own company. for a philosophical boycott, how about just skipping their audio cds? that way if you think the playstation 3 or some other product looks cool, you can still buy one.

[/ QUOTE ]

Absolutely I want to punish the whole company. It encourages Sony and other companies to create cultures of responsibility and holds them accountable.

[astroglide]

i think you're cutting off your nose to spite your face here

[Matt Flynn]

[ QUOTE ]
i think you're cutting off your nose to spite your face here

[/ QUOTE ]

Astroglide,

I understand your reasoning. Both positions strike me as rational.

I am worried about worldwide corporate hegemony. At some size X, corporations get to rewrite many of the laws in their favor. At the top of those corporations are still highly fallable people, many of whom demonstrate megalomaniac tendencies and a lack of empathy for others in this man's opinion. I am most concerned about toxins in the environment (the real ones like organic mercury, not the tree-hugger ones), loss of privacy, and people wasting my time. Time and a body are all we get: I value those assets very highly.

I do not want those corporations controlling my privacy or invading my private life or wasting my time. If I could, I would ban most of the information tracking and trafficking that goes on. A boycott of Sony in toto sends the message that messing with my privacy and my property has consequences. Posting on this message board helps to magnify my statement - likely not enough to tickle the beast, but perhaps so. I want these companies to think long and hard before blithely attacking me. Anyone who, for their own gain, slips malware on my computer (and it IS malware - just the increased vulnerability to hacking is enough - if someone passed out keys to my house would it seem innocuous?) attacks ME. At the least, it wastes my time looking for it and removing it.

If I owned Sony stock I would sell it for the same reasons. I vote with my wallet. If Sony came out with something spectacular, it's a simple decision of utility vs anger.

[wacki]

[ QUOTE ]
Absolutely I want to punish the whole company. It encourages Sony and other companies to create cultures of responsibility and holds them accountable.

[/ QUOTE ]

I'm with you on this one Flynn. Also, I totally disagree with astro's opinion that you won't make a difference. Sony may not feel it immediately but you are spreading word via a heavily trafficked forum. Word spreads and consumers, even if they don't fully boycott, may be influenced enough to choose another brand if they are on the edge. Simply laying down and doing nothing only invite more of this behavior.

Also, I don't think a waiter and a giant corporation are all that related. A corporation like sony has the power to set industry standards. A waiter will never effect your life outside of a restaurant. This is simply not true with a giant corporation that has power to set industry standards and effect your everyday life. If you complain to a restaurant manager they will listen and possibly fire someone. Odds are a company like sony will only blow you off if you complain about their DRM techniques being intrusive and too hard core.

That being said I understand what astro meant, I just don't think it applies all that well.

If anyone gets "free stuff" from sony (other than a BMG CD of course) by complaining about their DRM techniques I will truly be amazed.

[astroglide]

official buyback program with sony-provided mp3 downloads

amazon.com email informing all buyers that they are eligible for refunds

usa today article on recall

sony's list of affected items (all of which are being replaced in stores)

register article on rootkit-targetting trojan

sony's press statement on the issue via reuters

washington post article with a bush administration official admonishing sony

wired article on infection rates

free microsoft antispyware product updated to remove the rootkit

sony eula investigated after the attention was drawn to them along with possible illegal use of open source code

electronic frontier foundation soliciting feedback for a potential class-action lawsuit

another class-action lawsuit from news.com

with the waiter comment i was literally talking about waiters and restaurants. it was inspired by the belief that boycotting sony for 2 years is a boner move. i wasn't suggesting that people contact sony or try to get free stuff or whatever from them. they're painfully aware of the problem already because the media has 'contacted the manager'. i was talking about how i think it's dumb to take a good idea like not getting walked on as a customer and proceeding to [censored] yourself by refusing to patronize an otherwise good establishment instead of actually getting them to address the problem. so i think people who love the food and hate the service that never go back after the first trip are dumb. separate, but similar topic.

i guess i'm a real freedom-hating heretic for suggesting that this topic just might have been noticed already. for weeks now you can't read the news without running into the story.

does this mean i don't care? no. does this mean i'm not going to [censored] myself over and refuse to buy a playstation 3 or whatever if it's a product i want? that's exactly what it means.

