SONY is at it AGAIN with DRM troubles...


Hazdaz
12-09-2005, 07:32 PM
http://arstechnica.com/news.ars/post/20051208-5720.html


Sony caught in another DRM snafu (http://arstechnica.com/news.ars/post/20051208-5720.html)

Stop me if you've heard this one before. A record label uses DRM to sort of keep its customers from copying the music. It turns out that the software poses a threat to the user's PC. So the label issues a patch... which opens up another security hole. If you guessed that the label in question is Sony, you'd be correct. If you guessed that I'm recapping last month's rootkit debacle (http://arstechnica.com/news.ars/post/20051101-5514.html), you'd be wrong.

It's déjà vu all over again (http://www.sonybmg.com/mediamax/statement.html), as Yogi Berra once said. On Tuesday, Sony informed the world that its other DRM software contained a security vulnerability as well. SunnComm's Media Max version 5 is the culprit, with its installation of a directory that could provide a means by which malware writers could hijack a PC running Windows. The problem was discovered in late November by Information Security Partners, which shared it with the EFF and Sony.

Common sense would tell most people that if your DRM software a) is a security risk for your customers and b) doesn't really do anything to solve the problem you think you have, then your best course of action is to drop the whole subject. Unfortunately, common sense and Sony are only passing acquaintances. Sony and SunnComm released a patch to fix the vulnerability. If by "fix," Sony and SunnComm meant "make the problem worse," then their solution is a rousing success.

According (http://www.freedom-to-tinker.com/?p=942) to Princeton computer science professor Ed Felten, the patch is insecure.

It turns out that there is a way an adversary can booby-trap the MediaMax files so that hostile software is run automatically when you install and run the MediaMax patch. The previously released MediaMax uninstaller is also insecure in the same way, allowing an adversary to booby-trap files so that hostile software is run automatically when you try to use the uninstaller.

This time, Sony turned to security professionals for help and was able to release an updated patch (http://www.sunncomm.com/support/updates/updates.asp) earlier today that supposedly fixes the problems with the previous version. If you own one of the 27 CDs (http://www.sonybmg.com/mediamax/titles.html) that came with MediaMax 5.0 and want to get rid of the software altogether, SunnComm offers a web-based uninstall tool (http://www.sunncomm.com/support/tools/uninstall.asp).

At this point, I don't know what I can say about the whole sorry mess that hasn't already been said, so I'll close with this: if Sony is trying to alienate its customers, expose itself to massive legal liability, and get the general public up in arms over DRM, it's doing a fine job. If the music label has some other goal in mind, it needs to change its tactics quickly.





:banghead:


This has gotten to the point where it's just ridiculous. Why exactly haven't criminal charges been filed yet???

tozz
12-09-2005, 08:51 PM
I'm not defending Sony, but criminal charges? Then you should include Microsoft and a lot of software developers because there's plenty of software out there that poses security risks.

Nightez
12-09-2005, 10:01 PM
I'm not defending Sony, but criminal charges? Then you should include Microsoft and a lot of software developers because there's plenty of software out there that poses security risks.
Well at least you have the choice to not install it. Unlike Sony's software.

tozz
12-09-2005, 10:08 PM
Well at least you have the choice to not install it. Unlike Sony's software.
I don't consider buying a cd and playing it in a computer as being forced. When you buy any other software, you're also "forced" to install it on the computer.

DoubleSupercool
12-09-2005, 10:36 PM
I don't consider buying a cd and playing it in a computer as being forced. When you buy any other software, you're also "forced" to install it on the computer.

As far as I know, the original problem was that the Sony software installed itself without telling you or asking permission. That would indicate you are forced to use it.

Hazdaz
12-09-2005, 11:03 PM
I don't consider buying a cd and playing it in a computer as being forced. When you buy any other software, you're also "forced" to install it on the computer.

You can't possibly be serious. Have you actually read about this and the other SONY DRM BS?!?

How dare someone want to actually LISTEN to a music CD that they purchased. :rolleyes:
... just by the mere act of popping into your CD drive you are automatically installing (without warning or asking) this BS software, that ends up making your PC both vulnerable to viruses, but can also make your drive stop working. And you are defending this??

These people should definitely face criminal charges. If someone came into your home and trashed your PC, they would definitely be held responsible for the damages and would be seeing jail time. When a corporation does essentially the same thing via electronic means, you find nothing wrong with this???