[Blarg]

Who cares? That's your decision, and you can do what you like, as can anyone else. It's ridiculous to criticise a consumer for putting his money where his mouth is. That's the greatest power he has. That doing so is not an exact science goes without saying, and the fact that it isn't is a very poor rationalization for not doing it.

The idea that you would really suffer by not buying a Sony product is also not a very compelling one no matter what you think about rootkits.

It also doesn't matter at all if other people have heard or said something about an issue before and it can be found on google. Most everything can. Most people know little or nothing about this, and couldn't be hurt by knowing a little more. I'll look at one or two of the links you provided too, so I can know a little bit more about it myself. And I'm glad that this is being discussed, because it's a serious and potentially quite costly issue that raises some interesting questions about where and how the lines are or can be drawn.

[wacki]

[ QUOTE ]
i think people who love the food and hate the service that never go back after the first trip are dumb.

[/ QUOTE ]

I agree with you on this 100%.

[ QUOTE ]
hink it's dumb to take a good idea like not getting walked on as a customer and proceeding to [censored] yourself by refusing to patronize an establishment instead of actually getting them to address the problem.

[/ QUOTE ]

I agree with this. However, a sony boycot isn't exactly [censored] yourself is it? You've got tons of alternatives for almost all of their products. A boycott would be of little inconvenience let alone [censored] yourself.

Look, basically I agree with everything you say except for the fact that indivual boycotts are useless. Think about it. Why does the "media's 'contacting the manager'" work in the first place? It's because they are afraid of declining sales. If you tell people an individual boycott is useless (and they listen to you) than you pretty much take away the power of the media to contact the manager.

Yes I know it's in the news. Still, if the populace is educated or conditioned not to boycott (as you seem to be doing) then the media loses it's power

Also, there is a long history of boycotts of products irrelevant to the issues being the critical factor in swaying the company to change it's stance in a different area. So telling people that boycotting the whole company isn't an acceptable route simply isn't true.


[ QUOTE ]
i guess i'm a real freedom-hating heretic for suggesting that this topic just might have been noticed already.

[/ QUOTE ]

freedom hating Heretic? I hope this is an attempt at humor.

[ QUOTE ]
for weeks now you can't read the news without running into the story.

[/ QUOTE ]

Well great! Now don't go around convincing people they are powerless.

[ QUOTE ]
does this mean i don't care? no. does this mean i'm not going to [censored] myself over and refuse to buy a playstation 3 or whatever if it's a product i want? that's exactly what it means.

[/ QUOTE ]

Well, a playstation 3 doesn't exactly have an equivalent does it? As for music, camera's, stereos, etc there are tons of ways to boycott without [censored] yourself.

Sorry if my post was a little unorganized. It's 5AM after all and I need sleep.

[CORed]

[ QUOTE ]
do you think this order came from the ceo?

[/ QUOTE ]

I think somebody pretty high in management (possibly VP level) said, "I want a copy protection system that can't be removed." . Somebody farther down the food chain hired Three Stooges Software to implement this, and they came up with this abomination. While I wouldn't boycott Denny's because some idiot assistant manager in Bumfuck, Kentucky threw a black guy out of the restaraunt for no reason other than that he was black, I don't think the two cases are comparable. Also, Sony's response to this is telling. They have not made an uninstaller publicly available: You have to send two emails, and accept ActiveX controls from their website to get the uninstaller. They have not recalled the infected CD's, nor offered to refund or replace on request. They have tried to spin it as not really being that bad.
So, while the initial decision to put the root kit copy protection on their CD's may or may not have been a mistake by a contractor or a lower level employee, their response when it became public has shown them to be unethical and irresponsible. Yes, making it right would be expensive for them, but I hope, failing to do so will be even more expensive.