How is this much different than those teenagers/college kids that were arrested (on criminal charges) for writing viruses?

tozz
12-09-2005, 11:41 PM
You can't possibly be serious. Have you actually read about this and the other SONY DRM BS?!?

How dare someone want to actually LISTEN to a music CD that they purchased. :rolleyes:
... just by the mere act of popping into your CD drive you are automatically installing (without warning or asking) this BS software, that ends up making your PC both vulnerable to viruses, but can also make your drive stop working. And you are defending this??

These people should definitely face criminal charges. If someone came into your home and trashed your PC, they would definitely be held responsible for the damages and would be seeing jail time. When a corporation does essentially the same thing via electronic means, you find nothing wrong with this???

How is this much different than those teenagers/college kids that were arrested (on criminal charges) for writing viruses?
No you're not, this is only true if you have autorun enabled, something I don't understand why Microsoft implemented in the first place since there's so many ways of misusing it.
A lot of software does a lot of things without asking, overwriting .dll's, changing system settings, installing codecs, modifying files etc.

There's a big difference between the shit Sony put on the discs and your average virus written by the kid next door, the intent to destroy, or rather, the lack of it. You write a virus to steal or destroy information. You will have a hard time convincing me that Sony had the same intent with the DRM rootkit.

As I said, I'm not defending Sony (I find what they did to be very distasteful), nor do I support DRM. But I consider the laws around software to be very very fragile right now, and considering past events this might easily overflow into an extreme misuse of people suing software companies for things like "your software makes an exploit possible".

Since you find this so extremely important, you must have a load of evidence for viruses written to use this exploit or other related material that have destroyed all those computers, or do you want to sue for "in case of"?

Nightez
12-10-2005, 12:29 AM
I don't consider buying a cd and playing it in a computer as being forced. When you buy any other software, you're also "forced" to install it on the computer.
OK fair enough I see your point. But you buy a Music CD purely for the music only, not for the secret software it secretly installs onto your hard drive without your permission.

Hazdaz
12-10-2005, 01:28 AM
No you're not, this is only true if you have autorun enabled,
Which means that probably 95% of the people out there are then susceptible to this BS. Are we supposed to predict the future here?? Are people supposed to expect a simple MUSIC CD - without warning - is going to install this crap onto their system?? That is kind of the whole point - there is no warning ahead of time as to the fact that this stuff is being installed ahead of time.

There's a big difference between the shit Sony put on the discs and your average virus written by the kid next door, the intent to destroy, or rather, the lack of it. You write a virus to steal or destroy information. You will have a hard time convincing me that Sony had the same intent with the DRM rootkit.
Good intentions are useless. If someone gets hurt or property gets destroyed by someone meaning to "do good", that still doesn't negate the fact that it happened. The Ends do NOT justify the means. And no, this is not any better than some kid writing a virus. Maybe this crime - and yes, it is a crime - isn't "premeditated" to cause damage (which would be more severe and would apply to people that write viruses), but the fact that this SONY virus used a rootkit definitely means that they were purposefully doing this behind the user's knowledge. This isn't a case of "dumb luck". SONY knew exactly what they were doing by going the rootKit route. But like most corporations they don't want to be held accountable for their screw-ups.

the laws around software to be very very fragile right now, and considering past events this might easily overflow into an extreme misuse of people suing software companies
The laws around software are very fragile??? I have no idea where you get that. Seems to me that software companies have their asses covered every which way from Sunday. Those EULAs cover essentially anything and everything - something that this SONY virus conveniently didn't have... since after all it installed itself without telling you.

tozz
12-10-2005, 01:38 AM
You still haven't gotten to the proof yet, it's still just a lot of "if". So far the only thing proven is that the _uninstallers_ generate a possible way for exploitation (and a far fetched one at that). Now, if you want to compare that in a legal sense with a virus proven to be infecting millions of computers you have a very long way to go.
As I said before, a lot of software makes new paths for exploits (most aren't probably found since there's no use digging for them). Interesting numbers about computers having autorun enabled, care to elaborate where you got the statistics from?

Grim Beefer
12-10-2005, 02:34 AM
For proof that this rootkit damages computers look here (http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/), and here (http://www.wired.com/news/privacy/0,1848,69601,00.html). A criminal lawsuit has solid evidence from this (http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm) perspective. Sony knew about the risks of using such iffy software, and did nothing about it until it became a public fiasco. Furthermore, even the code itself in the rootkit violates (http://dewinter.com/modules.php?name=News&file=article&sid=215) the LGPL by ripping off Lame, another criminal offense. Comparing the actions of Sony to any plain old software manufacturer is ridiculous. Sony's intent was as malicious as any trojan author, because this software had nothing to do with the playing of music, but everything to do with the erosion of personal freedom to bloat someone's bank account. If you claim that this had no intent to "steal" or "destroy", you obviously don't understand the concept of "rights", or what's left of them.

Beamtracer
12-10-2005, 02:52 AM
It's criminal!

These recent DRM issues have caused more damage to the Sony brand name than anything before.

Criminal charges should be laid against Sony executives.

After all, young computer geeks have been sent to gaol for writing viruses that aren't as dangerous as Sony's Rootkit malware.

There's a big difference between the shit Sony put on the discs and your average virus written by the kid next door, the intent to destroy, or rather, the lack of it. You write a virus to steal or destroy information. You will have a hard time convincing me that Sony had the same intent with the DRM rootkit.

Most viruses don't destroy information. Most viruses aren't as malicious as people think. OK, the occasional one is malicious, but the majority don't trash your drive or steal your information.

Sony's Rootkit does steal your information. You think you're using your computer in private, but Sony is collecting information about what you are doing. It modifies code deep in the Windows operating system, replacing it with its own code.



The fact that this is the second DRM security breach is astounding and unbelievable.

Criminal charges should be laid against Sony executives. Why let them off the hook, when young geeks get the book thrown at them for lesser offenses? If the law is applied fairly and evenly, then the Sony execs would be sent to gaol.

amfantasy
12-10-2005, 03:22 AM
This is making me sick, the software is installed on your computer without asking, Sony needs to pay

Beamtracer
12-10-2005, 03:34 AM
Plus, it destroys people's confidence in buying compact disks (CDs).

Buy a compact disk and it might contain some malware that'll install on your computer and collect your information and modify the operating system to expose it to even more hacks, viruses and exploits.

You can't trust CDs any more, as they are just vessels that carry a payload of malware.

Teyon
12-10-2005, 05:45 AM
People could do what I do...use a CD player instead of my computer. Keeps me virtually worry free of such silly things as music with hidden programs.

E_Moelzer
12-10-2005, 07:36 AM
Well, actually from what I understand Sony must not even call this a Compact Disc since it is against CD specs...
Personally I think that Sony (and others) are about to make entertainment a pain in the ass.
Really, it's almost as if you are already half way criminal if you buy a CD, or DVD nowadays.
Has anyone noticed the amount of legal bullshit they confront someone with at the beginning of every DVD (and that can't even be skipped!). It's annoying and it steals my valuable (and way too little anyway) free time. Now having to concern myself with this on top of all the other stuff just makes me angry. What's next? Will we have to sign a contract upon purchasing a DVD, or CD?
IMHO it is like this: The record and movie companies are producing cheap shit and no one wants to buy or watch it, then they blame whoever they can get a hold of (the internet and the PC users, filesharing, copying, etc). It is nothing but a cheap excuse to quieten their shareholders, so they don't realize that the real reason for losses they make is the actual quality of the content.
The best examples are recent movies like Doom or the other stuff people like Uwe Boll produce.
And yes, I am upset about the way entertainment is getting less and less entertaining and more and more stressful.
CU
Elmar

Hazdaz
12-10-2005, 08:43 AM
TOZZ - just because you won't understand the technology and seem to be naive enough to think that 'wonderful' SONY isn't gonna do anything to harm your PC, doesn't mean that it isn't so.

Beamtracer
12-10-2005, 10:29 AM
People could do what I do...use a CD player instead of my computer. Keeps me virtually worry free of such silly things as music with hidden programs.

It might suit some to use a hi-fi style CD player instead of a computer. But I sit in front of my computer all day with my headsets on. If I want to listen to a CD, I will do it at the computer. Now Sony has made it unsafe to put CDs into a computer.

Sony's exploit #1
The first piece of malware that Sony hid on its CDs is a Rootkit. By definition, a rootkit is designed to exploit the operating system kernel (core) for the express purpose of hiding malicious software. This is like a cancer invading your system.

It will cause the operating system to become unstable, the CD drive may disappear, and result in Blue-Screens-Of-Death. It also opens up your computer so that any hacker can hide malicious code on your hard drive.

Now wait for this....

The man who discovered the Sony Rootkit malware and alerted the public to it, a guy called Mark Russinovich, has apparently broken the Digital Millennium Copyright Act (http://www.anti-dmca.org/) by revealing it.

It just goes to show that the lawmakers are in the pockets of the music industry.

paintbox
12-10-2005, 11:15 AM
If you liked this, you are going to love the next generation of Windows IF they truly incorporate DRM into the hardware. (I have been reading that in a thread a couple of weeks back) Any word from those developments?

tozz
12-10-2005, 11:16 AM
For proof that this rootkit damages computers look here (http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/), and here (http://www.wired.com/news/privacy/0,1848,69601,00.html). A criminal lawsuit has solid evidence from this (http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm) perspective. Sony knew about the risks of using such iffy software, and did nothing about it until it became a public fiasco. Furthermore, even the code itself in the rootkit violates (http://dewinter.com/modules.php?name=News&file=article&sid=215) the LGPL by ripping off Lame, another criminal offense. Comparing the actions of Sony to any plain old software manufacturer is ridiculous. Sony's intent was as malicious as any trojan author, because this software had nothing to do with the playing of music, but everything to do with the erosion of personal freedom to bloat someone's bank account. If you claim that this had no intent to "steal" or "destroy", you obviously don't understand the concept of "rights", or what's left of them.
Well, you did provide a source saying no outbreaks have been reported, also no information whatsoever that this rootkit steals and submits information to Sony. You still seem to be missing the point, I'm not defending what Sony did, but rather that you can't sue every software that opens up holes and possibilities for exploits, there wouldn't be much software left out there if this was the case. A rootkit is of course some serious trespassing on personal privacy, but so is the entire DRM concept, and it should be stopped there, not at the end of the line (at the consumers).

E_Moelzer: the CD specs were broken many years ago and there was pressure from a lot of sides that the icon had to be removed (if I remember correctly so was the case).

Hazdaz: naaw, still waiting for those facts... or did you pull those numbers out of a hat?

Beamtracer: same goes for the guy who found the Adobe Acrobat exploit, now where's the uproar about suing Adobe for making an extremely more wide open exploit possible?

rebo
12-10-2005, 11:40 AM
I buy pretty much all my music now in mp3 format, can't remember the last time I bought a CD.

pgp_protector
12-10-2005, 03:51 PM
People could do what I do...use a CD player instead of my computer. Keeps me virtually worry free of such silly things as music with hidden programs.

I don't have any, got rid of them a while ago.

Office (Home / work) I use the computer to listen to music.
Car MP3 Player
Portable MP3 Player

Hazdaz
12-10-2005, 08:28 PM
People could do what I do...use a CD player instead of my computer. Keeps me virtually worry free of such silly things as music with hidden programs.

That is not really an option to everyone. I for one had a stereo that broke a few years ago - so why waste money on a new stereo, when I spend most of my time in my PC room - the computer is right there... it plays CDs. Why should I have to be worried about this crap when I am buying legitimate CDs from a supposed legitimate music company? I mean I MIGHT expect something like this if I was downloading music illegally - but not from a legit company.


TOZZ - be sure to post up when your PC gets infected by some virus that uses SONY's rootkit exploit as an entrance.

BigJay
12-10-2005, 09:23 PM
Has anyone talked to anyone outside of this forum/internet about it? I find most people that don't read news on the internet have no clue this is going on at all. I have yet to see any word of it on the news or newspaper.

JosephGoss
12-10-2005, 09:46 PM
Has anyone talked to anyone outside of this forum/internet about it? I find most people that don't read news on the internet have no clue this is going on at all. I have yet to see any word of it on the news or newspaper.

It has not been on the actual news, but has come up on BBC interactive a few times, so it has not actually broken out into the world for most. Things like this stay silenced, you know, it's probably illegal to broadcast negative stuff about Sony over TV, just a guess

lol

Hazdaz
12-10-2005, 10:54 PM
Has anyone talked to anyone outside of this forum/internet about it? I find most people that don't read news on the internet have no clue this is going on at all. I have yet to see any word of it on the news or newspaper.
I concur. I have read and heard very little about this outside of the internet news sites and mostly the computer sites that I go to. I think that is what really pisses me off about this, is that the average consumer (99.9% of the people out there) haven't a clue about any of this, they just expect a purchased music CD to simply work. Not install crap on your system unknowingly. Not possibly open holes in their system that might threaten the stability of their PC and not possibly have their CD-Rom drive stop working.

One thing that I did hear was that the State Attorney of NY was looking into this case especially because even weeks after this problem was discovered (and even after SONY said that the CDs would be pulled off the shelves), investigators were still able to purchase CDs infected with this SONY Virus. The state Attorney seemed quite pissed about that, and that was even before this 2nd DRM problem surfaced.

Seems that the average Joe 6-pac isn't too concerned about this, but unfortunately those are the people that are usually most affected by something like this, cuz they won't know why their PC is flaking out on them.

Lorecanth
12-10-2005, 11:27 PM
Has anyone talked to anyone outside of this forum/internet about it? I find most people that don't read news on the internet have no clue this is going on at all. I have yet to see any word of it on the news or newspaper.

Large news conglomeration suppression at its finest.

PhantomDesign
12-11-2005, 09:21 AM
Contact your local newspapers, they may be interested in the story.

tozz
12-11-2005, 02:18 PM
TOZZ - be sure to post up when your PC gets infected by some virus that uses SONY's rootkit exploit as an entrance.
Since I buy CDs for the quality of music I like to play them on a dedicated setup, so it's not a problem.

As for the media, at least in Sweden you never get any IT-security related news unless it's a trojan/virus that has infected some serious amounts of computers. Reason is probably that news like it doesn't sell and people don't care.

jcorpe
12-11-2005, 04:36 PM
Now we just need to pass some legislation requiring the music industry to put labels on their CDs that say something like "PARENTAL ADVISORY-SPYWARE INCLUDED". It could be put next to the explicit lyrics label.

angel
12-11-2005, 05:23 PM
This is truly amazing to me, I think that the free market will work this out. I, for one, don't buy Sony's overpriced products. I can count the Sony products I have with five fingers and will have four fingers left. The one product I have is collecting dust in the garage... a PS1.

I don't buy music CDs either, can't remember the last time I did.

BigJay
12-11-2005, 08:51 PM
Contact your local newspapers, they may be interested in the story.

I really think that every news agency in the world is aware of this story. But for whatever reason they are not picking it up. It has been news now for at least two months and local news/CNN and newspapers, magazines in the US have not touched it. I checked Wired website and there is nothing there about it. In the US everything is fine please keep buying the cds, thank you.

What scares me about this is that there seems to be a mechanism in place that allows Sony to influence the media to turn a blind eye to the issue. What is even scarier about this is that there may be other companies that have used the same mechanism to hide other stories they don't like.

tozz
12-11-2005, 10:05 PM
What scares me about this is that there seems to be a mechanism in place that allows Sony to influence the media to turn a blind eye to the issue. What is even scarier about this is that there may be other companies that have used the same mechanism to hide other stories they don't like.
This shouldn't come as news (no pun intended). In all logic there's probably thousands of important events that aren't reported because of various factors, money and influence being two of them.

Beamtracer
12-12-2005, 04:53 AM
The music CDs that contain this malicious software usually have a label on the box that reads:

'Content Enhanced and Protected'

Hazdaz
12-12-2005, 05:00 AM
'Content Enhanced and Protected'


The ironing is delicious!

jeremybirn
12-12-2005, 05:45 AM
What scares me about this is that there seems to be a mechanism in place that allows Sony to influence the media to turn a blind eye to the issue. What is even scarier about this is that there may be other companies that have used the same mechanism to hide other stories they don't like.
It seems to me that Sony has received a huge amount of bad press about this, lots of newspaper articles, TV coverage, threads on cgtalk, Wired magazine editorial calling to "boycott Sony" etc.

-jeremy

Grim Beefer
12-12-2005, 06:58 AM
True, but the news stories are primarily coming to and from a technocratic elite. You and I may use computers everyday, being able to stay informed with some sentiment of "objectivity" in our news sources, but that does not apply to the majority of the public. While more people are getting their news from alternative sources, such as the web, the fact remains that most people just turn on the television. It is in the mainstream media that this fiasco has had a commercial blackout, just like most news stories potentially threatening to advertisers (Sony must be asking Monsanto for tips). So sure, maybe it was on CNN at 3 in the morning for a split second at the bottom of a ticker tape (or something, I'm being sarcastic), but the treatment thus far hardly qualifies as objective journalism.

My personal outrage stems from the fact that most people affected by such handiwork will be totally unaware of why it's a problem, even after a jargon laden explanation. Sony knows that a significant part of the populace is under-educated tech wise, and banked on the fact that because most people would not "see" any disturbances, they would pay little heed to such "minor" infringement.
